Cloud vs. On-Premises Security: Can you afford not to switch?

©2017 Zscaler, Inc. All rights reserved.0 ©2017 Zscaler, Inc. All rights reserved.
Cloud vs. On-Premise Security.
Can you afford the move?
Steve House – Vice President, Product Management
Gerry Festa – Vice President, Product Marketing

©2017 Zscaler, Inc. All rights reserved.1
To ask a question
• Use the Q&A function in the Webex panel or email us
at webcast@zscaler.com
• We’ll try to get to all questions during the Q&A
session. If we do not get to your question, we’ll make
sure to follow up afterwards
• At the end of the webcast – please let us know how
we did!
©2017 Zscaler, Inc. All rights reserved.
Ask your question here…

©2017 Zscaler, Inc. All rights reserved. | ZSCALER CONFIDENTIAL INFORMATION2
CLOUD
INTERNET / MOBILITY
CLIENT / SERVER
MAINFRAME
80s
90s
00s
10s
Cloud and mobility are creating the biggest megashift
Megashifts create business
opportunities and new leaders

DIGITAL TRANSFORMATION
IS AN IMPERATIVE
54% of Fortune 500 Companies from
20 Years ago no longer make the cut.
LEGACY
JUMPED
THE
CHASM

CLOUD
TRANSFORMATION
IS HAPPENING
2MM
AWS Enterprise
Customers
80%
of Employees Use
Shadow Cloud
Applications
40%
Adoption by
Enterprises
320%
Increase in O365
Enterprise Adoption

UTM
Firewall
Restricted Network
Non-Compliant usersRemediation Servers
FirewallWeb
Scanners
NAC/NAPSecurity PolicySIEM Servers
Threat Analysis
Security Management
Network
Data Center
File Servers
Mainframe
DatabaseExchange ServersDomain Servers
Firewall
DLP
Storage
Public Key Infrastructure
KeysCertificate
Authority
UTM Firewall
LDAPManagement Console
Wireless Access
DLP
UTM
Firewall
Wi-Fi Network
IPS
Mobile
User
UTM
Firewall
Enterprise
Users
DC/ DNS ExchangeDHCP AV,
Anti Malware
Remote
Access
UTM
Firewall
Remote
Access
Gateway
DLP
RouterRegional
Office
VPN
Mobile Device
Management
DNS Exchange
VPN
FtpWeb
Users
Router
Outside
Firewall
Web
Server
WAF
Inside
Firewall
SwitchSwitch IDS / IPOS
UTM
Firewall
DLP
Analytics
/ SIEM
Networking
Security
Compute
Email
Server
CORPORATE
NETWORK
Internet
30 Years of Networking and Security ComplexityIf you could start over…..
UTM
Firewall
Restricted Network
Non-Compliant
users
Remediation
Servers
FirewallWeb
Scanners
NAC/NAPSecurity
Policy
SIEM
Servers
Threat
Analysis
Security Management
Network
Data Center
File Servers
Mainframe
DatabaseExchange
Servers
Domain
ServersFirewall
DLP
Storage
Public Key Infrastructure
KeysCertificate
Authority
UTM
Firewall
LDAPManagement
Console
Wireless
Access
DLP
UTM
Firewall
Wi-Fi Network
IPS
Mobile
User
UTM
Firewall
Enterprise
Users
DC/ DNS
Exchange
DHCP AV,
Anti
Malware
Remote
Access
UTM
Firewall
Remote
Access
Gateway
DLP
RouterRegional
Office
VPN
Mobile Device
Management
DNS
Exchange
VPN
FtpWeb
Users
Router
Outside
Firewall
Web
Server
WAF
Inside
Firewall
SwitchSwitch IDS / IPOS
UTM
Firewall
DLP
Analytics
/ SIEM
Networking
Security
Compute
Email
Server
CORPORATE
NETWORK
Internet
HQMOBILE BRANCHIOT
APPS
Network Security is
becoming
irrelevant
Securely connecting the
right user and device to
the right app and service
over the Internet

