The evolution of IT in a cloud world
•
3 gostaram•484 visualizações
How Zscaler can help: cloud security for every campus, user, application and device on the Internet
Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Semelhante a The evolution of IT in a cloud world
Semelhante a The evolution of IT in a cloud world (20)
Mais de Zscaler
Mais de Zscaler (20)
Último
Último (20)
The evolution of IT in a cloud world
- 1. The evolution of IT in a cloud world Larry Biagini, Chief Technical Evangelist
- 2. Cloud adoption will accelerate… Creating new opportunities and threats The point is… 1
- 3. Improved analytics, cloud and user interfaces are driving agility and user experiences… the Internet is the foundation of business transformation Business must embrace the Internet as their greatest weapon 2
- 4. CEOs are taking notice of how digital has changed the game Business Transformation is real 3
- 5. Technology is no longer the sole domain of technologists 4 IT must change or become irrelevant 4
- 6. There is only one network in the world 5
- 7. There is only one network in the world AND YOU DON’T CONTROL IT 6
- 8. Business is going to drive the change – like it or not It’s back to the drawing board if you want to thrive 7
- 9. Transformation does not start in the data center 8 It starts with the organizational mindset of doing business differently 8
- 10. What has to change? CISO • Shift from “security and controls” to “risk and enablement” CIO • Shift from technology- first to business-first CTO • Shift from architecting corporate networks to embracing the cloud 9
- 11. Internet Controls Framework Users Devices Networks Applications Data ©2016 Zscaler, Inc. All rights reserved Controls Framework Users Devices Networks Applications Data Internet Technology evolution… 10
- 12. • It is a business discussion around why unsanctioned apps are being used • Understanding the usage helps frame the risk associated • Is usage malicious or careless? • Either way, do we have a data leakage or exfiltration problem? To keep from breaking new business processes and models, and be compliant…change the conversation from ’CONTROL' to ’RISK' CISO’s evolving mindset 11
- 13. The New CISO • Stop talking Security with your board • Get visibility into cloud services that are being consumed in your environment • Separate your critical assets from the consumers of those assets • Get Identity right - Invest in identity and access management • Create a risk assessment and risk appetite so that the business has a means to make decisions 12
- 14. The New CIO/CTO • Focus on Growth • Move from an IT shop to a Digital Enabler • Address your legacy environment head on • Be honest with the board about technology debt • Go fast - Speed is the new currency 13
- 15. Controls Based No You Can’t Build Services Prevention Requirements Network-Centric IT Risk Based Yes… and here’s how Create Value Detection & Response Innovation – Fail Fast User-Centric IT & OT Transform… 14
- 16. How Zscaler can help: cloud security for every campus, user, application and device on the Internet 15
- 17. So you don’t need to put a perimeter around every campus, user, application or device Gain visibility into all of the applications, users, threats, and botnet-infected machines. GLOBAL, REAL-TIME REPORTING SINGLE POLICY CONSOLE Define policies by user, group, location. Policy follows the user. MOBILE EMPLOYEES Connect – Control – Secure Nothing bad comes in, nothing good leaks Zscaler App GRE SIMPLY CONFIGURE THE ROUTER OR ENDPOINT DEVICE TO FORWARD TRAFFIC TO ZSCALER HQ REMOTE OFFICES ID PROVIDER Zscaler builds a perimeter around the Internet… 16
- 18. Zscaler Internet Access (ZIA) - Secure all users, all the time from Internet threats Zscaler Private Access (ZPA) - Allow policy based access to any internal or external servic without requiring network access. Zscaler Solution… 17
- 19. HQ/IOT MOBILE BRANCH Zscaler App or PAC File GRE/Ipsec Tunnel Default Internet route Block the bad, protect the good The Secure Internet and Web Gateway Delivered as a Service Global real-time policy and analytics engine Security stack with Access Control, Threat and Data Prevention Full Inline Content Inspection with native SSL Cloud-Effect: Find once, block everywhere 60+ Threat Feeds and 120k updates/day The Zscaler architecture is the best approach for SD-WAN and Office 365 Zscaler Internet Access 18
- 20. Access to the Internet and apps1 IDENTITY & ACCESS4 REPORTING & ANALYTICS5 DEVICE MANAGEMENT & PROTECTION 3 BRANCH (SD-WAN)2 HQMOBILE BRANCHIOT APPS Zscaler: A foundation for modern access and security 19
- 21. MOBILE An Innovative Software Defined Perimeter (SDP) Bringing users on network increases risk Users are never on network which reduces risk Zscaler uses policy to connect users to internal applications Traditional application access requires network access CLOUD INTERNAL APP DATA CENTER INTERNAL APP How leading Organizations use Zscaler Private Access Access to Internal Apps VPN replacement Secure Partner Access M&A and Divestitures Apps are Invisible, never exposed Replace VPN - Use Internet as secure network Easily deliver application segmentation Move apps to AWS/Azure easily Zscaler Private Access 20
- 22. A three-step journey to secure IT transformation SECURE Up-level your security Make Zscaler your next hop to the Internet. Fast to deploy. No infrastructure changes required. SIMPLIFY Remove point products Phase out gateway appliances at your own pace. Reduce cost and management overhead. (BROADBAND) Enable secure SD-WAN / local Internet breakouts – optimize backhaul. Deliver a better and more secure user experience. TRANSFORM Cloud-enable your network 21
