It’s 2019 and your users are working from anywhere but the office, enterprise applications have migrated to the cloud or to hybrid environments, and VPN is no longer the answer to private application access in this new world of user-to-app connectivity.
2. Today’s needs aren’t solved with yesterday’s technology
Diagram: hub-and-spoke (“castle and moat”) architecture, with an inbound gateway facing the Internet to protect the corporate network.
• Risk is introduced by giving too much trust to users and networks
• Complexity of ACLs and firewalls can make remote access difficult to manage
• Users become frustrated with a poor experience
• Months often spent on getting infrastructure set up
3. Introducing the new world of Private Application Access
Virtual Private Network (VPN) access: the challenges of legacy application access
• Users are placed on the network to access apps
• User experience is painful and slow
• Lack of visibility into user and application activity
Software-defined Perimeter (SDP) access
• Enable “least privileged” access to private apps without granting network access, leveraging the software-defined perimeter (SDP)
Diagram: remote user → policy enforcement checkpost → public cloud or private cloud / on-premise DC
4. Software-Defined Perimeter (SDP)
A modern approach to remote access and zero trust: it abandons the network-centric design and instead secures private application access using a user- and app-centric approach.
“By 2021, 60% of enterprises will phase out network VPNs for digital business communications in favor of software-defined perimeters.” Gartner, November 2017
• Decouples private application access from network access
• 100% software-defined; no physical or virtual appliances needed
• Application access is micro-segmented and provisioned on a “least privileged” basis
• Advanced visibility into all user and app activity
• A different approach to zero trust than firewalls and users placed on the network
5. Three reasons SDP is the future of private application access
1. App access is detached from network access
• Users are never placed on the network
• Stops overprivileged access via inside-out connections
• No longer need to leverage VPNs
2. Minimize risk with micro-segmentation
• On-demand TLS microtunnels eliminate lateral movement between apps
• Enforce policies to create secure segments of one between user and app
• No more ACL and FW policies to manage
3. Monitor any suspicious activity
• Granular visibility into all user and app activity
• Discover previously unknown apps and apply granular controls
• Automatic log streaming to SIEM, both historical and real-time
7. Who are we?
Location: Indiana, USA
Industry: Healthcare Services
User Count: 1,700 employees
• TRIMEDX is a healthcare technology management organization performing clinical engineering and clinical asset management services.
• TRIMEDX started in the 1990s in the basement of St. Vincent Hospital in Indianapolis, Indiana.
• Today, the company is in more than 1,800 healthcare locations across the United States and the Cayman Islands.
The Challenge
• Remote workstations not receiving approved patches in a timely fashion.
• Remote users had no need to use the traditional VPN on a daily basis.
• Remote users were not prompted to change their password.
8. The Solution
• Must work for remote TRIMEDX technicians
• Must be seamless for the end-user
• Must be secure
The Benefits
• Decreased vulnerabilities for remote workstations
• Ensured compliance with policies and consistent password changes
• Better user experience
Looking Forward
• Finalize retirement of existing VPN solution
• Investigate possible uses as part of Aramark HCT acquisition
• Utilize solution for any new Private Cloud applications
10. Zscaler Private Access: fast, secure, software-defined access to private apps
Diagram: BYOD, branch and remote users reach internally managed apps in the public cloud or private cloud / data center.
The 4 Tenets
• Application access is decoupled from network access.
• Micro-segmentation, not network segmentation.
• Inside-out connectivity makes private apps invisible.
• Double encrypted micro-tunnels ensure secure, segmented access to private apps.
11. How Zscaler’s SDP architecture works
Diagram: Zscaler App / Browser Access (1) → Zscaler Enforcement Node (2, enforces policy) → App Connectors (3) → brokered connection (4).
1. User attempts to access an app in the datacenter or cloud (e.g., SAP), leveraging either Z App or Browser Access.
2. Traffic is directed to the Zscaler Enforcement Node (ZEN):
• User is authenticated through the IDP provider
• Custom access policies are applied
• Access request signal is sent to the nearest App Connector
3. The App Connector closest to the app location responds and establishes an inside-out connection.
4. The app-to-user connection is securely stitched together within the Zscaler cloud.
13. The top questions asked about ZPA
1. What makes ZPA different from SSL/IPsec VPNs?
2. Do I need to rip out my existing VPNs?
3. How is ZPA different from other SDP solutions?
14. Thank You!
Try an SDP solution for yourself! Take ZPA for a test drive with our free 7-day hosted demo: https://www.zscaler.com/zpa-interactive
Kunal Shah, Principal Product Manager
Steve Bonek, Information Security Manager
VPN vs. ZPA: side-by-side comparison. See the performance difference as ZPA goes up against the VPN: https://zscaler.wistia.com/medias/161ir7rs9p
Editor's Notes
New approach - policy-based access to specific applications
Fully software-based – no inbound gateway appliances
Based on Defense Information Systems Agency (DISA) work in 2007
Popularized by Google BeyondCorp
Two key criteria before providing access to an app:
User device – device posture
User identity – authorized user access
SDP – Coined by Gartner
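The four-step flow on slide 11 (user → enforcement node → App Connector → brokered connection) and the two access criteria listed above (user identity and device posture) can be modelled in a few dozen lines. The Python below is an added illustration written for this page; it is not Zscaler code and does not use any ZPA API. The broker and connector classes, the IdP group map, the policy fields, the app names and the internal addresses are all constructed for the example, and "connections" are method calls rather than sockets. What it shows is the property the slides rely on: the connector only ever dials out (to the broker and to the app), the broker decides on identity plus posture before any app-side connection exists, and a denied request, an unknown user or an app with no policy yields nothing the user could route to.

```python
"""Toy model of brokered, inside-out private-app access (SDP style).

Added illustration for this page, not Zscaler code. All names, groups,
policies and addresses below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Posture:
    """Device posture reported by the client agent (constructed fields)."""
    os_patched: bool
    disk_encrypted: bool


@dataclass(frozen=True)
class Policy:
    """Per-app policy: which IdP groups may reach it and what posture it needs."""
    allowed_groups: frozenset
    require_patched: bool = True
    require_encrypted: bool = True


@dataclass
class AppConnector:
    """Runs next to the apps. It only ever dials OUT: once to register with the
    broker, then per request to one named app. It has no listening port, so
    nothing on the user side can address it directly."""
    name: str
    apps: dict                              # app name -> internal address (constructed)
    outbound: list = field(default_factory=list)

    def register(self, broker):
        broker.connectors.append(self)      # outbound call: connector -> broker
        self.outbound.append(f"{self.name} -> broker")

    def dial(self, app):
        self.outbound.append(f"{self.name} -> {app}@{self.apps[app]}")
        return f"tunnel({self.name}->{app})"


class Broker:
    """Policy enforcement point (the ZEN role in the slide). Authenticates the
    user against an IdP stub, evaluates the app policy, and only then asks a
    connector to dial the app. The user never sees an app address or route."""

    def __init__(self, idp_groups, policies):
        self.idp_groups = idp_groups        # user -> frozenset of groups (IdP stub)
        self.policies = policies            # app name -> Policy
        self.connectors = []
        self.audit = []                     # (user, app, decision): the SIEM feed

    def evaluate(self, user, app, posture):
        """Identity first, then per-app authorization, then device posture."""
        groups = self.idp_groups.get(user)
        if groups is None:
            return "deny:unknown-user"
        pol = self.policies.get(app)
        if pol is None:
            return "deny:no-policy"         # an app with no policy is invisible
        if not groups & pol.allowed_groups:
            return "deny:not-authorized"
        if pol.require_patched and not posture.os_patched:
            return "deny:posture-unpatched"
        if pol.require_encrypted and not posture.disk_encrypted:
            return "deny:posture-unencrypted"
        return "allow"

    def request_access(self, user, app, posture):
        """Steps 1-4 of the slide-11 flow for one access attempt."""
        decision = self.evaluate(user, app, posture)          # step 2: IdP + policy
        connector = None
        if decision == "allow":
            # step 2 (cont.): signal the nearest connector that can reach the app
            connector = next((c for c in self.connectors if app in c.apps), None)
            if connector is None:
                decision = "deny:no-connector"
        self.audit.append((user, app, decision))             # logged either way
        if decision != "allow":
            return None                                       # no address, no route
        # steps 3-4: connector dials out to the app; broker stitches the two legs
        return connector.dial(app)


def build_demo():
    """Constructed sample environment: one connector, two apps, two users."""
    broker = Broker(
        idp_groups={"alice": frozenset({"finance"}), "bob": frozenset({"eng"})},
        policies={
            "sap": Policy(frozenset({"finance"})),
            "wiki": Policy(frozenset({"finance", "eng"}), require_encrypted=False),
        },
    )
    AppConnector("dc-connector-1",
                 {"sap": "10.0.5.20:443", "wiki": "10.0.5.30:443"}).register(broker)
    return broker


if __name__ == "__main__":
    b = build_demo()
    ok = Posture(os_patched=True, disk_encrypted=True)
    print(b.request_access("alice", "sap", ok))   # tunnel(dc-connector-1->sap)
    print(b.request_access("bob", "sap", ok))     # None
    print(b.audit)
    print(b.connectors[0].outbound)               # every entry is connector -> something
```

The point to notice when running it is the `outbound` log on the connector: every entry originates at the connector, which is the whole of what "inside-out" means here, and the denied attempts still appear in `audit` even though no connection was ever made.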
Key talking points:
- Compare ZPA with a VPN and with other SDP solutions as you walk through the ZPA-specific architecture
VPN Replacement:
No physical or virtual appliances
Effortless user experience
Application segmentation by default
No inbound connections to the network or apps
Multi-cloud Adoption:
Enable secure and accelerated adoption of cloud
Direct-to-cloud access creates optimized user experience
Lessens network complexity, no site-to-site VPN needed
Secure Partner Access:
Application segmentation without network segmentation
Visibility and control of user/app activity
Simplicity for users accessing partner apps
Accelerate M&A:
No need to converge networks or NAT?
Security to apps is standardized across all assets and users.
Consistent user experience across all acquired or divested assets
How is ZPA different from an SSL/IPsec VPN?
• SSL VPNs and IPsec VPNs differ in how they create the tunnel between the user and an app, but not in what they do—both types of VPNs create a network connection. ZPA does not create a network connection to enable application access.
Cloud-based VPNs?
• No. VPN stands for Virtual Private Network. Zscaler Private Access doesn’t make a network connection, so it’s no kind of VPN at all. (As an aside, we considered naming the product ZPN for Zscaler Private Network…and we were hammered by the analysts for even bringing up the word “network!”)
How is ZPA different from other SDP solutions?
• Inside-out only connections
• Other SDP solutions serve as a proxy, which still needs DDoS protection and still grants network access
• Additionally, we are SDP as a service and operate on our established Zscaler Cloud. We are also FedRAMP certified.
Do I need to rip out my existing VPNs?
• No. You can migrate on your schedule.
How, exactly, do we ensure that a user (regardless of user rights on the endpoint) can’t bypass Z App? Can’t the user just revert to using their VPN and go right past ZPA?
• To ensure that this could not happen, the admin would need to ensure that VPN access to the application is disabled.