When Schneider Electric decided to undergo a digital transformation initiative, they knew their approach to security would also need to transform. As their apps moved to the cloud and their users left the network, the Schneider team needed a way to deliver consistent security controls across a globally dispersed workforce of 140,000 users.
5. Global specialist in energy management and automation
Located in over 100 countries (1000+ locations)
Over 170,000 employees
130,00 Internet facing employees
Four businesses
• Buildings & Partner
• Infrastructure
• Industry
• IT
Four principal markets
• Non-residential & residential buildings
• Utilities & infrastructure
• Industry & machine manufacturers
• Data centers & networks
6. Challenges at Schneider
Mobile Users
• Traveling users connecting to wrong GEO based breakout
• Performance and internet experience was terrible
Policy Management
• Securing a distributed workforce requires strong policy control
• Difficulties in managing policy across all users on and off network
User Authentication
• Access to cloud applications like Office 365
• Location of users – off or on network & split tunneling
7. Dealing with Untrusted Networks
Cloud apps like Office 365 are accessed over the Internet.
Authentication and VPN split tunneling added a challenge for Schneider users.
[Diagram labels: Microsoft Edge Node; Exchange Online; Schneider Tenant; Amsterdam | Dublin; St. Louis; Open Internet; Non-trusted IP; Tunnel; Schneider Network; VPN traffic at destination to internal IP addresses; Outlook traffic at destination to Microsoft Cloud]
10. Zscaler App for both Internet and Private Access
Zscaler Private Access: access to private apps from anywhere
• No VPN Required
• No Internal Network Visibility
• No Network Lateral Movement
• No Inbound Ports Required
• Mutually Authenticated Secure Tunnel
• Transparent Application Access for Users
Zscaler Internet Access: secure internet access from anywhere
• Trusted Network Detection
• Compatible with other forwarding methods
• Works with existing Zscaler Policies
• No backhauling traffic through corporate network
• Strict Enforcement
11. Centralized view of all Devices
Single Portal for Z App Endpoint Management
Traffic Forwarding
• Trusted Network Detection
• VPN Interoperability
• Geographic Routing
Client Policy
• Control Access to App Functions
• Privacy Compliance
• Control App Disabling and Removal
Version Control
• Download App Versions
• Control Application Auto-Updates
• Version and Status Reporting
14. Advantages of using Zscaler App
Zscaler App
• PAC Management Handled by Z App
• Non Proxy Aware App Traffic
• Location Aware PAC Changing
• Additional Client Policy
• Visibility Into Devices
• Transparent Authentication
Without Zscaler App (PAC)
• PAC Management External (GPO)
• Only Gets Proxy Aware Traffic
• PAC Is Static
• No Additional Policies, only Forwarding
• No List of PAC Only Devices
• Cookie Based Authentication
16. The Deployment
• ZAPP was distributed in “push” mode by using SCCM
• Deployed over six months
• Piloted and deployed region by region
• Deployed to 70,000 employees
• 2000 users per deployment
• NA – 20,000 users in 10 weeks
17. Zscaler App Deployment Results at Schneider
Mobile Users
• Transparent App with minimal impact to the user base
Policy Management
• Security policy is now centralized and unified across all users on and off network
User Authentication
• Simplified across all cloud and network apps. User experience and performance vastly improved
19. Why Zscaler App?
Simple deployment at large scale with no infrastructure dependencies
Configure
• Define Trusted Network Criteria
• Identify Groups and Policies
• Define ZPA Apps and ZIA Policy
Deploy
• Distribute Z App using existing client management tools
• Pre-configure to simplify user experience
Report
• Leverage ZIA and ZPA consoles for access and policy logging
• Zscaler App Portal for fleet status