12. 12 Securing your cloud transformation
[Map of data center locations] Cities labelled: Denver, Toronto, New York, Paris, London, Amsterdam, Brussels, Stockholm, Moscow, Mumbai, Singapore, Sydney, Cape Town, Madrid, Riyadh, Johannesburg, Atlanta, Dallas, Frankfurt, Sao Paulo, Lagos, Kuala Lumpur, Tel Aviv, Washington DC, Chicago, Los Angeles, Copenhagen, Melbourne, Milan, Hong Kong, Taipei, Zurich, Chennai, Tianjin, Tokyo, Doha, Dubai, Abu Dhabi, Miami, Jeddah, Al Khobar, Warsaw, Seattle, Oslo, Shanghai
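Industry No. 1 in "global coverage," which is also a SASE requirement
Requests processed per day: 60 billion+
Threats blocked per day: 1 billion+
Security information updates per day: 120,000+
Data centers deployed across 6 continents: 100
Peering capacity: 2Tb
Peering with major CSPs, including O365
Sources: 1: https://www.zscaler.com/threatlabz/global-internet-threats-insights 2: https://www.peeringdb.com
The Zscaler platform is used by global enterprises around the world.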
27. 27 Securing your cloud transformation
Data center & hardware
Business applications
Network security
When a "great transformation" occurs, new leaders are born
Securing your cloud transformation
MegaShift
Apps are leaving the data center and moving to the cloud as orgs are getting out of the DC and file storage business.
Yet, we continue to backhaul internet-bound traffic from branches to the data center to go out and hairpin back.
It’s even worse if you’re a mobile user - you bring a user on the network, from wherever they’re connecting only to go out again. I’ve yet to meet anyone that likes VPN.
It’s a poor user experience and you’re paying to backhaul traffic in two directions. It will only get worse as Internet traffic continues to grow with apps like Office 365.
The natural path is to go direct – and with 5G around the corner more traffic will go direct. But security is sitting in the DC, protecting the network. Leaving you exposed.
Once a user gets infected and they’re on the network, branch or remote, everyone is at risk. NotPetya exploited this and quickly infected other users on the network.
Our cloud is deployed in 100 data centers across 6 continents to bring security close to the user for a fast experience. Nestle, Siemens, and GE have users connecting to all of our datacenters around the world. Employees in London, connect in London. When the same employee is in NY, they connect to the NY data center.
We peer with all leading content and service providers, including Office 365, Azure, AWS, Box and Salesforce. This helps you get the fastest performance because our data centers sitting in Chicago and New York are peered with the content, giving you the fastest connection from our cloud. The DCs in yellow peer with Office 365. We have over 2Tbs of peering capacity today and are aggressively expanding.
The cloud processes over 60B transactions every day. We block over 100M threats each day. And do over 120,000 unique security updates every day. Imagine trying to do this with appliances. We have over 40 threat feeds updating our cloud and every time we identify a new threat, we block it everywhere.
We made sure that our cloud is very secure. Our cloud is the first security cloud platform for both ZIA and ZPA to receive FedRAMP certification.
We essentially flipped the security model and built a cloud security platform that securely connects a user to app, independent of where the app is located – whether it’s a SaaS app, or internal app in AWS, Azure or the DC.
And independent of the underlying network and device.
For sites that still have a lot of traffic destined for apps in the DC, you should continue to use MPLS, but break out Internet traffic locally – a hybrid branch. For sites that don’t have a lot of traffic going to the DC, you can route all traffic to Zscaler.
For HQ and branches, you route traffic to Zscaler over IPSec and GRE tunnels – this can be done using your router, or with SD-WAN.
For mobile users, we recommend using Zscaler App. In fact a lot of smaller sites use ZAPP instead of tunnels.
Traffic can be routed over 4G/5G, Broadband, Satellite – doesn’t matter.
The Zscaler cloud acts as a checkpost.
For access to SaaS apps or the internet, Zscaler provides full inline inspection, to block the bad and protect the good.
For access to internally managed apps in AWS, Azure or the DC, Zscaler private app connects an authenticated user and device to an authorized application.
In contrast, legacy networks were a private hub-and-spoke network that you controlled and managed. The security model was castle and moat, where you secure the network to protect users and apps.
In the new world, it’s a direct-to-cloud architecture over the internet: a network you don’t control, which breaks the network security model.
The security model in the new world is policy-based: it securely connects a user to an app or service.
We often get asked, what exactly do you replace and do you eliminate the need for firewalls.
When you take a look at the internet gateway, you have outbound gateways protecting users going to the internet, and inbound gateways: an inbound gateway for remote access or VPN, and inbound gateways to protect servers and apps.
With ZIA, we eliminate the entire outbound SWG stack of appliances.
With ZPA, we eliminate the VPN stack of appliances.
While we do replace the need for branch firewalls and UTMs, we do not replace firewalls protecting your servers and apps in the data center. Our view is that over time these servers will eventually move to the cloud.
On the flip side, we enable a fast and secure direct-to-cloud architecture. This allows you to reduce your MPLS costs and, in the case of AutoNation (the largest car dealership in the US), the need to deploy over 300 branch firewalls in their branches.
Zscaler was founded on the notion that cloud and mobility would disrupt traditional network and security architectures.
To secure this new world, we realized we need to build a security cloud from the ground up. Just like Salesforce built a multitenant CRM platform.
Simple goal: provide fast, secure and reliable access to your apps – across any network, on any device, from any location.
Today our cloud…..
Our cloud has been proven by some of the world’s largest brands to support these use cases.
Zscaler started with the goal of being the Salesforce of cloud security. Scale was extremely important.
In fact, Zscaler stands for Zenith of Scalability. Let me highlight 4 dimensions of scale.
Protection across countries: Siemens has employees being secured by our cloud in over 185 countries.
Locations protected: LDS has over 30K meeting houses all over the world that offer Internet services – we secure all of them.
Users protected: MCNC: over 1.3 M users in North Carolina are secured by Zscaler – most of it being SSL traffic to YouTube.
YouTube hands down created more traffic on our network until late last year. Office 365 traffic has now surpassed YouTube and accounts for 20% of our Internet traffic.
All companies will have a logo slide – many only sold a box being used for a department or small office. With a few exceptions, all employees from all locations go through Zscaler every day.
Adoption is not just across all industries. We have the largest organizations in most verticals trusting Zscaler for their secure cloud transformation.
A lot of companies, including Mars and United, got started with Zscaler to reduce their risk and improve security – adding advanced threat protection over their existing stack, extending the same level of protection to remote users, and in some cases using ZPA to provide executives and departments a VPN alternative for remote access.
After deploying Zscaler, the second phase of their journey involves phasing out security appliances to reduce cost and complexity. This can be done at your pace, but more often than not, this is typically shortly after or in tandem with starting to send traffic to Zscaler.
The third phase of the journey is about routing traffic locally via Internet breakouts to Zscaler. By routing traffic locally companies can optimize their MPLS spend and deliver a more secure and better user experience. Office 365 has been a key accelerator for local breakouts as Microsoft now recommends routing traffic locally and doing local DNS. So users are connecting to the closest Office 365 pop and on their network as fast as possible.
Most companies tend to follow the secure, simplify, and transform journey, but the underlying use case may be different.
To close, technology is always changing, but every 10-15 years, megashifts take place that create new opportunities and new leaders. It’s extremely difficult for incumbents to pivot.
Datacenter and hardware are moving to Azure and AWS.
Applications that sat in the datacenter are being replaced by SaaS applications. Workday is replacing Peoplesoft, ServiceNow is replacing Remedy, and Salesforce is replacing Siebel. Siebel tried to compete with Salesforce by repurposing their on-premises app for the cloud, but it’s not that easy and doesn’t work.