John Merline - How to make your cloud SASE
1. FISHTECH GROUP June 10, 2020
HOW TO MAKE YOUR CLOUD SASE
John Merline | June 11, 2020
2.
• Access requirements have inverted, with more
users, devices, applications, services and data
located outside of an enterprise than inside.
• Complexity, latency and the need to inspect
encrypted traffic once will consolidate networking
and security-as-a-service into a cloud-delivered
secure access service edge (SASE).
• Low-latency access to users, devices and cloud
services from anywhere requires SASE offerings with
a worldwide fabric of points of presence (POPs) and
peering relationships.
• SASE is the new branding buzzword…
The Future of Network Security is in the Cloud - Gartner
3.
The World Turned Upside Down…
[Diagram, before: the corporate data center hosts Peoplesoft, Exchange, SharePoint, Payroll, Application1, Application2, ...; remote workers reach it across the Internet through a VPN.]
[Diagram, after: Office 365, Salesforce, websites and other applications live on the Internet; the corporate data center keeps only Legacy App 1, Legacy App 2, ...; remote workers, "VPN?", security controls and the perimeter are called out as points 1, 2 and 3.]
4.
Secure Access Service Edge
[Diagram: SASE control stack.
Control type: Inline Real-Time Controls (SaaS + Web + IaaS + Private Access); Out of Band API Controls (SaaS + IaaS).
Products: Web Traffic (SWG, DLP); SaaS (CASB, DLP); IaaS/PaaS (CSPM); Private Access (ZTNA).
Capabilities: Web Content Classification, Real-Time Protection, Private App Access, Continuous Security Assessment, Data At Rest Protection, Privileged Account Monitoring, Cloud Intranet, On-Premise Custom Apps, Discovery, Unmanaged Devices, SaaS Granular Access Control, Activity Visibility, Understand Cloud Apps, SD-WAN Integration, App Control, Instance Awareness, Advanced DLP, Cloud App Discovery, Reverse Proxy, Compliance, ML / AI Analytics, Insider Threat, API / JSON Decode, SSL Decryption, 3rd Party Risk.
Security services: Proxy, Data Protection, Threat Protection, Analytics and Insights.]
6.
• IP address and location cannot establish trust for
network access
• Provide access to applications, not networks
• Enhanced user experience for remote workers
• Allow unmanaged devices to securely access
applications
• Think of ZTNA as Tunneling as a Service (TaaS?)
• App Connectors reside near the application service,
often on the same subnet
• Cloud brokers act as a hub connecting tunnels from App
Connectors to the Endpoint Client
• App Connectors require only private IP addresses and
outbound Internet access
Zero Trust Network Access (ZTNA)
[Diagram: users run an Endpoint Client that connects over the Internet to a Cloud Broker; App Connector(s) in the corporate data center (Legacy App 1, Legacy App 2, ...) and App Connector(s) beside a second set of applications (Application1, Application2, ...) terminate the other end of the tunnels.]
7.
• How do you access your EC2 hosts or other services that
may not have a public IP address?
• Private connectivity to VPC via AWS Site-to-Site VPN or
Direct Connect.
• A Site-to-Site VPN that terminates on an EC2 instance (firewall
or OpenVPN server).
• AWS Client VPN or even AWS Session Manager
• How do we maintain the Bastion Host?
• Where does the logging and alerts go?
• How do we manage the user and group access to the Bastion
and the servers reachable from it?
• What about the security principle of Least Privilege?
• Can we limit access to a specific application/port instead of
allowing access to entire servers and subnets?
Bastion Hosts
[Diagram: a VPC with a public subnet holding the Bastion Host and a private subnet holding the instances; the corporate data center reaches the VPC over AWS Direct Connect or a Site-to-Site VPN, and remote users arrive over the Internet.]
8.
WHAT CAN SASE DO FOR THE PUBLIC CLOUD?
1. Use a bucket policy to lock down access to the source IP range of the SASE cloud
2. Set an explicit proxy on the EC2 instance to send web traffic through the SWG
3. Use APIs to assess the security of data at rest and cloud security posture
4. Install the SASE client in the AWS WorkSpaces image to secure endpoints
5. Configure firewalls in the outbound VPC to forward traffic to the SASE cloud
[Diagram: users and Amazon EC2 instances in a VPC reach the Internet and a bucket with objects through the SASE cloud (DLP, CASB, SWG, CSPM, ZTNA, ...).]
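Item 1 above, worked through as an added example (not code from the deck or from any SASE vendor): build the bucket policy that denies any request whose source IP is outside the SASE cloud's egress range, and evaluate that condition locally so the ranges can be checked before the policy is applied. The bucket name and the two egress CIDRs are constructed placeholders.

```python
"""Added example: S3 bucket policy pinned to SASE egress IPs, plus a local
evaluator for its NotIpAddress condition. Bucket and CIDRs are placeholders."""
import ipaddress
import json


def build_sase_bucket_policy(bucket, sase_egress_cidrs):
    """Explicit Deny for any principal whose source IP is outside the SASE
    cloud's egress ranges. An explicit Deny wins over every Allow, so direct
    Internet access to the objects is blocked even if another statement
    (or an IAM policy) grants it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessViaSASE",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"NotIpAddress": {"aws:SourceIp": list(sase_egress_cidrs)}},
        }],
    }


def request_denied(policy, source_ip):
    """Mimic the NotIpAddress evaluation: True when a Deny statement matches,
    i.e. the source IP lies in none of the listed CIDRs."""
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cidrs = stmt["Condition"]["NotIpAddress"]["aws:SourceIp"]
        if not any(ip in ipaddress.ip_network(c) for c in cidrs):
            return True
    return False


# Constructed sample values: TEST-NET ranges stand in for real SASE egress IPs.
SASE_EGRESS = ["203.0.113.0/24", "198.51.100.0/24"]
POLICY = build_sase_bucket_policy("example-bucket", SASE_EGRESS)

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for ip in ("203.0.113.10", "192.0.2.7"):
        print(ip, "denied" if request_denied(POLICY, ip) else "allowed via SASE")
```

Requests that arrive through a VPC endpoint carry no aws:SourceIp and would also be denied by this statement; where EC2 instances in the VPC need the bucket, pair the IP condition with an aws:SourceVpce condition for that endpoint.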
11.
PRIVATE ACCESS – FOUR SECURITY TENETS IN ACTION
1. Remote users are never placed on the network
• Application access, not network access
2. Applications are invisible to unauthorized users
• Users can’t access what they can’t see
3. Policy-based access to specific apps
• Define which users access which apps
4. The internet is the new secure network
• Double-tunneling for secure access
[Diagram: Z-App on the user side, the ZPA Cloud with its Z-broker, and workloads in AWS; tenets 1, 2 and 3 are called out on the diagram.]
12.
USER ACCESS TO MIGRATED WORKLOADS USING ZPA
[Diagram: users and the legacy datacenter connect over the Internet to Z-brokers; ZPA Connectors sit in a private subnet in us-west-1 (US West, N. California) and in eu-west-2 (EU, London).]
13.
[Figures: Gartner Magic Quadrant for Cloud Access Security Brokers; Gartner Magic Quadrant for Secure Web Gateways]
14.
ZSCALER PRIVATE ACCESS – HOW IT WORKS
GETTING STARTED
• Deploy Z-App on endpoints
• Deploy Z-Connectors in front of your apps
• Define user and app access policies
HOW IT WORKS
1. User attempts to access an app
2. User identity/role is verified (before DNS)
3. Policy is checked to determine if access is permitted
4. Optimal path to app is determined
5. If allowed:
- Z-Connector initiates outbound connection
- Z-App initiates a connection (per app)
- Zscaler cloud broker stitches connection together
6. Z-Connector provides app load balance across VMs/servers
7. Monitor app usage – anomaly detection
[Diagram: employees and partners running Z-App; ID provider and Policy Console; ZENs/Brokers in New York, London and Sydney; Z-Connectors in the DC and in the public cloud in front of the LB for apps.]
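The seven steps above, and the four tenets on slide 11, as an added toy model (not Zscaler's code and not a description of its implementation): a broker that checks identity and policy before anything is resolved, only ever accepts outbound connector registrations, prefers a connector in the user's region, round-robins across the servers behind an app, and flags repeated denials. The identity provider contents, policy table, connector names, regions and app names are all constructed placeholders.

```python
"""Added example: a toy ZTNA broker showing the order of the checks on this
slide. Users, roles, policy, connectors and apps are constructed placeholders."""
from collections import defaultdict
from itertools import cycle

# Step 2: the ID provider's view of users (constructed sample data).
IDP = {"alice": {"role": "finance", "auth": True},
       "bob": {"role": "eng", "auth": True},
       "mallory": {"role": "guest", "auth": False}}
# Step 3: policy maps a role to the only apps it may reach (tenet 3).
POLICY = {"finance": {"payroll"}, "eng": {"payroll", "legacy-app-1"}}


class Broker:
    """Stand-in for the cloud broker: nothing is ever exposed inbound (tenet 1)."""
    def __init__(self):
        self.connectors = defaultdict(list)  # app -> connectors fronting it
        self.denied = defaultdict(int)       # step 7: denied attempts per user

    def register_connector(self, name, region, apps, servers):
        # Step 5: connectors only dial out; the broker learns which apps they front.
        entry = {"name": name, "region": region, "lb": cycle(servers)}
        for app in apps:
            self.connectors[app].append(entry)

    def request(self, user, app, user_region):
        # Step 2, before any DNS: an unauthenticated or unauthorised user learns
        # nothing about the app, so it stays invisible (tenet 2).
        ident = IDP.get(user, {"auth": False})
        if not ident["auth"] or app not in POLICY.get(ident.get("role"), set()):
            self.denied[user] += 1
            return ("denied", None)
        conns = self.connectors.get(app, [])
        if not conns:
            return ("no-connector", None)
        # Step 4: optimal path, modelled as preferring a connector in the user's region.
        conn = next((c for c in conns if c["region"] == user_region), conns[0])
        # Step 5: the broker stitches the Z-App and Z-Connector sessions together;
        # step 6: the connector round-robins across the servers behind the app.
        return ("stitched", f"{conn['name']}->{next(conn['lb'])}")

    def anomalies(self, threshold=3):
        # Step 7: users with repeated denials are surfaced for review.
        return sorted(u for u, n in self.denied.items() if n >= threshold)


if __name__ == "__main__":
    broker = Broker()
    broker.register_connector("zc-nyc", "us-east", ["payroll"], ["srv-a", "srv-b"])
    broker.register_connector("zc-lon", "eu-west", ["payroll", "legacy-app-1"], ["srv-c"])
    print(broker.request("alice", "payroll", "us-east"))    # stitched via zc-nyc
    print(broker.request("mallory", "payroll", "us-east"))  # denied, app invisible
```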