FW / IPS
Internet Gateway
URL Filter
Antivirus
DLP
SSL
Sandbox
Global LB
DDoS
Ext. FW/IPS
RAS (VPN)
Internal FW
Internal LB
Internet gateways
Secure access to the Internet
VPN gateways
Remote access to DC apps
CORPORATE NETWORK
Internet & VPN Gateway
Internet Gateway: Security perimeter to protect the corporate network
Circa 1987 – 1994– 1999 – 2000 – 2004

HQ
EMEA
Branch
APJ
Branch
Branch
Branch
Branch Branch BranchBranch
Home, Coffee Shop Airport, Hotel
SaaS Open Internet IaaS
Cloud and mobility break network security
The Internet is Your New Corporate NetworkHow do you secure a network (Internet) you don’t control?
“GE will run 70 percent of its
workload in the cloud by 2020”
Jim Fowler, CIO
“The Internet will be our new
corporate network by 2020”
Frederik Janssen, Head of Infrastructure
“Office 365 was built to be accessed
via direct Internet connection”

Cloud and mobility break network security
HQ
EMEA
Branch
APJ
Branch
Branch
Branch
Branch Branch BranchBranch
Home, Coffee Shop Airport, Hotel
NEW SECURITY MODEL
Secure the Network
Securely connect users to apps
Direct to Internet
Broadband / Wi-Fi / LTE / 5G
NEW NETWORK MODEL
OLD SECURITY MODEL
Hub-and-Spoke
MPLS / VPN
OLD NETWORK MODEL
Secure the Corporate Network
SaaS Open Internet IaaS

So….now what?
9

Security costs fall into three buckets
Security
infrastructure
Cost of the
unknown threat
Time spend
maintaining
infrastructure

Zscaler
Appliance
Alternative
Today
Competitive bake-off, feature-for-
feature, similar costs
Year 3
• Internet Consumption CAGR ~20%
• Appliance scale to handle internet growth
• MPLS scale to handle internet backhaul
growth
Zscaler
Appliance
Alternative
Internet BW
Additional
Appliances
Additional
Appliances
MPLS Bandwidth
Internet BW
Core Service
CAGR ~20%
SSL Decrypt
Branches /
O365
Backhaul
Internet
Year 2
• Internet Consumption CAGR ~20%
• Turn on SSL Decryption
• Some sites backhaul Internet over MPLS
• Other sites using local breakouts and
O365
Zscaler
Appliance
Alternative
Internet BW
Additional
Appliances
Additional
Appliances
MPLS Bandwidth
Internet BW
Reduced
due to
Bandwidth
Control
Cost Driver
The Value of Switching from On-Prem to Cloud Security
Security infrastructure costs

IT Time spent on patching and update cycles
12
Percent of
vulnerabilities patched
Weeks to patch vulnerability
• In 2017 there were over
11,000 vulnerabilities
announced
• Many organizations take
weeks or months to patch
their systems
• Finding the resources and
hours need for IT to patch
a constant challenge.
Maintaining infrastructure

Los Angeles Dallas
Denver
Toronto
New York
Washington DC
Atlanta
Miami
Paris
Sao Paulo
Johannesburg
London
Amsterdam
Oslo
Brussels Frankfurt
Gdansk
Stockholm
Moscow
Mumbai
Singapore
Sydney
Hong Kong
Tokyo
Madrid
TaipeiDubai
Riyadh
Cairo
Kuwait City
Kuala Lumpur
Cape Town
San Francisco Chicago
Lagos
Tel Aviv
Milan
Copenhagen
Melbourne
Zurich
Chennai
Tianjin
Manila
Doha
Abu Dhabi
Jeddah
Al Khobar
WarsawSeattle
Secure
Ongoing third-
party testing
CertifiedReliable
Redundancy within and
failover across DCs
Transparent
Trust portal for service
availability monitoring
Zscaler Cloud – Reliable. Available. Fast. No More Change windows!
35B+
Requests/day
125M+
Threats
blocked/day
120K+
Unique security
updates/day
100 data centers
across 5 continents
Peering in
Internet exchanges
150+
Vendors peered
O365 Peering Data Center

