14May2019 Avantec Zscaler Private Access Webinar · 2019. 5. 21.

Page 1

Zscaler Private Access Webinar, 14 May 2019

©2019 Zscaler, Inc. All rights reserved.

Private Application Access with Zscaler

Secure access to private apps without requiring access to the network

Steffen Probst, Consulting Sales Engineer

Securing your cloud transformation

Zscaler: Securely transform IT for a cloud world

RELIABLE. FAST. SECURE.

Business policies connect users to apps from anywhere, over any network

100+ data centers across 6 continents

60B+ transactions processed daily

300 of the Forbes Global 2000

Nasdaq: ZS

Market Leader

Global Presence

Proven Scale

Page 2

How Application Access Traditionally Works

Global LB

DDoS

Ext. FW / IPS

Internal LB

Internal FW

RAS (VPN)

Site-to-site VPN

Remote User

Risk is introduced by placing users on network

Complexity of ACLs and firewalls can make remote access difficult to manage

Users become frustrated with VPN

Months spent on just getting infrastructure set up

How users felt.

Page 3

Global load balancing

Distributed denial of service protection

External firewall / intrusion prevention

VPN concentrator

Internal firewall

Internal load balancer

Firewall / intrusion prevention

URL filter

Anti-virus

Data loss prevention

Secure sockets layer inspection

Sandbox

Zscaler: Secure and fast access to any app, from anywhere

Any device, any location, on-network or off-network (HQ, mobile, branch, IoT)

• Externally managed (open internet, public cloud, SaaS): Zscaler Internet Access (ZIA) securely connects users to externally managed SaaS applications and internet destinations

• Internally managed (public cloud, private cloud / DC): Zscaler Private Access (ZPA), a Software Defined Perimeter (SDP), securely connects authorized users to internally managed applications

Page 4

Old World vs. New World

App transformation drives the need for a user-centric approach to access

• Application location: Datacenter → Cloud + Datacenter

• Network architecture: “Hub-and-spoke”, backhaul traffic to the data center → Hybrid network, direct-to-cloud & data center

• Security approach: “Castle and Moat”, secure the corporate network → Security checkpost, securely connect users and devices regardless of network

Software-Defined Perimeter (SDP)

A modern approach to remote access and zero trust:

Abandons the network‐centric design, and instead secures private application access using a user and app‐centric approach:

“By 2021, 60% of enterprises will phase out network VPNs for digital business communications in favor of software‐defined perimeters.”

Gartner,  November 2017

• Decouples private application access from network access

• 100% software‐defined; No physical or virtual appliances needed

• Application access is micro‐segmented and provisioned on a “least privileged” basis

• Advanced visibility into all user and app activity

• Different approach to zero trust than firewalls and users placed on network

Page 5

ZPA in comparison to other access solutions

• Internal firewalls, IP-based ACLs

• NAC

• Internal firewalls, IP-based ACLs, tunnel policies

• Zscaler Private Access

Page 6

Zscaler Private Access: Software-defined access to private applications

Internally managed apps in the public cloud and in the private cloud / data center; users at HQ, mobile, branch and IoT

• No firewall appliances or ACLs. Minimizes overhead and costs

• Application segmentation without network segmentation

• App connectivity without trusting users and placing them on-net

• Completely seamless user experience across users & apps

Part of an ecosystem built for securing access to hybrid environments

• Secure access without security appliances

• Faster user experience

1. Cloud providers (public cloud, private cloud / data center)

2. Identity and authentication: SAML integration, conditional access

3. Reporting and analytics: real-time log feed

4. Device management and protection: provisioning and remediation

[Diagram: HQ employees and partners reach apps inline through the SDP]

Page 7

Zscaler Private Access – How it works

GETTING STARTED

• Deploy Z‐App on endpoints

• Deploy App Connector in front of your apps

• Define user and app access policies (Policy Console)

HOW IT WORKS

1. User attempts to access an app

2. User identity/role is verified against the ID provider (before DNS)

3. Policy is checked to determine if access is permitted

4. Optimal path to the app is determined

5. If allowed: App Connector initiates an outbound connection; Z‐App initiates a connection (per app); the Zscaler enforcer node (ZEN) stitches the connection together

6. Z‐Connector provides app load balancing across VMs/servers (LB for apps)

7. Monitor app usage – anomaly detection

[Diagram: Z‐App on employee and partner endpoints, ID provider, Policy Console, ZENs in New York, London and Sydney, App Connectors in front of apps in the DC and in the public cloud]

Unmatched Security: Strong authentication, context-aware policy

Strong Authentication – critical as users get ubiquitous access to apps

• Device fingerprint & your company certificate

• Device posture checking

• Integration with your directory (ID Provider)

• SAML‐based; multi‐factor auth

Four Contexts for Policy, with an example of each

• User context: John can access only a specific app; Marketing can access a group of apps

• App context: access to a specific app or app groups; each app can be its own segment

• Device context: John can access a specific app only from a company‐owned PC (with cert)

• Location context: understand where user access originates; restrict apps from being accessed from the road

[Diagram: user locations Office, Hotel, 4G, Moscow; apps in Private DC and Public Cloud]
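The access flow and the four policy contexts above are easy to get wrong when you build or audit something similar, so here is a small policy evaluator added as an illustration. It is not Zscaler's code; the rule format, app names, connector names and user identities are invented for the example. It shows the ordering the slides describe: identity first, default-deny policy over user, app, device and location, and the App Connector looked up only for an allowed request, so a denied request gets the same answer whether or not the app exists.

```python
"""Access decision modelled on the ZPA flow: identity, then policy over the
four contexts, then (only if allowed) a connector behind the app.
Added illustration, not Zscaler code; all names and rules are invented."""
from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class Request:
    """One access attempt, with the signals an enforcer would have on hand."""
    user: str            # empty string = no valid IdP assertion
    groups: frozenset    # group claims from the SAML assertion
    app: str             # FQDN the user tried to reach
    company_cert: bool   # company certificate present on the device
    posture_ok: bool     # device posture check passed
    location: str        # coarse origin label, e.g. "office" or "road"


@dataclass(frozen=True)
class Rule:
    """An allow rule; an empty set means 'no constraint' for that context."""
    name: str
    apps: frozenset                       # app context: the segment granted
    users: frozenset = frozenset()        # user context (named users)
    groups: frozenset = frozenset()       # user context (group membership)
    company_device: bool = False          # device context
    locations: frozenset = frozenset()    # location context

    def matches(self, req: Request) -> bool:
        if req.app not in self.apps:
            return False
        if self.users and req.user not in self.users:
            return False
        if self.groups and not (self.groups & req.groups):
            return False
        if self.company_device and not (req.company_cert and req.posture_ok):
            return False
        if self.locations and req.location not in self.locations:
            return False
        return True


# Constructed sample policy and connector inventory (hypothetical names).
RULES = (
    Rule("john-finance", apps=frozenset({"finance.corp.example"}),
         users=frozenset({"john"}), company_device=True),
    Rule("marketing-apps",
         apps=frozenset({"cms.corp.example", "assets.corp.example"}),
         groups=frozenset({"marketing"})),
    Rule("hr-office-only", apps=frozenset({"hr.corp.example"}),
         groups=frozenset({"employees"}), locations=frozenset({"office"})),
)
CONNECTORS = {
    "finance.corp.example": ("connector-dc-1", "connector-dc-2"),
    "cms.corp.example": ("connector-aws-1",),
    "assets.corp.example": ("connector-aws-1",),
    "hr.corp.example": ("connector-dc-1",),
}


def decide(req: Request, rules=RULES, connectors=CONNECTORS) -> dict:
    """Default deny. Returns {"allow", "rule", "connector"}.

    The connector lookup (the analogue of resolving the app) happens only
    after identity and policy succeed, so a denied request learns nothing
    about whether the app exists or where it is hosted."""
    denied = {"allow": False, "rule": None, "connector": None}
    if not req.user:                       # step 2: identity verified first
        return denied
    rule = next((r for r in rules if r.matches(req)), None)
    if rule is None:                       # step 3: no rule -> deny
        return denied
    targets = connectors.get(req.app)
    if not targets:
        return denied
    # Spread sessions across the connectors fronting the app; a stand-in
    # for the per-app load balancing the slide attributes to the connector.
    idx = sha256(f"{req.user}:{req.app}".encode()).digest()[0] % len(targets)
    return {"allow": True, "rule": rule.name, "connector": targets[idx]}


if __name__ == "__main__":
    emp = frozenset({"employees"})
    print(decide(Request("john", emp, "finance.corp.example", True, True, "road")))
    print(decide(Request("john", emp, "finance.corp.example", False, True, "road")))
```

Two design choices are worth keeping when you adapt this: the deny result is a single constant, so a missing rule, a failed device check and an unknown app are indistinguishable to the caller, and every constraint is expressed as an allow rule, so there is nothing to "forget to deny".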

Page 8

What is Browser Access?

• Browser Access allows use of a web browser for user authentication and application access over ZPA, without requiring users to install the Zscaler App on their devices.

• Browser Access is truly clientless/agentless in the sense that no extension, plugin or Java client needs to be installed in the browser

Motivation

• Primary use case is third-party users who are unable to install Zscaler App

• Chromebooks/Linux devices which are not covered by Zscaler App

Page 9

ZPA Browser Access - Architecture

• External FQDN for the Browser Access application resolves to Zscaler via DNS (CNAME)

• Same authentication / authorization process as ZPA with Z‐App

• User is authenticated against the SAML IdP

• Policy is evaluated for authorization

• Dynamic path selection is applied

• ZPA tunnel for app traffic is established from the browser to the web app server, via the Browser Access ZEN and App Connector

[Diagram: browser → Browser Access ZEN → App Connector → HTTP/HTTPS application, for apps in the data center and in the public cloud]

Four main enterprise use cases

Private Application Access

VPN Refresh

• Remove inbound VPN gateway appliances

• Users never placed on‐net

• Application segmentation by default

• Prevent inbound connections to apps

Accelerate M&A

• Simplify IT integration during M&A to weeks

• Minimize network convergence

• Reduce cost of appliances & additional infrastructure

• Standardize security across all entities

Secure third‐party access

• Control third‐party access

• Minimize lateral movement to other apps

• Never place them on‐net

• Gain visibility into activity

Multi‐cloud access

• Provide secure access across hybrid cloud

• Avoid lock‐in/enable multi‐cloud strategies

• Improve user experience

• Streamline adoption of IaaS


Page 10

Location: Germany

Industry: Manufacturing

User Count: 12,000 users in over 100 locations and 70 countries

Zscaler Products: ZPA, ZIA

Use Case: VPN retirement; secure cloud adoption; zero-trust adoption

Securing MAN’s move to cloud

The challenge

• MAN was undertaking a massive cloud (AWS) adoption, and needed a better way to provide remote access to internal applications.

• Needed more visibility into their network and to ensure true zero trust access to their internal applications.

Benefits of Zscaler Platform

• Enabled zero trust security through application segmentation and enforcing granular policies via the Zscaler Security Cloud.

• Users and devices are never allowed on the network, which increases security and decreases risk, creating a zero-trust network.

Thank you.