Direct-to-cloud Issues & Implications Dale McCarty

DTC in the News “Just Like Everything Else in the Enterprise Space, Security is About to be Disrupted”

“ Trends Transforming IT 50% 90% 50% 75% Business Users go Mobile Users work from home or on-the-go Users who BYOD 50% 90% Cloud Apps go Mainstream Cloud-based applications used by an enterprise 50% Social goes Enterprise employees use Facebook at work 75% Mobile, Cloud & Social: Driving business beyond the corporate network (often without policy & protection) 80% of my MLPS traffic used to be for applications at my HQ and 20% was Internet bound. Now it’s just the opposite.” – CIO, Fortune 50 company “ This is the biggest transformation in IT security in the last 20 years.

MPLS backhaul kept life under control for IT Traditional it Branch Home/Hotspot Servers, applications & Data at Corp HQ or DC Protect the perimeter with firewalls Gateway proxies to protect Users MPLS backbone connected various offices No policy or protection Internet Backhaul Headquarters Internet MPLS Servers, applications & Data at Corp HQ or DC Internet access was not critical Protect the perimeter with firewalls On-prem firewall/IPS appliances protect servers from incoming attacks Gateway proxies to protect Users On-prem gateway proxies (URL, AV, DLP) enforced policies for users accessing Internet MPLS backbone connected various offices Branch – backhaul traffic to HQ or regional hub Road warriors – Require VPN 90% of the users were in the office. 90% of the access was to on-prem applications. The model worked fine. VPN Backhaul Regional Gateway Branch On the Road/Mobile MPLS backhaul kept life under control for IT

Internet breakout off-loaded MPLS circuits for ”trivial” applications The net effect Branch Home/Hotspot Perimeter becomes dynamic Applications & data are moving to the cloud Users embrace mobile apps Gateway proxies and firewalls get bypassed No policy or protection Internet Backhaul Headquarters Internet MPLS Servers, applications & Data at Corp HQ or DC Internet access was not critical Protect the perimeter with firewalls On-prem firewall/IPS appliances protect servers from incoming attacks Gateway proxies to protect Users On-prem gateway proxies (URL, AV, DLP) enforced policies for users accessing Internet MPLS backbone connected various offices Branch – backhaul traffic to HQ or regional hub Road warriors – Require VPN 90% of the users were in the office. 90% of the access was to on-prem applications. The model worked fine. VPN Backhaul Regional Gateway Branch On the Road/Mobile Internet breakout off-loaded MPLS circuits for ”trivial” applications

disappearing perimeter Branch Home/Hotspot Perimeter becomes “the world wide web” The Cloud becomes a Data Center Users are going direct to net for applications Policy can only be enforced in the Cloud Full policy & protection MPLS Headquarters Internet Applications & Data moved to the cloud A few years ago, 90% of my MPLS backbone traffic was for applications in my corporate DC and 10% was Internet bound. Now, it is just the opposite.” CIO, Fortune 50 company Users - often outside the corporate network VPN is not a desirable option. 3G/4G traffic does not go thru appliances even from the office Gateway proxies or firewalls get bypassed MPLS Backhauling is expensive Backhauling causes latency – unhappy users Enabling business beyond the corporate network Local breakout for Internet traffic - direct to the cloud Policy enforcement & protection – cloud-based Regional Gateway Branch On the Road/Mobile Direct-to-Cloud reduces MPLS backhaul & improves user experience

Geoip & “REAL” clouds Stockholm Oslo Moscow Amsterdam Gdansk Toronto Chicago (West) London Frankfurt (West) Frankfurt (South) Chicago (East) New York Paris Bern San Francisco Denver Herndon Sunnyvale Washington DC Madrid Tokyo Los Angeles Dallas Atlanta (North) Amman Ft. Worth Atlanta (South) Kuwait City Cairo S. Amer. Hub (Miami) Dubai Hong Kong Taipei Riyadh Mumbai Chennai Kuala Lumpur Nigeria Singapore Lima Sao Paulo Johannesburg Sydney Cape Town Santiago

DIRECT-to-Cloud topology Block the bad, protect the good Global check post Enforces business policy Mobile & Distributed Workforce Regional Office Home or Hotspot HQ On-the-go Cloud Services Social Media Cloud Apps Mobile Apps Botnet Exploits In a more simplistic picture – the best way to think of Zscaler, is as a global check-post sitting between your employees and the Cloud. In a more technical term some of you might view Zscaler as a Massively scalable and fast Proxy available anytime, globally from any device. Compliance-based security: URL filters & A/V Protection Risk-based security: Behavioral Analysis & Data Loss Prevention

What DIRECT-to-Cloud CAN …and CAN’t do Secure Users Not Infrastructure! (That is the role of traditional firewalls, IPS, etc.) Protect Data Proxy-based Data Loss Prevention and SSL Intercept & Decrypt Enable Applications Improve Response Time and Selective Access Streamline WAN Prioritize bandwidth by application and reduce backhaul

(and thank you for your attention!) Questions? (and thank you for your attention!)