©2018 Zscaler, Inc. All rights reserved.0
Faster, Simpler, and more Secure access to apps on AWS
Sam Hennessy
Senior Solution Architect, AWS
samhen@amazon.com
Patrick Foxhoven
CIO, Zscaler
p@zscaler.com
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Migration Patterns
• Dev/Test
• New Applications
• Existing Applications
• Business Critical Applications
• Data Center Migrations
• All In
AWS Metrics
• Millions of Active Customers Every Month
• S3 Holds Trillions of Objects and Peaks at Millions of Requests per Second
• More than 73,000 Databases Have Been Migrated with Database Migration Service
• More than 100,000 Customers Use Amazon DynamoDB
• Tens of Thousands of Customers are Using AWS Machine Learning Services
AWS Shared Responsibility Model
AWS responsibilities:
• Facilities
• Physical security
• Compute infrastructure
• Storage infrastructure
• Network infrastructure
• Virtualization layer (EC2)
• Hardened service endpoints
• Rich IAM capabilities
Customer responsibilities:
• Network configuration
• Security groups
• OS firewalls
• Operating systems
• Applications
• Proper service configuration
• AuthN & acct management
• Authorization policies
AWS + Customer = More secure and compliant systems than any one entity could achieve on its own at scale
• Scope of responsibility depends on the type of service offered by AWS: Infrastructure, Container, Abstracted Services
• Understanding who is responsible for what is critical to ensuring your AWS data and systems are secure!
Shared Responsibility Model
AWS is responsible for the security OF the Cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for their security and compliance IN the Cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption
• Server-side Data Encryption
• Network Traffic Protection
Benefits and Challenges
• Benefits
• Abstract the Responsibility
• Experienced Security Team
• Ease of Adoption of Complex Security Requirements
• Large Set of Security Tools, and a Huge Partner Ecosystem
• Challenges
• There Are No Restrictions on Your Configuration
• A Lack of Understanding Can Lead to Serious Consequences
The IT world has evolved… but app access hasn’t
Cloud and mobility extend the perimeter to the internet
[Diagram: Public Cloud, SaaS and Open Internet alongside MPLS links]
“GE will run 70% of our workloads in the cloud by 2020.” Jim Fowler, CIO, GE (1)
“The Internet will become the new corporate network.” Frederik Janssen, Head of Infrastructure, Siemens (2)
Over 60% of browser-based traffic is encrypted using SSL (3)
Backhauling traffic is expensive and provides a poor user experience. Who likes VPN?
Network security is becoming less relevant. A new approach is needed.
Do we control the Internet? How do you secure the network?
Business critical apps like SAP are now running on AWS
• High value asset with sensitive customer data
• Mission-critical business functions
• Attacks can be extremely costly
• Often complex with large attack surface
Common Threats
• Malicious insiders – Data purposely exposed to public by an employee
• Cyber criminals – Stolen data used for ransom or personal financial gain
• State sponsored attacks
• Hacked employee devices – Malware that spreads laterally across network
• Third-party users – Partners with overprovisioned access to internal apps
The Problem – Application access often looks like this
[Diagram: Remote User (C-Level Exec) reaching internal apps through Global LB, DDoS, Ext. FW / IPS, Internal LB, Internal FW, RAS (VPN) and Site-to-site VPN]
• Users become frustrated with slow VPN experience. Risk is introduced as users are placed on the network, or they find workarounds
• Complexity: ACLs and firewalls make remote access difficult to manage
• Months spent on just getting infrastructure set up
How mobile users feel with current experience
Common challenges of cloud adoption
1. Legacy technology lacks ability to provide cloud-like user experience
2. Takes months to implement, slowing app migration efforts
3. Requires additional appliances to be purchased and deployed
4. Setting up site-to-site VPN for user traffic to traverse
5. Connecting employees to cloud means access to the network
Enterprises need to embrace a zero-trust security model
• Never automatically trust anything inside or outside perimeters
• Reduce the attack surface by reducing # of users able to access an application
• Provide access on a strict “need to know” basis
• Verify before granting any level of access to an application
• Create a segment of one between a named user and a named application
Zero trust via software-defined perimeter
• New approach that uses software to provide policy-based access to specific applications
• Fully software-based allowing for decommissioning of inbound gateway appliances
• Based on Defense Information Systems Agency (DISA) work in 2007
• Popularized by Google BeyondCorp
• Two key criteria before providing access to an app: user device (device posture) and user identity (authorized user access)
[Diagram: User device (requests connection) → Centralized Policy Engine (approves user connection) → Applications (access based on policy)]
Zscaler enables secure IT transformation to the cloud
Fast and secure policy-based access to applications and services over the Internet
Any device, any location, on-network or off-network (HQ, mobile, branch, IoT)
Security functions delivered from the cloud: Global load balancing, Distributed denial of service protection, External firewall / intrusion prevention, VPN concentrator, Internal firewall, Internal load balancer, Firewall / intrusion prevention, URL filter, Anti-virus, Data loss prevention, Secure sockets layer inspection, Sandbox
• Externally managed – Zscaler Internet Access: securely connects users to externally managed SaaS applications and internet destinations (open internet, SaaS)
• Internally managed – Zscaler Private Access: securely connects authorized users to internally managed applications (private cloud / on-premise data center)
Zscaler Private Access
Zero trust access to internal applications
Built on key security tenets that enable secure cloud migration
1. Users are never placed on the corporate network
2. Applications never listen for inbound pings or connections
3. Application segmentation, not network segmentation
4. The internet becomes the new corporate network
ZPA: Zero trust security for all apps, users and environments
Fast and secure policy-based access to applications over the Internet
[Diagram: HQ, mobile, branch and IoT users reaching internally managed apps in the public cloud, private cloud and data center]
Primary Use Cases
• Simplify access to hybrid cloud apps
• VPN Replacement
• Accelerate M&A processes
• Secure third-party access
Modern Approach to Remote Access
• Remote users never placed on network. Reduces lateral attacks
• No inbound connectivity to apps. Invisible to unauthorized users
• Application segmentation
• Standardized access for all users & environments
ZPA: How it works
Zero trust security architecture: the Zscaler cloud brokers a secure connection between the Z-Connector and Z-App
1. Z-App – carries the access request for app1
2. Z-broker (aka ZEN) – controls user app access rights (auth before access)
3. Z-Connectors – sit in front of apps, outbound-only connection
[Diagram: user device with Z-App → ZPA Cloud (Z-broker) → Z-Connectors in front of workloads in AWS and in the datacenter; AWS Direct Connect between the datacenter and AWS for server to server traffic]
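The software-defined-perimeter slide and the ZPA "how it works" slide both describe the same decision: a centralized policy engine (the Z-broker, "auth before access") checks user identity and device posture before brokering a named user to a named application. The following is an added example, not Zscaler's or ZPA's code, showing that decision as a small default-deny engine; the attribute names, posture checks, group names and policies are constructed for this example. It also shows the "invisible to unauthorized users" property: an application the user is not entitled to gets the same answer as one that does not exist.

```python
"""Centralized policy engine for a software-defined perimeter.

Added example, not Zscaler's or ZPA's code. It models the two criteria the
slides name (user identity and device posture) and the broker's
"auth before access" step: a user device asks for a named application, the
engine evaluates policy, and only an approved (user, application) pair is
brokered. Attribute names, posture checks and policies are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """Who is asking; groups would normally arrive as SAML attributes."""
    user: str
    groups: frozenset


@dataclass(frozen=True)
class DevicePosture:
    """What is asking; collected by the client (the Z-App in the slides' terms)."""
    managed: bool
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class AppPolicy:
    """Which identities may reach one named application, and on what devices."""
    name: str
    allowed_groups: frozenset
    require_managed: bool = True
    require_encryption: bool = True
    require_patched: bool = False


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    segment: tuple = ()  # the (user, app) pair the broker may connect; empty on deny


# One reason for every identity failure and every unknown app, so a probing
# user cannot tell "app exists but not for you" from "app does not exist".
_INVISIBLE = "no policy grants this user access to that application"


class PolicyEngine:
    def __init__(self, policies):
        self._policies = {p.name: p for p in policies}

    def evaluate(self, identity, posture, app):
        """Default deny: identity first, then posture, then a segment of one."""
        policy = self._policies.get(app)
        if policy is None or not (identity.groups & policy.allowed_groups):
            return Decision(False, _INVISIBLE)
        if policy.require_managed and not posture.managed:
            return Decision(False, "device is not managed")
        if policy.require_encryption and not posture.disk_encrypted:
            return Decision(False, "device disk is not encrypted")
        if policy.require_patched and not posture.os_patched:
            return Decision(False, "device OS is not patched")
        return Decision(True, "identity and posture satisfy policy", (identity.user, app))

    def visible_apps(self, identity, posture):
        """Applications this user, on this device, would be brokered to right now."""
        return sorted(a for a in self._policies
                      if self.evaluate(identity, posture, a).allow)


# Constructed sample policies and principals for a stand-alone run.
ENGINE = PolicyEngine([
    AppPolicy("sap-gui", frozenset({"sap-users"}), require_patched=True),
    AppPolicy("wiki", frozenset({"employees"})),
])
ALICE = Identity("alice", frozenset({"employees", "sap-users"}))
BOB = Identity("bob", frozenset({"employees"}))
HEALTHY = DevicePosture(managed=True, disk_encrypted=True, os_patched=True)
UNPATCHED = DevicePosture(managed=True, disk_encrypted=True, os_patched=False)

if __name__ == "__main__":
    for who in (ALICE, BOB):
        for device, label in ((HEALTHY, "healthy"), (UNPATCHED, "unpatched")):
            print(who.user, label, ENGINE.visible_apps(who, device))
    print("bob -> sap-gui:", ENGINE.evaluate(BOB, HEALTHY, "sap-gui").reason)
```

The order of checks matters for the "invisible" property: identity is evaluated before posture, so a user outside the application's groups never receives a posture-specific reason that would confirm the application exists.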
User access to AWS migrated workloads using ZPA
[Diagram: users on the Internet reach Z-brokers; ZPA Connectors run in private subnets in US West (N. California, us-west-1) and EU (London, eu-west-2) and in the legacy datacenter]
Enterprise benefits
Experience
• Direct access to AWS
• No VPN login
• Cloud-like experience
Security
• Users never on network
• Apps segmented via policy
• Visibility into user activity
Simple
• Simple implementation
• Access from any device
• Less network complexity
Cost
• No appliances
• Less inbound service spend
• Optimize bandwidth use
Location: Germany
Industry: Manufacturing
User Count: 12,000 users in over 100 locations and 70 countries
Zscaler Products: ZPA, ZIA
Use Case:
• VPN retirement
• Secure cloud adoption
• Zero-trust adoption
The challenge
• MAN Diesel was undertaking a massive cloud (AWS) adoption, and needed a better way to provide remote access to internal applications.
• Needed more visibility into their network and to ensure true zero trust access to their internal applications
Benefits of Zscaler Platform
• Enabled zero-trust security through application segmentation and enforcing granular policies via the Zscaler Security Cloud.
• Users and devices are never allowed on the network, which increases security and decreases risk, creating a zero-trust network.
Getting ZPA setup within AWS in an hour
Step 1: Configure User Auth (20 minutes)
1. Add ZPA as a new Service Provider (SP) within your AD (5 minutes)
2. Assign ZPA to test users within IdP, select SAML attributes to send (5 minutes)
3. Import IdP’s metadata into ZPA admin console (5 minutes)
4. Test User Authentication and SAML Attributes (5 minutes)
Step 2: Deploy Connector (45 minutes)
1. Configure connector provisioning keys via ZPA Setup Wizard (5 minutes)
2. Download and deploy ZPA Connector VPN or RPM package from AWS Marketplace (10 minutes)
3. Configure Connector Networking and Network Security policies (20 minutes)
4. Verify and Test Connector Health: Access to DNS, Routing to Internal Apps (10 minutes)
Step 3: Install Zscaler App (15 minutes)
1. Configure Z-App Traffic Forwarding Policy and App Profile (10 minutes)
2. Download and deploy Z-App on User Devices (5 minutes)
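The connector steps above ("Configure Connector Networking and Network Security policies", then "Verify and Test Connector Health") are where the outbound-only tenet is either enforced or lost: the connector only dials out, so its security group should carry no inbound rules and only deliberate egress. The following is an added example, not Zscaler's or AWS's code, that audits the JSON shape returned by `aws ec2 describe-security-groups` against that model. The permitted port set (TCP/443 out to the Zscaler cloud, DNS and application ports only into private address space), the group ids and the rules in the sample are assumptions constructed for this example, not a vendor requirement list.

```python
"""Outbound-only check for a ZPA connector security group.

Added example, not Zscaler's or AWS's code. It walks the JSON that
`aws ec2 describe-security-groups` returns and flags anything that breaks
the connector model on the slides: no inbound rules at all, and egress
limited to TCP/443 towards the Zscaler cloud plus DNS and application ports
inside private address space. The permitted port set, the group ids and the
rules below are assumptions constructed for this example.
"""
import ipaddress

BROKER_PORT = 443  # the connector dials out to the Z-broker over TLS (assumed port)
# Internal apps and the VPC resolver are assumed to live in RFC 1918 space.
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(cidr):
    """True when the whole CIDR sits inside RFC 1918 space (0.0.0.0/0 does not)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_RANGES)


def describe(rule, cidr):
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return f"all traffic to/from {cidr}"
    return f"{proto}/{rule.get('FromPort')}-{rule.get('ToPort')} to/from {cidr}"


def check_connector_sg(sg):
    """Return findings for one security group; an empty list means it passes."""
    gid = sg.get("GroupId", "<unknown>")
    findings = []
    # Tenet 2 on the slides: nothing behind the connector listens for inbound connections.
    for rule in sg.get("IpPermissions", []):
        for rng in rule.get("IpRanges", []):
            findings.append(f"{gid}: inbound rule {describe(rule, rng['CidrIp'])}; "
                            "connector must have no ingress rules")
    for rule in sg.get("IpPermissionsEgress", []):
        proto = rule.get("IpProtocol")
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        for rng in rule.get("IpRanges", []):
            cidr = rng["CidrIp"]
            if proto == "-1":
                findings.append(f"{gid}: allow-all egress to {cidr}; replace with explicit ports")
            elif is_private(cidr):
                continue  # DNS and internal application ports stay inside private space
            elif not (proto == "tcp" and lo == BROKER_PORT and hi == BROKER_PORT):
                findings.append(f"{gid}: egress {describe(rule, cidr)} leaves private space "
                                f"on something other than TCP/{BROKER_PORT}")
    return findings


def audit(describe_output):
    """Map every group id in a describe-security-groups document to its findings."""
    return {sg["GroupId"]: check_connector_sg(sg)
            for sg in describe_output.get("SecurityGroups", [])}


# Constructed sample in the describe-security-groups shape: one group that
# follows the outbound-only model and one that keeps the default allow-all egress.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-example-good", "GroupName": "zpa-connector",
     "IpPermissions": [],
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "10.0.0.2/32"}]},
         {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-example-bad", "GroupName": "zpa-connector-default",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}

if __name__ == "__main__":
    for gid, findings in audit(SAMPLE).items():
        print(gid, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

The check deliberately avoids `ipaddress`'s `is_private` property and tests containment in RFC 1918 ranges instead, because on several Python versions `ip_network("0.0.0.0/0").is_private` reports True and would let an allow-all rule pass. In practice the input would be the output of `aws ec2 describe-security-groups` for the connector's group; the sample document here stands in for it.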
Zero trust access to internal apps across hybrid infrastructure
Cloud-based security: the access users want, with the security you need
1. Secure access to apps in datacenter & AWS
2. Authorized access to specific apps
3. Fast and seamless experience
4. Optimize bandwidth usage
[Diagram: HQ, on-the-go and branch users]
Visit zscaler.com/aws to learn more
Take ZPA for a Test-drive with ZPA Interactive!
zscaler.com/zpa-interactive
Learn about the AWS Shared Responsibility Model
https://aws.amazon.com/compliance/shared-responsibility-model/
Thank You!
Questions and Next Steps
Sam Hennessy
Senior Solution Architect, AWS
Patrick Foxhoven
CIO, Zscaler