Security As a Service & Microsoft
Security as a Service & Microsoft 365
Nils Ullmann
June 2020

This model worked well in the old world
• Internal networks were built and optimized to connect users to apps in the data center
• Perimeter security appliances to protect the network
[Diagram labels: Outbound Gateway, Inbound Gateway, FW / IPS, URL Filter, Antivirus, DLP, SSL, Sandbox, DNS, Global LB, DDoS, Ext. FW/IPS, RAS (VPN), Internal FW, Internal LB; Workforce, Customers; Trusted Network with data centers in NA, EU and APJ]
[Callouts (User, Board, CEO): "My internet is faster at home!", "How secure are we?", "Why does it take so long!"; Internet Security Assessment; External Attack Surface Assessment]

Securing your cloud transformation

An opportunity for IT to empower the business
The cloud is the new data center
Application Transformation (Data Center to Cloud)
• Facilitates collaboration
• New business models
• Simplifies IT
[Diagram labels: Trusted Network, NA DC, EU DC]

The Problem: Microsoft 365

©2020 Zscaler, Inc. All rights reserved.

… the biggest megashift
[Timeline: MAINFRAME (1980s), CLIENT / SERVER (1990s), INTERNET (2000s), CLOUD / MOBILITY (2010s)]

Windows-as-a-Service (aka Windows 10)
• first OS built from the ground up for the Cloud
• many functions to improve Cloud usage, but also functionality based on the Cloud
• breaks traditional software and hardware deployment cycles
• monthly Quality Updates (~ 1 Gbyte)
• semiannual Feature Updates (~ 3.5 Gbyte)
• Roughly 20 Gbyte per client per year
• Application owners and delivery teams have to adopt agile development processes because of the frequency of the updates, or shift the applications to the Cloud as well
• Doesn’t like proxies anymore / gardening for default route / direct Internet access recommended

©2019 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION

Windows 10 - Internet access
Microsoft offers two different APIs to access the Internet

WinINet
• for interactive user applications
• manual / gpo / proxy.pac / wpad / direct / auto-detect (default)

WinHTTP
• designed for services
• independent from WinINet
• different supported feature set
• manual / wpad / registry / direct (default)

Windows 10 - Internet access
Table columns: Application, WinINet, WinHTTP, 3rd-party
Internet Explorer: X
Edge Browser: X
Google Chrome: X
Firefox: (X) X
PowerShell: X
Windows PKI: X
Updates / Bits: X
S4B Client: X
Windows Store: X
Store Apps: X
Live Tiles: X
Office 365 Lean Install: X
Teams: X X X

Office 365 ProPlus
• first Office built from the ground up for the Cloud
• many functions to improve Cloud usage, but also functionality based on the Cloud
• breaks traditional software and hardware deployment cycles
• initial deployment includes Microsoft CDN network (ca. 2 Gbytes)
• multiple incremental updates each month (ca. 1 Gbyte / month)
• lean deployment strategy is the best option
• Microsoft recommendation for good performance
• Latency: 50ms from Client to Microsoft Edge
• Latency: 30ms from Customer to Microsoft Edge
• Direct-to-Internet
• no dedicated proxies anymore

The Problem: Remote Access
VPN: First approach to remote access
Remote users placed on network via IPsec tunnel
[Diagram labels: Internet, VPN, Site-to-site VPN, Inbound Gateway, DDoS, Global LB, Ext. FW/IPS, Local LB, RAS (VPN), Internal FW, Trusted Network, Remote employee or third-party; callouts: "Traffic, including malware spreads laterally", "Even as you move to cloud…"]

Back to Zscaler

An opportunity for IT to empower the business
The cloud is the new data center
Application Transformation (Data Center to Cloud)
• Facilitates collaboration
• New business models
• Simplifies IT
Requires Security Transformation
Security Transformation (Network Security to SASE)
• Policy-based
• Transparent experience
• Standardization
Network Transformation (WAN to Internet)
• Fast user experience
• Network cost savings
• Simplify IT (Agility)
[Diagram labels: Trusted Network, NA DC, EU DC]

Delivering secure, fast, and reliable access to apps/data
• External Apps: Protect against threats and data leakage (ZIA)
• Internal Apps: Protect apps/data; only allow authorized access (ZPA)
• B2B Apps / Portal: Secure access to B2B apps (ZB2B)
• Digital Experience Monitoring (ZDX)
[Diagram labels: DC, Factory, DC; Digital Services Exchange; Zscaler Cloud Security Platform; Secure Edge, 150 Data Centers; Your Workforce (Branch, HQ, Road Warrior); Your Customers (B2B, B2C)]

Global data center footprint brings security close to the user
• 150: Data centers across six continents
• 75B+: Requests processed/day
• 100M+: Threats blocked/day (1)
• 120K+: Unique security updates/day
[Map locations: Oslo, Stockholm, Moscow, Copenhagen, Manchester, Amsterdam, Warsaw, Toronto, London, Brussels, Rouen, Frankfurt, Seattle, Chicago, Paris, New York, Zurich, Vienna, Beijing, Denver, San Francisco, Washington DC, Madrid, Milan, Tianjin, Seoul, Tokyo, Los Angeles, Atlanta, Dallas, Tel Aviv, Shanghai, Miami, Qatar, Hong Kong, Taipei, UAE, Saudi Arabia, Mumbai, Chennai, Lagos, Kuala Lumpur, Singapore, Sao Paulo, Johannesburg, Cape Town, Sydney, Melbourne, Auckland]
[Map legend: Peering with content and service providers; Office 365 DC peering]
Nestle, Company, and GE have users being secured by all Zscaler DCs
Cloud Insights: https://www.zscaler.com/threatlabz/global-internet-threats-insights
Peering: https://www.peeringdb.com

Four areas where Zscaler can help you deliver value
Make the business more agile and competitive
• Accelerate cloud adoption
• Remove network and security friction
Protect the company’s increasing digital footprint
• Policy-based access from anywhere
• Inspect encrypted traffic at scale
Provide customers and end-users a better experience
• Fast and direct access to apps – no backhaul
• Security and policy at the edge in 150 data centers
Reduce costs and ensure future cost avoidance
• 100% cloud service – per-user subscription
• Consolidate and simplify IT (SASE)
“It’s a rare occasion in history where it got more secure, better, and cheaper all at once.”

Blueprint for a cloud and mobile world
Better value: Easy deployment and operations
[Diagram labels: PRIVATE CLOUD, Identity Management, Security Operations, Digital Services Exchange, Security and Policy Enforcement, Endpoint Protection, Branch Networking, DC]

Zscaler Internet Access: Secure and fast access to internet & SaaS
Use Cases (External Apps)
Office 365
• App prioritization/peering with Microsoft
• One-click deployment
Secure SD-WAN
• Local breakouts for branch internet
• API integration with SD-WAN vendors
Block Bad / Protect Good: Protect Against Threats and Data Leakage
Threat Protection
• Inspect encrypted traffic at scale
• Cloud-effect: Identify once, protect all
Data Protection
• Shadow IT discovery
• Protect IP / PII / Compliance
[Diagram labels: ID Provider; Standardization, Simplification, Identical Protection (mobile, branch, HQ); Sydney, New York, London; Platform Services: Threat Prevention, Access Control, Data Protection]
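
The "Windows 10 - Internet access" slides describe WinINet and WinHTTP as independent stacks with different proxy sources, so a host can send interactive traffic through a proxy while services go direct. The PowerShell below is an added example, not part of the deck, that reports both configurations side by side; it assumes English `netsh` output and per-user (HKCU) WinINet settings, and the function names are hypothetical.

```powershell
# Added example, not from the deck. Function names are hypothetical.
# Assumes English netsh output and per-user (HKCU) WinINet settings.

function Get-WinINetProxy {
    # WinINet: per-user values under the Internet Settings key.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $s = Get-ItemProperty -Path $key
    $mode = 'direct-or-autodetect'
    if ($s.ProxyEnable -eq 1) { $mode = 'manual' }
    if ($s.AutoConfigURL)     { $mode = 'pac' }
    [pscustomobject]@{
        Stack  = 'WinINet'
        Mode   = $mode
        Proxy  = $s.ProxyServer
        PacUrl = $s.AutoConfigURL
        Bypass = $s.ProxyOverride
    }
}

function ConvertFrom-NetshWinHttp {
    # WinHTTP: machine-wide setting, parsed from 'netsh winhttp show proxy'.
    param([string[]]$Lines)
    $text = $Lines -join "`n"
    $proxy = $null
    $bypass = $null
    if ($text -match 'Proxy Server\(s\)\s*:\s*(\S+)') { $proxy = $Matches[1] }
    if ($text -match 'Bypass List\s*:\s*(.+)') { $bypass = $Matches[1].Trim() }
    $mode = 'direct'
    if ($proxy) { $mode = 'manual' }
    [pscustomobject]@{
        Stack  = 'WinHTTP'
        Mode   = $mode
        Proxy  = $proxy
        PacUrl = $null
        Bypass = $bypass
    }
}

$inet = Get-WinINetProxy
$http = ConvertFrom-NetshWinHttp -Lines (& netsh.exe winhttp show proxy)
$inet, $http | Format-Table -AutoSize

# Flag hosts where only one stack is proxied, or where both use a manual proxy
# but point at different servers, so service traffic is not assumed to follow
# the path configured for interactive applications.
$inetProxied = $inet.Mode -ne 'direct-or-autodetect'
$httpProxied = $http.Mode -ne 'direct'
if ($inetProxied -ne $httpProxied -or
    ($inet.Mode -eq 'manual' -and $httpProxied -and $inet.Proxy -ne $http.Proxy)) {
    Write-Warning 'WinINet and WinHTTP proxy settings differ on this host.'
}
```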