Secure, Simplify and Transform to a Cloud-Enabled …...Secure network transformation Enabled by...


©2017 Zscaler, Inc. All rights reserved.

Jay Chaudhry, CEO & Chairman, May 2017

The cloud security leader

IT’S TIME TO BREAK FREE FROM THE OLD WORLD OF IT

Secure, Simplify and Transform to a Cloud-Enabled Enterprise


Perimeter defenses – castle and moat: Protect people and gold


A Drawbridge let people in and out


Guards at the Gate: keep enemies out and gold in


Modern day castle and moat

Outbound Gateway

FW / IPS

URL Filter

Antivirus

DLP

SSL

Sandbox

Global LB

DDoS

FW/IPS

RAS (VPN)

Internal FW

Internal FW/LB

Outbound gateways: Secure access to Internet

More threats, more appliances

Inbound gateways: VPN to access DC apps

More users, more appliances

Corporate Network

Moscow

Outbound & Inbound Gateway


The world evolved: People sought greener pastures


The IT world has evolved: Seeking greener pastures in the cloud

Applications are moving to the cloud

Connections are following the path of least resistance

Users are leaving the corporate network

Headquarters

Hub and Spoke Architecture


Medieval Times Modern Times


How do you secure this new world of IT?


Architectural approach for better security to reduce risk


New world of IT: Business happens everywhere (where is my perimeter?)

Apps are moving: SaaS / IaaS

THE NEW CENTER OF GRAVITY

Hub-and-Spoke Architecture: MPLS to backhaul to regional GWs

How many gateways do you have?

“80% of traffic on my WAN was for the DC and 20% for the Internet. Now it’s the opposite.” CIO, Fortune 500

How much are you paying to transport your Internet traffic on MPLS?

If you don’t control the network (Internet), how can you secure it? The traditional network security stack is irrelevant.

MPLS

Datacenter

Branch

European GW Asian GW


Inbound & Outbound Gateway

Ext. FW / IPS

URL Filtering

Antivirus

DLP

SSL

Sandbox

Global LB

DDoS

Ext FW/IPS

RAS (VPN)

Internal FW

Internal LB

Outbound Gateway Inbound Gateway

ZSCALER INTERNET ACCESS: Secure access to the Internet and SaaS apps

ZSCALER PRIVATE ACCESS: Secure access to private apps: Data center or cloud

A new approach to app access and security: Flip the security model

Fast, secure, policy-based access connecting the right user to the right service and app

HQ/IOT

MOBILE

DC APPS

BRANCH

Securing the network is no longer relevant


An architectural approach for secure IT transformation

IoT, ON-THE-GO, HQ / BRANCHES

Security and Access Control

PRIVATE DC

SAAS

OPEN INTERNET

PUBLIC CLOUD

DC APPS

Allows internal apps to behave like cloud apps

External Internal

Secure the network

Secure Policy-Based Access connecting the right user to the right app or service

Cloud Security Gateway


Secure Access to Internet & SaaS


Allowed: HTTP(S)

Allowed: No signature match

Allowed: Trusted domain

Allowed: No Intercept

Allowed: Detected, not blocked

4. Sensitive data gets exfiltrated

Allowed: No Intercept (encrypted)

FW / IPS

URL Filter

Antivirus

DLP

SSL

Sandbox

Global LB

DDoS

FW/IPS

RAS (VPN)

Internal FW

Internal LB

Outbound & Inbound Gateway

www.nbc.com/leno

How do breaches happen despite massive investments in appliances?

1. Hacker infects a trusted domain

2. User visits compromised site and the PC gets infected – establishing a beachhead

3. The infected machine can then sniff for other machines and exploit vulnerabilities

Appliances weren’t designed to keep up with sophisticated threats

“45% of enterprises have suffered a ransomware attack.”

Attacks are targeting the weakest link – the user. They need to be protected – on and off network

“5% of enterprise PCs are infected with bots.” - Zscaler research

WHAT’S YOUR RISK SCORE – FIND OUT AT SECURITYPREVIEW.ZSCALER.COM


Cloud Security: Secure, fast access to the Internet and SaaS

Eliminates the appliance mess: allowing IT to focus on strategic / architectural initiatives.

Easy to forward traffic and authenticate users

MOBILE

Default route to Internet

Block the bad, protect the good

Zscaler App / PAC File

GRE / IPsec

HQ / IoT

BRANCH

ID Provider

Global real-time policy engine

• You retain full control – policy and admin
• Policies by user, locations, AD groups
• Follow-the-user policy for the same protection at any location, any device

Real-life analytics – actionable info

• Global visibility – cloud apps and usage
• Identify botnet-infected machines that need to be remediated

MPLS

DC APPS

Cloud Security Gateway


When the board asks, “Have we been compromised?”

