The evolution of IT in a cloud world
1. The evolution of IT in a cloud world
Larry Biagini, Chief Technical Evangelist
2. Cloud adoption will accelerate…
Creating new opportunities and threats
The point is…
3. Improved analytics, cloud and user interfaces are driving agility and user experiences…
the Internet is the foundation of business transformation
Business must embrace the Internet as their greatest weapon
4. CEOs are taking notice of how digital has changed the game
Business Transformation is real
5. Technology is no longer the sole domain of technologists
6. IT must change or become irrelevant
7. There is only one network in the world
AND YOU DON’T CONTROL IT
8. Business is going to drive the change – like it or not
It’s back to the drawing board if you want to thrive
9. Transformation does not start in the data center
It starts with the organizational mindset of doing business differently
10. What has to change?
CISO
• Shift from “security and controls” to “risk and enablement”
CIO
• Shift from technology-first to business-first
CTO
• Shift from architecting corporate networks to embracing the cloud
12. CISO’s evolving mindset
• It is a business discussion around why unsanctioned apps are being used
• Understanding the usage helps frame the associated risk
• Is usage malicious or careless?
• Either way, do we have a data leakage or exfiltration problem?
To keep from breaking new business processes and models, and to stay compliant, change the conversation from ’CONTROL' to ’RISK'.
13. The New CISO
• Stop talking Security with your board
• Get visibility into cloud services that are being consumed in your environment
• Separate your critical assets from the consumers of those assets
• Get Identity right - Invest in identity and access management
• Create a risk assessment and risk appetite so that the business has a means to make decisions
14. The New CIO/CTO
• Focus on Growth
• Move from an IT shop to a Digital Enabler
• Address your legacy environment head on
• Be honest with the board about technology debt
• Go fast - Speed is the new currency
15. Transform…
Controls Based      ->  Risk Based
No You Can’t        ->  Yes… and here’s how
Build Services      ->  Create Value
Prevention          ->  Detection & Response
Requirements        ->  Innovation – Fail Fast
Network-Centric     ->  User-Centric
IT                  ->  IT & OT
16. How Zscaler can help: cloud security for every campus, user, application and device on the Internet
17. Zscaler builds a perimeter around the Internet… so you don’t need to put a perimeter around every campus, user, application or device
Connect – Control – Secure: nothing bad comes in, nothing good leaks.
• HQ and remote offices: GRE tunnel from the site router to Zscaler
• Mobile employees: Zscaler App on the endpoint
• ID provider: supplies the user and group identity that policies are keyed on
• Simply configure the router or endpoint device to forward traffic to Zscaler
• Single policy console: define policies by user, group, location; policy follows the user
• Global, real-time reporting: gain visibility into all of the applications, users, threats, and botnet-infected machines
18. Zscaler Solution…
Zscaler Internet Access (ZIA) - Secure all users, all the time from Internet threats
Zscaler Private Access (ZPA) - Allow policy-based access to any internal or external service without requiring network access.
19. Zscaler Internet Access – The Secure Internet and Web Gateway Delivered as a Service
Block the bad, protect the good
• Traffic forwarding: HQ/IoT and branch sites send their default Internet route to Zscaler over a GRE/IPsec tunnel; mobile users use the Zscaler App or a PAC file
• Global real-time policy and analytics engine
• Security stack with Access Control, Threat and Data Prevention
• Full Inline Content Inspection with native SSL
• Cloud-Effect: Find once, block everywhere
• 60+ Threat Feeds and 120k updates/day
The Zscaler architecture is the best approach for SD-WAN and Office 365
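The slide lists a PAC file as one of the ways a mobile endpoint is told to forward its traffic to Zscaler. As an added illustration (this is not a Zscaler-supplied PAC file; the gateway hostnames and internal domain suffixes are placeholders), here is what such a file looks like, together with the one fail-open mistake a practitioner should avoid in it:

```javascript
// Added example: a proxy auto-configuration (PAC) file that makes a cloud
// security gateway the browser's next hop to the Internet. This is NOT a
// Zscaler-supplied PAC file; the hostnames and domains below are placeholders.
//
// PAC files are plain JavaScript: the browser calls FindProxyForURL(url, host)
// for every request. Browsers provide helpers such as isInNet() and
// dnsDomainIs(); the small helpers below are self-contained so the file also
// runs under Node for testing and does not depend on DNS lookups.

// Hypothetical gateway endpoints; a real deployment gets these from the vendor.
const PRIMARY_GATEWAY = "gateway1.cloudproxy.example:80";
const SECONDARY_GATEWAY = "gateway2.cloudproxy.example:80";

// Internal DNS suffixes that must stay on the corporate path. Keep this list
// short: every bypass here is traffic the gateway never inspects.
const INTERNAL_DOMAINS = [".corp.example", ".internal.example"];

// Returns true for dotted-quad addresses in RFC 1918 or loopback ranges.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  if (a === 10) return true;                        // 10.0.0.0/8
  if (a === 172 && b >= 16 && b <= 31) return true; // 172.16.0.0/12
  if (a === 192 && b === 168) return true;          // 192.168.0.0/16
  return a === 127;                                 // loopback
}

// True when host is the internal domain itself or a name underneath it.
function matchesInternalDomain(host) {
  const h = host.toLowerCase();
  return INTERNAL_DOMAINS.some((d) => h.endsWith(d) || h === d.slice(1));
}

function FindProxyForURL(url, host) {
  // Single-label intranet names and private addresses go direct.
  if (host.indexOf(".") === -1 || isPrivateIPv4(host) || matchesInternalDomain(host)) {
    return "DIRECT";
  }
  // Everything else is forwarded to the gateway. The failover list ends with a
  // second PROXY entry, not "DIRECT": appending "; DIRECT" would let the browser
  // silently fall back to an uninspected path whenever the gateway is
  // unreachable, i.e. the policy would fail open.
  return "PROXY " + PRIMARY_GATEWAY + "; PROXY " + SECONDARY_GATEWAY;
}
```

A PAC file only governs applications that honour the system proxy settings; the slide's other two forwarding options, the Zscaler App on the endpoint and a GRE/IPsec tunnel carrying a site's default Internet route, do not depend on the application being proxy-aware.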
20. Zscaler: A foundation for modern access and security
1) Access to the Internet and apps
2) Branch (SD-WAN)
3) Device management & protection
4) Identity & access
5) Reporting & analytics
Locations: HQ, mobile, branch, IoT. Destinations: apps.
21. Zscaler Private Access – An Innovative Software Defined Perimeter (SDP)
• Traditional application access requires network access; bringing users on network increases risk
• Zscaler uses policy to connect users to internal applications, whether in the cloud or in the data center; users are never on network, which reduces risk
How leading organizations use Zscaler Private Access
• Access to internal apps
• VPN replacement
• Secure partner access
• M&A and divestitures
Benefits
• Apps are invisible, never exposed
• Replace VPN - use the Internet as a secure network
• Easily deliver application segmentation
• Move apps to AWS/Azure easily
22. A three-step journey to secure IT transformation
SECURE – Up-level your security
Make Zscaler your next hop to the Internet. Fast to deploy. No infrastructure changes required.
SIMPLIFY – Remove point products
Phase out gateway appliances at your own pace. Reduce cost and management overhead.
TRANSFORM – Cloud-enable your network
Enable secure SD-WAN / local Internet breakouts over broadband – optimize backhaul. Deliver a better and more secure user experience.
23. The foundation of a modern access and security architecture
Reduced Risk (CISO)
• Unmatched security – all users, branches, and devices
• Consistent policy and protection by design vs. exception
• Always up-to-date
• No need to be patient zero
IT Simplification (CTO / IT Head)
• Consolidate point products and simplify IT
• Cloud-enabled network
• Rapid deployment
• Policy based access for internal, cloud and SaaS
Impressive Value (CIO / CFO)
• No Capex, elastic subscription fee
• Reduced Opex, no box management
• Manage security & compliance policy vs. technology
• No yearly maintenance fee
• Reduced MPLS costs
Fast Response Time (End-Users)
• Higher productivity – local breakouts
• Prioritize business apps
• Consistent user experience
• Empowers users to leverage cloud apps
• Intelligent peering for SaaS/O365
• Anywhere access with ZPA
24. Zscaler Cloud Security Platform – Powered by Patented Technologies
SSMA – All security engines fire with each content scan – only microsecond delay
ByteScan™ – Each outbound/inbound byte scanned, native SSL scanning
PageRisk™ – Risk of each object computed inline, dynamically
NanoLog™ – 50:1 compression, real-time global log consolidation
PolicyNow – Policies follow the user for the same on-premise, off-premise protection
Consolidate and simplify point appliances:
ACCESS CONTROL: Cloud Firewall, URL Filtering, Bandwidth Control, DNS Filtering
THREAT PREVENTION: Advanced Protection, Anti-Virus, Cloud Sandbox, DNS Security
DATA PROTECTION: File Type Controls, Data Loss Prevention, Cloud Apps (CASB)
25. Zscaler cloud traffic – compared to other transaction volumes
Daily volume (billions):
Tweets on Twitter             0.5
Facebook active users         2
Google searches               4
Salesforce.com transactions   5.4
YouTube views                 7.7
Zscaler transactions          35
27. Key Takeaways
• Move from IT and Security shops to digital enablers
• Speed is the new currency in the connected world, friction is unacceptable
• Legacy technology can and will hold you back, address it
• Realize work is an activity, not a place
• Get visibility into cloud services consumed by your users
• Legacy controls cannot keep you safe in the digital world
• Stop talking Security with your board, start talking about addressable risk
28. Create a frictionless experience
Protect your users from the Internet – Zscaler Internet Access
Protect your network from your users – Zscaler Private Access
Editor’s notes
I appreciate you taking the time to meet with us today. We’re very excited to share some significant changes that are happening in the industry and provide some color around how and why a lot of our customers are transforming their enterprise IT through cloud enablement.
We believe that in this new world of IT, the network security stack — and the need to buy, build, and manage appliances — is no longer relevant. With the amount of ransomware hitting organizations, it no longer makes sense. The question in this new world of globally dispersed and mobile users becomes, how do you secure it?
You need to flip the security model and take a new approach to how applications are accessed and where security is enforced. Security needs to move to the cloud and application access needs to shift from network-based to policy-based — and it needs to securely connect the right user to the right app. Easier said than done. You can’t simply deploy the same set of appliances sitting in your gateway today.
It won’t scale and it won’t perform. You’re essentially relocating the problem. The Zscaler cloud, built from scratch, is a multi-tenant cloud security platform equipped to secure this new world of IT.
If you recall, we described the gateways as having outbound and inbound components. For the outbound gateway, we have Zscaler Internet Access, which provides secure access to the Open Internet and SaaS applications — or your external apps. And for the inbound gateway, we have Zscaler Private Access, which is a completely new way of accessing internal apps. It provides secure access to internal apps, whether in the data center or cloud, without VPN.
With Zscaler it’s simple to get started. In fact, we’ve cut over 40,000 users over one weekend night and 160,000 users over 60 days.
All you need to do to make Zscaler your next hop to the Internet is to make Zscaler your default route. A number of customers did this to block threats that were going undetected by their current security appliances, without making any policy changes. Some also start by securing their mobile workers, then migrating their office locations. This allows them to take their security from a 6 or 7 to a 9 or 9.5 out of 10. No one is perfect. One ZPA customer got started with one of the use cases before replacing their entire VPN infrastructure.
The second phase of the journey involves phasing out security appliances to reduce cost and complexity. This can be done at your pace, but more often than not, this is typically shortly after or in tandem with starting to send traffic to Zscaler.
With Zscaler in place, the third phase of the journey is about routing traffic locally to Zscaler via Internet breakouts. By routing traffic locally, companies can optimize their MPLS spend and deliver a more secure and better user experience. Office 365 has been a key accelerator for local breakouts, as Microsoft now recommends routing traffic locally and doing local DNS, so users connect to the closest Office 365 PoP and get onto their CDN network as fast as possible. ExpressRoute is now only recommended for very specific use cases. Microsoft also cautions against hub-and-spoke architectures with centralized proxies for a variety of reasons.
With Zscaler fully deployed, it provides a lot of value to all key users and stakeholders.
For users we deliver a fast user experience by eliminating the latency associated with stacks of appliances and backhaul.
From a risk perspective, there is no question on the value of protection our cloud delivers.
The shift to the cloud eliminates patch management, outage windows, and vendor end-of-life issues — allowing you to focus on more important things than updating boxes.
From a financial perspective, it’s all Opex and we can optimize MPLS spend.
So if you’re looking to improve your overall security posture or secure your mobile workers, evaluating SD-WAN transformation to simplify the branch and reduce costs, deploying Office 365 and/or migrating your apps from the data center to AWS or Azure, we can help.
The Zscaler cloud security platform was purpose-built as a multi-tenant architecture and is powered by patented technologies. We architected the platform for performance and scale, and paid particular attention to maintaining user privacy. We never store content and we only write log files to disk in a location of your choice.
We built a proxy-based next-gen firewall that handles all ports and all protocols. We are not just a Web proxy; that is only one aspect of the platform.
SSMA – in a single scan we fire all of our engines
ByteScan – we scan all inbound and outbound traffic, including native SSL-inspection. Every page consists of hundreds of objects pulling from different sources, including CDNs and ad networks. All pose a threat. So we scan it all, regardless of the domain reputation
PageRisk – here we correlate information about the Web object and page and perform dynamic scoring of the content to determine its risk level.
NanoLog – this is how we process log files, a capability that is unique to Zscaler. It is one of the main reasons we can provide near-real-time access to logs for all users in all locations within 1-2 minutes. We apply WAN optimization techniques and can even anonymize log files, so that only those who know the user ID can associate a log entry with a user.
The platform consists of a series of tightly integrated services, and we categorize them into 3 buckets: Access Control, a cloud firewall that is a full next-gen firewall with a best-of-breed DPI engine, bandwidth control to prioritize business apps like Office 365 over other Internet traffic; DNS filtering, which some of our customers use for guest Wi-Fi to enforce an AUP; and of course URL filtering, which is pretty much table stakes.
For threat prevention we offer AV, DNS security, and a cloud sandbox with unique capabilities like patient-zero quarantine. Appliance sandboxes are extremely expensive and most customers can’t afford to use them for all traffic, so they often deploy them in tap mode and loosely chain them together with other appliances. Sandboxing is essential to protect against zero-day threats, and the only effective way to consume it is via a cloud service.
What really differentiates our security is our Advanced Threat Protection, which allows us to deliver better security. Advanced Threat Protection uses the underlying technologies we described earlier to inspect all content, identify patterns in callbacks to C&Cs and phishing sites, and look for cross-site scripting and code that has been obfuscated to avoid detection.
The third pillar is data protection. It only takes a few clicks to attach any confidential file in Gmail and send it out. By default, no document marked “Acme Confidential” should be sent out over Gmail. And since we were already inspecting traffic, adding another engine was relatively straightforward. A lot of our larger customers have on-premises DLP, and we complement them by adding protection for branches and mobile users. We can also tie in with the on-premises DLP solution by sending it information about the policies enforced.
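The policy in the paragraph above (no document marked Acme Confidential leaves over Gmail) is a destination rule combined with a content classifier. As an added, illustrative example (not Zscaler’s DLP engine; the webmail host list, the patterns and the sample requests are all constructed), the following evaluates such a policy over a few outbound requests. It goes one step beyond the text by adding a payment-card classifier with a Luhn check, so that a card-number rule does not fire on arbitrary 16-digit order numbers:

```javascript
// Added example: an inline data-loss-prevention decision run over constructed
// outbound requests. Illustrative code, not Zscaler's DLP engine; the app
// category, the classifiers and the sample traffic are made up for the example.

// Constructed "webmail" application category.
const WEBMAIL_HOSTS = ["mail.google.com", "outlook.live.com"];

// Confidentiality marker the policy protects. Case-insensitive and tolerant of
// extra whitespace so "ACME   Confidential" in a footer still matches.
const CONFIDENTIAL_MARKER = /\bacme\s+confidential\b/i;

// Luhn checksum: a candidate number that fails it is not a card number, which
// keeps the card rule from firing on order IDs, timestamps and similar digits.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Finds runs of 13-19 digits (spaces or hyphens allowed) and keeps only those
// that pass Luhn.
function containsCardNumber(text) {
  const candidates = text.match(/\b(?:\d[ -]?){13,19}\b/g) || [];
  return candidates.some((c) => {
    const digits = c.replace(/[ -]/g, "");
    return digits.length >= 13 && digits.length <= 19 && luhnValid(digits);
  });
}

// Policy decision for one outbound request. It blocks only when the destination
// is in the covered category AND a classifier matches, so ordinary mail to the
// same host is unaffected and confidential content to an uncovered host is left
// to other rules.
function evaluateRequest(req) {
  if (!WEBMAIL_HOSTS.includes(req.host.toLowerCase())) {
    return { action: "allow", reason: "destination not in webmail policy" };
  }
  const body = req.attachmentText || "";
  if (CONFIDENTIAL_MARKER.test(body)) {
    return { action: "block", reason: "confidential marker" };
  }
  if (containsCardNumber(body)) {
    return { action: "block", reason: "payment card number" };
  }
  return { action: "allow", reason: "no classifier matched" };
}

// Constructed sample traffic: user, destination host, extracted attachment text.
const SAMPLE_REQUESTS = [
  { user: "alice", host: "mail.google.com", attachmentText: "Q3 roadmap\nACME  Confidential\n..." },
  { user: "bob", host: "mail.google.com", attachmentText: "Lunch menu for Friday" },
  { user: "carol", host: "mail.google.com", attachmentText: "Card on file: 4111 1111 1111 1111" },
  { user: "dave", host: "mail.google.com", attachmentText: "Order id 1234 5678 9012 3456" },
  { user: "erin", host: "www.example.com", attachmentText: "ACME Confidential" },
];

function evaluateAll(requests) {
  return requests.map((r) => ({ user: r.user, ...evaluateRequest(r) }));
}
```

Two things in this shape matter in practice: the classifier runs on extracted text, so the engine has to be able to open the attachment (and, per the slide, to inspect inside TLS), and the decision records a reason, which is what the on-premises DLP mentioned above would be sent for correlation.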
Other Zscaler data protection services include inline CASB functionality, where we can block file types and limit a user to viewing Facebook without being able to post content or upload files.