Secure, Simplify and Transform to a Cloud-Enabled Enterprise: secure network transformation enabled by moving security to the cloud
©2017 Zscaler, Inc. All rights reserved.
Jay Chaudhry, CEO & Chairman, May 2017
The cloud security leader
IT'S TIME TO BREAK FREE FROM THE OLD WORLD OF IT
Secure, Simplify and Transform to a Cloud-Enabled Enterprise
Perimeter defenses: castle and moat. Protect people and gold.
A drawbridge lets people in and out.
Guards at the gate keep enemies out and gold in.
Modern-day castle and moat
Outbound gateway (secure access to the Internet): FW / IPS, URL filter, antivirus, DLP, SSL, sandbox. More threats, more appliances.
Inbound gateway (VPN to access DC apps): global LB, DDoS, FW/IPS, RAS (VPN), internal FW, internal FW/LB. More users, more appliances.
(Diagram: corporate network with the outbound and inbound gateways at its edge; a remote site labelled Moscow.)
The world evolved: people sought greener pastures.
The IT world has evolved: seeking greener pastures in the cloud
• Applications are moving to the cloud.
• Connections are following the path of least resistance.
• Users are leaving the corporate network.
(Diagram: headquarters in a hub-and-spoke architecture, with question marks over the traffic that no longer passes through it.)
Medieval times vs. modern times.
How do you secure this new world of IT?
(Diagram: workloads VM1 to VM6 running in the cloud.)
Architectural approach for better security to reduce risk
New world of IT: business happens everywhere (where is my perimeter?)
Apps are moving to SaaS / IaaS: the new center of gravity.
Hub-and-spoke architecture: MPLS to backhaul branch traffic to regional gateways (diagram: branch, data center, European GW and Asian GW joined over MPLS).
How many gateways do you have?
“80% of traffic on my WAN was for the DC and 20% for the Internet. Now it’s the opposite.” CIO, Fortune 500
How much are you paying to transport your Internet traffic on MPLS?
If you don’t control the network (the Internet), how can you secure it? The traditional network security stack is irrelevant.
A new approach to app access and security: flip the security model
Fast, secure, policy-based access connecting the right user to the right service and app. Securing the network is no longer relevant.
Replaces the inbound & outbound gateway stack: ext. FW / IPS, URL filtering, antivirus, DLP, SSL, sandbox (outbound); global LB, DDoS, ext. FW/IPS, RAS (VPN), internal FW, internal LB (inbound).
Zscaler Internet Access: secure access to the Internet and SaaS apps.
Zscaler Private Access: secure access to private apps in the data center or cloud.
(Diagram: users at HQ/IoT, mobile and branch reaching DC apps through the two services instead of the gateway appliances.)
An architectural approach for secure IT transformation
From: secure the network. To: secure policy-based access connecting the right user to the right app or service. This allows internal apps to behave like cloud apps.
Users (IoT, on-the-go, HQ / branches) connect through the cloud security gateway (security and access control) to external destinations (SaaS, open Internet, public cloud) and internal ones (private DC, DC apps).
Secure Access to Internet & SaaS
How do breaches happen despite massive investments in appliances?
1. Hacker infects a trusted domain (example shown: www.nbc.com/leno).
2. User visits the compromised site and the PC gets infected, establishing a beachhead.
3. The infected machine can then sniff for other machines and exploit vulnerabilities.
4. Sensitive data gets exfiltrated.
Each appliance in the outbound & inbound gateway lets the traffic through for its own reason:
• FW / IPS: allowed, HTTP(S) is permitted.
• URL filter: allowed, trusted domain.
• Antivirus: allowed, no signature match.
• SSL: allowed, no intercept.
• Sandbox and DLP: allowed, detected but not blocked; and because encrypted traffic is not intercepted, the exfiltration itself is never seen.
(The inbound appliances, global LB, DDoS, FW/IPS, RAS (VPN), internal FW and internal LB, play no part in this chain.)
Appliances weren’t designed to keep up with sophisticated threats. Attacks are targeting the weakest link, the user, who needs to be protected on and off the network.
“45% of enterprises have suffered a ransomware attack.” “5% of enterprise PCs are infected with bots.” (Zscaler research)
WHAT’S YOUR RISK SCORE? FIND OUT AT SECURITYPREVIEW.ZSCALER.COM
Cloud security: secure, fast access to the Internet and SaaS. Eliminates the appliance mess, allowing IT to focus on strategic / architectural initiatives.
• Easy to forward traffic and authenticate users: the cloud security gateway becomes the default route to the Internet (“block the bad, protect the good”). Mobile users forward traffic with the Zscaler App or a PAC file; HQ / IoT and branch sites forward over GRE / IPsec tunnels; users are authenticated against your ID provider. (Diagram: DC apps still reached over MPLS.)
• Global real-time policy engine: you retain full control of policy and administration; policies by user, location and AD group; follow-the-user policy gives the same protection at any location, on any device.
• Real-life analytics, actionable info: global visibility into cloud apps and usage; identify botnet-infected machines that need to be remediated.
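The PAC-file forwarding option above, as an added example that is not from the deck or from Zscaler: a proxy auto-config script that makes a cloud gateway the default next hop for Internet traffic while keeping intranet destinations direct. The gateway host and port and the internal DNS zone are assumptions; the guarded helper definitions only exist so the file can also be run outside a browser, which normally supplies those functions itself.

```javascript
// Added example: a PAC file that makes a cloud security gateway the default
// next hop for Internet traffic. Gateway host/port and the internal DNS zone
// below are assumptions, not values from the deck.
var GATEWAY = "PROXY gateway.cloud-security.example:8080";
var INTERNAL_ZONE = ".corp.example";

// Browsers provide isPlainHostName, dnsDomainIs and isInNet to PAC scripts.
// These guarded definitions keep the built-ins when present and only fill in
// equivalents when the file is run outside a browser (e.g. under Node).
var isPlainHostName = (typeof isPlainHostName === "function") ? isPlainHostName :
  function (host) { return host.indexOf(".") === -1; };
var dnsDomainIs = (typeof dnsDomainIs === "function") ? dnsDomainIs :
  function (host, domain) {
    return host.length >= domain.length && host.slice(-domain.length) === domain;
  };
function ip4ToInt(ip) {
  var p = ip.split(".");
  return (((+p[0]) << 24) | ((+p[1]) << 16) | ((+p[2]) << 8) | (+p[3])) >>> 0;
}
var isInNet = (typeof isInNet === "function") ? isInNet :
  function (ip, pattern, mask) {
    if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false;
    var m = ip4ToInt(mask);
    return ((ip4ToInt(ip) & m) >>> 0) === ((ip4ToInt(pattern) & m) >>> 0);
  };

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // 1. Short intranet names and the internal DNS zone cannot be reached from
  //    the cloud, so they bypass the gateway.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_ZONE)) return "DIRECT";
  // 2. Literal private (RFC 1918) and loopback addresses likewise stay local.
  //    Only literal IPs are checked: calling dnsResolve() on every request is
  //    slow, and a DNS answer the attacker controls could make a public host
  //    look internal (DNS rebinding) and steer it around the proxy.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      isInNet(host, "127.0.0.0", "255.0.0.0")) return "DIRECT";
  // 3. Everything else is Internet traffic: the gateway is the next hop.
  //    No "; DIRECT" fallback is appended, so if the gateway is unreachable
  //    the request fails closed instead of leaving the network uninspected.
  return GATEWAY;
}
```

A PAC file only steers proxy-aware clients (browsers and applications that honour the system proxy); non-proxy-aware traffic needs the agent or a GRE / IPsec tunnel, which is why the slide lists all three. Appending "; DIRECT" to the return value would keep users working during a gateway outage at the cost of silently bypassing inspection; choose that deliberately rather than by default.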
When the board asks, “Have we been compromised?”: actionable intelligence to remediate botnet-infected machines
Threats blocked (sample dashboard):
  Malicious content: 13.5 M
  Botnet: 1092.0 K
  Spyware or adware: 270.3 K
  Phishing: 47.7 K
  Browser exploit: 45.6 K
  Cross-site scripting: 33.8 K
  Unauthorized communication: 5.2 K
  Peer-to-peer: 383
Botnet traffic by location (sample dashboard):
  Beijing: 313.5 K
  São Paulo: 273.9 K
  San Francisco: 203.2 K
  Tokyo: 115.8 K
  France: 76.2 K
Botnet-infected machines: the dashboard ties each infected user machine to the botnet C&C it is talking to.
When the auditor asks, “Which cloud apps are we using?”: it starts with processing all Internet traffic (including SSL), not a few sites
• Media and file sharing: is YouTube hogging Internet bandwidth?
• Business apps: can you prioritize Office 365 over streaming?
• Webmail: do you allow access to Russian webmail?
• Development: is your intellectual property stored on GitHub?
Securely enable the usage of cloud apps: Zscaler provides inline CASB functionality and partners for out-of-band controls
Inline CASB (the cloud security gateway sits in the path of traffic from mobile users and from HQ / IoT and branch / SD-WAN sites):
• Visibility: real-time visibility into all users across all locations
• Threat prevention: full inline content inspection
• Data loss prevention: inline protection for all users
• Access control: view / post, download / upload by file type, browser, and plugins
Out-of-band CASB (API), through Zscaler technology partners:
• App risk scoring: third-party integrations with Skyhigh, CloudLock, and CipherCloud
• API integration (in development), e.g. sandbox a file that was shared by a partner via Box
Secure network transformation: enabled by moving security to the cloud
From: hub-and-spoke architecture
• Secure the network to protect users and apps
• All users must be on-network for protection
• Internet traffic backhauled over MPLS for protection
To: hybrid cloud architecture (cloud security gateway)
• Policy-based access, users to apps
• On-net or off-net, the user is always protected
• Local Internet breakouts
Secure Access to Internal Apps on Azure or AWS
How digital businesses access internal apps today
Internal apps on public cloud (Azure, AWS): user traffic is backhauled to a static VPN gateway, traverses a site-to-site VPN and hairpins back to the user location.
Internal apps in the data center: user traffic is backhauled to a static VPN gateway and the network is extended to the user location.
Inbound gateway stack: global LB, DDoS, FW/IPS, RAS (VPN), internal FW, internal LB (diagram: VPN concentrators in Moscow and Madrid).
Apps moved to a modern platform; access is still 20-year-old technology: bring users onto the corporate network to provide app access.
Zscaler Private Access: secure, fast, policy-based access to private apps on Azure, AWS or your DC
Connect a named user to a named app, not a network. Direct path to cloud apps without hairpinning through the DC. No VPN needed.
ZPA replaces the entire inbound gateway / DMZ; it is not just a VPN replacement. Reduced cost and complexity, better security and user experience.
ZPA design:
1. Cloud-based policy engine (brokers), fed by your ID provider: who can access what apps.
2. Z-App on the user device (Windows, Mac, iOS, Android; on-net or off-net) requests access to an app.
3. Z-Connector sits in front of the private apps (web, TCP, UDP) in the data center or public cloud and starts an inside-out connection. The Zscaler cloud brokers a secure connection between the Z-Connector and the Z-App.
Why ZPA is revolutionary:
1. The user is never on your network.
2. Apps are invisible (safe).
3. App segmentation without network segmentation.
4. Use the Internet as a secure network without VPN.
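The brokered flow described above, as an added example that is not Zscaler's code: an in-memory model in which apps exist for the broker only after a connector beside them registers them over an outbound connection, policy is written in terms of identity and named apps rather than networks, and a request that is denied is indistinguishable from one for an app that does not exist. App names, groups, connector ids and addresses are invented for the illustration.

```javascript
// Added example: an in-memory model of the brokered access flow described on
// the ZPA slide. This is not Zscaler code; app names, groups, connector ids
// and addresses are invented for the illustration.

// Apps are reachable only after a connector beside them dials OUT to the
// broker and registers them. Nothing here listens for inbound connections.
const registry = new Map(); // appId -> { connectorId, address }

function registerConnector(connectorId, apps) {
  for (const app of apps) registry.set(app.id, { connectorId, address: app.address });
  return registry.size;
}

// Policy names users (by IdP group) and apps, never source networks.
const policy = [
  { group: "finance", apps: ["erp-web", "hr-portal"] },
  { group: "sre", apps: ["erp-web", "erp-db-ssh"] },
];

function allowedApps(groups) {
  const allowed = new Set();
  for (const rule of policy) {
    if (groups.includes(rule.group)) rule.apps.forEach((a) => allowed.add(a));
  }
  return allowed;
}

// `session` stands in for the identity the IdP asserted for this user.
// Where the user sits (on-net / off-net) is deliberately not an input.
function brokerRequest(session, appId) {
  const target = registry.get(appId);
  const permitted = allowedApps(session.groups).has(appId);
  if (!target || !permitted) {
    // Identical answer for "no such app", "no connector is up for it" and
    // "not your app", so a client cannot enumerate what sits behind the broker.
    return { status: "denied", user: session.user, app: appId };
  }
  // The broker splices the user's outbound connection to the connector's
  // outbound connection. The client learns a connector id, never the app's
  // address, and the connector never sees the client's network.
  return { status: "paired", user: session.user, app: appId, connector: target.connectorId };
}

// Demo with constructed data: two apps on the same subnet behind one connector.
registerConnector("connector-dc1", [
  { id: "erp-web", address: "10.20.0.5:443" },
  { id: "erp-db-ssh", address: "10.20.0.6:22" },
]);
const alice = { user: "alice", groups: ["finance"], location: "off-net" };
const bob = { user: "bob", groups: ["sre"], location: "on-net" };
console.log(brokerRequest(alice, "erp-web"));    // paired via connector-dc1
console.log(brokerRequest(alice, "erp-db-ssh")); // denied: same subnet, different app
console.log(brokerRequest(alice, "hr-portal"));  // denied: permitted, but no connector registered it
console.log(brokerRequest(bob, "erp-db-ssh"));   // paired
```

The point the model makes is the "app segmentation without network segmentation" claim: alice reaches erp-web but not erp-db-ssh even though both sit on 10.20.0.0/24, and the decision never consulted where she connected from. A real deployment adds authentication of the connector itself and an authenticated session between client and broker; neither is modelled here.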
The natural shift: on-premise to a cloud service
The inbound & outbound gateway stack (ext. FW / IPS, URL filtering, antivirus, DLP, SSL, sandbox; global LB, DDoS, ext. FW/IPS, RAS (VPN), internal FW, internal LB) moves into the cloud service.
Purpose-built, multi-tenant cloud architecture
Can you build a power plant with power generators designed for your home? Different: scale, design, and architecture. (Image: home power generators vs. a power plant.)
Purpose-built, multi-tenant cloud architecture
Single-tenant (“cloud-washing”): the customer is tied to a specific data center or VM. Appliances (firewall, IPS, load balancer, database, proxies, AV scanners, sandboxing) are bolted together in “towers”, e.g. East Coast tower 1 (customers 1–100), West Coast (101–200), Europe (201–300).
• To use more than one data center, policies need to be pushed in “batch”.
• Logs are scattered in every data center.
Purpose-built cloud architecture: a customer roams across 100 data centers (diagram: user A in London, NY or Sydney; the policy follows the user).
• Enforcement node (ZEN): inspects traffic, enforces policy.
• Central Authority: brain / nervous system; policy definition, cloud health, rapid updates.
• Logging cluster: logs go to a designated log cluster (US or EU) in real time and are never written on ZENs; from there they feed the customer’s SIEM.
Real-life customer evaluation, Acme Corp: Zscaler security cloud vs. on-premise security stack
Zscaler stack | On-premise stack
No hardware / software, OPEX cost model | Complex hardware / software deployment subject to lifecycle
Anywhere policy enforcement | Security policy only enforced on-premise or via VPN
Full log analysis, single pane of glass | Multiple log sources, difficult correlation
Advanced threat protection | ATP for certain traffic flows
SSL inspection | No SSL inspection without significant hardware / CapEx investment
Application control and visibility | Application control for certain traffic flows
User authentication, real IP source, and bandwidth controls | Can support user authentication; major architecture modification for IP source
From this: on-premise security infrastructure. To this: global unified access and security service.
Zscaler: the market leader in cloud security
Technology innovation: purpose-built cloud security platform (100 patents); largest security cloud: 100 data centers, 30B requests a day, 125M threats blocked a day.
Market leadership: trusted by the G2000; 5,000 organizations; 15M users in 185 countries; global partners.
Financial strength: accelerating growth; 125% renewal rate; solid financial model; backed by (investor logos).
Industry accolades: Magic Quadrant (MQ) leader, Wave leader.
Zscaler = Zenith of scalability: three dimensions of scale
(Chart: 5K+ organizations, 15M+ users, all users, all traffic. Per-customer user counts from 80,000 up to ~1.3M and ~1.6M; monthly Office 365 traffic per customer of 35, 37, 38, 44 and 83 TB; protection across countries, with per-customer counts from 55 up to 190.)
The largest security cloud: reliable, available, and fast
30B+ requests/day; 125M+ threats blocked/day; 120K+ unique security updates/day
100 data centers on 5 continents; peering in Internet exchanges with 150+ vendors
Secure: ongoing third-party testing, certified. Reliable: redundancy within and failover across DCs. Transparent: Trust Portal for service availability monitoring.
Leading industry analysts agree: leader 6 years in a row.
“Zscaler is a very strong choice for any organization interested in a cloud gateway.”
“…On-premises web content security can’t protect digital business…”
Zscaler: a foundation for a modern access and security architecture. How Zscaler complements your existing ecosystem across five segments of security vendors:
1. Access to the Internet & apps: Zscaler replaces the inbound & outbound gateway between users (HQ/IoT, mobile, branch) and DC apps, external and internal.
2. Branch (SD-WAN): traffic forwarding.
3. Device management & protection: device management, AV and encryption vendors.
4. Identity & access: SAML integration.
5. Reporting & analytics: real-time log feeds.
(Other integration points shown: provisioning, remediation.)
A three-step journey to cloud and mobility transformation
1. Secure: up-level your security. Make Zscaler your next hop to the Internet. Fast to deploy; no infrastructure changes required.
2. Simplify: remove point products. Phase out gateway appliances at your own pace. Reduce cost and management overhead.
3. Transform: cloud-enable your network. Enable secure SD-WAN / local Internet breakouts over broadband and optimize backhaul. Deliver a better and more secure user experience.
Zscaler: the foundation of a modern access and security architecture
• Reduced risk (CISO): unmatched security for all users, branches, and devices; consistent policy and protection; always up to date.
• IT simplification (CTO / IT head): consolidate point products and simplify IT; cloud-enabled network; rapid deployment.
• Impressive value (CIO / CFO): no CapEx, elastic subscription fee; reduced OpEx, no box management; reduced MPLS costs.
• Fast response time (end users): higher productivity through local breakouts; prioritize business apps; empowers users to leverage cloud apps.
Where Zscaler can help: securing a distributed and mobile workforce; SD-WAN transformation; Office 365 deployment; app migration from the data center to AWS or Azure.
Key insights
‣ The connected, cloud & mobile world is disruptive to enterprise security
‣ Security and compliance must inevitably move into the cloud
‣ You can quickly add extra layers of security, reduce costs and improve user experience
Meet us at the Zscaler booth. Free Security Health Check at www.zscaler.com