John Merline - How make your cloud SASE

How make your cloud SASE
John Merline

AWS Community Day | Midwest 2020


  1. FISHTECH GROUP, June 10, 2020. HOW TO MAKE YOUR CLOUD SASE. John Merline | June 11, 2020
  2. The Future of Network Security is in the Cloud (Gartner)
     • Access requirements have inverted, with more users, devices, applications, services and data located outside of an enterprise than inside.
     • Complexity, latency and the need to inspect encrypted traffic once will consolidate networking and security-as-a-service into a cloud-delivered secure access service edge (SASE).
     • Low-latency access to users, devices and cloud services from anywhere requires SASE offerings with a worldwide fabric of points of presence (POPs) and peering relationships.
     • SASE is the new branding buzzword…
  3. The World Turned Upside Down… [diagram, two panels: (1) the Corporate data center (Peoplesoft, Exchange, SharePoint, Payroll, Application1, Application2…) reached by Remote Workers over VPN across the Internet; (2) the Internet (Office 365, Salesforce, Websites…) alongside the Corporate data center (Legacy App 1, Legacy App 2…), with Remote Workers, "VPN?", Security Controls and Perimeter called out]
  4. Secure Access Service Edge [capability map]
     • Control types: Inline Real-Time Controls (SaaS + Web + IaaS + Private Access); Out-of-Band API Controls (SaaS + IaaS)
     • Products: Web Traffic (SWG, DLP); SaaS (CASB, DLP); IaaS/PaaS (CSPM); Private Access (ZTNA)
     • Capabilities: Web Content Classification, Real-Time Protection, Private App Access, Continuous Security Assessment, Data At Rest Protection, Privileged Account Monitoring, Discovery, Unmanaged Devices, Granular Access Control, Activity Visibility, Understand Cloud Apps, SD-WAN Integration, App Control, Instance Awareness, Advanced DLP, Cloud App Discovery, Reverse Proxy, Compliance, ML / AI Analytics, Insider Threat, API / JSON Decode, SSL Decryption, 3rd Party Risk, Analytics and Insights
     • Security Services: Proxy, Data Protection, Threat Protection
     • Scope: Cloud, Intranet, On-Premise, Custom Apps
  5. Netskope Cloud Infrastructure [diagram]
  6. Zero Trust Network Access (ZTNA)
     • IP address and location cannot establish trust for network access
     • Provide access to applications, not networks
     • Enhanced user experience for remote workers
     • Allow unmanaged devices to securely access applications
     • Think of ZTNA as Tunneling as a Service (TaaS?)
     • App Connectors reside near the application service, often on the same subnet
     • Cloud brokers act as a hub connecting tunnels from App Connectors to the Endpoint Client
     • App Connectors require only private IP addresses and outbound Internet access
     [diagram: Users with an Endpoint Client reach, via the Internet and a Cloud Broker, App Connector(s) in the Corporate data center (Legacy App 1, Legacy App 2…) and App Connector(s) in front of Application1, Application2…]
  7. Bastion Hosts
     • How do you access your EC2 hosts or other services that may not have a public IP address?
     • Private connectivity to the VPC via AWS Site-to-Site VPN or Direct Connect.
     • A Site-to-Site VPN that terminates on an EC2 instance (Firewall or OpenVPN server).
     • AWS Client VPN or even AWS Session Manager
     • How do we maintain the Bastion Host?
     • Where do the logging and alerts go?
     • How do we manage the user and group access to the Bastion and the servers reachable from it?
     • What about the security principle of Least Privilege?
     • Can we limit access to a specific application/port instead of allowing access to entire servers and subnets?
     [diagram: VPC with a Public subnet (Bastion Host) and a Private subnet (Instances); Corporate data center connected over AWS Direct Connect; Remote Users connected over the Internet via Site-to-Site VPN]
  8. WHAT CAN SASE DO FOR THE PUBLIC CLOUD?
     1. Use a Bucket Policy to lock down access to the source IP range of the SASE cloud
     2. Set an explicit proxy on the EC2 instance to send web traffic through the SWG
     3. Use APIs to assess the security of Data at Rest and Cloud Security Posture
     4. Install the SASE client in the AWS Workspaces image to secure endpoints
     5. Configure firewalls in the Outbound VPC to forward traffic to the SASE cloud
     [diagram: Users, Internet, SASE (DLP, CASB, SWG, CSPM, ZTNA…), VPC with Amazon EC2, Bucket with objects]
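Item 1 above as a worked example (added here, not from the deck or any vendor): an S3 bucket policy that denies every S3 action unless the request's aws:SourceIp falls inside the SASE cloud's egress ranges, with a break-glass role exempted so a wrong CIDR list cannot lock administrators out, plus a local check that mirrors how IAM evaluates the Deny. The CIDRs, bucket name and role ARN are constructed placeholders.

```python
import ipaddress
import json

# Constructed placeholders: substitute the SASE vendor's published egress ranges,
# the real bucket name and the account's own break-glass role ARN.
SASE_EGRESS_CIDRS = ["198.51.100.0/24", "203.0.113.0/24"]
BREAK_GLASS_ARN = "arn:aws:iam::111122223333:role/BreakGlassAdmin"


def build_bucket_policy(bucket, cidrs, break_glass_arn):
    """Deny every S3 action whose source IP is outside the SASE ranges.

    Both condition keys must match for the Deny to apply, so the break-glass
    role keeps access from anywhere and a bad CIDR list cannot lock everyone out.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAccessFromOutsideSASE",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {
                    "NotIpAddress": {"aws:SourceIp": cidrs},
                    "ArnNotEquals": {"aws:PrincipalArn": break_glass_arn},
                },
            }
        ],
    }


def is_denied(policy, source_ip, principal_arn):
    """Local check of the Deny statement: every condition key must match for it to fire."""
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cond = stmt["Condition"]
        allowed_nets = [ipaddress.ip_network(c) for c in cond["NotIpAddress"]["aws:SourceIp"]]
        outside_sase = not any(ip in net for net in allowed_nets)
        not_exempt = principal_arn != cond["ArnNotEquals"]["aws:PrincipalArn"]
        if outside_sase and not_exempt:
            return True
    return False


if __name__ == "__main__":
    policy = build_bucket_policy("example-sase-bucket", SASE_EGRESS_CIDRS, BREAK_GLASS_ARN)
    print(json.dumps(policy, indent=2))
```

Requests that reach S3 through a VPC endpoint carry aws:VpcSourceIp rather than aws:SourceIp, so EC2 traffic that is meant to bypass the SASE proxy needs its own exemption in the policy.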
  9. Questions?
  10. APPENDIX
  11. PRIVATE ACCESS – FOUR SECURITY TENETS IN ACTION
     1. Remote users are never placed on the network • Application access, not network access
     2. Applications are invisible to unauthorized users • Users can’t access what they can’t see
     3. Policy-based access to specific apps • Define which users access which apps
     4. The internet is the new secure network • Double-tunneling for secure access
     [diagram: Z-App, ZPA Cloud, Z-broker, Workloads in AWS]
  12. USER ACCESS TO MIGRATED WORKLOADS USING ZPA [diagram: Users and the Legacy Datacenter connect over the Internet to Z-brokers, which reach ZPA Connectors in a Private Subnet in us-west-1 (US West, N. California) and in eu-west-2 (EU, London)]
  13. Magic Quadrant for Cloud Access Security Brokers; Magic Quadrant for Secure Web Gateways [figures]
  14. ZSCALER PRIVATE ACCESS – HOW IT WORKS
     GETTING STARTED
     • Deploy Z-App on endpoints
     • Deploy Z-Connectors in front of your apps
     • Define user and app access policies
     HOW IT WORKS
     1. User attempts to access an app
     2. User identity/role is verified (before DNS)
     3. Policy is checked to determine if access is permitted
     4. Optimal path to app is determined
     5. If allowed: Z-Connector initiates outbound connection; Z-App initiates a connection (per app); Zscaler cloud broker stitches connection together
     6. Z-Connector provides app load balance across VMs/servers
     7. Monitor app usage – anomaly detection
     [diagram: Employees and Partners with Z-App; Policy Console; ID Provider; ZENs/Brokers in New York, London, Sydney; Z-Connector in the DC and in the Public Cloud in front of the LB for apps]
  15. ENDPOINT CLIENT