Security & 365
Nils Ullmann, June 2020
©2020 Zscaler, Inc. All rights reserved.

This model worked well in the old world
Internal networks were built and optimized to connect users to apps in the data center

Perimeter security appliances to protect the network

[Diagram: perimeter security appliances around a trusted network with NA, EU and APJ data centers. Outbound gateway: FW / IPS, URL filter, antivirus, DLP, SSL, sandbox, DNS. Inbound gateway: global LB, DDoS, ext. FW/IPS, RAS (VPN), internal FW, internal LB. Workforce and customers connect through these gateways.]

Securing your transformation
This model worked well in the old world
Internal networks were built and optimized to connect users to apps in the data center
Perimeter security appliances to protect the network

[Diagram: the same perimeter stack (outbound gateway: FW / IPS, URL filter, antivirus, DLP, SSL, sandbox, DNS; inbound gateway: global LB, DDoS, ext. FW/IPS, RAS (VPN), internal FW, internal LB) in front of the trusted network with NA, EU and APJ data centers, annotated with stakeholder reactions: a user ("My … is faster at home!"), the board ("How secure are we?") and the CEO ("Why does it take so long!"), plus an External Attack Surface Assessment of the trusted network.]

Securing your cloud transformation
An opportunity for IT to empower the business

The cloud is the new data center

Application Transformation: Data Center to Cloud
• Facilitates collaboration
• New business models
• Simplifies IT

[Diagram: trusted network with NA DC and EU DC.]

The Problem:
The old-world model shown above: an internal network and perimeter security appliances built to connect users to apps in the data center.

… the biggest megashift

[Timeline: 1980s Mainframe → 1990s Client / Server → 2000s Internet / Mobility → 2010s Cloud]

Windows-as-a-Service (aka Windows 10)

• first OS built from the ground up for the cloud
• many functions to improve cloud usage, but also functionality that depends on the cloud
• breaks traditional software and hardware deployment cycles
• monthly Quality Updates (~1 GB)
• semiannual Feature Updates (~3.5 GB)
• roughly 20 GB per client per year
• application owner and delivery teams have to adopt agile development processes because of the frequency of the updates, or shift the applications to the cloud as well
• doesn't like proxies anymore / "gardening" for the default route / direct Internet access recommended

Windows 10 - Internet access

Microsoft offers two different APIs to access the Internet:

WinINet
• for interactive user applications
• proxy configuration: manual / GPO / proxy.pac / WPAD / direct / auto-detect (default)

WinHTTP
• designed for services
• independent from WinINet
• different supported feature set
• proxy configuration: manual / WPAD / registry / direct (default)

Windows 10 - Internet access: which API does each application use?

Application (marked against WinINet / WinHTTP / 3rd-party stack)
• Internet Explorer: X
• Edge Browser: X
• Google Chrome: X
• Firefox: (X) X
• PowerShell: X
• Windows PKI: X
• Updates / BITS: X
• S4B Client: X
• Windows Store: X
• Store Apps: X
• Live Tiles: X
• Office 365 Lean Install: X
• Teams: X X X
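The two proxy stores described above are independent, which is why the application table matters: a service running under a system account reads the machine-wide WinHTTP setting, not the per-user WinINet setting that a GPO or a proxy.pac URL populates, so the two can silently diverge and the service ends up on a different path to the Internet than the user's browser. The script below is an added example, not part of the deck and not Zscaler or Microsoft code; it reads both stores on the local machine and reports a mismatch. It assumes Windows PowerShell 5.1 or later on Windows and the documented output format of `netsh winhttp show proxy`; the function names are the example's own.

```powershell
# Added example (not from the deck, not Zscaler code). Reads the WinINet (per-user)
# and WinHTTP (machine-wide) proxy configuration and flags any mismatch, which is
# the condition under which user applications and services take different paths
# to the Internet. Assumes Windows PowerShell 5.1 or later on Windows.

function Get-WinInetProxy {
    # WinINet settings live per user in the registry; this is what IE, a GPO proxy
    # policy or a proxy.pac URL populate. The WPAD "auto-detect" flag is stored in a
    # binary blob (Connections\DefaultConnectionSettings) and is not decoded here.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction Stop
    [pscustomobject]@{
        Stack         = 'WinINet'
        ProxyEnabled  = [bool]$p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigUrl = $p.AutoConfigURL      # proxy.pac URL, if one is configured
        Bypass        = $p.ProxyOverride
    }
}

function Get-WinHttpProxy {
    # WinHTTP keeps its own machine-wide setting; "netsh winhttp show proxy" is the
    # supported way to read it. Output is either "Direct access (no proxy server)."
    # or a "Proxy Server(s)" line followed by a "Bypass List" line.
    $text = (& netsh.exe winhttp show proxy) -join "`n"
    $server = $null; $bypass = $null
    if ($text -match 'Proxy Server\(s\)\s*:\s*(.+)') { $server = $Matches[1].Trim() }
    if ($text -match 'Bypass List\s*:\s*(.+)')       { $bypass = $Matches[1].Trim() }
    [pscustomobject]@{
        Stack         = 'WinHTTP'
        ProxyEnabled  = ($null -ne $server)
        ProxyServer   = $server
        AutoConfigUrl = $null   # WinHTTP has no static PAC setting; WPAD is resolved at run time
        Bypass        = $bypass
    }
}

function Compare-ProxyStacks {
    # Mismatch means: one stack proxies and the other goes direct, or both proxy
    # but through different servers.
    $inet = Get-WinInetProxy
    $http = Get-WinHttpProxy
    $mismatch = ($inet.ProxyEnabled -ne $http.ProxyEnabled) -or
                ($inet.ProxyEnabled -and ($inet.ProxyServer -ne $http.ProxyServer))
    [pscustomobject]@{
        WinINet  = $inet
        WinHTTP  = $http
        Mismatch = $mismatch
    }
}

$result = Compare-ProxyStacks
$result.WinINet, $result.WinHTTP | Format-Table -AutoSize
if ($result.Mismatch) {
    Write-Warning 'WinINet and WinHTTP disagree: user applications and services will take different paths to the Internet.'
}
```

On a client where the user proxy comes from GPO but WinHTTP was never touched, the WinHTTP row shows ProxyEnabled False: services go direct while the browser goes through the proxy. If the intent is for services to follow the user setting, `netsh winhttp import proxy source=ie` copies the current user's WinINet proxy into the WinHTTP store; if the intent is direct Internet access for everything, as the Windows 10 slide recommends, both rows should show ProxyEnabled False.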

Office 365 ProPlus

• first Office built from the ground up for the cloud
• many functions to improve cloud usage, but also functionality that depends on the cloud
• breaks traditional software and hardware deployment cycles
• initial deployment from the Microsoft CDN network (ca. 2 GB)
• multiple incremental updates each month (ca. 1 GB / month)
• a lean deployment strategy is the best option
• Microsoft recommendation for good performance:
  • latency: 50 ms from client to the Microsoft network edge
  • latency: 30 ms from customer to the Microsoft network edge
  • direct-to-Internet
  • no dedicated proxies anymore
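Whether a client meets the 50 ms target above is easy to measure, and measuring it from a branch with a backhauled proxy path next to a direct-to-Internet path shows the difference the slide is talking about. The script below is an added example, not part of the deck and not Zscaler or Microsoft code. It pulls the current Office 365 "Optimize" endpoint list from Microsoft's public IP/URL web service (endpoints.office.com, a real service; the `category` and `urls` fields are part of its documented output), then times a TCP connect to a sample of those hosts. It assumes outbound TCP 443 is allowed and that the web service is reachable; the function and parameter names are the example's own.

```powershell
# Added example (not from the deck, not Zscaler or Microsoft code). Measures TCP connect
# latency from this client to Office 365 "Optimize" endpoints and compares it with the
# 50 ms client-to-Microsoft-edge target quoted on the slide. Assumes outbound 443 is open
# and that the public Office 365 IP/URL web service (endpoints.office.com) is reachable.
param(
    [int]$ThresholdMs = 50,   # target from the slide
    [int]$SampleSize  = 5,    # number of Optimize hostnames to probe
    [int]$TimeoutMs   = 3000
)

function Get-OptimizeHosts {
    # The web service requires a client GUID; it is used only for request tracking.
    $uri = "https://endpoints.office.com/endpoints/worldwide?clientrequestid=$([guid]::NewGuid())"
    $endpoints = Invoke-RestMethod -Uri $uri -Method Get
    $endpoints |
        Where-Object { $_.category -eq 'Optimize' -and $_.urls } |
        ForEach-Object { $_.urls } |
        Where-Object { $_ -notmatch '\*' } |   # wildcard entries cannot be connected to directly
        Sort-Object -Unique
}

function Measure-TcpConnect {
    param([string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 3000)
    # Returns the connect time in ms, or $null on timeout/refusal. A TCP handshake
    # approximates the network round trip; TLS and HTTP time are deliberately excluded.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        $task = $client.ConnectAsync($HostName, $Port)
        if (-not $task.Wait($TimeoutMs)) { return $null }
        $sw.Stop()
        return [math]::Round($sw.Elapsed.TotalMilliseconds, 1)
    } catch {
        return $null   # DNS failure or connection refused surfaces as an exception from Wait()
    } finally {
        $client.Dispose()
    }
}

$targets = Get-OptimizeHosts | Select-Object -First $SampleSize
foreach ($h in $targets) {
    $ms = Measure-TcpConnect -HostName $h -TimeoutMs $TimeoutMs
    $verdict = if ($null -eq $ms) { 'unreachable' }
               elseif ($ms -le $ThresholdMs) { 'within target' }
               else { 'above target' }
    [pscustomobject]@{ Host = $h; ConnectMs = $ms; Verdict = $verdict }
}
```

Run it once from the office path and once from a home or direct-breakout connection; if a proxy or MPLS backhaul sits in the office path, the office numbers are the ones that land "above target". Hosts reported as unreachable usually mean the proxy is mandatory on that path, in which case the TCP connect never reaches Microsoft at all.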

The Problem: Remote Access


VPN: First approach to remote access
• Remote users are placed on the network via an IPsec tunnel
• Site-to-site traffic, including malware, spreads laterally
• Even as you move to cloud…

[Diagram: Internet → VPN inbound gateway (DDoS, global LB, ext. FW/IPS, local LB, RAS (VPN), internal FW) → trusted network; a remote employee or third-party enters through the VPN.]

Back to Zscaler

An opportunity for IT to empower the business
The cloud is the new data center

Application Transformation: Data Center to Cloud
• Facilitates collaboration
• New business models
• Simplifies IT

Requires Security Transformation: to SASE
• Policy-based
• Transparent experience
• Standardization

Requires Network Transformation: WAN to Internet
• Fast user experience
• Network cost savings
• Simplify IT (agility)

[Diagram: trusted network with NA DC and EU DC.]

Delivering secure, fast, and reliable access to apps/data

• ZIA (Zscaler Internet Access): protect against threats and data leakage (external apps)
• ZPA (Zscaler Private Access): protect apps/data; only allow authorized access (internal apps in the DC / factory DC)
• ZB2B: secure access to B2B apps / portal
• ZDX: Digital Experience Monitoring

Zscaler Cloud Security Platform: Digital Services Exchange, Secure Edge, 150 data centers

[Diagram: your workforce (branch, HQ, road warrior) and your customers (B2B, B2C) connect through the platform to external apps, internal apps and B2B apps / portal.]

Global data center footprint brings security close to the user

• 150 data centers across six continents
• 75B+ requests processed/day
• 100M+ threats blocked/day
• 120K+ unique security updates/day

[Map: data centers in Oslo, Stockholm, Moscow, Copenhagen, Manchester, Amsterdam, Warsaw, Toronto, London, Brussels, Rouen, Frankfurt, Seattle, Chicago, Paris, New York, Zurich, Vienna, Beijing, Denver, San Francisco, Washington DC, Madrid, Milan, Tianjin, Seoul, Tokyo, Los Angeles, Atlanta, Dallas, Tel Aviv, Shanghai, Miami, Qatar, Hong Kong, Taipei, UAE, Saudi Arabia, Mumbai, Chennai, Lagos, Kuala Lumpur, Singapore, Sao Paulo, Johannesburg, Cape Town, Sydney, Melbourne, Auckland; peering with content and service providers; Office 365 DC peering.]

Nestle, Company, and GE have users being secured by all Zscaler DCs

Cloud Insights: https://www.zscaler.com/threatlabz/global-internet-threats-insights
Peering: https://www.peeringdb.com

Four areas where Zscaler can help you deliver value

Make the business more agile and competitive
• Accelerate cloud adoption
• Remove network and security friction

Protect the company’s increasing digital footprint
• Policy-based access from anywhere
• Inspect encrypted traffic at scale

Provide customers and end-users a better experience
• Fast and direct access to apps, no backhaul
• Security and policy at the edge in 150 data centers

Reduce costs and ensure future cost avoidance
• 100% cloud service, per-user subscription
• Consolidate and simplify IT (SASE)

“It’s a rare occasion in history where it got more secure, better, and cheaper all at once.”

Blueprint for a cloud and mobile world
Better value: easy deployment and operations

[Diagram: the Digital Services Exchange providing Security and Policy Enforcement, connected to Identity Management, Security Operations, Endpoint Protection, Branch Networking, the private cloud and the DC.]

Zscaler Internet Access: Secure and fast access to internet & SaaS

Use Cases

Office 365
• App prioritization / peering with Microsoft
• One-click deployment

Secure SD-WAN
• Local breakouts for branch internet
• API integration with SD-WAN vendors

Threat Protection
• Inspect encrypted traffic at scale
• Cloud-effect: identify once, protect all

Data Protection
• Shadow IT discovery
• Protect IP / PII / compliance

Standardization / Simplification / Identical Protection (mobile, branch, HQ)

Platform Services (Sydney, New York, London)

Threat Prevention
• Proxy (native SSL)
• Advanced Threat Protection
• Cloud Sandbox
• DNS Security
• Browser Isolation

Access Control
• Cloud Firewall
• URL Filtering
• Bandwidth Control
• DNS Resolution

Data Protection
• Cloud DLP
• Exact Data Match
• CASB

[Diagram: your workforce (branch, HQ, road warrior) over broadband, fiber and 4/5G; ID provider; external apps; "Block Bad / Protect Good" and "Protect Against Threats and Data Leakage" as the two enforcement goals.]

Achieve Zero Trust Network Access with ZPA

Use Cases (public, private and industrial control)

Replace Remote Access VPN
• Fast, direct access to apps, no backhaul
• Secure contractors’ connectivity to data center

Direct Access to Multi-Clouds
• No data center-to-cloud direct connect required
• Eliminate the need for virtual DMZs

Accelerate M&A IT Integration
• Integrate companies without integrating networks
• Standardize security across companies

Secure Access to Industrial Systems
• Secure critical infrastructure (invisible)
• Policy-based access from anywhere

Zero Attack Surface / App Segmentation / Zero Trust Network Access

Platform Services (Sydney, New York, London)

Zero Trust Network Access
• Anti-VPN
• Anti-Firewall
• Anti-DDoS
• Anti-network segmentation

Discovery / Availability
• GSLB
• Optimal Path Selection
• App Health Monitoring
• App Discovery

App / Device Access
• Browser Access
• Web Isolation
• Private Service Edge

[Diagram: your workforce (branch, HQ, road warrior) over broadband, fiber and 4/5G; ID provider; internal apps in the data center; "Protect apps/data; only allow authorized access".]

Zscaler Private Access: Fast and secure access to private apps
Multi-Cloud: Public / Private

How it works:
1. A user requests access to an app
2. Policies determine if the user has access to the app
3. If allowed, the cloud establishes an inside-out connection from the App Connector to the ZEN, and client microtunnels that connect an authenticated user to an app

Zero Trust approach:
• Remote users are never brought onto the corporate network
• App access without network access
• Apps are invisible, not exposed to the internet
• Native app segmentation

[Diagram: SDP connectors beside the apps, security and policy enforcement in the Zscaler cloud (New York, London, Sydney), client and connector both connecting to the same ZEN, enterprise directory and broker. Traffic forwarding: browser or Zscaler App. Users: partners, employees, Internet-only branch.]

A few ideas …

Employee Application Access
• Scale to demand is provided by the Zscaler cloud; no hardware requirements
• No exposed ecosystem to the Internet, turning infrastructure dark
• Single global access: the user gets the same service, security and access, regardless of where they are
• Users can exist anywhere and are not tied to a physical location or network
• Outbound connections remove the need for “inbound controls”, e.g. VPN, FW, DDoS protection
• Single user experience with Zscaler Internet Access (ZIA) and Private Access (ZPA)

[Diagram: EMEA user and Americas user reach the company data centers through the Zero Trust Exchange.]

Multi-Cloud Access
• Users access apps directly; there is no backhaul over MPLS links
• Apps exist in any location; users access apps in parallel, with no network connection
• Single global access: the user gets the same service, security and access, regardless of where they are
• Optimization of network interconnects: server-to-server connections
• Single user experience with Zscaler Internet Access (ZIA) and Private Access (ZPA)

[Diagram: EMEA user and Americas user reach the company data center and the clouds through the Zero Trust Exchange.]

Divestiture / M&A
• Connection path is not dependent on user or app location:
  - no need for network interconnect (MPLS/VPN/etc.)
  - users can be at any location
  - no doubling up of NAT/FW/DNS
• Access control is managed for both sets of users (company A & B), globally
• Single global access: the user gets the same service, security and access, regardless of where they are

[Diagram: Company users and Energy users, from a Company office and an Energy office, reach the Company DC and the Energy DC through the Zero Trust Exchange.]

3rd Party User Access
• 3rd parties get direct access to only what is allowed and nothing more, protecting your infrastructure
• No need to integrate or manage 3rd parties in your IDP; leverage the 3rd party’s IDP for authentication
• Single global access: the user gets the same service, security and access, regardless of where they are

[Diagram: company workforce (authenticated by the company IDP) and 3rd-party users (authenticated by the 3rd-party IDP) reach the data center through the Zero Trust Exchange.]

What you should consider

User “networks” are pointless
• Substantial hardware requirements on premise
• Useless when your users are mobile
• Multiple user networks means multiple spots for ingress to occur
• Limit your ability to consume external services

Use the Internet, host apps anywhere
• Access from anywhere
• Cloud goes direct; it is native to the Internet
• Faster user experience
• Simplified user access
• Global protection, regardless
• Policy is enabled granularly, but globally

[Diagram: cloud locations]

Zscaler: Securely transforms IT for a world of cloud
Fast, secure, and reliable access to your apps: to any cloud, over any network, on any device

Zscaler Internet Access (ZIA): SaaS and Internet (externally managed)
• Full inline inspection to block the bad, and protect the good

Zscaler Private Access (ZPA): Multi-Cloud, public & private (internally managed)
• Connect an authorized user to an authorized internal app

Legacy Network: hub-and-spoke, private → New Network: direct-to-cloud over any network
Legacy Security: secure the network → New Security: secure the network

Business policies securely connect users to apps (Security and Policy Enforcement)

Traffic forwarding: Zscaler App; SD-WAN (GRE/IPsec tunnels); optimal path
Networks: 4G/5G, broadband, satellite, MPLS WAN
Locations: mobile, Internet-only and hybrid branches, HQ, DC

Next Steps
• Architecture Workshop
• Executive Briefing
• San Jose, CA