- 23. Unmatched security – all users, branches, and devices Consistent policy and protection by design vs. exception Always up-to-date No need to be patient zero Consolidate point products and simplify IT Cloud-enabled network Rapid deployment Policy based Access for Internal, Cloud and SaaS No Capex, elastic subscription fee Reduced Opex, no box management Manage Security & Compliance policy vs. Technology No yearly maintenance fee Reduced MPLS costs Higher productivity – local breakouts Prioritize business apps Consistent User experience Empowers users to leverage cloud apps Intelligent Peering for SaaS/O365 Anywhere Access with ZPA Fast Response Time (End-Users) Reduced Risk (CISO) IT Simplification (CTO / IT Head) Impressive Value (CIO / CFO) The foundation of a modern access and security architecture 22
- 24. Powered by Patented Technologies SSMA All security engines fire with each content scan – only microsecond delay ByteScanTM Each outbound/inbound byte scanned, native SSL scanning PageRiskTM Risk of each object computed inline, dynamically NanoLogTM 50:1 compression, real-time global log consolidation PolicyNow Polices follow the user for Same on-premise, off-premise protection ACCESS CONTROL CLOUD FIREWALL URL FILTERING BANDWIDTH CONTROL DNS FILTERING THREAT PREVENTION ADVANCED PROTECTION ANTI-VIRUS CLOUD SANDBOX DNS SECURITY DATA PROTECTION FILE TYPE CONTROLS DATA LOSS PREVENTION CLOUD APPS (CASB) Zscaler Cloud Security Platform Consolidate and simplify point appliances 23
- 25. Zscaler cloud traffic – compared to other transaction volumes 0.5 2 4 5.4 7.7 35 0 5 10 15 20 25 30 35 Tweets on Twitter Facebook Active Users Google Searches Salesforce.com Transactions YouTube Views Zscaler Transactions Daily Volume (Billions) Zscaler Internal & Confidential 24
- 26. We scale as Internet traffic grows 25 • Secured 2 Trillion transactions • Stopped 3.4 Billion threats (0.2%) • Enforced 67 Billion policies (3.4%) Zscaler Cloud Q3 FY17 Summary 14% quarterly growth rate 25
- 27. Key Takeaways • Move from IT and Security shops to digital enablers • Speed is the new currency in the connected world, friction is unacceptable • Legacy technology can and will hold you back, address it • Realize work is an activity, not a place • Get visibility into cloud services consumed by your users • Legacy controls cannot keep you safe in the digital world • Stop talking Security with your board, start talking about addressable risk 26
- 28. Create a frictionless experience Protect your users from the Internet – Zscaler Internet Access Protect your network from your users – Zscaler Private Access
Notas do Editor
- I appreciate you taking the time to meet with us today. We’re very excited to share some significant changes that are happening in the industry and provide some color around how and why a lot of our customers are transforming their enterprise IT through cloud enablement.
- We believe that in this new world of IT, the network security stack — and the need to buy, build, and manage appliances — is no longer relevant. With the amount of ransomware hitting organizations, it no longer makes sense. The question in this new world of globally dispersed and mobile users becomes, how do you secure it? You need to flip the security model and take a new approach to how applications are accessed and where security is enforced. Security needs to move to the cloud and application access needs to shift from network-based to policy-based — and it needs to securely connect the right user to the right app. Easier said than done. You can’t simply deploy the same set of appliances sitting in your gateway today. It won’t scale and it won’t perform. You’re essentially relocating the problem. The Zscaler cloud, built from scratch, is a multi-tenant cloud security platform equipped to secure this new world of IT. If you recall, we described the gateways as having outbound and inbound components. For the outbound gateway, we have Zscaler Internet Access, which provides secure access to the Open Internet and SaaS applications — or your external apps. And for the inbound gateway, we have Zscaler Private Access, which is a completely new way of accessing internal apps. It provides secure access to internal apps, whether in the data center or cloud, without VPN.
- We believe that in this new world of IT, the network security stack — and the need to buy, build, and manage appliances — is no longer relevant. With the amount of ransomware hitting organizations, it no longer makes sense. The question in this new world of globally dispersed and mobile users becomes, how do you secure it? You need to flip the security model and take a new approach to how applications are accessed and where security is enforced. Security needs to move to the cloud and application access needs to shift from network-based to policy-based — and it needs to securely connect the right user to the right app. Easier said than done. You can’t simply deploy the same set of appliances sitting in your gateway today. It won’t scale and it won’t perform. You’re essentially relocating the problem. The Zscaler cloud, built from scratch, is a multi-tenant cloud security platform equipped to secure this new world of IT. If you recall, we described the gateways as having outbound and inbound components. For the outbound gateway, we have Zscaler Internet Access, which provides secure access to the Open Internet and SaaS applications — or your external apps. And for the inbound gateway, we have Zscaler Private Access, which is a completely new way of accessing internal apps. It provides secure access to internal apps, whether in the data center or cloud, without VPN.