14
11%
82%
6% 1% 1% 1% 0%
Seconds Minutes Hours Days Weeks Months Years
68%
21%
7% 2% 1% 1% 0%
breach time to compromise
breach time to exfiltration
Average cost of a breach
is now $4 million in total
organizational cost
That’s a 29% increase of
total cost since 2013
The impact of one wrong download
Infect Quicker Steal More
Propagate and Control
841
847
980
1031
1095
Spyware/Keylogger
Phishing
Command and Control
Export Data
Stolen Credentials
Top threat action activities within incidents
involving credentials
of attacks spread from Victim 0 to
Victim 1 within one day
of confirmed data breaches involved
weak, default or stolen passwords.63%
75%
Verizon Data Breach Report ‘16 Verizon Data Breach Report ‘15 Ponemon Institute ‘16
Unknown Threat Costs

Web content scanning, Risk based
analysis, App Control
Browser Control
Risk Based Scoring
File, User, Group and QoS Control,
Signature-based AV and IPS
Inline Content Control
Complete Packet ByteScan
Malicious Hosts, Sites, Botnets
Phishing, GEO, Protocol & ACLs
Destination Based Blocking
Dynamic & Behavioral
Analysis of User ContentSandboxing
Fill the IT skills gap with an Integrated Security Stack
Recon and
Creation
Survey defenses
Planning attack
Create Payload
Delivery
Via trusted/untrusted
sites and web content
Exploitation
Payload exploits
unpatched
vulnerability
Installation
Installing malware
onto asset
Command &
Control (C2)
Remote Control.
Additional malware
downloads
Action on
Objectives
Lateral movement,
data exfiltration,
disruption, etc.
DNS
Security
Botnet and
Callback
Detection
DLP
Security
Full SSL Inspection Full SSL Inspection
Zscaler’s Security-as-a-Service

Direct to Internet
Block the bad, protect the good
The best approach for SD-WAN and Office 365
Zscaler Internet Access – Fast, secure access to the Internet and SaaS
Data Center
APPSMPLS
HQMOBILE
BRANCHIOT
Your security stack as a service
Data Loss Prevention
Cloud Apps (CASB)
File Type Controls
Data Protection
Cloud Firewall
URL Filtering
Bandwidth Control
DNS Filtering
Access Control
Adv. Protection
Cloud Sandbox
Anti-Virus
DNS Security
Threat PreventionReal-time policy engine
Polices follow the user
Changes are immediately enforced, worldwide
Business analytics
Global visibility into apps and threats blocked
Identify botnet infected machines for remediation
Real-time policy and analytics
SaaS Open Internet

New Threat New Threat New Threat New Threat New Threat
DNS at 100Tbps
NGFW at 100Gbps
IPS at 10Gbps
LB at 100Gbps
Full AV at 10Mbps
SSL Proxy at 100Mbps
DLP at 10Mbps
Sandbox 1 file 5
every minutes
Challenges
• Single-tenant systems (kernel)
• Separate control, enforcement
and logging
• No single policy object to
share context
• Expensive to deploy and scale
• Poor user experience
+1
+2
+3
+4
+5
+6
+7
+8
+9
+10
+11
+12
Latency
State of the art in 2010
Control, Enforce, Log
How do you scale this
stack to 40Gbps?

