Security as a Service & Microsoft 365
Nils Ullmann, June 2020

This model worked well in the old world
Internal networks were built and optimized to connect users to apps in the data center
Perimeter security appliances to protect the network
[Diagram: hub-and-spoke network with an outbound gateway (FW/IPS, URL filter, antivirus, DLP, SSL, sandbox, DNS) and an inbound gateway (global LB, DDoS, external FW/IPS, RAS/VPN, internal FW, internal LB) in front of a trusted network of NA, EU and APJ data centers; workforce and customers connect through the gateways]
Securing your cloud transformation
[Same diagram, annotated with what users, the board and the CEO ask of IT: "My internet is faster at home!", "Why does it take so long!", "How secure are we?", "Internet Security Assessment", "External Attack Surface Assessment"]
An opportunity for IT to empower the business
The cloud is the new data center
Application Transformation: Data Center to Cloud
• Facilitates collaboration
• New business models
• Simplifies IT
[Diagram: applications move out of the trusted network (NA DC, EU DC) into the cloud]
The Problem: Microsoft 365
©2020 Zscaler, Inc. All rights reserved.
… the biggest megashift
• 1980s: Mainframe
• 1990s: Client / Server
• 2000s: Internet / Mobility
• 2010s: Cloud

Windows-as-a-Service (aka Windows 10)
• first OS built from the ground up for the Cloud
• many functions to improve Cloud usage, but also functionality that depends on the Cloud
• breaks traditional software and hardware deployment cycles
• monthly Quality Updates (~1 GB)
• semiannual Feature Updates (~3.5 GB)
• roughly 20 GB per client per year
• application owners and delivery teams have to adopt agile development processes because of the update frequency, or shift the applications to the Cloud as well
• does not play well with proxies anymore; wants a default route to the Internet; direct Internet access is recommended
©2019 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION

Windows 10 - Internet access
Microsoft offers two different APIs to access the Internet: WinINet and WinHTTP. Each has its own proxy configuration, so one client can send interactive traffic one way and service traffic another.

WinINet
• for interactive user applications
• proxy configuration: manual / GPO / proxy.pac / WPAD / direct / auto-detect (default)

WinHTTP
• designed for services
• independent from WinINet
• different supported feature set
• proxy configuration: manual / WPAD / registry / direct (default)
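To see the two proxy stacks side by side on a client, here is an added PowerShell example (not from the deck): it reads the WinINet settings from the per-user registry key and the WinHTTP setting via netsh, and warns when they disagree, which is the case where service traffic bypasses the inspection path the browser uses. It assumes a Windows 10 host; the function names are mine.

```powershell
# Added example (not from the deck): audit WinINet (per-user) versus WinHTTP
# (service) proxy settings on a Windows 10 client. Read-only; no elevation needed.
# Assumption: run locally in Windows PowerShell 5.1 or PowerShell 7 on Windows.

function Get-WinInetProxy {
    # WinINet stores the interactive-user configuration under this per-user key.
    # The "auto-detect (WPAD)" flag lives in the binary DefaultConnectionSettings
    # value of the Connections subkey and is not decoded here.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $s = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Stack         = 'WinINet'
        ProxyEnabled  = [bool]$s.ProxyEnable
        ProxyServer   = $s.ProxyServer
        AutoConfigUrl = $s.AutoConfigURL
        BypassList    = $s.ProxyOverride
    }
}

function Get-WinHttpProxy {
    # WinHTTP keeps its own machine-wide setting (the WinHttpSettings value under
    # HKLM ...\Internet Settings\Connections); netsh prints it in readable form.
    $out = (netsh winhttp show proxy) -join "`n"
    $server = if ($out -match 'Proxy Server\(s\)\s*:\s*(.+)') { $Matches[1].Trim() } else { $null }
    $bypass = if ($out -match 'Bypass List\s*:\s*(.+)') { $Matches[1].Trim() } else { $null }
    [pscustomobject]@{
        Stack         = 'WinHTTP'
        ProxyEnabled  = ($null -ne $server)     # "Direct access" prints no server line
        ProxyServer   = $server
        AutoConfigUrl = $null                   # WinHTTP has no PAC URL setting
        BypassList    = $bypass
    }
}

function Compare-ProxyStacks {
    $inet = Get-WinInetProxy
    $http = Get-WinHttpProxy
    $inet, $http | Format-Table -AutoSize
    # The case that matters for inspection coverage: browsers use the proxy but
    # services (Windows Update/BITS, PowerShell, Store apps, PKI) go direct or elsewhere.
    if ($inet.ProxyEnabled -ne $http.ProxyEnabled -or $inet.ProxyServer -ne $http.ProxyServer) {
        Write-Warning 'WinINet and WinHTTP disagree: service traffic may take a different path than browser traffic.'
    }
}

Compare-ProxyStacks
```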
Which API each application uses (columns: WinINet / WinHTTP / 3rd-party stack)
[Table; the column in which each mark fell was lost in extraction, so only the marks per application are listed]
Internet Explorer: X
Edge Browser: X
Google Chrome: X
Firefox: (X) X
PowerShell: X
Windows PKI: X
Updates / BITS: X
S4B Client: X
Windows Store: X
Store Apps: X
Live Tiles: X
Office 365 Lean Install: X
Teams: X X X (all three)
Office 365 ProPlus
• first Office built from the ground up for the Cloud
• many functions to improve Cloud usage, but also functionality that depends on the Cloud
• breaks traditional software and hardware deployment cycles
• initial deployment comes from the Microsoft CDN network (ca. 2 GB)
• multiple incremental updates each month (ca. 1 GB / month)
• lean deployment strategy is the best option
• Microsoft recommendation for good performance:
  • latency: 50 ms from client to Microsoft's network edge
  • latency: 30 ms from customer to Microsoft's network edge
  • direct-to-Internet
  • no dedicated proxies anymore

The Problem: Remote Access
VPN: First approach to remote access
• Remote users are placed on the network via an IPsec tunnel
• Traffic, including malware, spreads laterally
• Even as you move to cloud, the remote employee or third party still enters through the inbound gateway (DDoS, global LB, external FW/IPS, local LB, RAS/VPN, internal FW) into the trusted network
[Diagram: Internet VPN and site-to-site VPN terminating on the inbound gateway]
Back to Zscaler
An opportunity for IT to empower the business
The cloud is the new data center
Application Transformation: Data Center to Cloud
• Facilitates collaboration
• New business models
• Simplifies IT
Requires Security Transformation: Network Security to SASE
• Policy-based
• Transparent experience
• Standardization
Requires Network Transformation: WAN to Internet
• Fast user experience
• Network cost savings
• Simplify IT (Agility)
[Diagram: trusted network with NA DC and EU DC]
Delivering secure, fast, and reliable access to apps/data
• External apps: protect against threats and data leakage (ZIA)
• Internal apps: protect apps/data; only allow authorized access (ZPA)
• B2B apps / portal: secure access to B2B apps (ZB2B)
• Digital Experience Monitoring (ZDX)
[Diagram: Zscaler Cloud Security Platform (Digital Services Exchange, Secure Edge, 150 data centers) between your workforce (branch, HQ, road warrior) and your customers (B2B, B2C), with the DC and factory DC behind it]
Global data center footprint brings security close to the user
• 150 data centers across six continents
• 75B+ requests processed/day
• 100M+ threats blocked/day
• 120K+ unique security updates/day
• Peering with content and service providers; Office 365 DC peering
[Map: data center locations across North America, South America, Europe, the Middle East, Africa, Asia and Oceania]
Nestle, Company, and GE have users being secured by all Zscaler DCs
Cloud Insights: https://www.zscaler.com/threatlabz/global-internet-threats-insights
Peering: https://www.peeringdb.com
Four areas where Zscaler can help you deliver value
Make the business more agile and competitive
• Accelerate cloud adoption
• Remove network and security friction
Protect the company’s increasing digital footprint
• Policy-based access from anywhere
• Inspect encrypted traffic at scale
Provide customers and end-users a better experience
• Fast and direct access to apps – no backhaul
• Security and policy at the edge in 150 data centers
Reduce costs and ensure future cost avoidance
• 100% cloud service – per-user subscription
• Consolidate and simplify IT (SASE)
“It’s a rare occasion in history where it got more secure, better, and cheaper all at once.”
Blueprint for a cloud and mobile world
Better value: Easy deployment and operations
[Diagram: Digital Services Exchange for security and policy enforcement, connected to identity management, security operations, endpoint protection, branch networking, the private cloud and the DC]
Zscaler Internet Access: Secure and fast access to internet & SaaS
Use cases
• Office 365: app prioritization / peering with Microsoft; one-click deployment
• Secure SD-WAN: local breakouts for branch internet; API integration with SD-WAN vendors
• Threat protection: inspect encrypted traffic at scale; cloud effect: identify once, protect all
• Data protection: shadow IT discovery; protect IP / PII / compliance
Block bad / protect good: protect against threats and data leakage; ID provider integration
Standardization, simplification, identical protection (mobile, branch, HQ)
Platform services (Sydney, New York, London, …)
• Threat prevention: proxy (native SSL), advanced threat protection, cloud sandbox, DNS security
• Access control: cloud firewall, URL filtering, bandwidth control, DNS resolution
• Data protection: cloud DLP, exact data match, CASB, browser isolation
[Diagram: your workforce (branch, HQ, road warrior) over broadband, fiber, 4/5G to external apps]
Achieve Zero Trust Network Access with ZPA
Use cases (public cloud, private cloud, industrial control)
• Replace remote access VPN: fast, direct access to apps – no backhaul; secure contractors’ connectivity to the data center
• Direct access to multi-clouds: no data center-to-cloud direct connect required; eliminate the need for virtual DMZs
• Accelerate M&A IT integration: integrate companies without integrating networks; standardize security across companies
• Secure access to industrial systems: secure critical infrastructure (invisible); policy-based access from anywhere
Protect apps/data; only allow authorized access; ID provider integration
Data center: zero attack surface, app segmentation, zero trust network access
Platform services (Sydney, New York, London, …)
• Zero Trust Network Access: anti-VPN, anti-firewall, anti-DDoS, anti-network segmentation
• Discovery / availability: GSLB, optimal path selection, app health monitoring, app discovery
• App/device access: browser access, web isolation, private service edge
[Diagram: your workforce (branch, HQ, road warrior) over broadband, fiber, 4/5G to internal apps]
Zscaler Private Access: Fast and secure access to private apps
Multi-Cloud: public / private

How it works:
1. A user requests access to an app
2. Policies determine if the user has access to the app
3. If allowed, the cloud establishes an inside-out connection from the App Connector to a ZEN, and client microtunnels to the same ZEN connect the authenticated user to the app

Zero Trust approach:
• Remote users are never brought onto the corporate network
• App access without network access
• Apps are invisible, not exposed to the internet
• Native app segmentation
• Traffic forwarding: browser or Zscaler App
[Diagram: SDP connectors in front of the apps, security and policy enforcement in the cloud (New York, London, Sydney), enterprise directory and broker; partners, employees and an Internet-only branch connecting in]
A few ideas …

Employee Application Access
• Scale to demand is provided by the Zscaler cloud – no hardware requirements
• No ecosystem exposed to the Internet, turning infrastructure dark
• Single global access: users get the same service, security and access regardless of where they are
• Users can exist anywhere and are not tied to a physical location or network
• Outbound connections remove the need for “inbound controls”, e.g. VPN, FW, DDoS protection
• Single user experience with Zscaler Internet Access (ZIA) and Private Access (ZPA)
[Diagram: EMEA user and Americas user reach the company data centers through the Zero Trust Exchange]
Multi-Cloud Access
• Users access apps directly; there is no backhaul over MPLS links
• Apps exist in any location; users access apps in parallel, with no network connection to each location required
• Single global access: users get the same service, security and access regardless of where they are
• Optimization of network interconnects – server-to-server connections
• Single user experience with Zscaler Internet Access (ZIA) and Private Access (ZPA)
[Diagram: EMEA user and Americas user reach the company data center and clouds through the Zero Trust Exchange]
Divestiture / M&A
• Connection path is not dependent on user or app location:
  - no need for network interconnect (MPLS/VPN/etc.)
  - users can be at any location
  - no doubling up of NAT/FW/DNS
• Access control is managed for both sets of users (company A & B), globally
• Single global access: users get the same service, security and access regardless of where they are
[Diagram: Company DC and Energy DC; Company users and Energy users at the Company office and the Energy office, connected through the Zero Trust Exchange]
3rd Party User Access
• 3rd parties get direct access to only what is allowed and nothing more, protecting your infrastructure
• No need to integrate or manage 3rd parties on your IDP; leverage the 3rd party's IDP for authentication
• Single global access: users get the same service, security and access regardless of where they are
[Diagram: company workforce via the company IDP and 3rd-party users via the 3rd-party IDP reach the data center through the Zero Trust Exchange]
What you should consider
User “networks” are pointless
• Substantial hardware requirements
• Useless when your users are mobile
• Multiple user networks means multiple spots for ingress to occur
• Limit your ability to consume external services
Use the Internet
• Access from anywhere
• Cloud goes direct – it is native to the Internet
• Faster user experience
• Global protection regardless of location
Host apps anywhere
• On premise
• Cloud locations
• Simplified user access
• Policy is enabled granularly, but globally
Zscaler: Securely transforms IT for a world of cloud
Fast, secure, and reliable access to your apps – to any cloud, over any network, on any device
• SaaS / Internet (externally managed): Zscaler Internet Access (ZIA) – full inline inspection to block the bad and protect the good
• Multi-Cloud, public & private (internally managed): Zscaler Private Access (ZPA) – connect an authorized user to an authorized internal app
• Legacy network: hub-and-spoke, private; legacy security: secure the network
• New network: direct-to-cloud over any network; new security: security and policy enforcement – business policies securely connect users to apps
• Traffic forwarding: Zscaler App; SD-WAN (GRE/IPsec tunnels) with optimal path over 4G/5G, broadband, satellite, MPLS WAN
[Diagram: mobile users, Internet-only branches, hybrid branches, HQ and DC]

Next Steps
• Architecture Workshop
• Executive Briefing, San Jose, CA