- With Zscaler it’s simple to get started. In fact, we’ve cut over 40,000 in 1 weekend night and 160,000 users over 60 days. All you need to do to make Zscaler your next hop to the Internet is to make Zscaler your default route. A number of customers did this to block threats that were going undetected by their current security appliances without making any policy changes. Some also start by securing their mobile workers, then migrating their office locations. This allows them to take their security from a 6 or 7 to a 9 or 9.5 out of 10. No one is perfect. One ZPA customer got started with one of the uses cases before replacing their entire VPN infrastructure. The second phase of the journey involves phasing out security appliances to reduce cost and complexity. This can be done at your pace, but more often than not, this is typically shortly after or in tandem with starting to send traffic to Zscaler. With Zscaler in place, the third phase of the journey is about routing traffic locally via Internet breakouts to Zscaler. By routing traffic locally companies can optimize their MPLS spend and deliver a more secure and better user experience. Office 365 has been a key accelerator for local breakouts as Microsoft now recommends routing traffic locally and doing local DNS. So users are connecting to the closest Office 365 pop and on their CDN Network as fast as possible. ExpressRoute is now only recommending for very specific use cases. Microsoft also cautions against hub-and spoke-architectures with centralized proxies for a variety of reasons.
- With Zscaler fully deployed, it provides a lot of value to all key users and stakeholders. For users we deliver a fast user experience by eliminating the latency associated with stacks of appliances and backhaul. From a risk perspective, there is no question on the value of protection our cloud delivers. The shift to the cloud eliminates patch management, outage windows, and vendor end-of-life issues — allowing you to focus on more important things than updating boxes. From a financial perspective, it’s all Opex and we can optimize MPLS spend. So if you’re looking to either improve your overall security posture or secure your mobile worker, evaluating SD-WAN transformation to simply the branch and reduce costs, deploying Office 365 and/or migrating your apps from the data center to AWS or Azure, we can help.
- The Zscaler cloud security platform was purpose-built as a multi-tenant architecture and is powered by patented technologies. We architected the platform for performance and scale, and paid particular attention to maintaining user privacy. We never store content and we only write log files to disk in a location of your choice. We built the proxy based next-gen firewall that handles all ports and all protocols. We are not a just a Web proxy. It’s only one aspect of the platform. SSMA – in a single scan we fire all of our engines ByteScan – we scan all inbound and outbound traffic, including native SSL-inspection. Every page consists of hundreds of objects pulling from different sources, including CDNs and ad networks. All pose a threat. So we scan it all, regardless of the domain reputation PageRisk – here we correlate information about the Web object and page and perform dynamic scoring of the content to determine it’s risk level NanoLog – this is how we process log files, a functionality that is unique to Zscaler. It is one of the main reasons we can provide near real-time access of logs for all users in all locations within 1-2 minutes. We apply WAN op techniques and can even anonymize log files, and only those that know the user ID can associate a log file to a user The platform consists of a series of tightly integrated services, and we categorize them into 3 buckets: Access Control, a cloud firewall that is a full next-gen firewall with a best-of-breed DPI engine, bandwidth control to prioritize business apps like Office 365 over other Internet traffic; DNS filtering, which some of our customers use for guest Wi-Fi to enforce an AUP; and of course URL filtering, which is pretty much table stakes. For threat prevention we offer AV, DNS security, and a cloud sandbox with unique capabilities like patient zero quarantine. Appliance sandboxes are extremely expensive and most customers can’t afford to use them for all traffic. So they often deploy them in tap mode and loosely chain them together with other appliances. Sandboxing is essential to protect against zeroday threats and the only effective way to consume it is via a cloud service. What really differentiates our security is our Advanced Threat Protection — which allows us to deliver better security. Advanced Threat Protection uses the underlying technologies we described earlier to inspect all content, identify patterns in callbacks to C&Cs and phishing sites, and look for cross-site scripts and code that’s been obfuscated to avoid detection. The third pillar is data protection. It only takes a few clicks to attach any confidential file in Gmail and send it out. By default no document saving acme confidential should be sent out over Gmail. And since we were already inspecting traffic, adding another engine was relatively straightforward. A lot of our larger customers have on-premises DLP and we complement them by adding protection to branches and mobile users. We can also tie it in with the on-premises DLP solution by sending it information for policies enforced. Other Zscaler data protection services include inline CASB functionality where we can block file types, and limit a user to only view Facebook without being able to post content or upload files.