DNS at 100Tbps
NGFW at 100Gbps
IPS at 10Gbps
LB at 100Gbps
Full AV at 10Mbps
DLP at 10Mbps
Sandbox 1 file 5
every minutes
Remaining Challenges
• Single-tenant systems (kernel)
• Separate control, enforcement
and logging
• No single policy object to
share context
• Poor user experience
+1
+2
+3
+4
+5
+6
+7
+8
+9
+10
+11
+12
Latency
In 2017: SDN, NFV, and VNFs!
VM VM VM VM
VM VM VM VM
VM VM VM VM
VM VM VM VM
VM VM
VM
VM
VM
VM
VM
VM
VM
Solves
• Horizontal scaling
• Hardware headaches

Zscaler built from scratch a highly scalable and
ultra-fast multitenant cloud security architecture
THE ZSCALER CLOUD
• Disparate redundant control, logging, and enforcement policies
• Multiple appliances, multiple hops — slow user experience
• Expensive and complex to scale and manage
• Integrated control, logging, and enforcement
• Single pass architecture — performance SLA and security efficacy
• Infinitely scalable — cost effective
Would you build a power plant
with home generators?
HOME POWER
GENERATORS
POWER PLANT
NY
USER A
(policy
follows)
USA
EU
USER A
Private
London Sydney
ENFORCE
LOG
CONTROL
Legacy technology cannot be repurposed for the cloud
DNS at 100Tbps
NGFW at 100Gbps
IPS at 10Gbps
LB at 100Gbps
Full AV at 10Mbps
DLP at 10Mbps
Sandbox 1 file 5
every minutes

Enabling leadings brands to securely transform their IT to the cloud
Business Drivers
• Enable a user-centric experience
• Build a scalable architecture
• Enable a fast and secure direct-to-cloud experience
Bringing secure Internet access to 315K employees
The Zscaler Difference
• Immediate 30% savings on MPLS costs
• Fast Internet experience – home experience
• Foundation for the Internet-only branch
Secure 270 retail locations
Business Drivers
• Reduce number of botnet infected machines
• Support an aggressive acquisition strategy
• Meet external security requirements
• Eliminated the need to buy 540 branch NGFWs/UTMs
• Full security stack – SSL inspection
• Deployed in 2 months – quick to turn on new sites
WAN Transformation: Fast Office 365 experience
Business Drivers
• Fast Office 365 experience – eliminate WAN congestion
• Support increase in firewall sessions without refreshing firewalls (cost)
• Avoid deploying branch NGFWs – too expensive (650 locations)
• Local Internet breakouts for fast connections
• Cloud Firewall - scales elastically, per user, not bandwidth
• One-click Office 365 URL and IP updates
Office 365 is finally the highest use – not YouTube
40% of bandwidth
reserved for O365
during periods of
contention
YouTube
capped at 20%

A three-step journey to secure IT transformation
(BROADBAND)
Enable secure SD-WAN / local Internet
breakouts – optimize backhaul
Deliver a better and more secure
user experience
TRANSFORM
Cloud-enable your network
SIMPLIFY
Remove point products
Phase out gateway appliances at
your own pace
Reduce cost and
management overhead
SECURE
Up-level your security
Make Zscaler your next hop
to the Internet
Fast to deploy
No infrastructure changes required

Want to learn about other companies doing
Secure IT transformation?
22
Lessons for thriving –
not just surviving - in the cloud
Frederik Janssen – Siemens
On-demand webcast:
zscaler.com/company/webcasts

Questions and next steps
23
Learn more about Zscaler
Zero-Day Best Practices
zscaler.com/resources
Free Security Health Check
www.zscaler.com/securitypreview
Other Webcasts
Lessons for thriving - not just surviving - in the cloud
Jay Chaudhry - Zscaler & Frederik Janssen – Siemens
On Demand: zscaler.com/company/webcasts

©2017 Zscaler, Inc. All rights reserved. Zscaler™, SHIFT™, Direct-to-Cloud™ and ZPA™ are trademarks or registered trademarks of Zscaler, Inc.
in the United States and/or other countries. All other trademarks are the property of their respective owners. | ZSCALER CONFIDENTIAL INFORMATION
24

Cloud vs. On-Premises Security: Can you afford not to switch?

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Cloud vs. On-Premises Security: Can you afford not to switch?

Similar to Cloud vs. On-Premises Security: Can you afford not to switch? (20)

More from Zscaler

More from Zscaler (20)

Recently uploaded

Recently uploaded (20)

Cloud vs. On-Premises Security: Can you afford not to switch?

Editor's Notes