Are you using or ready to deploy Microsoft Cloud App Security (MCAS)? While having CASB visibility and control is key to a good cloud app strategy, it is only as good as the traffic it can see. Zscaler and Microsoft have partnered to deliver key MCAS integrations that help you confidently embrace cloud apps and minimize the risks associated with unsanctioned apps.

1. ©2017 Zscaler, Inc. All rights reserved. | ZSCALER CONFIDENTIAL INFORMATION0
ZSCALER CONFIDENTIAL INFORMATION
Maximize your cloud app control with
Microsoft MCAS and Zscaler
Dhawal Sharma | Director of Product Management at Zscaler
Niv Goldenberg | Group Program Manager at Microsoft

2. ©2017 Zscaler, Inc. All rights reserved. | ZSCALER CONFIDENTIAL INFORMATION1
To ask a question
• Type your questions into the chat box in the Webex
panel or email us at communications@zscaler.com
• We’ll try to get to all questions during the Q&A
session. If we do not get to your question, we’ll make
sure to follow up afterwards
• At the end of the webcast – please let us know how
we did!
©2017 Zscaler, Inc. All rights reserved.
Ask your question here…

3. ©2017 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION.
HQ
Branch
Branch
Branch
Branch
Branch Branch BranchBranch
Home, Coffee Shop Airport, Hotel
SaaS Open Internet IaaS
Cloud and Mobility Break Network Security
The Internet is Your New Corporate Network
“GE will run 70 percent of its
workload in the cloud by 2020”
Jim Fowler, CIO
“The Internet will be our new
corporate network by 2020”
Frederik Janssen, Head of Infrastructure
“Office 365 was built to be accessed
via direct Internet connection”
How do you secure a network (Internet) you don’t control?
EMEAAPJ

4. ©2017 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION.
Cloud and mobility break network security
HQ
EMEA
Branch
APJ
Branch
Branch
Branch
Branch Branch BranchBranch
Zscaler enables secure network and application transformation
NEW SECURITY MODEL
Secure the Network
Securely connect users to apps
Direct to Internet
Broadband / Wi-Fi / LTE / 5G
NEW NETWORK
MODEL
OLD SECURITY
MODEL
Hub-and-Spoke
MPLS / VPN
OLD NETWORK
MODEL
Secure the Corporate Network
SaaS Open Internet IaaS
Home, Coffee
Shop
Airport, Hotel

5. On average, an organization has 28 cloud storage apps and
41 collaboration apps routinely used by its employees.
On-premises

6. But Office 365 Deployments are stuck in the slow lane!
A deployment survey of over 200 customers
had problems accessing
business-critical applications
including Office 365.
45%
Many were plagued by bandwidth
and network latency issues on a
daily and weekly basis
70%Weekly issues
reported
33%Daily issues
reported
Despite appliance upgrades, after deployment:

7. ©2017 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION.
Categorize Cloud Apps Into Categories
• After discovery, categorize cloud services (CSP) using risk ratings and company policies
• Separate cloud services into sanctioned, permitted, and restricted services
• Enforce appropriate controls for each category
Sanctioned Apps Permitted Apps Restricted Apps

8. ©2017 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION.
Zscaler Provides CASB Functions for Inline Content
Internet &
Shadow Apps
(managed devices and on-premise)
Allow enterprises to
securely enable cloud apps
by providing Cloud App
Visibility, Content
Inspection, Security and
Cloud App Compliance
Visibility
App Logging & Discovery
Threat Prevention
Stop Malware
Data Protection
DLP & Encryption
Compliance
UEBA, Access Controls
User Experience
Bandwidth Control, Peering
Vision
HQMobile BranchIOT
Inline Policy Controls

9. © 2017 Riverbed Technology. All rights reserved. 8
Cloud App Security

10. ©2017 Zscaler, Inc. All rights reserved. | ZSCALER CONFIDENTIAL INFORMATION9
Microsoft Cloud Application
Security (MCAS) Overview

11. A comprehensive, intelligent security solution that brings visibility, real-time
controls and security to your cloud applications.
ControlDiscover Protect
Integrates with your SIEM, Identity and Access Management, DLP and Information Protection solutions

12. Discover and
assess risks
Protect your
information
Detect
threats
Control access
in real time
Identify cloud apps on your
network, gain visibility into shadow
IT, and get risk assessments and
ongoing analytics.
Get granular control over data
and use built-in or custom
policies for data sharing and
data loss prevention.
Identify high-risk usage and
detect unusual behavior using
Microsoft threat intelligence
and research.
Manage and limit cloud app
access based on conditions and
session context, including user
identity, device, and location.
101010101
010101010
101010101
01011010
10101

13. Get anomalous usage alerts, new app and
trending apps alerts.
On-going analytics
Discover 15K+ cloud apps in use across your
networks and sensitive data they store.
Discovery of cloud apps and data
Assess cloud app risk based on ~60 security and
compliance risk factors.
Cloud app risk assessment
Protect your employees’ privacy while discovering
cloud apps in your environment.
Log anonymization
Investigate cloud use profiles of specific users,
machines, apps and groups.
Advanced investigation tools

14. Control access to cloud apps as well as to
sensitive data within these apps based on user,
location, device, and app (any SAML-based
app, any OS).
Context-aware session policies
Limit activities performed within user sessions
in SaaS apps based on user identity, location,
device state, and detected sign-in risk level.
Unique integration with Azure Active Directory
Enforce browser-based “view only” mode for
low-trust sessions. Classify, label, and protect
on download. Gain visibility into unmanaged
device activity.
Investigate & enforce app and data restrictions