Actionable intelligence to remediate botnet infected machines

THREATS BLOCKED

Malicious Content: 13.5 M
Botnet: 1092.0 K
Spyware or Adware: 270.3 K
Phishing: 47.7 K
Browser Exploit: 45.6 K
Cross-site Scripting: 33.8 K
Unauthorized Communication: 5.2 K
Peer-to-Peer: 383

BOTNET TRAFFIC BY LOCATION

Beijing: 313.5 K
São Paulo: 273.9 K
San Francisco: 203.2 K
Tokyo: 115.8 K
France: 76.2 K

BOTNET / C&C / USER

BOTNET INFECTED MACHINES


When the auditor asks, “Which cloud apps are we using?”

It starts with processing all Internet traffic (including SSL), not a few sites

MEDIA AND FILE SHARING

Is YouTube hogging Internet bandwidth?

Can you prioritize Office 365 over streaming?

BUSINESS APPS

WEBMAIL

Do you allow access to Russian webmail?

DEVELOPMENT

Is your intellectual property stored on GitHub?


ZSCALER TECHNOLOGY PARTNERS

MOBILE

Securely enable the usage of cloud apps: Zscaler provides inline CASB functionality and partners for out-of-band controls

HQ / IoT, BRANCH, SD-WAN

VISIBILITY: Real-time visibility into all users across all locations

THREAT PREVENTION: Full inline content inspection

APP RISK SCORING: Third-party integrations with Skyhigh, CloudLock, and CipherCloud

DATA LOSS PREVENTION: Inline protection for all users

ACCESS CONTROL: View / post, download / upload by file type, browser, and plugins

INLINE CASB

OUT-OF-BAND CASB (API)

e.g. sandbox a file that was shared by a partner via Box

API Integration

(In development)

Cloud Security Gateway


Secure network transformation: Enabled by moving security to the cloud

FROM: HUB-AND-SPOKE ARCHITECTURE

• Secure the network to protect users and apps
• All users must be on-network for protection
• Internet traffic backhauled over MPLS for protection

TO: HYBRID CLOUD ARCHITECTURE

• Policy-based access, users to apps
• On-net, off-net the user is always protected
• Local Internet breakouts

Cloud Security Gateway


Secure Access to Internal Apps on Azure or AWS


How digital businesses access internal apps today

Internal apps on public cloud (Azure, AWS): User traffic is backhauled to a static VPN gateway, traverses a site-to-site VPN and hairpins back to the user location

Internal apps in data center: User traffic is backhauled to a static VPN gateway and the network is extended to the user location

Site-to-site VPN

Inbound Gateway

Global LB

DDoS

FW/IPS

RAS (VPN)

Internal FW

Internal LB

Apps moved to a modern platform. Access is still 20-year-old technology

VPN MOSCOW

VPN MADRID

Bring users on the corp network to provide app access


Zscaler Private Access: Secure and fast policy-based access to private apps on Azure, AWS or your DC

Z-APP

Datacenter

User

POLICY (Brokers)

ID Provider

Windows, Mac, iOS, Android - On-net or off-net

Public Cloud

Private Apps: Web, TCP, UDP

Z-CONNECTOR

Connect a named user to a named app, not a network; Direct path to cloud apps without hairpinning through DC. No VPN needed

ZPA replaces the entire inbound gateway/DMZ. Not just a VPN replacement

Reduced cost, complexity, better security and user experience

ZPA: Innovative Design

1. Cloud-based policy engine – who can access what apps

2. Z-APP – Request access to app

3. Z-Connector – sits in front of apps. Starts inside out connection

Zscaler cloud brokers a secure connection between the Z-connector and Z-app

Why ZPA is Revolutionary

1. User never on your network

2. Apps are invisible (safe)

3. App segmentation without network segmentation

4. Use Internet as a secure network without VPN


The natural shift: On-premise to a cloud service

Inbound & Outbound Gateway

Ext. FW / IPS

URL Filtering

Antivirus

DLP

SSL

Sandbox

Global LB

DDoS

Ext FW/IPS

RAS (VPN)

Internal FW

Internal LB


Purpose-built, multi-tenant cloud architecture

Can you build a power plant with power generators designed for your home?

