©2018 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION
Three Ways Zero Trust Security Redefines Partner Access
Three reasons SDP will replace VPN in 2019
Kunal Shah, Principal Product Manager
Steve Bonek, Information Security Manager
Hub-and-Spoke Architecture
Castle and Moat architecture to protect the corporate network (diagram labels: INTERNET, Inbound Gateway)
• Risk is introduced by giving too much trust to users and networks
• Complexity of ACLs and firewalls can make remote access difficult to manage
• Users become frustrated with a poor experience
• Months often spent on getting infrastructure set up
Today’s needs aren’t solved with yesterday’s technology
Virtual Private Network (VPN) access: the challenges of legacy application access
• Users are placed on the network to access apps
• User experience is painful and slow
• Lack of visibility into user and application activity
Software-defined Perimeter (SDP) access: enable “least privileged” access to private apps without granting network access, leveraging the software-defined perimeter (SDP)
Introducing the new world of Private Application Access
Diagram labels: Remote user, Policy Enforcement Checkpost, Public Cloud, Private Cloud / On-Premise DC
Software-Defined Perimeter (SDP)
A modern approach to remote access and zero trust: abandons the network-centric design, and instead secures private application access using a user- and app-centric approach.
“By 2021, 60% of enterprises will phase out network VPNs for digital business communications in favor of software-defined perimeters.” Gartner, November 2017
• Decouples private application access from network access
• 100% software-defined; no physical or virtual appliances needed
• Application access is micro-segmented and provisioned on a “least privileged” basis
• Advanced visibility into all user and app activity
• Different approach to zero trust than firewalls and users placed on the network
Three reasons SDP is the future of private application access
1. App access is detached from network access
• Users are never placed on the network
• No longer need to leverage VPNs
• No more ACL and FW policies to manage
2. Minimize risk with micro-segmentation
• Stops overprivileged access via inside-out connections
• On-demand TLS microtunnels eliminate lateral movement between apps
• Enforce policies to create secure segments of one between user and app
3. Monitor any suspicious activity
• Granular visibility into all user and app activity
• Discover previously unknown apps and apply granular controls
• Automatic log streaming to SIEM, both historical and real-time
How TRIMEDX leverages the software-defined perimeter (SDP)
Location: Indiana, USA
Industry: Healthcare Services
User Count: 1,700 employees
Who are we?
• TRIMEDX is a healthcare technology management organization performing clinical engineering and clinical asset management services.
• TRIMEDX started in the 1990s in the basement of St. Vincent Hospital in Indianapolis, Indiana.
• Today, the company is in more than 1,800 healthcare locations across the United States and the Cayman Islands.
The Challenge
• Remote workstations not receiving approved patches in a timely fashion.
• Remote users had no need to use the traditional VPN on a daily basis.
• Remote users were not prompted to change their password.
The Solution
• Must work for remote TRIMEDX technicians
• Must be seamless for the end-user
• Must be secure
The Benefits
• Decreased vulnerabilities for remote workstations
• Ensured compliance with policies and consistent password changes
• Better user experience
Looking Forward?
• Finalize retirement of existing VPN solution
• Investigate possible uses as part of Aramark HCT acquisition
• Utilize solution for any new Private Cloud applications
Zscaler Private Access (ZPA)
The cloud-based SDP solution that provides fast, secure private application access to all users, from all locations.
Zscaler Private Access: fast, secure, software-defined access to private apps
Diagram labels: BYOD, Branch Users, Remote User, Public Cloud, Private Cloud / Data Center, INTERNALLY MANAGED
The 4 Tenets
• Application access is decoupled from network access.
• Micro-segmentation, not network segmentation.
• Inside-out connectivity makes private apps invisible.
• Double encrypted micro-tunnels ensure secure, segmented access to private apps.
How Zscaler’s SDP architecture works
Diagram labels: Zscaler App / Browser Access, Zscaler Enforcement Node (enforces policy), App Connectors, Brokered connection
How it works
1. User attempts to access an app in the datacenter or cloud (e.g., SAP), leveraging either Z App or Browser Access.
2. Traffic is directed to the Zscaler Enforcement Node (ZEN):
• User is authenticated through the identity provider (IdP)
• Custom access policies are applied
• Access request signal is sent to the nearest App Connector
3. The App Connector closest to the app location responds and establishes an inside-out connection.
4. The app-to-user connection is securely stitched together within the Zscaler cloud.
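The brokered flow above, modelled as an added Python example (not Zscaler’s code): a broker stands in for the enforcement node, a connector registers outbound, and a request is granted a per-app tunnel only after identity, device posture and policy checks pass. The users, apps and site name are constructed for the illustration.

```python
"""Toy model of the brokered, inside-out access flow (added illustration,
not Zscaler code). Constructed users, apps and sites; no real network I/O."""
from dataclasses import dataclass, field


@dataclass
class Connector:
    """Sits next to the apps and dials OUT to the broker; it exposes no inbound port."""
    site: str
    apps: frozenset


@dataclass
class Broker:
    """Stand-in for the enforcement node: authenticates, applies policy, stitches tunnels."""
    policy: dict                                  # user -> set of app names the user may reach
    connectors: list = field(default_factory=list)
    audit: list = field(default_factory=list)     # every decision, ready for SIEM streaming

    def register(self, connector):
        # Precondition for step 3: the connector initiated this; the broker only listened.
        self.connectors.append(connector)

    def request(self, user, device_posture_ok, app):
        """Steps 1-4 for one request; returns a segment-of-one tunnel, 'deny' or 'unavailable'."""
        decision = self._decide(user, device_posture_ok, app)
        self.audit.append((user, app, decision))
        return decision

    def _decide(self, user, device_posture_ok, app):
        allowed = self.policy.get(user, set())     # unknown user -> nothing is allowed
        if not device_posture_ok or app not in allowed:
            # Same answer whether or not the app exists: an unauthorised user
            # cannot even learn which private apps are registered.
            return "deny"
        for c in self.connectors:                   # step 3: first registered connector hosting the app
            if app in c.apps:
                return f"tunnel:{user}->{app}@{c.site}"   # step 4: user-to-app only, no network access
        return "unavailable"                        # authorised, but no connector is online for it


def demo_broker():
    """Constructed scenario: one site with two apps, two users with different entitlements."""
    broker = Broker(policy={"alice": {"sap"}, "bob": {"hr", "sap"}})
    broker.register(Connector(site="indy-dc", apps=frozenset({"sap", "hr"})))
    return broker
```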
Top use cases for ZPA
• VPN Replacement
• Multi-cloud Adoption
• Accelerated M&A
• Secure Partner Access
The top questions asked about ZPA
1. What makes ZPA different from SSL/IPsec VPNs?
2. Do I need to rip out my existing VPNs?
3. How is ZPA different from other SDP solutions?
Thank You!
Try an SDP solution for yourself! Take ZPA for a test drive with our free 7-day hosted demo: https://www.zscaler.com/zpa-interactive
Kunal Shah, Principal Product Manager
Steve Bonek, Information Security Manager
VPN vs. ZPA: side-by-side comparison. See the performance difference as ZPA goes up against the VPN: https://zscaler.wistia.com/medias/161ir7rs9p
Editor's Notes

  • #4 New approach: policy-based access to specific applications. Fully software-based, no inbound gateway appliances. Based on Defense Information Systems Agency (DISA) work in 2007; popularized by Google BeyondCorp. Two key criteria before providing access to an app: user device (device posture) and user identity (authorized user access).
  • #5 SDP – Coined by Gartner
  • #12 Key talking points: compare the differences from a VPN or from other SDP solutions as you walk through the ZPA-specific architecture.
  • #13
    • VPN Replacement: No physical or virtual appliances. Effortless user experience. Application segmentation by default. No inbound connections to the network or apps.
    • Multi-cloud Adoption: Enable secure and accelerated adoption of cloud. Direct-to-cloud access creates an optimized user experience. Lessens network complexity; no site-to-site VPN needed.
    • Secure Partner Access: Application segmentation without network segmentation. Visibility and control of user/app activity. Simplicity for users accessing partner apps.
    • Accelerate M&A: No need to converge networks or NAT? Security to apps is standardized across all assets and users. Consistent user experience across all acquired or divested assets.
  • #14
    • How is ZPA different from an SSL/IPsec VPN? SSL VPNs and IPsec VPNs differ in how they create the tunnel between the user and an app, but not in what they do—both types of VPNs create a network connection. ZPA does not create a network connection to enable application access.
    • Cloud-based VPNs? No. VPN stands for Virtual Private Network. Zscaler Private Access doesn’t make a network connection, so it’s no kind of VPN at all. (As an aside, we considered naming the product ZPN for Zscaler Private Network…and we were hammered by the analysts for even bringing up the word “network!”)
    • How is ZPA different from other SDP solutions? Inside-out only connections. Other SDP solutions serve as a proxy which still needs DDoS protection and still grants network access. Additionally, we are SDP as a service and operate on our established Zscaler Cloud. Also, we are FedRAMP certified.
    • Do I need to rip out my existing VPNs? No. You can migrate on your schedule.
    • How, exactly, do we ensure that a user (regardless of user rights on the endpoint) can’t bypass Z App? Can’t the user just revert to using their VPN and go right past ZPA? To ensure that this could not happen, the admin would need to ensure that VPN access to the application is disabled.