15. Set granular policies to control data in the
cloud—either automated or based on file
label—using out-of-the-box policies or ones
you customize.
Granular Data loss prevention (DLP) policies
Control and protect sensitive files through
policies and governance to comply with
regulations (e.g., GDPR, HIPAA, PCI, SOX).
Compliance policies
Identify policy violations, enforce actions such
as quarantine and permissions removal.
Policy enforcement
Apply protection, including encryption and
classification, to files with sensitive
information
Native protection – at rest and inline

16. User manually classifies a file in Office apps,
Cloud App Security reads classification from the
file to give admins visibility to cloud activities on
this data: Upload, sharing & download.
Sharing control based on user input
Proxy automatically encrypts files labeled as
“internal” upon download to non-corporate
owned devices
Prevent corporate data leakage based on
classification

17. Assess risk in each transaction and identify
anomalies in your cloud environment that may
indicate a breach.
Behavioral analytics
Enhance behavioral analytics with insights
from the Microsoft Intelligent Security
Graph to identify anomalies and attacks.
Threat intelligence
Customize detections based on your findings.
Customization
Gain useful insights from user, file, activity, and
location logs. Pivot on users, file, activities and
locations.
Advanced investigation & multiple views
Remediate threats and security issues
with a single click.
Single-click remediation

18. Why Cloud App Security is different
Discover SaaS apps & assess risk
Identify more than 15,000 apps and assess their
risk based on 60 different parameters, including
regulatory compliance.
Gain unified information protection
Set granular control policies and enforce them
on your cloud apps and data—whether from
Microsoft or other vendors—using powerful
remediation actions.
Control and limit access in real time
Set granular access- and activity-level policies,
such as allowing access from an unmanaged
device while blocking downloads of sensitive
data.
Support your compliance
journey with key regulations
Discover and control data in the cloud with
granular policies to help you comply with
regulations such as Payment Card Industry (PCI)
and General Data Protection Regulation (GDPR).
Detect & mitigate ransomware attacks
Identify potential ransomware activity with a
built-in template that can search for unique file
extensions, suspend suspect users, and prevent
further encryption of user files.
Integrate with your existing
SIEM & DLP solutions
Preserve your usual workflow and set a
consistent policy across on-premises and cloud
activities while automating security procedures.

19. ©2017 Zscaler, Inc. All rights reserved. | ZSCALER CONFIDENTIAL INFORMATION18
MCAS and Zscaler Use Cases

20. ©2017 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION.
Users: Identify and Control Restricted Apps
Protect users and data
using closed loop control
(Zscaler)
Restricted Apps
Discover risky cloud usage
(Zscaler + Microsoft Cloud
App Security)

21. ©2017 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION.
Users and Data: Securely Enable Permitted Apps
Permitted Apps
DLP to block sensitive data
(e.g. Source code uploaded to GitHub)
(Zscaler)
Granular visibility
(e.g. GitHub repositories in use)
(Microsoft Cloud App Security)
Visibility into mobile users
(e.g. GitHub use from a coffee shop)
(Zscaler)
Granular DLP
(e.g. Allow uploads to
permitted GitHub repositories,
block uploads to others)
(Zscaler & Microsoft Cloud App Security)
Detect and prevent malware
(e.g. malware distributed via personal email)
(Zscaler)

22. ©2017 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION.
Data: Securely Enable Adoption of Sanctioned Apps
Sanctioned Apps
Enforce DLP and collaboration controls
(e.g. Prevent sharing files from OneDrive with
unauthorized domains)
(Microsoft Cloud App Security)
Encrypt data using customer-controlled keys
(e.g. Encrypt PII within Salesforce)
(Microsoft Cloud App Security)
Audit data and configuration,
identify violations
(Microsoft Cloud App Security)
Enforce access control policies on
managed/unmanaged devices
(e.g. Block download of a Salesforce
report to an unmanaged device)
(Zscaler + Microsoft Cloud App Security)
UEBA to protect against malicious insiders,
negligent use, and compromised accounts
(e.g. Download customer list from Salesforce)
(Microsoft Cloud App Security)
Data exfiltration by malware and
malicious insiders to shadow apps
(e.g. Download customer list from
Salesforce and upload to ZippyShare)
(Zscaler)
Predictable user experience
(e.g. Guaranteed bandwidth for
O365 vs. YouTube)
(Zscaler)

23. ©2017 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION.
Zscaler and MCAS Integration

24. ©2017 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION.
Setting up Zscaler & Microsoft Cloud App Security Integration
Microsoft
Cloud App
Security
Tenant Bonding Tenant Bonding
SSO
Zscaler NSS Log Forwarding
Create Unsanctioned
App PolicyAPI Polling
Unsanctioned Apps
URL category
SSO
Enforce
Policy
End User
PAC/ZApp
Planned with 5.6

25. ©2017 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION.
Solution Demo

26. ©2017 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION.
Thank You!
Questions and Next Steps
25
Dhawal Sharma
Director, Product Management at Zscaler
dhawal@zscaler.com
Zscaler Cloud App Control
zscaler.com/cloudapp
Microsoft Cloud App Security
aka.ms/Cloudappsecurity
Overcoming the Challenges of
Architecting for the Cloud
Slow Office 365 Deployment?
Let Zscaler help you get in the fast lane!
zscaler.com/webcasts
Niv Goldenberg
Group Program Manager at Microsoft
Niv.Goldenberg@microsoft.com
Learn more about Microsoft Cloud App Security
zscaler.com/webcasts
Other On-Demand Webcasts

27. ©2017 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION.
June 25-27, 2018
The Cosmopolitan, Las Vegas
Register at zenithlive.zscaler.com
Join the conversation at
community.zscaler.com