Different: Scale, design, and architecture

HOME POWER GENERATORS

POWER PLANT


Power Plant

Purpose-built, multi-tenant cloud architecture

Single-tenant – cloud-washing: Customer tied to a specific datacenter or VM

Appliances bolted together in “towers”: Firewall, IPS, Load Balancer, Database, Proxies, AV Scanners, Sandboxing

East Coast Tower 1 (customer 1 – 100), West Coast (101 – 200), Europe (201 – 300)

• To use more than one data center, policies need to be pushed - “batch”
• Logs scattered in every data center

Purpose-built cloud architecture: Customers roam across 100 data centers

Central Authority – Brain/nervous system, policy definition, cloud health, rapid updates

Enforcement Node – Inspects traffic, enforces policy

Logging Cluster – Logs go to a designated log cluster in real-time, never written in ZENs

SIEM

USA

EU

USER A (policy follows)

London, NY, Sydney

INTERNET


Real-Life Customer Evaluation – Acme Corp

Zscaler security cloud vs. on-premise security stack

Zscaler Stack

• No Hardware / Software, OPEX Cost Model
• Anywhere Policy Enforcement
• Full Log Analysis – Single Pane of Glass
• Advanced Threat Protection
• SSL Inspection
• Application Control and Visibility
• User Authentication, Real IP Source, and Bandwidth Controls

On-Premise Stack

• Complex Hardware / Software Deployment Subject to Lifecycle
• Security Policy Only Enforced On-Premise or via VPN
• Multiple Log Sources – Difficult Correlation
• ATP For Certain Traffic Flows
• No SSL Inspection w/o Significant Hardware/CapEx Investment
• Application Control for Certain Traffic Flows
• Can Support User Authentication – Major Architecture Mod for IP Source

From this: On-Premise Security Infrastructure

To this: Global Unified Access and Security Service


Zscaler: The market leader in cloud security

TECHNOLOGY INNOVATION

Cloud security platform Purpose-built (100 patents)

Largest security cloud

100 data centers

30B requests a day

125M threats blocked a day

MARKET LEADERSHIP

Trusted by G2000

5,000 organizations

15M users in 185 countries

Global partners

FINANCIAL STRENGTH

Accelerating growth

125% renewal rate

Solid financial model

Backed by

INDUSTRY ACCOLADES

MQ Leader Wave Leader


Zscaler = Zenith of scalability: Three dimensions of scale

5K+ Organizations

15M+ Users

All users – All traffic

[Chart: Monthly Office 365 traffic (TB)]

[Chart: Protection across countries]


The largest security cloud: Reliable, available, and fast

30B+ Requests/day

125M+ Threats blocked/day

120K+ Unique security updates/day

100 DATA CENTERS – 5 CONTINENTS

PEERING IN INTERNET EXCHANGES

150+ Vendors peered

Secure: On-going third-party testing. Certified

Reliable: Redundancy within and failover across DCs

Transparent: Trust Portal for service availability monitoring


Leader – 6 years in a row

Leading industry analysts agree…

Zscaler is a very strong choice for any organization interested in a cloud gateway.

…On-premises web content security can’t protect digital business…


Zscaler: A foundation for a modern access and security architecture

How Zscaler complements your existing ecosystem across five segments of security vendors

1. Access to the Internet & Apps

2. BRANCH (SD-WAN)

3. DEVICE MANAGEMENT & PROTECTION

4. IDENTITY & ACCESS

5. REPORTING & ANALYTICS

Inbound & Outbound Gateway

Device Mgmt:

AV:

Encryption:

Provisioning

Remediation

Traffic Forwarding

Real-time Log Feeds

SAML Integration

DC APPS

HQ/IOT

MOBILE

BRANCH

External

Internal


(BROADBAND)

A three-step journey to cloud and mobility transformation

SECURE: Up-level your security

Make Zscaler your next hop to the Internet.

Fast to deploy. No infrastructure changes required.

SIMPLIFY: Remove point products

Phase out gateway appliances at your own pace.

Reduce cost and management overhead.

TRANSFORM: Cloud-enable your network

Enable secure SD-WAN / local Internet breakouts – optimize backhaul.

Deliver a better and more secure user experience.


Zscaler: The foundation of a modern access and security architecture

Reduced Risk (CISO)

• Unmatched security – all users, branches, and devices
• Consistent policy and protection
• Always up-to-date

IT Simplification (CTO / IT Head)

• Consolidate point products and simplify IT
• Cloud-enabled network
• Rapid deployment

Impressive Value (CIO / CFO)

• No Capex, elastic subscription fee
• Reduced Opex, no box management
• Reduced MPLS costs

Fast Response Time (End-Users)

• Higher productivity – local breakouts
• Prioritize business apps
• Empowers users to leverage cloud apps

Where Zscaler can help

• Securing a distributed and mobile workforce
• SD-WAN transformation
• Office 365 deployment
• App migration from the data center to AWS or Azure


Key insights

‣The connected, cloud & mobile world is disruptive to enterprise security

‣Security and compliance must inevitably move into the cloud

‣You can quickly add extra layers of security, reduce costs and improve user experience

Meet us at the Zscaler booth

Free Security Health Check at www.zscaler.com