Zscaler Private Access Webinar, 14 May 2019
©2019 Zscaler, Inc. All rights reserved.
Private Application Access with Zscaler
Secure access to private apps without requiring access to the network
Steffen Probst, Consulting Sales Engineer
Securing your cloud transformation
Zscaler: Securely transform IT for a cloud world
RELIABLE. FAST. SECURE.
Business policies connect users to apps from anywhere, over any network
Market Leader: 300 of the Forbes Global 2000; Nasdaq: ZS
Global Presence: 100+ data centers across 6 continents
Proven Scale: 60B+ transactions processed daily
How Application Access Traditionally Works
Diagram (inbound access path): Global LB, DDoS, Ext. FW / IPS, Internal LB, Internal FW, RAS (VPN), Site-to-site VPN, Remote User
• Risk is introduced by placing users on the network
• Complexity of ACLs and firewalls can make remote access difficult to manage
• Users become frustrated with VPN
• Months spent just getting the infrastructure set up
How users felt.
Zscaler: Secure and fast access to any app, from anywhere
Any device, any location, on-network or off-network (HQ, Mobile, Branch, IoT)
Externally managed (Open Internet, SaaS): Zscaler Internet Access (ZIA) securely connects users to externally managed SaaS applications and internet destinations. Traditional appliance stack: firewall / intrusion prevention, URL filter, anti-virus, data loss prevention, secure sockets layer inspection, sandbox.
Internally managed (Public Cloud, Private Cloud / DC): Zscaler Private Access (ZPA) securely connects authorized users to internally managed applications. Traditional appliance stack: global load balancing, distributed denial of service protection, external firewall / intrusion prevention, VPN concentrator, internal firewall, internal load balancer.
Software Defined Perimeter (SDP)
App transformation drives need for a user-centric approach to access
Old World vs. New World
Application Location: Datacenter -> Cloud + Datacenter
Network Architecture: "Hub-and-spoke" (backhaul traffic to the data center) -> Hybrid Network (direct-to-cloud and data center)
Security Approach: "Castle and Moat" (secure the corporate network) -> Security Checkpost (securely connect users and devices regardless of network)
Software-Defined Perimeter (SDP)
A modern approach to remote access and zero trust: it abandons the network-centric design and instead secures private application access using a user- and app-centric approach.
"By 2021, 60% of enterprises will phase out network VPNs for digital business communications in favor of software-defined perimeters." (Gartner, November 2017)
• Decouples private application access from network access
• 100% software-defined; no physical or virtual appliances needed
• Application access is micro-segmented and provisioned on a least-privilege basis
• Advanced visibility into all user and app activity
• A different approach to zero trust than firewalls with users placed on the network
ZPA in comparison to other access solutions
Access controls used by other solutions: internal firewalls and IP-based ACLs; NAC; internal firewalls, IP-based ACLs and tunnel policies.
Zscaler Private Access: user- and app-centric access policy instead of network-level controls.
Zscaler Private Access: Software-defined access to private applications
Internally managed applications in the Public Cloud and Private Cloud / Data Center; users at HQ, Mobile, Branch, IoT
• No firewall appliances or ACLs; minimizes overhead and costs
• Application segmentation without network segmentation
• App connectivity without trusting users or placing them on-net
• Completely seamless user experience across users and apps
Part of an ecosystem built for securing access to hybrid environments
Users (HQ, Employee, Partners) connect through the inline SDP to the Public Cloud and Private Cloud / Data Center: secure access without security appliances, faster user experience.
1. Cloud providers
2. Identity and authentication: conditional access / SAML integration
3. Reporting and analytics: real-time log feed
4. Device management and protection: provisioning and remediation
Zscaler Private Access – How it works
Diagram: Employees and Partners (Z-App), ID Provider, Policy Console, ZEN (New York, London, Sydney), App Connector and LB for apps in the DC and Public Cloud
GETTING STARTED
• Deploy Z-App on endpoints
• Deploy App Connector in front of your apps
• Define user and app access policies
HOW IT WORKS
1. User attempts to access an app
2. User identity/role is verified (before DNS)
3. Policy is checked to determine if access is permitted
4. Optimal path to app is determined
5. If allowed: App Connector initiates an outbound connection; Z-App initiates a connection (per app); the Zscaler enforcer node (ZEN) stitches the connections together
6. App Connector (Z-Connector) provides app load balancing across VMs/servers
7. Monitor app usage: anomaly detection
Unmatched Security: Strong authentication, context-aware policy
Strong Authentication: critical as users get ubiquitous access to apps
• Device fingerprint and your company certificate
• Device posture checking
• Integration with your directory
• SAML-based; multi-factor authentication
Four Contexts for Policy
• User context: John can access only a specific app; Marketing can access a group of apps
• App context: access to a specific app or app groups; each app can be its own segment
• Device context: John can access a specific app only from a company-owned PC (with certificate)
• Location context: understand where user access originates; restrict which apps can be accessed from the road
Example (diagram): ID Provider; users at Office, Hotel, and on 4G in Moscow; apps in the Private DC and Public Cloud
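As an added example (not Zscaler's code or product logic), the following Python models the policy check in steps 2 and 3 of the "How it works" flow using the four contexts above: deny by default, access scoped to an application segment rather than a network, and a rule that matches only when all of its user, app, device and location conditions hold. All users, groups, FQDNs and posture fields are constructed for the example.

```python
"""Toy evaluator for ZPA-style application access policy.

Added illustration, not Zscaler code. Every name below (users, groups,
application segments, device posture fields) is constructed for the example.
Semantics shown: deny by default, access granted per application segment
(not per network), and a rule only matches when all of its user, app,
device and location conditions hold.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessRequest:
    """One access attempt, as the broker sees it after SAML authentication."""
    user: str
    groups: frozenset          # group claims from the identity provider
    app: str                   # FQDN the user tried to reach
    company_cert: bool         # device presented the company certificate
    posture_ok: bool           # device posture check passed
    location: str              # coarse origin, e.g. "office" or "road"


@dataclass(frozen=True)
class Rule:
    """Allow rule. A None field means 'any'. All non-None fields must match."""
    name: str
    apps: frozenset                        # application segment (set of FQDNs)
    users: Optional[frozenset] = None
    groups: Optional[frozenset] = None
    require_company_cert: bool = False
    require_posture: bool = False
    locations: Optional[frozenset] = None

    def matches(self, req: AccessRequest) -> bool:
        if req.app not in self.apps:
            return False
        if self.users is not None and req.user not in self.users:
            return False
        if self.groups is not None and not (req.groups & self.groups):
            return False
        if self.require_company_cert and not req.company_cert:
            return False
        if self.require_posture and not req.posture_ok:
            return False
        if self.locations is not None and req.location not in self.locations:
            return False
        return True


def evaluate(rules, req: AccessRequest) -> Optional[str]:
    """Return the name of the first matching allow rule, or None (deny).

    There is no implicit allow: an app that appears in no matching rule is
    invisible to that user, which is what "verified before DNS" buys you.
    """
    for rule in rules:
        if rule.matches(req):
            return rule.name
    return None


# Constructed application segments and rules mirroring the slide's examples.
HR_PAYROLL = frozenset({"payroll.corp.example"})
MARKETING_APPS = frozenset({"cms.corp.example", "assets.corp.example"})

RULES = [
    # John may reach payroll only from a company-owned, compliant PC.
    Rule("john-payroll-managed-pc", HR_PAYROLL, users=frozenset({"john"}),
         require_company_cert=True, require_posture=True),
    # Marketing reaches its app group from the office on any device...
    Rule("marketing-office", MARKETING_APPS, groups=frozenset({"marketing"}),
         locations=frozenset({"office"})),
    # ...but from the road only with the company certificate.
    Rule("marketing-road-managed", MARKETING_APPS, groups=frozenset({"marketing"}),
         locations=frozenset({"road"}), require_company_cert=True),
]


def decide(user, groups, app, company_cert, posture_ok, location):
    """Convenience wrapper: build the request and evaluate it against RULES."""
    req = AccessRequest(user, frozenset(groups), app, company_cert, posture_ok, location)
    return evaluate(RULES, req)


if __name__ == "__main__":
    print(decide("john", {"hr"}, "payroll.corp.example", True, True, "road"))
    print(decide("john", {"hr"}, "payroll.corp.example", False, True, "road"))
    print(decide("alice", {"marketing"}, "cms.corp.example", False, True, "road"))
    print(decide("alice", {"marketing"}, "payroll.corp.example", True, True, "office"))
```

The point to notice is the absence of any network object: rules name application segments, and a user who matches no rule for a given FQDN gets the same answer (deny) whether or not the application exists, so the user cannot enumerate the estate the way a VPN user can scan a subnet.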
Browser Access
What is Browser Access?
• Browser Access allows use of a web browser for user authentication and application access over ZPA, without requiring users to install the Zscaler App on their devices.
• Browser Access is truly clientless/agentless in the sense that no extension, plugin or Java client needs to be installed in the browser.
Motivation
• Primary use case is third-party users who are unable to install the Zscaler App
• Chromebooks/Linux devices which are not covered by the Zscaler App
ZPA Browser Access - Architecture
Diagram: browser -> Browser Access ZEN / ZPA ZEN -> App Connector -> HTTP/HTTPS application in the Data Center or Public Cloud
• External FQDN for the Browser Access application resolves to Zscaler via DNS (CNAME)
• Same authentication / authorization process as ZPA with Z-App
• User is authenticated against the SAML IdP
• Policy is evaluated for authorization
• Dynamic path selection is applied
• ZPA tunnel for app traffic is established from browser to web app server, via ZPA ZEN and App Connector
Four main enterprise use cases for Private Application Access (ZPA)
VPN Refresh
• Remove inbound VPN gateway appliances
• Users never placed on-net
• Application segmentation by default
• Prevent inbound connections to apps
Accelerate M&A
• Simplify IT integration during M&A to weeks
• Minimize network convergence
• Reduce cost of appliances and additional infrastructure
• Standardize security across all entities
Secure third-party access
• Control third-party access
• Minimize lateral movement to other apps
• Never place them on-net
• Gain visibility into activity
Multi-cloud access
• Provide secure access across hybrid cloud
• Avoid lock-in / enable multi-cloud strategies
• Improve user experience
• Streamline adoption of IaaS
Securing MAN's move to cloud
Location: Germany
Industry: Manufacturing
User Count: 12,000 users in over 100 locations and 70 countries
Zscaler Products: ZPA, ZIA
Use Case: VPN retirement; secure cloud adoption; zero-trust adoption
The challenge
• MAN was undertaking a massive cloud (AWS) adoption and needed a better way to provide remote access to internal applications.
• Needed more visibility into their network and to ensure true zero-trust access to their internal applications.
Benefits of Zscaler Platform
• Enabled zero-trust security through application segmentation and enforcing granular policies via the Zscaler Security Cloud.
• Users and devices are never allowed on the network, which increases security and decreases risk, creating a zero-trust network.
Thank you.