Products and Solutions | Blog category feed
https://www.zscaler.jp/
Zscaler blog: the latest news and insights on cloud security (language: ja)

Demystifying Workload Security in Google Cloud Platform | Fri, 01 Dec 2023 08:01:01 -0800 | Siripuram Pavan Kumar | https://www.zscaler.jp/blogs/product-insights/demystifying-workload-security-google-cloud-platform
Outsmart Evasive HTML Smuggling Attacks with AI-Powered Browser Isolation and Sandbox | Fri, 01 Dec 2023 08:00:02 -0800 | Amit Jain | https://www.zscaler.jp/blogs/product-insights/outsmart-evasive-html-smuggling-attacks-ai-powered-browser-isolation-and
The SSE Accolades Keep on Coming | Thu, 30 Nov 2023 08:00:01 -0800 | Simon Tompson | https://www.zscaler.jp/blogs/product-insights/sse-accolades-keep-coming
New to Zero Trust? Start Here | Wed, 29 Nov 2023 08:00:01 -0800 | Simon Tompson | https://www.zscaler.jp/blogs/product-insights/new-zero-trust-start-here
Turbocharge your BYOD or B2B initiatives with Secure Agentless Experience | Thu, 16 Nov 2023 08:00:01 -0800 | Amit Jain | https://www.zscaler.jp/blogs/product-insights/turbocharge-your-byod-or-b2b-initiatives-secure-agentless-experience
How to stay protected on the web this holiday season | Wed, 15 Nov 2023 09:02:02 -0800 | Apoorva Ravikrishnan | https://www.zscaler.jp/blogs/product-insights/how-stay-protected-web-holiday-season
Channel Reinvented: Highlights from EMEA Partner Summit 2023 | Tue, 14 Nov 2023 08:00:01 -0800 | Karl Soderlund | https://www.zscaler.jp/blogs/product-insights/channel-reinvented-highlights-emea-partner-summit-2023
Extending Zero Trust for Workloads in Google Cloud and China Region | Wed, 08 Nov 2023 04:00:01 -0800 | Sreekanth Kannan | https://www.zscaler.jp/blogs/product-insights/extending-zero-trust-workloads-google-cloud-and-china-region
How to Enable User-Defined Tags as Identity for Securing Cloud Workloads | Wed, 08 Nov 2023 04:00:01 -0800 | Mrigank Singh | https://www.zscaler.jp/blogs/product-insights/how-enable-user-defined-tags-identity-securing-cloud-workloads
Unleashing the Power of the Largest Security Cloud for High-Performance SSL Inspection of Cloud Workloads | Wed, 08 Nov 2023 04:00:01 -0800 | Mrigank Singh | https://www.zscaler.jp/blogs/product-insights/unleashing-power-largest-security-cloud-high-performance-ssl-inspection
New Zero Trust Innovations That Radically Simplify Cloud Workload Security | Wed, 08 Nov 2023 04:00:01 -0800 | Sakthi Chandra | https://www.zscaler.jp/blogs/product-insights/new-zero-trust-innovations-radically-simplify-cloud-workload-security
4 Reasons Your Firewalls and VPNs Are Exposing Your Organization to Breaches | Thu, 02 Nov 2023 08:00:01 -0700 | Jacob Serpa | https://www.zscaler.jp/blogs/product-insights/4-reasons-your-firewalls-and-vpns-are-exposing-your-organization-breaches
New Zscaler Zero Trust Innovations - Learn How You Can Secure Your Cloud Workloads | Tue, 31 Oct 2023 12:10:37 -0700 | Franklin Nguyen | https://www.zscaler.jp/blogs/product-insights/new-zscaler-zero-trust-innovations-learn-how-you-can-secure-your-cloud
8 Recommendations on How to Manage Shadow IT | Mon, 30 Oct 2023 08:00:01 -0700 | Niharika Sharma | https://www.zscaler.jp/blogs/product-insights/8-recommendations-how-manage-shadow-it
Using Cloud Connectors without NAT Gateway | Tue, 24 Oct 2023 08:44:03 -0700 | Joost Hage | https://www.zscaler.jp/blogs/product-insights/using-cloud-connectors-without-nat-gateway
Navigating Data Security with Innovative Data Discovery Dashboard | Fri, 20 Oct 2023 08:00:01 -0700 | Shriyash Shete | https://www.zscaler.jp/blogs/product-insights/navigating-data-security-innovative-data-discovery-dashboard
The SEC's New Cyber Rules: Considerations for Compliance | Mon, 16 Oct 2023 17:29:44 -0700 | Dan Gould | https://www.zscaler.jp/blogs/product-insights/sec-s-new-cyber-rules-considerations-compliance
The Journey to Zero Trust | Wed, 11 Oct 2023 08:00:01 -0700 | Simon Tompson | https://www.zscaler.jp/blogs/product-insights/journey-zero-trust
Lessons Learned from Hundreds of IT Professionals on Improving User Experience | Mon, 09 Oct 2023 08:00:01 -0700 | Rohit Goyal | https://www.zscaler.jp/blogs/product-insights/lessons-learned-hundreds-it-professionals-improving-user-experience
Generative AI: How Enterprises Can Mitigate AI-Powered Threats and Risks | Fri, 06 Oct 2023 08:00:02 -0700 | Will Seaton | https://www.zscaler.jp/blogs/product-insights/generative-ai-how-enterprises-can-mitigate-ai-powered-threats-and-risks
Empower the browser for an ever more secure enterprise | Thu, 05 Oct 2023 08:00:02 -0700 | Dan Gould | https://www.zscaler.jp/blogs/product-insights/empower-browser-ever-more-secure-enterprise
Deterring and Mitigating Insider Threats with Zscaler Deception | Fri, 29 Sep 2023 08:00:02 -0700 | Nagesh Swamy | https://www.zscaler.jp/blogs/product-insights/deterring-and-mitigating-insider-threats-zscaler-deception
Announcing Zscaler's Terraform Modules for ZIA, ZPA and More:
Simplifying and Automating Zscaler Service Deployments | Thu, 28 Sep 2023 08:57:59 -0700 | William Guilherme | https://www.zscaler.jp/blogs/product-insights/zscaler-terraform-modules-zia-zpa
Deceiving Hidden Cobra | Wed, 27 Sep 2023 12:44:07 -0700 | Amir Moin | https://www.zscaler.jp/blogs/product-insights/deceiving-hidden-cobra
Unified Identity Defense with Zscaler and Okta | Wed, 04 Oct 2023 05:55:01 -0700 | Amir Moin | https://www.zscaler.jp/blogs/product-insights/zscaler-and-okta-integrate-mitigate-identity-risk
Saving Money with Zero Trust Part 7: Comprehensive Cost Cuts | Tue, 03 Oct 2023 08:00:01 -0700 | Jacob Serpa | https://www.zscaler.jp/blogs/product-insights/saving-money-zero-trust-part-7-comprehensive-cost-cuts
Ensure 24/7 Uptime and Reliability with Detailed Network Path Analytics for Network Operations | Fri, 22 Sep 2023 08:00:01 -0700 | Rohit Goyal | https://www.zscaler.jp/blogs/product-insights/ensure-24-7-uptime-and-reliability-detailed-network-path-analytics-network

Ready for Seriously Simple Endpoint DLP?
https://www.zscaler.jp/blogs/product-insights/ready-seriously-simple-endpoint-dlp

The challenges with endpoint DLP today
Endpoint DLP is an interesting technology. It has been around for a long time and has some important use cases, yet its reputation is poor. It is hard to implement and operationalize, and its inconsistent alerts complicate incident management. Either way, it has become something many organizations dislike. Fortunately, security service edge (SSE) is changing that.

Endpoint DLP helps solve important problems for organizations. One benefit is detailed visibility into endpoint data and how it moves. Much sensitive data has moved to the cloud, but endpoints remain a critical source of large volumes of data. Data protection teams want to avoid visibility gaps at all costs, so including endpoints in your coverage is essential. Tracking endpoint data is key not only to maintaining compliance but also to protecting data when an employee leaves abruptly (which happens often).

So why does endpoint DLP carry a negative image? Let's look at the reasons.

The first reason, as mentioned above, is inconsistent alerts. This happens when an organization runs multiple DLP technologies: endpoint DLP alongside DLP in a CASB or on the network. With multiple policy engines, the alerts triggered as data moves from the device to the network to a cloud app do not give consistent information. Incident management takes longer and productivity drops.

The second is the problem caused by poor-quality endpoint agents. A point-product approach means installing several agents that nobody wants on every device. That hurts the user experience, and managing multiple agents across a huge fleet of devices adds to the IT department's burden. Needless to say, deployment gets more complex at scale.

But as noted at the start, times are changing. Endpoints have changed considerably, and endpoint DLP can now be brought into a data protection strategy with confidence.

An evolved approach to endpoint DLP
The foundation for good endpoint DLP is the architecture Gartner defines as security service edge (SSE). SSE delivers security services through a high-performance cloud platform and lets you consolidate policy and controls in one place. With that centralization in the cloud, a single DLP policy can be distributed to, and enforced across, many domains. SSL inspection at the proxy makes inline inspection straightforward. Through APIs, the same DLP policy can inspect data at rest in cloud apps and identify risky sharing (such as share links to people outside the organization or links with no access restrictions). Most importantly, the same policy can be extended to the endpoint, so data movement is controlled on the endpoint device itself.

One of the main endpoint DLP use cases is preventing sensitive data from moving to USB drives, printers, and network shares, which stops users from doing risky things with sensitive data. It can also control syncing to risky personal storage (such as Box or Dropbox), which tends to happen when users install cloud-sync apps.

Another benefit of SSE with endpoint DLP is the unified agent. Because SSE is delivered through a unified agent, all protection can be consolidated into that single agent, and the additional agents a traditional endpoint DLP approach required are no longer needed.

What sets Zscaler Endpoint DLP apart
When adopting endpoint DLP through a security service edge, choosing Zscaler Endpoint DLP brings several major advantages.

First, for existing Zscaler customers, deployment is easy. The delivery path is already established and Zscaler Client Connector is already deployed, so applying DLP policy to endpoints is very simple. Create the policy once and you are ready.

Zscaler Endpoint DLP also provides automatic data discovery, which can even be used without configuring any policy. Once enabled on the agent, it immediately tracks all data movement, policy or no policy. This is called Data Activity: from the moment you start, the dashboard shows useful information about the risk observed on the devices where it is deployed, which feeds your data protection program.

The next benefit of Zscaler Endpoint DLP is its inspection architecture. Zscaler's approach is deliberately designed so that data movement on the device is fully controlled even when the device has no internet connection, which means device control with no gaps. Because inspection stays on the endpoint, latency is low and user impact is minimal, a major advantage when scaling to a very large number of devices.

Finally, there are forensic capabilities and dashboards to support investigation, so data loss incidents can be identified and handled quickly.

Workflow automation can also take your data protection program to the next level. Specifically, you can identify the user accountable for an incident and coach them. Users learn what they did right and wrong in handling sensitive data, and awareness of the data protection program spreads across the whole organization.

Learn more about Zscaler Endpoint DLP
As we have seen, endpoint DLP becomes a transformative solution when delivered through a unified SSE platform. If you are interested in protecting device data and addressing risky user activity involving sensitive data, more information is available: see the solution page or the webinar (in English).

Tue, 12 Sep 2023 10:41:03 -0700 | Steve Grossenbacher

Saving Money with Zero Trust Part 6: Minimizing Environmental Impact
https://www.zscaler.jp/blogs/product-insights/saving-money-zero-trust-part-6-minimizing-environmental-impact

Organizations are grappling with the need to cut costs systematically. With inflation, supply chain issues, COVID lockdowns, and more, a confluence of issues has generated tremendous economic uncertainty over the last few years, breeding rampant fear of a recession. Even network and security teams are having to do more with fewer resources, but that is proving incredibly difficult when their organizations rely on perimeter-based architectures. This blog series discusses the ways companies can save money with zero trust, with each post containing a video about one of the key financial benefits of embracing such an architecture.
Here are our prior topics for your consideration:
Part 1: Cutting Infrastructure and Hardware Costs
Part 2: Decreasing Operational Complexity
Part 3: Accelerating M&A Time-to-Value
Part 4: Stopping Costly Breaches
Part 5: Enhancing User Experiences

This blog focuses on:

The carbon footprint of perimeter-based architectures
For both our planet and organizations' finances, hub-and-spoke networks and castle-and-moat security models come with significant costs. These perimeter-based architectures consume massive amounts of electricity, which expands the enterprise carbon footprint and leads to higher power bills. In light of the environment and the economy, this is an unsustainable reality for organizations the world over.

Zero trust architecture
Zero trust is a fundamentally different architecture from yesterday's perimeter-based approaches, and it can overcome the challenges mentioned above. Whether an organization wants to save the world or its wallet, embracing a zero trust architecture is the ideal strategy for achieving modern ESG goals. Watch the video below to learn why.
https://zscaler.wistia.com/medias/43k7a9wv8v

To see real-world stories of organizations around the globe that saved money by embracing zero trust with Zscaler, download our ebook. To dig deeper and hear more detailed, long-form information about this topic, watch our on-demand webinar, 6 Ways to Cut Costs with a Zero Trust Architecture. Stay tuned for the final installment of this series, which will summarize where we've been and review all the ways organizations can save money with a zero trust architecture.
Tue, 19 Sep 2023 08:00:01 -0700 | Jacob Serpa

Achieve Business and Operational Goals By Understanding the Economics of Monitoring Silos
https://www.zscaler.jp/blogs/product-insights/achieve-business-and-operational-goals-understanding-economics-monitoring

Each department has a favorite monitoring tool for diagnosing an issue when an IT outage happens. If the outage is widespread, multiple IT teams eventually end up in a war room, trying to solve the issue and find the root cause. Depending on the outage, it can take days. The challenge is that users and data are more distributed than ever, which makes it difficult to triage an issue effectively.

Ensure end user productivity
Many network operations, end user computing, and service desk teams have been through similar situations. As a head of IT, the last thing you want is a call from the CIO asking for an update when your answer is, "I need more time." Each team is still sifting through data from multiple dashboards, and nobody has a clear answer about what happened. These situations happen far too often, and it boils down to having the right solutions in place when an outage or disruption occurs. Today, IT must keep employees productive across their devices, networks, and applications, regardless of location. From publicly hosted email (Microsoft Outlook) and unified communications (Microsoft Teams, Zoom, WebEx) to privately hosted applications, outages are a significant source of frustration and lost productivity. The challenges many IT teams face are employee productivity, IT support and operational costs, and correlating and maintaining multiple monitoring solutions, all on a limited IT budget. Employee productivity is a vital aspect of any organization. However, poor application or network performance and downtime can significantly reduce employee productivity, which results in lost hours and ultimately affects the organization's bottom line. It is therefore essential to assess how much productive time employees are losing to these issues.

IT escalations are expensive
IT support and operational costs can also have a significant impact on the organization's expenses. Examine the current mean time to resolution (MTTR) for employee-impacting incidents and the cost per incident, and consider how those costs rise when incidents escalate from a Level 1 to a Level 2 or Level 3 engineer.

No more IT war rooms
Fortunately, network, application, and device performance monitoring tools can help address these issues. By adopting a comprehensive approach, you can replace multiple point solutions with overlapping capabilities and save on licensing costs. Streamlined operations also make IT teams more effective, resulting in more efficient and cost-effective IT support. In conclusion, it is essential to prioritize employee productivity and minimize IT support and operational costs. By adopting a comprehensive approach to device, network, and application performance monitoring, you can achieve business and operational goals at the same time. With Zscaler Digital Experience (ZDX), you can improve retention rates, help the business grow, increase profitability, and enhance organizational resilience; the white paper below puts this at more than $7 million in annual cost savings and 52% faster MTTR. The white paper outlines the costs and benefits associated with implementing ZDX. Download "Calculating the Financial Value of Zscaler Digital Experience (ZDX)" to learn more about optimizing your organization's productivity and reducing IT support costs.
Thu, 24 Aug 2023 08:00:01 -0700 | Rohit Goyal

Internet Egress Security Architecture for AWS Workloads | Part 2 - Isolated VPCs
https://www.zscaler.jp/blogs/product-insights/internet-egress-security-architecture-aws-workloads-part-2-isolated-vpcs

Background and Recap of Part 1
In Part 1 of this blog series, Internet Egress Security Architecture for AWS Workloads - Regional Hubs, I discussed the complexities organizations encounter when securing AWS workloads, how Zscaler can help, and the details of a hub-and-spoke architecture built on AWS Transit Gateways.

Diagram 1: A hub-and-spoke architecture example with AWS Transit Gateways

Using a hub-and-spoke architecture, customers deploy Zscaler Cloud Connectors into (regional) security VPCs that have internet access, usually via a NAT gateway, to the Zero Trust Exchange. The workloads, which reside in the spoke VPCs, are then connected to the security VPC, with the Cloud Connectors tunneling egress traffic to the Zscaler Zero Trust Exchange. This model has many AWS compute and operational benefits. I also briefly introduced a hybrid approach in which customers use an AWS Gateway Load Balancer (GWLB) and connect each isolated workload VPC to the security VPC via a GWLB endpoint rather than attaching the VPCs to a transit gateway. This is referred to as the Distributed (GWLB) Endpoint model.

Now, in Part 2, let's dive deeper into the Isolated VPC topology. "One size fits all" does not apply here; there is no right or wrong answer today as to which topology is best. In my opinion, a fully isolated VPC topology is the clear winner. So why isn't it the clear winner in the market today? There are operational aspects that make it less favorable, and, as we will cover, hurdles that might prevent organizations from moving to a fully isolated VPC model today. It's important to note that these disadvantages generally apply to large environments with hundreds of VPCs spread across many regions.

So What Exactly Does an Isolated VPC Mean?

Diagram 2: Isolated VPCs have direct-to-internet connections and no inter-VPC connections

Let me clarify what I mean by isolated VPCs: an AWS environment in which none of the VPCs have connectivity to one another. No transit gateway, no VPC peering, nothing. Despite the challenges, adopting an isolated VPC topology becomes a simpler decision in situations such as these:
- Your organization starts to explore moving some workloads to a new cloud provider
- Your organization already has isolated VPCs that have no security
- Your organization is looking to rebuild its cloud environments

Diagram 2 shows each VPC with its own internet connection. There are variations, such as VPCs with public subnets where each workload receives a public IP address and doesn't require a NAT gateway. Although I've seen this, it's more common for workloads to sit in private subnets with only very specific resources left public. Usually these public resources are bastion hosts, load balancers, WAFs, or other services that allow for, or help secure, inbound internet connections; your public-facing website, for example. These workloads are business-critical, but they don't make up the majority of the workloads we typically see when implementing Zscaler.

*Note: For the purposes of this article, I'm still focused on internet egress security. Keep in mind that a fully isolated VPC topology is generally possible when you can provide secure access to both internal and external resources. I'll dive into those details in Part 3 of this blog series.

Note as well that the Cloud Connector integrates with Zscaler Private Access (ZPA) to provide secure access to private applications without connecting to the internet or routing between sources and destinations.

For context, one of the options I discuss uses the AWS Gateway Load Balancer (GWLB) to enable a deployment topology we refer to as Distributed GWLB Endpoints. GWLB is a unique AWS offering, unlike traditional load balancers. I highly recommend reading the following AWS articles to better understand it:
- What is a Gateway Load Balancer?
- Introducing AWS Gateway Load Balancer

Diagram 3: Example with Distributed GWLB Endpoints across two AWS Regions, with no networking/VPC connectivity between the workloads and the Zscaler VPC

An Isolated VPC Approach with Cloud Connectors
An interesting point of discussion in many of my workshops is the design and topology required by Zscaler. Technically, there's no direct limitation or requirement from the Zscaler side: the approach works as long as the desired workloads/VPCs can route to the GWLB VPC endpoints connected to the Cloud Connectors. That said, customers need to optimize and follow vendor best-practice recommendations, so in many cases I simply observe and understand your current architecture so I can show where our components will be deployed.

Let's say, for the sake of argument, that your organization already uses isolated VPCs or wants to move to an isolated VPC model. If that decision has been made at an environment or enterprise scale, the question becomes: how do you secure all these environments? There are two options I commonly see and recommend for isolated VPC deployments. In both there is no VPC connectivity: no peering, no transit gateway, and no third-party network overlays (which are really just site-to-site IPsec tunnels to centralized VPCs).
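The two properties just described, no inter-VPC connectivity and workload subnets that default-route to the GWLB endpoints in front of the Cloud Connectors, are both visible in plain route tables, so they can be audited offline. The following Python script is an added example and is not part of the original post or a Zscaler tool. It consumes route tables in the shape `aws ec2 describe-route-tables` returns; the sample tables, VPC CIDRs and every ID in them are constructed, and the convention that a route to a GWLB endpoint shows up under `GatewayId` with a `vpce-` value is an assumption to verify against your own account. The Cloud Connector subnets themselves (Option 1 below) are allowed to default-route to a NAT or internet gateway, so only the route tables you name as workload tables are held to the GWLB rule.

```python
"""Offline route-table audit for the isolated-VPC egress designs discussed above.

Added example, not part of the original post. Input is a list of route tables
shaped like the "RouteTables" element of `ec2.describe_route_tables()`.
Two properties of an isolated VPC fronted by Cloud Connectors are checked:

  1. no inter-VPC routes (no VPC peering "pcx-" or Transit Gateway "tgw-" targets);
  2. every workload subnet's default route points at a GWLB endpoint ("vpce-"),
     so egress reaches the Cloud Connectors instead of a NAT or internet gateway.

All IDs and CIDRs below are constructed for illustration; no AWS calls are made.
"""
from __future__ import annotations

# Route targets that mean the VPC is connected to another VPC (not isolated).
INTER_VPC_PREFIXES = ("pcx-", "tgw-")

# Keys AWS uses to carry a route's target; one is set per route.
# Assumption (verify in your account): a route to a GWLB endpoint is
# reported under GatewayId with a "vpce-" value.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "VpcPeeringConnectionId",
               "TransitGatewayId", "NetworkInterfaceId", "InstanceId")


def route_target(route: dict) -> str:
    """Return the target ID of a route regardless of which key AWS used ("" for local)."""
    for key in TARGET_KEYS:
        value = route.get(key)
        if value and value != "local":
            return value
    return ""


def classify_default_route(table: dict) -> str:
    """Say where 0.0.0.0/0 goes: zscaler-gwlb, nat, igw, other or none."""
    for route in table["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        target = route_target(route)
        if target.startswith("vpce-"):
            return "zscaler-gwlb"
        if target.startswith("nat-"):
            return "nat"
        if target.startswith("igw-"):
            return "igw"
        return "other"
    return "none"


def audit(tables: list[dict], workload_table_ids: set[str]) -> list[tuple[str, str, str]]:
    """Return (route_table_id, finding, detail) tuples; an empty list means clean.

    Only tables listed in `workload_table_ids` must egress via a GWLB endpoint;
    Cloud Connector subnets (Option 1) legitimately default-route to NAT/IGW.
    The no-inter-VPC-route check applies to every table.
    """
    findings = []
    for table in tables:
        rtb = table["RouteTableId"]
        for route in table["Routes"]:
            target = route_target(route)
            if target.startswith(INTER_VPC_PREFIXES):
                findings.append((rtb, "inter-vpc-route",
                                 f"{route.get('DestinationCidrBlock')} -> {target}"))
        if rtb in workload_table_ids:
            egress = classify_default_route(table)
            if egress != "zscaler-gwlb":
                findings.append((rtb, "egress-bypasses-zscaler", egress))
    return findings


# Constructed sample: two workload VPCs and one Cloud Connector subnet.
SAMPLE_TABLES = [
    {"RouteTableId": "rtb-workload-a",          # compliant isolated workload VPC
     "Routes": [{"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vpce-0a1b2c3d4e5f60001"}]},
    {"RouteTableId": "rtb-workload-b",          # peered to another VPC AND bypasses Zscaler
     "Routes": [{"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "10.9.0.0/16", "VpcPeeringConnectionId": "pcx-0123456789abcdef0"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0fedcba9876543210"}]},
    {"RouteTableId": "rtb-cloud-connector",     # Cloud Connector subnet (Option 1), NAT is expected
     "Routes": [{"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789abcdef0"}]},
]
WORKLOAD_TABLE_IDS = {"rtb-workload-a", "rtb-workload-b"}

if __name__ == "__main__":
    for rtb, finding, detail in audit(SAMPLE_TABLES, WORKLOAD_TABLE_IDS):
        print(f"{rtb}: {finding} ({detail})")
```

Against the sample data the audit flags only `rtb-workload-b`, once for the peering route and once for the NAT default route; to run it for real, replace `SAMPLE_TABLES` with the JSON from `aws ec2 describe-route-tables` and list the workload subnets' route table IDs in `WORKLOAD_TABLE_IDS`. The check says nothing about whether a GWLB endpoint is actually wired to Cloud Connectors, so pair it with the ZIA location view described further down.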
Deciding which option to go with comes down to cost and operational fit:
Option 1: Deploy Cloud Connectors into each Workload VPC
Option 2: Deploy Cloud Connectors into a Regional Zscaler VPC and distribute GWLB Endpoints into each Workload VPC

As the diagrams below show, the end result of both options is identical: workloads route to Cloud Connectors and are securely tunneled to Zscaler Service Edges for inspection. The diagrams call out the major differences, and more detail follows to help with the decision. For simplicity, a dashed blue line indicates outbound communication from each Workload VPC to the internet across two Availability Zones, and it is assumed that the workload subnets in these VPCs (EC2 instances, RDS instances, Lambda functions, EKS nodes, etc.) route to Zscaler.

Diagram 4: Cloud Connectors with GWLB deployed into each VPC across 2 Availability Zones, securing all outbound-initiated workload traffic to the internet

Diagram 5: Zscaler Regional VPC with Cloud Connectors and the GWLB service, with GWLB Endpoints deployed into all isolated Workload VPCs to secure outbound-initiated workload traffic to the internet

So which option should you go with? That requires some discussion to understand all of your requirements, but here is a matrix of the major differences. The first part covers the differences in AWS infrastructure; the second part covers the differences in Zscaler infrastructure.

| Requirement | Cloud Connectors in each VPC | Centralized Cloud Connectors with Distributed GWLB Endpoints |
| Each Workload VPC has Cloud Connector EC2 instances and an associated GWLB | Yes | No (each AWS Region has a Zscaler VPC dedicated to Cloud Connector EC2 instances and the GWLB service) |
| Workload VPCs require an Internet Gateway | Yes | No |
| Workload VPCs require a NAT Gateway | Yes (Zscaler best practice, but Cloud Connectors without an ASG can be deployed with an EIP in place of NAT gateways in certain circumstances) | No |
| Workload VPCs require additional subnets for Zscaler | Yes | No (though many organizations deploy GWLB Endpoints into a dedicated subnet when the VPC has many workload subnets) |
| Each Workload VPC shows up in Zscaler Internet Access (ZIA) as a unique Location | Yes | No (sublocations can be created for each Workload VPC that has GWLB Endpoints) |
| ZIA policies for these workloads can be applied using Locations, Sublocations, and/or the Workload Traffic Location Group | Yes | Yes |
| All ZIA security, inspection, threat protection, DLP, etc. can be applied | Yes | Yes |

Of course, you cannot make this decision without factoring in cost. Let's look at a hypothetical deployment and the potential differences in AWS costs across the three common topologies. I can't stress this enough: use these calculations only as directional guidance for comparing the three topologies. The dollar amounts vary with many factors, so it's more productive to focus on the percentage differences.
Cost comparison matrix example (AWS service costs, annualized):

| AWS service | Cloud Connectors in each VPC | Distributed GWLB Endpoints | Transit Gateway Regional Hubs |
| Cloud Connector EC2 (On-Demand) | 20 Cloud Connectors: $13,706 | 2 Cloud Connectors: $3,561 | 2 Cloud Connectors: $3,561 |
| GWLB services and endpoints | 10 services, 20 endpoints: $2,340 | 1 service, 2 endpoints: $763 | 1 service, 2 endpoints: $763 |
| Transit Gateways | 0 attachments: $0 | 0 attachments: $0 | 11 attachments: $6,396 |
| Total annual AWS cost | $16,046 | $4,324 | $10,720 |

*Costs were calculated with https://calculator.aws on August 7, 2023 using: Region us-east-1; 10 Workload VPCs with 2 Availability Zones each; EC2 On-Demand pricing for c5.large instances; 4 TB/month of workload traffic egressing AWS.

Is there a clear winner?
From a pure AWS cost perspective, the Distributed GWLB Endpoint topology is the cheapest by a wide margin: about 60% less than Transit Gateway Regional Hubs ($4,324 vs. $10,720) and about 73% less than Cloud Connectors in each VPC ($4,324 vs. $16,046). However, your organization's existing AWS topology, operations, and processes might already be tied to a specific option, and the operational cost of changing topologies without proper design and planning might exceed the infrastructure cost saved. If your organization has invested in AWS Transit Gateways, as described in Part 1 of this blog series, I'm not suggesting you simply rip them out and move to a Distributed GWLB Endpoint model. Perhaps you prefer a hybrid approach, or maybe you are looking to migrate over time. In any case, there are many possibilities!

Are there any caveats?
In short, yes. The biggest caveat of the isolated VPC topology is the lack of connectivity between VPCs. You could argue that this is actually the best thing to do from a security perspective, and it does fall in line with the principles of a zero trust architecture, but it remains a critical operational consideration. How do you solve it, with or without Zscaler? I'll cover this in more detail in the next part of this blog series.
As a quick teaser, here are a few critical questions:
- Can you identify which AWS workloads need to communicate with private apps that aren't in the same VPC?
- Are there shared services environments that workloads in all VPCs must connect to?
- How does your team access the private workloads (SSH, RDP, etc.) in these VPCs?
- Are the VPCs configured to use default AWS DNS or an internal DNS server? If you're using AWS DNS, are you using Private Hosted Zones or Outbound Resolvers?

As with all technology and design, this is not an all-or-nothing decision. Many organizations support multiple topologies based on a variety of project and security requirements. It all boils down to having a solid runbook that can operationalize your desired topologies and configurations: make it rinse and repeat!

What's Next?
I always recommend signing up for our Workload Communications Self-Guided Workshop & Lab, a free guided experience that shows you how to integrate Cloud Connectors and various workload policies in a self-contained environment. Additionally, if you have a project to secure your public cloud workloads (AWS, Azure, GCP, etc.), please reach out to your Zscaler account team to schedule a discovery workshop with one of us!

At this point, you might be wondering: wouldn't I still need a firewall to protect my east-west traffic? Stay tuned for Part 3 of this blog series, where I'll share my provocative thoughts on why this is mostly unnecessary.

Wed, 23 Aug 2023 08:00:01 -0700 | Zoltan Kovacs

Saving Money with Zero Trust Part 5: Enhancing User Experiences
https://www.zscaler.jp/blogs/product-insights/saving-money-zero-trust-part-5-enhancing-user-experiences

Over the last few years, global events, including pandemic lockdowns, rising inflation, and much more, have dramatically increased economic uncertainty. In the business world, this has inevitably led to tighter budgets and a demand for organizations to do more with fewer resources. Even mission-critical teams like security, networking, and IT have not been immune to these challenges. Unfortunately, perimeter-based networking and security architectures have proven to be highly unwieldy and costly, particularly for modern organizations that embrace cloud and hybrid work. This blog series looks at the six key ways that organizations can save money with a zero trust architecture, something Zscaler delivers with unparalleled excellence. Each post includes a video that explains the topic in detail. Subjects discussed thus far:
Part 1: Cutting Infrastructure and Hardware Costs
Part 2: Decreasing Operational Complexity
Part 3: Accelerating M&A Time-To-Value
Part 4: Stopping Costly Breaches

This blog focuses on:

The cost of poor user experience and impaired productivity
Because of how they are designed to provide connectivity and security, perimeter-based architectures introduce latency into the end user's experience, leading to frequent disruptions of enterprise productivity as a whole. This waste of employee time inevitably squanders enterprise finances as well as value creation opportunities. Unfortunately, traditional monitoring tools are optimized for on-premises environments and do little to help. For organizations that are trying to cut costs and use their money responsibly, this status quo must go.

Zero trust architecture
Rather than a specific capability, zero trust is a modern architecture that overcomes countless costly challenges associated with hub-and-spoke networks and castle-and-moat security models. For organizations looking to save money by enhancing user experiences, a zero trust architecture is an indispensable asset, particularly when it comes with built-in, end-to-end digital experience monitoring (DEM). Watch the video below to learn more.
https://zscaler.wistia.com/medias/2f915r5p7c

Want to hear more information about the ways that Zscaler can help your organization save money? Listen to our on-demand webinar, “6 Ways to Cut Costs with a Zero Trust Architecture.” If you want to see how these economic benefits play out in the real world, download our ebook for examples of customers that have cut costs with Zscaler.

Stay tuned for the next installment in this blog series, which will discuss the importance of decreasing your carbon footprint in order to save the world and your wallet.

Tue, 29 Aug 2023 08:00:01 -0700 Jacob Serpa https://www.zscaler.jp/blogs/product-insights/saving-money-zero-trust-part-5-enhancing-user-experiences

Saving Money with Zero Trust Part 4: Stopping Costly Breaches
https://www.zscaler.jp/blogs/product-insights/saving-money-zero-trust-part-4-stopping-costly-breaches
Reducing costs has skyrocketed to the top of the priority list for organizations everywhere. For the last few years, economic uncertainty has been fueled by COVID lockdowns, supply chain issues, inflation, and more. This has inevitably placed immense financial pressure on companies of all sizes as they strive to brace for a potential recession. As a result, their security and networking teams are being tasked to do more with fewer resources—but that is a tall task when relying upon perimeter-based architectures.

Throughout this blog series, we are explaining how organizations can save money on both networking and security by leveraging a zero trust architecture. Each of the posts includes a video that describes one of the ways that companies can cut costs with zero trust. The first installment in the series focused on technology cost optimization through simplifying infrastructure and retiring appliances. The second revolved around increasing operational efficiency through point product consolidation and hardware maintenance elimination.
Blog number three detailed how organizations can accelerate M&A time-to-value and decrease the costs of IT integration.

This blog post discusses:

The rising costs of data breaches
Cybercriminals are constantly looking for new ways to breach enterprise defenses. Unfortunately, perimeter-based architectures (sprawling hub-and-spoke networks defended by castle-and-moat security models) only serve to increase risk in a modern world with cloud apps, remote workers, highly sophisticated cyberthreats, and more. As a result, organizations are more likely to experience data breaches and their corresponding costs, from legal fees and compliance fines to brand damage and lost business opportunities. In other words, to save money on security, organizations need to retire yesterday’s architectures and improve their security postures.

Zero trust architecture
Zero trust is the panacea to these problems. As a fundamentally different architecture, it eliminates the potentially fatal flaws of hub-and-spoke networks and castle-and-moat security models. Organizations can reduce risk, stop cyberthreats, and avoid the financial fallout of data breaches by embracing a zero trust architecture. Watch the video below to hear all about how this works.

https://zscaler.wistia.com/medias/y1wbmsgt1w

Want to see concrete examples of organizations that choose Zscaler for a zero trust architecture and reap the financial benefits? Download our ebook. Want to hear more in-depth information about the various ways that Zscaler can save money for customers? Watch our on-demand webinar.

The next post in this blog series will dive into the way that poor user experiences disrupt productivity, wasting employees’ time and the enterprise’s money.
Tue, 15 Aug 2023 08:00:01 -0700 Jacob Serpa https://www.zscaler.jp/blogs/product-insights/saving-money-zero-trust-part-4-stopping-costly-breaches

Mapping of Zscaler Solutions to the DoD Zero Trust Strategy
https://www.zscaler.jp/blogs/product-insights/mapping-zscaler-solutions-dod-zero-trust-strategy
The federal government has taken on the task of transforming its cybersecurity approach to Zero Trust. This transformation is uniquely challenging for the largest government agency, the Department of Defense (DoD). To undergo this behemoth of a task, DoD has approached each Zero Trust pillar's capabilities and timeline with a mix of strategic, tactical, and operational focus. Moreover, DoD purposefully drafted its Zero Trust Strategy and Zero Trust Reference Architecture (ZTRA) with enough flexibility to enable each MILDEP, and their sub-organizations, to fail fast, pivot to what works for their environment, and fulfill the mission put forth in DoD's Zero Trust strategy.

Under this modernized cybersecurity banner, it is increasingly acknowledged that access control has evolved: it is decoupled from the network and requires seamless, automated enforcement across the enterprise in order to support DoD's operational requirements, which traverse persistent and episodic network terrains.

Alright. What changed? Because 'Evolved' is a loaded word.
Short answer: Technology. From the era of Operation Buckshot Yankee leading to Zero Trust, DoD's cybersecurity mission has always been about securing data via network-centricity. However, single-purpose siloed solutions supported this mission with limited cross-platform and architectural integration functionality—propagated by a family of systems TTP for isolated and disjointed mission sets. This situation inadvertently spawned a multi-verse of vendor variants of the same product while vendors capitalized on per-user/per-device cost models.
While this is not a referendum on hardware and appliances, there's no denying: cloud-native technologies augment hardware platforms and leverage API integrations to enhance operations, automate at scale, and secure hardware and software on-prem and in the cloud, along with the data that flows through them, executing on the new focus in a Zero Trust world.

Ok. Tell me you've read DoD's Zero Trust Strategy without telling me you've read DoD's Zero Trust Strategy.
Short answer: Maturity. Solutions/tools brought to the DoD for inclusion in the reference architecture need the maturity to deliver. The DoD is not a place to incubate good ideas. Too obvious, right? Well, the finer detail in any maturity model is not on the capability itself but on the sets and reps, stress tests, and scrutiny put on the capability before placing it into DoD's hands. A LOT of capabilities out there will be able to (air quote) meet DoD's ZT Capability and Activity requirements - but will they be able to do it globally? Will they already be vetted to accomplish an ATO? Or have the organizational expertise to assist? Will they be able to be leveraged for more than ONE use case? Will they be able to lower security and operational risk? Or be more secure or faster than alternatives? These capability characteristics hide in plain sight within every ZT activity requirement and should be validated realistically.

Using cloud-native integrations and automation, DoD can improve security and operational efficiency and expedite fielding new technologies, like a Capability Exercise (CAPEX) but one that can be conducted globally.
Cloud benefits overlap with DoD's Zero Trust, Cloud CONUS/OCONUS, and C-JADC2 strategic visions to support multi-domain operations, especially cyber, across the enterprise to tactical environments to conduct full spectrum warfare regardless of who has administrative control over the network terrain.

I’m following along. What’s Zscaler's place in this ZT wicked problem?
Short answer: Automate, integrate, and unify security everywhere. Zscaler integrates with capabilities across our partner ecosystem to provide best-of-breed proven solutions to natively unify threat intelligence, security posture, and policies across pillars - not only networks or domains. Like the Visibility & Analytics and Automation & Orchestration pillars, Zscaler's capabilities crosscut each DoD Zero Trust pillar's family capabilities within the DoD's warfighting apparatus while providing consistent best-of-breed security services. This matured 'Zero Trust JTF' empowered by technology and API integrations allows the DoD to cut to the BLUF: "Technology is not the challenge; siloed, immature technologies are."

Below is a view of Zscaler's alignment to each of the DoD's Zero Trust seven pillar activities, resulting in a cross-pillar integration that enhances each pillar's cybersecurity mission readiness and visibility to automate, integrate, and unify security and optimize access control. Over 6,000 commercial, federal, and defense agencies trust Zscaler as their foundational ZTA capability to "prep the battlefield" for their Zero Trust implementation and secure over 40 million concurrent users globally.
With over 130 technology partner integrations and Open APIs, Zscaler empowers Commanders with a true cloud-native technology platform founded in encrypted secure access, scalability, and API integrations that deliver, integrate, and achieve most of DoD's Zero Trust capabilities…again, thousands of organizations have accomplished this granular sophistication in their production environments, impacting their bottom lines and our national security.

We invite you to visit Zscaler at TechNet Augusta 2023 to meet with our zero trust experts and see a full mapping of the Zero Trust Exchange to the DoD Zero Trust Strategy. Browse our event page here for more details about our booth, exclusive AFCEA chapter course, networking receptions, and to book a meeting. For more information about how we serve the Federal government with our FedRAMP High and Moderate as well as DoD IL5 authorized solutions, visit our Federal page.

Thu, 10 Aug 2023 07:58:08 -0700 Jeffrey Adorno https://www.zscaler.jp/blogs/product-insights/mapping-zscaler-solutions-dod-zero-trust-strategy

Why should CISOs take a managed security service approach to cybersecurity?
https://www.zscaler.jp/blogs/product-insights/why-should-cisos-take-managed-security-service-approach-cybersecurity
Generative Artificial Intelligence (AI) has been the talk of the cyber community ever since ChatGPT came into existence. While most people are zeroing in on the benefits and risks of said technology, it is important for us to take a step back and ask ourselves: is this the first time we’ve seen such a debate about a new technology? Not really. From the advent of the Internet of Things to 5G networks, we have seen the same debate come about over and over again. However, if we delve deeper from a cybersecurity perspective, the same challenges seem to arise with each new generation of technology. As we reap the benefits of these new technologies, it is undeniable that every new addition significantly expands the attack surface.
Couple the increase in entry points with advanced threats–like evolving ransomware attacks–and IT teams are tasked with the impossible task of tracking and blocking attacks from multiple sources. In fact, a recent study on alert fatigue found that more than half of the respondents received over 500 public cloud security alerts daily, and 55 percent also shared that critical alerts are being missed on a weekly, and even daily, basis. IT teams are facing increased dwell times and successful infections–taking over nine months on average to identify and contain data breaches. Companies need to reverse this trend given the added scrutiny lawmakers are placing in various Asian markets.

The evergreen approach: zero trust
Regardless of the technology being adopted, zero trust provides a holistic approach to securing modern enterprises. Hinging on least-privileged access and the principle that no user or application should be inherently trusted, communications between users and workloads, or even workload and workload, are blocked until validated by identity-based policies. Armed with the zero trust approach, organizations will be able to:

1. Strengthen security against advanced threats
With zero trust validation across any network environment, enterprises no longer need to rely on the network location of an entity or rigid network segmentation to secure their organizations against advanced threats or web application attacks. This essentially helps IT teams to broaden the security, especially for sensitive data.

2. Simplify network security
A zero trust-based architecture enables more visibility and control over the enterprises’ infrastructure–allowing the business to simplify infrastructure while also reducing the cost and complexity of legacy network security. Enterprises no longer need to be concerned about which entity is connecting to which network: with zero trust, all entities are directly connected based on the business policies–regardless of origin or destination.

3. Provide secure remote access
Zero trust is not all about keeping threats out–it is also about how enterprises can securely provide access to a wide range of users, from employees to third-party partners. As access does not need to be tied to specific traffic flows, enterprises are better positioned to secure remote access to applications compared to when they were using traditional firewalls and VPNs.

Leveraging managed security services partnerships to help enterprises on their zero trust journey
The benefits of zero trust are evident to most, but deploying it can be a challenge, especially with lean IT teams. We understand this challenge and have been partnering with organizations like Singtel in Asia to launch a Managed Security Services (MSS) partnership that can help enterprises leverage the Zscaler Zero Trust Exchange effectively for the secure delivery of digital transformation initiatives and hybrid work models in the face of increased cyberthreats. Our partnership with Singtel—a first for Asia—will deliver a holistic solution that addresses the security concerns and requirements of today’s digital businesses and future-proofs security for the enterprise. Enterprises of all shapes and sizes will now have seamless access to the Zero Trust Exchange through Singtel’s Managed Security Service Edge (MSSE) suite of services, which include pre-sales to post-sales support from dedicated cybersecurity experts as well as resources such as platform consultation, build implementation, maintenance and round-the-clock threat mitigation.

Figure. Overview of the Zscaler Zero Trust Exchange with Singtel Managed Security Service

We have a common goal with our partners and are committed to offering a simpler, scalable, and managed security solution that helps customers reduce cost and complexities in their security stack. To learn more about our partner program, head over to our Partner Portal.
To learn more about Zscaler and Singtel MSSP, delve into the “Unlocking the full potential of zero trust with a trusted Managed Security Service Provider” ebook.

Thu, 10 Aug 2023 08:00:01 -0700 Foad Farrokhnia https://www.zscaler.jp/blogs/product-insights/why-should-cisos-take-managed-security-service-approach-cybersecurity

Introduction: OTZ Use Cases | Zscaler Zero Trust Exchange
https://www.zscaler.jp/blogs/product-insights/introduction-otz-use-cases-zscaler-zero-trust-exchange
Introducing the Zscaler “One True Zero” Use Case Video Series
Most people that we talk to are already bought into some or all of the core tenets of zero trust, whether or not they use that term. They employ things like least-privileged access, identity management, logging, and endpoint protection. But they’re also contending with existing infrastructures that often look like this:

Figure 1: Legacy network architectures are complex and insecure

That’s hard to transform overnight. But zero trust adoption is almost always a stepwise approach, implemented piece-by-piece, use case by use case. And the One True Zero Use Case series is here to help you along the path. In this video and blog series, we’ll look at common Zscaler use cases through the lens of “Acme Corp,” and walk through some of the challenges our various Acme users like Remote Rob, Hybrid Hannah, and Contractor Kevin experience. We’ll then show how the Zscaler Zero Trust Exchange can bring order and security to their day-to-day chaos.

Figure 2: Acme users leveraged for Zscaler zero trust use cases

In this series, we’ll cover challenges such as:
Zero-Day Attacks
Phishing attacks
Ransomware
Browser Isolation
Sandboxing with Advanced Inline Protection
Data Loss/Protection

https://zscaler.wistia.com/medias/et4ykqdzwl

What does having an effective Zero Trust strategy really mean?
The industry likes to label everything Zero Trust, but the reality is most platforms are not truly suited for a zero trust strategy.
You simply cannot stop unknown threats, nor can you limit the blast radius of successful attacks, with passthrough detection tools and legacy VPNs and firewalls that increase your attack surface, degrade your user experience, and still leave your network flat. Conversely, the Zscaler Zero Trust Exchange acts like a lightning-fast switchboard. It verifies identity and context and applies controls to ensure that users are not carrying threats or leaking sensitive data. Then, it enforces policies to determine whether to connect the requestor to the destination. All of this happens with almost no added latency, for a seamless user experience.

Figure 3: The Zscaler Zero Trust Exchange can secure all your users

Zscaler: The “One True Zero”
Zscaler's Zero Trust Exchange is the one true global, inline and comprehensive zero trust platform, securing all users, workloads and devices. It protects inline and out-of-band data with advanced data classification and controls, connects to apps not to networks to prevent lateral movement, and can identify and resolve performance issues with its digital experience management system. The ZTE minimizes the attack surface by hiding users and applications behind a proxy, inspecting all traffic (including encrypted traffic), and applying AI-powered threat protection powered by the world's largest security cloud.

Figure 4: Zscaler's ZTE is the one true comprehensive zero trust platform

Be sure to check out the use case blogs in this series or watch the accompanying videos at: https://www.zscaler.com.

Tue, 08 Aug 2023 11:43:52 -0700 Josh Oelrich https://www.zscaler.jp/blogs/product-insights/introduction-otz-use-cases-zscaler-zero-trust-exchange

Unleashing the Power of Zscaler Cloud Operations for Unprecedented Cloud Resilience
https://www.zscaler.jp/blogs/product-insights/unleashing-power-zscaler-cloud-operations-unprecedented-cloud-resilience
Rapid adoption of cloud services has helped organizations innovate, save on costs, and more.
However, as more critical services rely on cloud resources, organizations need to plan for unexpected interruptions and outages. That's why we created the Zscaler Zero Trust Exchange: to offer one of the world’s most powerful and resilient security clouds. Our platform’s cloud native infrastructure and operational excellence ensure high availability and serviceability at all times, giving organizations and their customers peace of mind.

A security cloud you can trust
Zscaler operates the largest security cloud in the world, serving 7,000+ customers and 50+ million users, processing over 300 billion transactions a day, and receiving 500 trillion health, performance and security metrics. Building a cloud of this size and scale takes millions of hours and deep experience across four key areas: capacity, availability, performance, and security. Enterprises need enough capacity to handle large-scale events, from a company meeting to a holiday rush. It's also important to ensure availability, even if cables are cut or ISPs are down, to minimize downtime and avoid support desk calls. When it comes to security, a zero trust strategy enables strict user authentication and least-privileged access controls to establish context and apply policies. Finally, a good user experience—the ultimate measure of performance in a security cloud—is achieved through a zero trust architecture that seamlessly routes traffic without compromising on security.

Ensure performance at every path
To ensure a seamless user experience, it's crucial to prioritize performance at every stage of the data path. At Zscaler, this is exactly why we developed our own security cloud. While users tend to report issues as occurring between the user and the Zero Trust Exchange, the majority of issues actually happen along the path from the Zero Trust Exchange to the application.
Unless we’re dealing with a complete outage, detecting degradation of an individual user experience across 300 billion transactions a day is next to impossible. Our goal is to find a solution across the entire data path to help our customers automatically route around the problem, restoring user performance regardless of the underlying root cause.

Zscaler Digital Experience for CloudOps
At Zenith Live ’23, we introduced our latest innovation: Zscaler Digital Experience (ZDX) for CloudOps, an AI- and ML-driven user performance platform, which the Zscaler CloudOps team uses internally to detect, analyze, and remediate degradations. Here’s a screenshot of the CloudOps dashboard, indicating that operations are healthy. Issues are easy to locate on the global map.

Let’s look at an incident from March 21, 2023, when Zscaler observed decreased performance for users in and around Singapore, and how we resolved the situation with ZDX for CloudOps. Below is a baseline view of performance in Singapore before the incident. You can see hundreds of last mile ISPs, the ISPs Zscaler uses, and the Zscaler cloud. Here, there are no issues indicated and performance is green.

As the issue developed, our CloudOps team noticed an issue between two major Asian ISPs: Singtel and Telstra. Issues like these often resolve on their own, but in this case, it got worse, and the Zscaler Network & Infrastructure Team had to intervene. Drilling into the connection between the ISPs, we can see it’s not a simple connection. There are multiple connection points in Singapore alone, and at least three unique routes between Telstra and Singtel. The connectivity graph shows that one of the three paths is impacted. With the available information and our advanced technology, we can quickly resolve issues through automated remediation or targeted actions. This is crucial in maintaining dependable and efficient performance.
To address the performance issue, our Networking team optimized the path by redirecting some traffic via NTT while still allowing unaffected traffic to flow along its original path, minimizing the impact on users. In this incident, although all paths were outside the user’s ability to change, Zscaler was able to detect and remediate the incident to ensure a seamless user experience.

Join the digital transformation journey and learn more about Zscaler cloud operations
ZDX for CloudOps enables Zscaler Operations teams to easily visualize comprehensive issues in real time and take priority-based action using data-driven recommendations to prevent user experience issues. If you’re interested in discovering more about how Zscaler manages operations on a global scale, please request a demo. We hope you were able to join us at Zenith Live ’23 in Las Vegas or Berlin to celebrate innovation, collaboration, and succeeding together. If you missed it, you can still catch up: watch select innovation and insight sessions on demand.

Fri, 04 Aug 2023 08:00:01 -0700 Diana Vikutan https://www.zscaler.jp/blogs/product-insights/unleashing-power-zscaler-cloud-operations-unprecedented-cloud-resilience

Unprecedented Cloud Resilience and Disaster Recovery from Zscaler
https://www.zscaler.jp/blogs/product-insights/unprecedented-cloud-resilience-and-disaster-recovery-zscaler
Zenith Live ’23 was chock full of announcements about ongoing innovations shaping the worlds of cybersecurity, data protection, and network transformation. Zscaler has a track record of reimagining these areas and transforming businesses for the better with modern cloud native solutions. As the cloud security leader, we secure traffic and data for more than 40% of the Fortune 500, making Zscaler a critical component of the technology stack. On any given day, the Zscaler Zero Trust Exchange processes over 300 billion requests as we strive to make our customers more agile, efficient, and secure.

Fig. 1: Misha Kuperman, SVP of Cloud Operations for Zscaler, presenting at Zenith Live 2023

Resilient by design
The reliability, availability, and serviceability (RAS) of our products is a top priority. We designed our hardware systems from the ground up with over-provisioned processing capacity and redundancy to provide the foundation for high resilience. Combined with our cloud native multitenant data center architecture and carrier-neutral connectivity, this ensures the Zscaler cloud stays resilient in the face of network or workload stresses. In addition, we’ve perfected a set of equally resilient operational processes through our experience operating our inline security cloud—the world’s largest—for over 15 years and counting. This is why our products have a long history of near-perfect uptime, backed by industry-leading service level agreements (SLAs).

Detecting local issues at global scale
Having a robust architecture for the cloud allows Zscaler to offer services at scale without downtime. However, what really keeps our operations resilient day in, day out is our unique proactive cloud monitoring and incident management approach, which ensures that any disruption (at Zscaler or otherwise) is handled quickly and elegantly to minimize disruption for our customers. After all, unforeseen events such as natural disasters or nation-state attacks can impact even the most robust systems. Most cloud technology providers observe and monitor disruptions in their cloud operations at the macro level in a centralized location. This time-tested method works for most scenarios, but at Zscaler, we take it a few notches higher, adding in the on-device monitoring capabilities of Zscaler Client Connector to get precise, near-real time feedback on any traffic interruptions or delays. This precision also lets us take highly targeted measures to quickly address or switch to optimal alternatives to keep customers functioning normally.
At Zenith Live ’23, we demonstrated the use of Zscaler Digital Experience (ZDX) in cloud operations for identifying performance bottlenecks and quickly zeroing in on problem areas before resolving them. You can read about how we’ve already applied it to address several real-life incidents in this blog.

Fig. 2: ZDX showing global trends of network issues, helping the support team quickly narrow down and resolve them

Dynamic path optimization and Disaster Recovery (DR) capabilities
While most issues we see and address are related to traffic handling between the Zero Trust Exchange and a target application, customer traffic can sometimes have trouble getting to the Zero Trust Exchange to begin with. This could be due to blackouts (e.g., data center outage), brownouts (e.g., connectivity issues), complete outages during natural disasters, and more. Mitigating blackout issues could be as simple as switching to an alternate carrier or data center provider, or leaning on the over-provisioned capacity of the data center itself. However, brownouts and disasters can be more challenging and can prove costly, in terms of both lost productivity and revenue. To address these scenarios, Zscaler announced a robust set of capabilities to enhance the resilience of the Zscaler cloud earlier this year. Read this blog for additional details, and check out this webpage for more information.

At Zenith Live ’23, we demonstrated two capabilities, Dynamic Service Edge Selection and Disaster Recovery, with our longtime customer Charles Schwab. Dynamic Service Edge Selection helps customers quickly recover from brownouts with automated latency-based path selection, which ensures that at any given time, user traffic chooses the lowest-latency path to the Zero Trust Exchange.
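As an added illustration of what latency-based path selection has to get right, here is a small Python selector written for this page; it is not Zscaler's implementation, whose internals the post does not describe. Each candidate edge carries its recent probe round-trip times (a lost probe is recorded as None). An edge whose probe loss exceeds a ceiling is treated as browned out even when the answers that did arrive look fast, and a switch margin keeps a client on its current edge unless another one is clearly better, so jitter does not cause flapping between edges. The edge names, thresholds and probe samples are constructed assumptions.

```python
"""Latency-based service edge selection with brownout handling.

Illustrative logic only, not Zscaler's code. Each candidate edge carries its
recent probe RTTs in milliseconds, with None marking a lost probe. An edge
whose probe loss exceeds MAX_LOSS is treated as browned out even if the RTTs
that did return look fine, and a switch margin keeps the client on its current
edge unless another edge is clearly faster, to avoid flapping."""

from dataclasses import dataclass
from statistics import median
from typing import List, Optional

MAX_LOSS = 0.2           # assumed ceiling on probe loss before an edge is excluded
SWITCH_MARGIN_MS = 15.0  # assumed hysteresis: stay put unless the gain is at least this


@dataclass
class EdgeProbes:
    edge: str
    rtt_ms: List[Optional[float]]  # recent RTT samples; None = probe lost


def edge_score(probes: EdgeProbes, max_loss: float = MAX_LOSS) -> Optional[float]:
    """Median RTT of an edge, or None if it is browned out or unreachable."""
    samples = probes.rtt_ms
    if not samples:
        return None
    lost = sum(1 for s in samples if s is None)
    if lost / len(samples) > max_loss:
        return None  # brownout: too many probes lost to trust this path
    good = [s for s in samples if s is not None]
    return median(good) if good else None


def select_edge(candidates: List[EdgeProbes], current: Optional[str] = None,
                switch_margin_ms: float = SWITCH_MARGIN_MS,
                max_loss: float = MAX_LOSS) -> Optional[str]:
    """Pick the edge to connect to.

    Returns the healthy edge with the lowest median RTT, except that the
    current edge is kept while it is healthy and at most switch_margin_ms
    slower than the best. Returns None when no edge is healthy; that is a
    blackout rather than a path-selection problem, and the caller has to fall
    back to something else (the post's DR mode, for instance)."""
    scores = {}
    for c in candidates:
        s = edge_score(c, max_loss)
        if s is not None:
            scores[c.edge] = s
    if not scores:
        return None
    best = min(scores, key=scores.get)
    if current in scores and scores[current] - scores[best] < switch_margin_ms:
        return current  # hysteresis: the improvement is not worth a reconnect
    return best


# Constructed sample: one healthy low-latency edge, one healthy slower edge,
# and one edge that answers fast when it answers but is dropping most probes.
SAMPLE_EDGES = [
    EdgeProbes("sin1", [12.0, 13.0, 12.0, None, 12.0]),
    EdgeProbes("sin2", [30.0, 31.0, 29.0, 30.0, 30.0]),
    EdgeProbes("syd1", [8.0, None, None, None, 9.0]),
]

if __name__ == "__main__":
    print(select_edge(SAMPLE_EDGES))                   # fresh client
    print(select_edge(SAMPLE_EDGES, current="sin2"))   # sticky client on the slower edge
    print(select_edge(SAMPLE_EDGES, current="syd1"))   # client whose edge browned out
```

The loss check matters more than it looks: a browned-out path often returns a few very fast answers, so ranking purely on the RTTs that did arrive would steer traffic straight into the degradation. The margin is deliberately a fixed number of milliseconds rather than a percentage so that a reconnect is only triggered by a difference a user would notice.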
In catastrophic scenarios where the Zero Trust Exchange might be impacted, Disaster Recovery ensures that access to SaaS and internet apps is restricted to certain critical applications only, while private applications are still accessible via Zscaler Private Service Edge, where the most updated security policies are still applied.

Unprecedented resilience from an unmatched cloud

Fig. 3: Unparalleled growth in daily transactions secured by Zscaler

Today, Zscaler is a cloud security leader with a reputation for peerless innovation and execution. When customers engage with Zscaler solutions, they get not only our best technology, but also solutions built on the most resilient security cloud—with architecture and operations that have been perfected across more than 15 years. At Zscaler, we will continue to innovate and offer differentiated solutions to our customers, but the greatest differentiator is the Zscaler cloud itself, upon which we build and deliver our solutions. As Misha Kuperman, SVP of Cloud Operations at Zscaler, likes to say: “There’s no compression algorithm for experience.”

We hope you were able to join us at Zenith Live ’23 in Las Vegas or Berlin to celebrate innovation, collaboration, and succeeding together. If you missed it, you can still catch up: watch select innovation and insight sessions on demand.

Fri, 04 Aug 2023 08:00:01 -0700 Harsha Nagaraju https://www.zscaler.jp/blogs/product-insights/unprecedented-cloud-resilience-and-disaster-recovery-zscaler

New VPN Risk Report: Third-Party Access Identified as a Huge Risk to Organizations
https://www.zscaler.jp/blogs/product-insights/new-vpn-risk-report-third-party-access-identified-huge-risk-organizations
Ninety percent of organizations are apprehensive that attackers will target them through third-party-owned VPNs. Not only that—user satisfaction and security will also take a beating. Read on to find out more.
A just-released 2023 survey report by Cybersecurity Insiders, sponsored by Zscaler, highlights the many benefits to organizations when they move away from legacy solutions, spurring on any organization that may be delaying the adoption of zero trust network access (ZTNA) and its clear user productivity and security advantages.

Virtual private networks (VPNs), the de facto remote access solution for the last 30 years, have more recently been constant targets of sophisticated cyberattacks. In the world of hybrid work, where users and applications are distributed, traditional remote access solutions that backhaul traffic to a single data center hinder productivity with a poor user experience, connectivity issues, and an inconsistent access experience. In addition, VPNs give all users—employees and third-party users alike—access to the full network to reach applications. This has enabled many recent attacks, including ones that defeated credential-based controls. The 2023 VPN Risk Report details the challenges users and IT professionals face in using and maintaining VPNs, and examines new technologies that can help them overcome these challenges to support user efficiency and business growth.

Third-party security concerns with VPN access
The report shows that 90% of organizations are concerned about attackers exploiting third-party vendors to gain backdoor access into their networks. Outside users like contractors and vendors remain integral to business growth, but they can put an organization at risk due to varied security standards, lack of visibility into their network security practices, and more, further complicating the job of managing third-party access and network security in general.

Poor user experience leads to poor user productivity
The 2023 report (and the 2021 and 2022 reports) shows that user experience is a big challenge for users connecting with VPN. Users see a constant drop in VPN connections, and sluggish application speeds hamper productivity.
Cyberattackers exploiting VPN vulnerabilities According to the report, nearly 1 in 2 organizations have experienced VPN-related attacks in the past 12 months and are aware of potential threats to their organizations opened up by VPNs. This underlines the need for a remote access tool that doesn’t expose organizations to external and internal threats. The report also shows security and IT leaders are increasingly concerned about cyberattackers exploiting VPN vulnerabilities, emphasizing the urgent need to address the security of current VPN architectures. Fortunately, as phishing, ransomware, credential theft, malware and application attacks increase in frequency and severity, organizations are swiftly replacing their VPNs with ZTNA. The risks exposed in this report, including the growing threat of VPN exploits, should prompt organizations to completely rethink their remote access solutions, reevaluate their security posture, and migrate to a zero trust architecture. The push to quickly adapt to remote work at a large scale, especially during the COVID-19 pandemic, brought zero trust to the forefront of the conversation. This paradigm shift away from traditional security architecture has proven a robust way to connect remote users to applications securely. The report strongly recommends organizations implement a zero trust architecture to effectively mitigate the risks associated with VPN vulnerabilities as well as protect their sensitive data and applications from cyberattacks. With 92% of organizations already considering, planning, or in the midst of a zero trust implementation, it’s clear that zero trust is the future of hybrid work. Zscaler’s next-generation ZTNA solution, Zscaler Private Access (ZPA), enables secure access to private applications while ensuring users have the best experience to maintain high productivity. ZPA can help you: Minimize the attack surface: ZPA can replace your VPN infrastructure and provide direct access to internal applications. 
With these apps invisible to the internet, you minimize the visibility and accessibility of critical assets, making them more difficult for attackers to discover and target. Prevent compromise: ZPA analyzes network traffic for malicious content and data loss. Implementing inline traffic and content inspection mechanisms allows you to detect and block malicious activities, effectively shielding resources from unauthorized access or data exfiltration. Eliminate lateral movement: With ZPA, users connect directly to applications instead of the network. By isolating users from the internal network, you limit attackers’ opportunities for unauthorized access and lateral spread within your infrastructure. Zscaler has helped thousands of organizations like Molson Coors, Southwest Gas, Colt Technology, and more migrate from their legacy VPN to our next-generation ZTNA to secure private access. Download the report Read the Press Release Mon, 31 7月 2023 23:30:01 -0700 Kanishka Pandit https://www.zscaler.jp/blogs/product-insights/new-vpn-risk-report-third-party-access-identified-huge-risk-organizations Zscaler Posture Control (CNAPP) now supports Oracle Cloud Infrastructure https://www.zscaler.jp/blogs/product-insights/zscaler-posture-control-cnapp-now-supports-oracle-cloud-infrastructure Today, nearly all organizations have adopted multicloud environments such as Oracle Cloud Infrastructure (OCI) to optimize their business operations and accelerate growth. But managing security risks in a complex multicloud environment is far different than on-premises security architectures. Organizations often address security challenges by continuously adding security tools and point solutions to their infrastructure. This increases the burden on security teams as they need to manage consistent security across the multicloud infrastructure with disparate tools with distinct features, interfaces, and functions, often operating in silos with limited resources and budgets. 
As a result, many business-critical risks go undetected and unresolved for days or weeks. Given this, organizations need a single unified platform that integrates with the multiple CSPs’ cloud-native services they have already invested in to minimize integration friction and maximize their value. This empowers them to manage consistent security and experience across all their clouds.

Stronger Together: Zscaler Posture Control and Oracle Cloud Infrastructure (OCI)
As part of our commitment to secure multicloud environments and support a broad and varied ecosystem, we are excited to announce Zscaler Posture Control, a cloud native application protection platform, supporting Oracle Cloud Infrastructure (OCI). Organizations can now include Oracle Cloud in their multicloud security management with a unified platform and secure digital acceleration of applications and workloads. The support for OCI is an important milestone that will enable organizations to maintain a strong security posture by monitoring OCI and multicloud environments, identifying problems, and fixing them.

[Fig 1: Posture Control OCI dashboard]

Proactive and secure OCI with Posture Control
With Posture Control, organizations can address security challenges and meet the OCI security demands at scale. ZPC offers broader security coverage, in-depth visibility, and control across OCI services including VMs, OKE, Developer Tools (ODT), Containers, Vault, data storage, and more with agentless deployment. ZPC enables seamless, effective, and efficient security operations. It reduces the toil of repetitive tasks that plague security teams, like aggregating and correlating security data to gain a more complete understanding of risks and where to focus.

[Fig 2: Posture Control dashboard featuring OCI Asset categories]

Fully integrated security includes the following benefits:
- An agentless architecture for visibility and agility: Gain complete visibility and control across OCI resources, data, and identities, and streamline security without slowdowns and management headaches.
- Advanced correlation and ML: Automatically consolidate findings, speed up investigations, and reduce MTTR with actionable insights to minimize gaps and uncover hidden risks.
- Governance and compliance: Streamline alignment with compliance requirements and remediate violations of established security policies and protocols.
- Rapid threat detection: Identify damaging threats, malicious activities, and anomalies across the entire cloud native stack to minimize the risk of business disruption and data breaches.
- Streamlined security operations: Integrate ZPC with different tools, services, and workflows and get best practice recommendations, unified notifications, and remediation guidance to help the respective stakeholders take action against risks and threats.

[Fig 3: Posture Control dashboard featuring CIS OCI foundation benchmark]

Optimize your OCI security investment with Posture Control
In today's economy, organizations and security teams are trying to do more with less, with limited budgets and resources. ZPC helps to optimize the return on investment by consolidating the security stack, as it combines the power of CSPM, CIEM, IaC, and much more. By bringing these capabilities together, security teams can get rid of siloed point products and more accurately correlate hidden risks caused by the combination of misconfigurations, threats, and vulnerabilities across the entire cloud stack. Moreover, it also helps security teams to address the shortage of security talent by automating repetitive security tasks, correlating risk, and helping non-experts to secure OCI assets without highly specialized domain knowledge or deep tools expertise.

It gives security and cross-functional teams a highly accurate view and remediation guidance on what truly needs to be remediated, rather than just a dashboard of signatures and control changes. In a nutshell, ZPC can help organizations: get in-depth visibility into OCI and multicloud environments, detect threats, speed up response and remediation, mitigate data exposure risks, ensure complete application lifecycle security, and strengthen policy compliance.

[Fig 4: Posture Control OCI audit and remediation]

Availability
Security teams can rapidly deploy the Zscaler Posture Control 100% agentless solution in minutes and extend their multicloud protection to include OCI. If you are an existing ZPC customer and using OCI, please refer to the step-by-step guidance to onboard your OCI accounts.

Want to try it? We encourage you to see how ZPC operates with a free security risk assessment of your OCI and multicloud environments. This complimentary assessment will deliver a comprehensive overview of misconfigurations, vulnerabilities, compliance violations, anomalies, or hidden threats within your multicloud footprint.

1 https://info.zscaler.com/ve-immersion-day-presented-by-aws-and-zscaler
2 https://www.securitymagazine.com/articles/92395-of-organizations-use-more-than-50-cybersecurity-products-to-address-security-issues

Thu, 27 Jul 2023 08:00:01 -0700 Mahesh Nawale https://www.zscaler.jp/blogs/product-insights/zscaler-posture-control-cnapp-now-supports-oracle-cloud-infrastructure

Saving Money with Zero Trust Part 3: Accelerating M&A Time-to-Value
https://www.zscaler.jp/blogs/product-insights/saving-money-zero-trust-part-3-accelerating-m-time-value

As economic uncertainty continues to run amok and give rise to fears of a recession, organizations the world over are trying to reduce their costs across the board. Unfortunately, even critical teams like security and networking are needing to tighten their belts. But how can these groups accomplish this while still stopping the onslaught of increasingly sophisticated cyberthreats and ensuring the ongoing functioning of their organizations’ day-to-day operations?

This blog series discusses the various ways that companies can save money with a zero trust architecture. Each installment includes a video that details one of the key financial benefits of embracing zero trust. The first blog revolved around simplifying infrastructure and eliminating appliances to optimize technology costs. The second reviewed the importance of decreasing complexity to increase operational efficiency and reduce management overhead. This post focuses on:

Wasted time and money during M&A
Mergers and acquisitions (M&A) are of strategic importance for many organizations. Unfortunately, perimeter-based architectures get in the way of completing meticulously planned M&A processes and capturing the benefits of doing so. Because of how these architectures are designed to deliver connectivity and security, they create immense complexity (not to mention risk) and make it difficult to perform IT integration when two organizations are being combined into one. As a result, time and money are wasted.

Zero trust architecture
Zero trust provides a fundamentally different approach to security and connectivity. It changes the status quo and helps organizations to avoid the complex shortcomings of hub-and-spoke networks and castle-and-moat security models. The result? Faster mergers and acquisitions with fewer costs.

Watch the below video about the common financial challenges of M&A and how zero trust can help.
https://zscaler.wistia.com/medias/b8oe7vfnjx

To see real-world examples of organizations that unlocked these and other financial benefits with the Zscaler Zero Trust Exchange, download our ebook.
To learn more about the ways that Zscaler saves money for customers, watch our on-demand webinar, “6 Ways to Cut Costs with a Zero Trust Architecture.” Keep an eye open for the next post in this blog series, which will review the importance of stopping cyberthreats and data breaches in order to save money.

Wed, 02 Aug 2023 08:00:01 -0700 Jacob Serpa https://www.zscaler.jp/blogs/product-insights/saving-money-zero-trust-part-3-accelerating-m-time-value

ZDX & Data Privacy – A Summary of ZDX in the Context of Workers Council Concerns
https://www.zscaler.jp/blogs/product-insights/zdx-data-privacy-summary-zdx-context-workers-council-concerns

Controlling access to data collected by ZDX
In this blog post, I’d like to share details about the data that is collected and used for Zscaler Digital Experience (ZDX) and, especially, the administrative means to: firstly, control what data is collected, and secondly, restrict access so that only defined personnel with defined roles can access and work with the data.

Information accessed by ZDX
This blog may not point out every single data point that is collected or produced by ZDX, but will give an overview of the different areas and the intention of the collection and aggregation. The general reason for data collection is to provide performance data that informs you of the impact on the End User Experience Score (ZDX Score) and lets you quickly identify in which areas improvement actions need to be initiated.

IT Area | Data collected | Determine if ...
Application | Synthetic uptime and response time tracking of web SaaS applications and websites. | ... the application itself is down or has issues.
Application | Metrics for UCaaS applications that are brought in through API integration. Applications: Webex, Microsoft Teams, Zoom. Metrics: Meeting ID, participants, latency, jitter, etc. | ... UCaaS has an issue or the network path between user and service has issues.
Network | IP addresses of the end device, the network hops, and the application are discovered and presented. | ... there is an issue with any specific network segment, and to find the owner of that network segment, e.g. the ASN and the name of the ISP. If those parts of the network are managed by the company itself, actions can be implemented immediately, or if contracts with the ISP exist, they can be asked to implement changes.
Network | IP addresses are used to determine user location. | ... the issues are bound to the local network. Administrators could help resolve issues that are bound to geographic areas, e.g. service down in that area.
Device | Hardware details of the device are collected. | ... there is an issue with hardware usage, e.g. memory at 100%, or CPU fully loaded.
Device | Installed software repository is collected. | ... there might be a software (version) that is incapable of delivering a good service.
Device | Location (Lat/Long as determined by the operating system). | ... the issues are bound to the local network. Reading the location from Windows devices is an alternative to the default of estimating the location based on the IP address.
Device | Optional integration with Microsoft Intune endpoint analytics: device-specific data on boot performance and software stability. | ... there is an issue with the user’s device or its performance, and quickly identify if it is a hardware or software issue.

It is important to understand that application and network traffic data is acquired by synthetic monitoring, not actual user traffic. ZDX does not inspect actual user data in motion, so no information about visited websites or actual user activity is being monitored.

ZDX may integrate with third-party providers like Microsoft Teams, Zoom or Webex for meeting data. Content of those meetings is not collected, but metrics like meeting ID, duration of meeting, technical KPIs, and other meeting participants can be visible in the ZDX portal.

Personally identifiable information (PII)
ZDX collects the following PII information:
- Device IDs and device usage information. Zscaler Client Connector (ZCC) captures detailed device fingerprint and usage information.
- Device geolocation. ZCC can communicate with location services on a device and picks up the device’s geolocation coordinates. This is a configurable setting. If the coordinates are not available, geolocation is provided through IP address geo lookup for the internet-facing egress IP.
- Home network IP address. ZDX cloud path records the name and IP address of a user’s Wi-Fi network, including its SSID.

A ZDX administrator can configure ZDX and ZCC to protect user privacy and exclude PII entries. This includes:
- Login username
- Machine hostname
- MAC address of the network interface
- SSID and BSSID of the wireless LAN

Overview of controlling access
ZDX offers multiple layers of:
1. Collecting information
2. Giving access to the collected information

Define what information from whom to collect

Enabling and Disabling ZDX
ZDX is enabled on two different layers. First, ZDX is enabled in ZCC. This can be done either by selecting “ZDX Enabled by Default” to enable ZDX for all ZCC users, or it can be activated for specific User Groups. If you have enabled posture-based services, there will be two more options, as you can see in the below screenshot. The Device Groups in this case will be taken from Posture Profiles. User Groups and Device Groups are connected with a logical AND. A use case would be, for example, to differentiate company devices and private devices and enable ZDX only on company devices. Users, User Groups, etc. for ZDX are taken from the ZIA repository. If ZIA is connected to AD, an option would be to use a specific AD group for ZDX.

In the screenshot, you see that ZDX is activated only for the group “IT.” Our recommendation is to have as many users active in ZDX as possible in order to be able to see global trends—geographically as well as for applications—so that in case of a decreased ZDX Score, actions can be initiated quickly to improve the digital experience.

Zscaler Client Connector user privacy options
The configuration to protect PII information is controlled in Mobile Portal and at the administrator management level, where obfuscation can be enforced. Please see the screenshot below for ZCC User Privacy Options. Those are not only relevant to ZDX, but used by other Zscaler offerings as well. Specific to ZDX are the two options “Enable Local Packet Capture in Zscaler Client Connector” and “Collect Location Info for ZDX.”

Sharing device location information
There are two mechanisms for collecting the user’s geolocation. The first method is to enable the collection from Windows devices by enabling the collection in Mobile Portal. If that option is disabled, the location is estimated by the egress IP address and the public/internet-facing IP address of that connection. The second option is the default, which can’t be disabled, but can be obfuscated.

Device inventory setting
The collection of device software inventory can be enabled or disabled on a tenant level.

[Sample of Software Inventory Overview]
[Sample overview for Zscaler software]

Enabling applications and probes
After the enablement of ZDX, applications and probes need to be configured. Those two can be assigned to all users or a subset of users. Synthetic monitoring depends on applications and their assigned probes. Without any defined probes, no data is collected. In the context of data protection, it is important to understand that for each probe the applicable users or groups, etc. can be defined. See the screenshot below for the available configuration options.

Controlled access to the collected information

Operational use and role-based access control (RBAC)
Only assigned administrators will be able to log in and see the data collected by ZDX. Additionally, ZDX has multiple means of protecting the personal information of a single user. This is implemented by RBAC. Different roles with different permissions for certain aspects of ZDX and the collected data can be defined in ZDX to limit access as needed. There are three predefined roles:
- ZDX Read-only Admin
- ZDX Service Desk Tier 1
- ZDX Super Admin

An example is presented in the following screenshot. Keep in mind that roles can be set up and added as needed for your organization. Furthermore, each individual administrator can be assigned to a specific scope: organization-wide, or just a specific department or location.

Obfuscation - Masking user information (PII)
Permissions can be applied for an admin to be able to see the following data in clear text in the dashboard, or in obfuscated format:
- Username
- Location
- Device Name
- IP Address

The setting can be as follows:
- Visible: Allows admins to view user and device information.
- Obfuscated: Does not allow admins to view user and device information.
- Custom: Allows admins to view specific user or device information.

The effect of obfuscation can be seen in the following screenshots. The following examples show all four data points (Username, Location, Device Name, IP Address) obfuscated:
[Application Dashboard]
[User Dashboard]
[Cloud Path]

Zscaler compliance
For further information on legal documentation, consult our privacy website and let your account manager know to arrange a meeting with our legal team.

Further resources
- Information on internet protocol (IP) addresses to access the ZDX service: https://config.zscaler.com/zdxcloud.net
- Data Protection and Privacy: https://www.zscaler.com/products/data-protection-and-privacy
- Zscaler Sub-processors: https://www.zscaler.com/privacy-compliance/subprocessors
- Company > Compliance: https://www.zscaler.com/privacy-compliance/compliance
- Best Practices Operationalization: https://www.zscaler.com/resources/white-papers/best-practices-operationalizing-zdx.pdf

Fri, 21 Jul 2023 08:00:01 -0700 Christian Bock https://www.zscaler.jp/blogs/product-insights/zdx-data-privacy-summary-zdx-context-workers-council-concerns

Enhancing Security with Flow Logging: Exploring Zscaler Client Connector's Key Feature
https://www.zscaler.jp/blogs/product-insights/enhancing-security-flow-logging-exploring-zscaler-client-connectors-key

Organizations face increasing cyberthreats in today’s digital landscape, making robust security measures a top priority. As a leader in cloud security, we offer a powerful feature in Zscaler Client Connector called Flow Logging, which enhances visibility, threat detection, and incident response capabilities. Let’s dive into the details of Flow Logging and how it contributes to a secure and efficient network environment.

“Let’s try excluding the traffic.” Does that sound familiar? If you’re in IT and have been in troubleshooting sessions or tried to get an application to work, you’ve probably tried it. With the massive increase in remote users and the rate at which IT needs to scale, you sometimes have to move corporate policies around to address top priorities.

Zscaler Client Connector is a software agent that provides secure access to the Zscaler Zero Trust Exchange platform. Flow Logging, available from Client Connector 4.0 onward, provides critical visibility into traffic not sent through Zscaler Internet Access or Zscaler Private Access (i.e., excluded traffic). For instance, if you need to exclude Microsoft Teams traffic from ZIA, Flow Logging ensures all Teams session connectivity is artificially logged to ZIA.

3 Key Benefits of Flow Logging

1. Enhanced visibility
Many customers are looking for ways to send only desired traffic through ZIA, but excluding traffic comes with a key downside: losing visibility of traffic and user activity. Flow Logging enables tracking of excluded traffic, giving security teams comprehensive visibility and deep insights into user activity, application usage, and data flows.

2. Threat detection and incident response
Security analysts can proactively monitor and detect malicious activities by leveraging the captured flow logs. With Flow Logging enabled, you can proactively track and correlate any malicious activity across endpoints and users, even for excluded traffic.

3. Troubleshooting and reporting
Flow logs are easy to filter and navigate in ZIA Analytics to assist with security investigations and network troubleshooting. By analyzing flow logs, IT teams can identify and resolve any events related to bypassed traffic. Reports are embedded in the Insights section and spread across all the Insights sections in the ZIA dashboard.

Easy, Flexible Configuration
Configuring Flow Logging takes just a couple of clicks. In the app profile, we’ve introduced a new section for enabling Flow Logging. Flow tracking is enabled per app profile, and an administrator can start or stop a flow based on your organization's needs and policies. Admins can select specific flows:
- VPN: VPN connection (outer tunnel toward VPN server)
- VPN tunnel: Inner tunnel traffic (actual traffic flows within the VPN tunnel)
- Direct: Direct internet traffic
- Intranet: RFC 1918, IPv6 Intranet
- Loopback: Loopback IPv4 and IPv6
- Block traffic: T2 fallback option, drop IPv6 configuration, block due to strict enforcement mode, block due to disaster recovery configuration

Flow Logging, available through Zscaler Client Connector, offers your organization a powerful tool that enhances visibility, threat detection, and incident response capabilities for bypassed traffic. By capturing and analyzing detailed flow logs, you can gain key insights to proactively identify and mitigate security risks while facilitating audit, troubleshooting, and operational efficiency. Incorporating Flow Logging into your security strategy can significantly strengthen your organization's defenses and ensure a secure, efficient network environment.

Fri, 21 Jul 2023 08:00:01 -0700 Vishnu Pandey https://www.zscaler.jp/blogs/product-insights/enhancing-security-flow-logging-exploring-zscaler-client-connectors-key

Internet Egress Security Architecture for AWS Workloads | Part 1 - Regional Hubs
https://www.zscaler.jp/blogs/product-insights/internet-egress-security-architecture-aws-workloads-part-1-regional-hubs

Some Background
Over the past 18 months I have been working with organizations and the Zscaler team to help deliver security for public cloud workloads, such as AWS, Azure, and GCP. As many of you know and have been doing for many years, it's possible to send your internet-bound traffic to the Zscaler Internet Access (ZIA) platform using a variety of methods. Getting traffic to ZIA Service Edges includes GRE Tunnels, IPSEC Tunnels (including SD-WAN integrations), Client Connector, and even PAC files. This flexibility is one of the many things that make the Zscaler platform so amazing.

Enter public cloud. AWS. Azure. GCP. You can just configure some GRE or IPSEC tunnels and forward internet-bound workload traffic to ZIA easily, right? Well, not really. Some cloud providers don't support GRE tunnels, and some of the native VPN/IPSEC tunnel capabilities do not support the resiliency/HA many organizations require. There are third-party solutions, such as deploying virtual cloud routers and then setting up IPSEC tunnels to ZIA. This can work, but in most cases we are seeing this is not scalable. Not just from a throughput perspective but operationally.

Zscaler for Workloads offers a component called Cloud Connectors.
They are Zscaler purpose-built gateways that can be deployed into public cloud platforms and forward traffic to both Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) platforms. Cloud Connectors are EC2/VMs, integrate with cloud provider's native load balancers, scale horizontally, and are deployed with IaC Tools such as Terraform and CloudFormation. Cloud Connectors securely forward traffic to Zscaler using DTLS/TLS tunnels, something many customers will be familiar with because it is the same underlying tunneling technology Zscaler offers with Client Connectors . If you want to learn more please visit our page here. What is a Workload, anyways? Any service or machine that communicates on the network and typically does not have a user logged into it. This can be EC2 Instances, RDS Instances, EKS (containers) Nodes, Lambda Functions, etc. Cloud Connectors on AWS Let's quickly cover the Cloud Connector component to provide more familiarity and context for the rest of the article. In this example, we have decided to create a Zscaler VPC in the AWS Account that has the regional Transit Gateway. Zscaler can automate the creation of the VPC using Terraform, but many organizations utilize existing code or processes for the underlying network. Zscaler generally recommends a minimum of 2 AZs and to deploy the components into private subnets because no inbound connectivity from the internet is needed. In this case, we have: Deployed public subnets with 1 NAT Gateway per subnet/AZ, and configured a default route from the public subnets to the Internet Gateway Deployed private subnets with a default route to the NAT Gateways. *Note: NAT Gateways are not required but this is recommended deployment from Zscaler. Please contact Zscaler if you prefer to deploy Cloud Connectors into a public subnet and remove the need for NAT Gateways. This is supported but not our recommendation. Deployed private subnets that have the Transit Gateway attachments. 
Prior to deploying the Cloud Connectors, the default route will most likely point to the NAT Gateways Zscaler Cloud Connectors with AWS GWLB Example Once the underlying network is in place, we deploy using Terraform or CloudFormation. In this example, the default Zscaler TF/CFT templates will deploy a Lambda Macro, one Cloud Connector per Subnet/AZ (m5.large), a GWLB Service, a Target Group including the Cloud Connector service ENIs, and a GWLB VPC Endpoint in the same subnets as the Cloud Connectors. Upon successful enrollment with Zscaler, the Cloud Connectors, by default, will each discover and establish 2 outbound tunnels (can be unencrypted, DTLS/TLS) to the closest optimal Zscaler Service Edges. Each Cloud Connector will have an Active tunnel for forward workload traffic to Zscaler, will the secondary/backup tunnel is in standby modes. Please note this is the default configuration and behavior. Organization can utilize forwarding rules to send traffic to different destinations and service edges. This means that when a Cloud Connector processes traffic it is possible for it to have multiple active tunnels established to forward the traffic to the different destinations per the forwarding rules: Select which Zscaler Service Edges to utilize. This includes public edges, private/virtual edges, and ZIA subclouds Utilize different Zscaler Service Edges for different types of traffic based on criteria. This includes but is not limited to: Cloud Connectors, Network Services, Source IP/CIDR, Destination IP/CIDR/FQDN. For more information please read more here. That should be a good enough introduction to what and how the Cloud Connectors work in AWS for the purposes of this article. Let's move on to the design and topology decisions! AWS Topologies Many organizations have massive AWS footprints. Surprisingly, the complexities I see are not tied to the quantity or types of workloads running in AWS: EC2 instances, RDS instances, Lambda functions, EKS nodes, etc. 
Operationalizing granular security policies does take time but is not the forefront of most conversations. So what is? Cloud Network Topology & Design Decisions. There are so many considerations to account for and many are not Zscaler-specific. The right design will optimize costs, reduce operational overhead, and not compromise security. I hope to share some insight and my experiences having designed and deployed this with many organizations. Let me reiterate one more thing: There is no single answer or design that works for every deployment, but I am starting this blog series with what I have seen to be the most common on AWS: Regional Security Hubs using Transit Gateway (TGW). In a nutshell this is basically a hub-and-spoke model in which the Workload Spoke VPCs are connected to a regional TGW, routing can be centralized, and security products can be deployed into a "security", "inspection" or "egress" VPC to service all the Spoke VPCs. There are many configuration options that would require me to write a 50 page document on, so I will keep to the point and not talk about every single nuance. I'll refer to these hubs being per-region, but it is possible to have multiple hubs/TGWs per region. Large organizations may separate the workloads across environments: Test/Dev, QA, Production. So just keep in mind your exact design will vary. There are many benefits of using TGW, and you can learn more at https://docs.aws.amazon.com/prescriptive-guidance/latest/integrate-third-party-services/architecture-3.html and https://aws.amazon.com/transit-gateway/features/ or just use your favorite search engine. Is this model right for us? Let's make it simple. When you are wondering if this is the best or possible topology when it comes to Zscaler, ask yourself these 3 questions: Are we already using Transit Gateways? Have we already made a decision to migrate to using Transit Gateways? Do we have 100's or 1000's of VPC spreads across AWS Accounts and/or Regions? 
If you answered yes to at least 1 of the questions, then this might be the best option for you as an enterprise standard. Does that mean you will be "all or nothing"? Nope. Thanks to AWS innovation, the AWS Gateway Load Balancer (GWLB) offering enables security services and vendors like Zscaler to utilize what is called a Distributed GWLB Endpoint model. This means you can have centralized regional Security VPCs with Zscaler Cloud Connectors and also secure Isolated VPCs that are not peered or connected to the Security VPC via TGW! If this concept is new to you, don't worry, I will explain this a bit more if you keep reading...

What about other design options? We'll cover that in Part 2, but to give you a sneak peek... it's a fully decentralized model where each VPC is isolated without any peering or TGW connectivity. For this article we are only talking about the centralized hub model!

Architecture Overview

Figure: Regional Hub with TGW and Distributed Endpoint connectivity to Zscaler example

Let's take a look at this high-level design example, where the organization has decided to deploy Zscaler Cloud Connectors into regional hubs because most of the workload Spoke VPCs are already connected via Transit Gateway. However, the organization also has a few Isolated VPCs that do not require access to private resources or applications, but do need internet egress protection. Instead of deploying Cloud Connectors directly into the Isolated VPC, the organization simply connected to the GWLB Service fronting the Zscaler Cloud Connectors by deploying a GWLB VPC Endpoint into the Isolated VPC. This hybrid model provides the benefits of:

- Lowered costs. Not needing to deploy Cloud Connector EC2 instances in each VPC, but rather just a few Cloud Connectors per regional hub. There is always give and take with vendor and cloud provider costs (networking, compute, storage, etc.), but generally this benefit applies today.
- Less operational overhead.
Only needing to deploy a group of Cloud Connectors and related components per region is much easier and faster than per VPC. It is important to note that organizations further along in the IaC journey will not have bigger overhead when deploying per VPC, as it is very "cookie-cutter" and can be automated. Organizations that do not have all the VPCs, network configurations, etc. across AWS deployed using IaC such as Terraform will find that deploying per VPC requires more manual steps than doing it centrally.
- Less complex routing. Most of the VPCs already default route to the TGW, so it is possible to essentially route all outbound traffic to the Cloud Connectors by adjusting a TGW route table. In reality you will cut over VPCs in phases, but the point is simplification.

The diagram depicts a hybrid approach, but there are some variables I want to call out, simply because a single diagram can't account for every possibility:

- Availability Zones. Zscaler recommends deploying Cloud Connectors across a minimum of 2 AZs, but usually it's best to match your enterprise standard.
- GWLB. Zscaler deploys a GWLB Service and the respective GWLB VPC Endpoints into the subnets of each Cloud Connector by default. Connecting additional (distributed) GWLB VPC Endpoints can be done too, using the same GWLB Service.
- Routing. Instead of routing to the Cloud Connector Service ENI, you will always route to the respective GWLB VPC Endpoints. A default route is most common, but some organizations only forward proxy-aware web traffic (PAC file / explicit proxy) to Zscaler.
- Cloud-Native or Virtual Firewalls. Many organizations might have existing firewalls in AWS that are used for "east-west" inspection and control. The firewalls might be the next hop from a routing perspective. If so, we generally talk through the options of where to deploy Cloud Connectors: we can deploy into a separate VPC or into the same VPC, and have the workloads' next hop point to the Cloud Connectors or to the firewalls first.
This topic alone will be a blog, as there are many options here depending on your organization's requirements.

Brief note: Many customers bring up questions around traffic they do not want to send to Zscaler. The implementation details vary based on the use case, but with the use of routing, forwarding rules, and other configurations it is possible to send all or some traffic to Cloud Connectors and/or Zscaler. We will not cover this topic in this article, but it's an important consideration that Zscaler is aware of!

Spoke VPCs to Zscaler via TGW

In many cases, most of the VPCs will be connected to the Transit Gateway where the Cloud Connectors are deployed. As we zoom into this portion of the network diagram, we can see the Spoke will route all traffic destined outside of its own VPC to the TGW. If the TGW Route Table is configured to send the default route to the Zscaler VPC, the TGW route table in the Zscaler VPC will default route to the GWLB VPC Endpoints fronting the Cloud Connectors.

Figure: Spoke VPC connected via Transit Gateway to Zscaler

The Cloud Connectors will then forward the traffic appropriately, such as using the established DTLS tunnels to the Zscaler Service Edges as depicted in the diagram below. When GWLB Cross-Zone Load Balancing is enabled (which is our recommendation), GWLB will be able to send traffic to Cloud Connectors across all AZs instead of only the workload's source AZ. This is important from an HA/resilience perspective, because if the Cloud Connector(s) in AZ1 are unable to tunnel the traffic to Zscaler, the healthy Cloud Connector(s) in AZ2 can forward that traffic without interruption. It is also important to note that if a Cloud Connector's primary tunnel fails to connect to Zscaler, a secondary tunnel will be marked as active and used to forward traffic (as depicted in red below).

Now we have traffic routing from a Spoke VPC to Zscaler, so the workloads are protected.
Although I am simplifying this for the purpose of this article, you would start associating other workload Spoke VPCs in this region with the TGW Route Table that is pointing to the Zscaler VPC, to protect them as well. It is mostly "rinse and repeat" at this point for all VPCs in the region, and then the next region, etc.

Isolated VPCs to Zscaler with Distributed Endpoints

Last but not least, what about those Isolated VPCs in the same region that have no peering or TGW connectivity to the Zscaler VPC? This is where we zoom into this portion of the diagram and show that the connectivity looks almost identical to TGW from a diagram perspective. A minor but critical detail is that instead of a TGW attachment, we have simply deployed a GWLB VPC Endpoint that connects to the existing GWLB Service fronting the Cloud Connectors (from the TGW diagram). This connection basically just uses AWS PrivateLink to stay on the AWS backbone/network, but allows for the same connectivity out to the Internet via Zscaler protection!

Figure: Isolated VPC with Distributed GWLB Endpoint to Zscaler

So in the above diagram you'll notice the architecture/topology is still centralized, but the AWS GWLB Service enables connectivity to Zscaler without VPC connectivity! From a routing perspective, the differences in this method are:

- The Workload VPC routes to the local GWLB VPC Endpoint instead of the TGW.
- The GWLBe connects to the GWLB Service in front of the Cloud Connectors using AWS PrivateLink (not depicted in the diagram) instead of the TGW.

Are there any advantages or disadvantages to the Distributed Endpoint model instead of just attaching them to the TGW?

- Biggest Advantage: Support for overlapping VPC CIDRs. The Isolated VPCs can all have the same CIDR and utilize the same centralized Cloud Connectors. VPCs attaching to the same TGW cannot have overlapping CIDRs.
- Biggest Disadvantage: This is "one-way" communication for the Isolated Workload VPC getting to the internet through Zscaler.
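As an added illustration (not Zscaler's templates or code, and not an AWS sample), here is a small Python audit that classifies each VPC route table's default route the way the TGW and distributed-endpoint sections above describe it, so you can see which VPCs still egress directly through a NAT gateway and whether the GWLB has cross-zone load balancing switched on. It assumes input shaped like the EC2 DescribeRouteTables and ELBv2 DescribeLoadBalancerAttributes responses; the sample tables and every id in them are constructed placeholders.

```python
from typing import Dict, List

# Default-route next hops that bypass the Cloud Connectors entirely.
DIRECT_EGRESS = {"nat-gateway", "internet-gateway"}


def classify_default_route(route_table: dict) -> str:
    """Name the next hop of a route table's 0.0.0.0/0 route ('none' if it has no default route)."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State") == "blackhole":
            return "blackhole"            # target no longer exists; egress silently fails
        if route.get("NatGatewayId"):
            return "nat-gateway"          # the pre-cutover state described in the post
        if route.get("TransitGatewayId"):
            return "transit-gateway"      # spoke VPC sending everything to the regional hub
        gateway = route.get("GatewayId", "")
        if gateway.startswith("vpce-"):
            return "gwlb-endpoint"        # GWLB VPC endpoints are reported as a vpce-... GatewayId
        if gateway.startswith("igw-"):
            return "internet-gateway"
        return "other"                    # peering, ENI, instance, ...
    return "none"


def audit_route_tables(route_tables: List[dict]) -> Dict[str, str]:
    """Map every route table id to its default-route classification."""
    return {rt["RouteTableId"]: classify_default_route(rt) for rt in route_tables}


def direct_egress_tables(route_tables: List[dict]) -> List[str]:
    """Route tables whose default route still goes straight to the internet, i.e. not yet cut over."""
    return sorted(rt_id for rt_id, hop in audit_route_tables(route_tables).items()
                  if hop in DIRECT_EGRESS)


def cross_zone_enabled(attributes: List[dict]) -> bool:
    """True if the GWLB's DescribeLoadBalancerAttributes output has cross-zone balancing on."""
    return any(a.get("Key") == "load_balancing.cross_zone.enabled" and a.get("Value") == "true"
               for a in attributes)


# Constructed sample shaped like DescribeRouteTables output; every id is a placeholder.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-spoke-placeholder", "Routes": [         # spoke VPC attached to the TGW
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": "tgw-placeholder", "State": "active"}]},
    {"RouteTableId": "rtb-isolated-placeholder", "Routes": [      # isolated VPC, same CIDR as the spoke
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vpce-placeholder", "State": "active"}]},
    {"RouteTableId": "rtb-legacy-placeholder", "Routes": [        # not cut over: still on a NAT gateway
        {"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-placeholder", "State": "active"}]},
]
# Constructed GWLB attribute list with the recommended setting still off.
SAMPLE_GWLB_ATTRIBUTES = [{"Key": "load_balancing.cross_zone.enabled", "Value": "false"}]

if __name__ == "__main__":
    # With boto3 you would pass ec2.describe_route_tables()["RouteTables"] and
    # elbv2.describe_load_balancer_attributes(LoadBalancerArn=...)["Attributes"] instead.
    for rt_id, hop in audit_route_tables(SAMPLE_ROUTE_TABLES).items():
        print(f"{rt_id}: default route -> {hop}")
    print("not yet protected:", direct_egress_tables(SAMPLE_ROUTE_TABLES))
    print("GWLB cross-zone enabled:", cross_zone_enabled(SAMPLE_GWLB_ATTRIBUTES))
```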
Yes, return traffic is inspected and sent back to the workloads, but they must initiate all communication. If another VPC or service outside of the Isolated VPC needs to communicate inbound to this VPC, it will not work, since GWLB Endpoints only support the "inbound" side. However, this disadvantage is actually a good reason to explore the ZPA for Workloads offering from Zscaler :) If workload-to-app and workload-to-workload communication is needed, you can simply deploy ZPA App Connectors into the Isolated VPC and publish the required application(s) through Zscaler Private Access! However, this bullet point is a disadvantage specifically in the context of this article's topic around internet egress security-only use cases.

What's Next

In Part 2 of this article series, we will cover a fully decentralized AWS model where you deploy the Cloud Connectors into each Workload VPC with direct secure internet access. Don't worry, the next articles will cover Azure, GCP, and then ZPA-specific use cases too. I plan to write a new part every few weeks!

Now, you might have some questions. Please don't hesitate to reach out to your Zscaler Customer Success Manager or Account Team and ask for a Workload Communications Discovery Workshop. Nothing beats some diagrams, digital or in-person whiteboarding, and talking through all the details of the design.

Thu, 20 Jul 2023 08:00:01 -0700 Zoltan Kovacs https://www.zscaler.jp/blogs/product-insights/internet-egress-security-architecture-aws-workloads-part-1-regional-hubs

Saving Money with Zero Trust Part 2: Decreasing Operational Complexity
https://www.zscaler.jp/blogs/product-insights/saving-money-zero-trust-part-2-decreasing-operational-complexity

In the face of increasing economic uncertainty, organizations are doing whatever they can to prepare themselves for a recession. Budgets are shrinking, headcounts are decreasing, and employees are being challenged to do more with fewer resources.
While one may hope that teams like security would be insulated from these pressures, that is sadly not the case. They too are being asked to cut costs and do more with less.

This blog series discusses how companies can save money in security and networking with a zero trust architecture. Each installment in the series includes a video that details one of the financial benefits of zero trust. Part one looked at how organizations can optimize their technology costs and spend less money on infrastructure, hardware, and bandwidth. This blog focuses on:

The operational inefficiency of perimeter-based architectures

Yesterday’s hub-and-spoke networks and castle-and-moat security models breed complexity that keeps admins focused on menial tasks and prevents them from performing their job duties efficiently. In other words, time and money are wasted. This occurs for multiple reasons. As an example, for every piece of hardware that is purchased, the burden of integration and ongoing maintenance increases. Similarly, every point-product security appliance that is deployed to address a specific threat or vulnerability means more disjointed dashboards, alert fatigue, and difficulty in manually duplicating policies across separate interfaces. Beyond these brief examples, there are many challenges that demand a great deal of oversight from high-skill, expensive labor.

Zero trust architecture

Zero trust is a fundamentally different architecture that successfully decreases operational complexity. This simplification leads to greater operational efficiency, reduced admin time requirements, and minimized management overhead. Watch the video below to learn how zero trust can accomplish this for your organization.

https://zscaler.wistia.com/medias/2z2edhzq1o

If you would like to see examples of how these savings play out in the real world, download our ebook and learn about customers who reduced costs with the Zscaler Zero Trust Exchange.
For more detailed information about the ways that Zscaler helps organizations save money, check out our recent webinar, “6 Ways to Cut Costs with a Zero Trust Architecture.” Stay tuned for the next installment in this blog series, which will focus on accelerating time-to-value during mergers and acquisitions (M&A).

Tue, 18 Jul 2023 08:00:01 -0700 Jacob Serpa https://www.zscaler.jp/blogs/product-insights/saving-money-zero-trust-part-2-decreasing-operational-complexity

New AI-Powered Analyses Help IT Teams Ensure Flawless Digital Experiences and Maximize Employee Productivity
https://www.zscaler.jp/blogs/product-insights/new-ai-powered-analyses-help-it-teams-ensure-flawless-digital-experiences

According to a recent survey, most IT leaders are in favor of a hybrid workplace model, but at the same time, 90% of employees are frustrated by workplace technology and its impact on their productivity.

Point Monitoring Tools Leave IT Teams Unprepared

Making matters worse, Network Operations and Service Desk teams are forced to rely on point solutions that leave them unprepared. Device, network, and application monitoring tools only see fragments of the application delivery chain, leaving blind spots between the user’s device and the app that require teams to manually export and correlate data from each tool. This lack of end-to-end visibility into digital experience forces IT teams to firefight problems after they have been reported, rather than proactively identifying and resolving them before users are impacted.

Zscaler Digital Experience (ZDX) gives you the visibility you need to ensure optimal digital experiences for all your users—in the office, at home, and on the move.
By securely monitoring your business’s SaaS-, public cloud-, and data center-based applications right from within your end user devices, ZDX can present user experience insights across your organization, along with an end-to-end view of performance and availability across the entire application delivery chain. Armed with these insights:

- Network Operations teams can review digital experience health and the root causes of bottlenecks across all enterprise applications in real time, as well as rapidly resolve service degradation before users complain.
- Service Desk teams get what they need to troubleshoot complaints—a wealth of information including device health, active processes and events, network performance from the user’s Wi-Fi and ISP and through the Zscaler Zero Trust Exchange, and application performance and availability metrics.

No other digital experience monitoring solution provides a unified view of performance from the device, through the network and the Zero Trust Exchange, and up to the SaaS-, cloud-, or data center-based application, along with root cause analysis that exposes issues impacting user experience.

NEW: Faster IT Resolutions with AI-Powered Root Cause Analysis and Troubleshooting

When ZDX detects anomalies or poor user experience, it can automatically create ServiceNow tickets that present service desk analysts with multiple insights into device, network, application, and more.

AI-Powered Root Cause Analysis

To help service desk analysts expedite triage and resolution, ZDX includes the root cause of a reported problem as determined by AI and ML. The figure below shows the integration of AI-powered root cause analysis with ServiceNow, with the top contributing factors shown directly in ServiceNow. In this example, an analyst could easily see that the top factor is high DNS latency, and then escalate the ticket to a network specialist.
AI-Assisted Troubleshooting

For the network team to continue with the analysis, service desk analysts can simply create a ZDX Snapshot so that network specialists can review the incident. From within the snapshot, network specialists can dig deeper. Using the “compare” function, they can review which factors have changed since the last time the user experience was good. This side-by-side comparison view offers a quick understanding of the right focus areas to implement lasting resolutions. In this example, there is a service chain between a third-party proxy and the Zero Trust Exchange, so the DNS configuration needs to be checked.

NEW: Reduce Ticket Volume by Empowering End Users to Fix Problems

We have introduced self-help capabilities designed to tackle work-from-home or Starbucks moments, aiming to put an end to an old problem: “I don’t want to troubleshoot the user’s home network, nor do I have the tools to do so.” ZDX now empowers end users to fix problems that impact their digital experience, if a fix is under their control. A lightweight AI engine running in Zscaler Client Connector notifies users of issues like poor Wi-Fi or high resource utilization, and then offers suggestions on how users can resolve those issues themselves. The result is a pair of benefits: end users can restore their own productivity faster without creating support tickets, and Service Desk teams have lower ticket volumes to address.

NEW: Proactive Problem Resolution Using the Incident Dashboard

Customers have told us they want to know the big picture—big problems that affect multiple users. The most common issues in the past few years have been related to ISP and Wi-Fi connectivity. The new ZDX Incident Dashboard includes new ML models to detect problems in applications, Wi-Fi, Zscaler data centers, last mile and intermediate ISPs, and the endpoint, with automated AI-powered correlation.
The dashboard includes incidents that have occurred in the last two weeks, with details on who was impacted, when, and where.

Analyzing Wi-Fi Incidents

Let’s look at Wi-Fi incidents that have occurred across all locations worldwide. You can drill down into the incident details page to further understand the area of impact, the epicenter, who is affected, and where. In addition, you can categorize the list of affected users for additional pivots as “trust but verify.” This is possible because ZDX, by design, incorporates explainable AI to understand root cause. Every incident incorporates the most relevant metrics to understand what triggered it. For Wi-Fi incidents like the one above, metrics include access point latency, packet loss, jitter that carries over, signal strength, bandwidth, and channel usage.

Analyzing the Impact of ISPs on Digital Experience

In the hybrid workplace, where the internet is the corporate network, every home network, every branch, and every location becomes a source of possible network problems. How can you manage the unmanageable? We have introduced two incident classifications, Last Mile ISP and Intermediate ISP, to detect ISP-related glitches and quickly surface when the ISP is affecting performance, including blackouts or brownouts. This allows Network Operations teams to rule out every other possible root cause and focus on restoring reliable connectivity as soon as possible. ZDX looks holistically across billions of signals collected from billions of probes, alongside petabytes of telemetry data, to understand the root cause and pinpoint problem areas. This approach benefits all customers, even those with only a small deployment of ZDX.

In this next example, let’s look at a Last Mile ISP incident. Drilling down in the incident details page, you can see the impacted users, the drop in score, and some key metrics. The most important metric is the latency observed during the first internet hop.
If We Don’t Own the ISP, Why Is It Important to Detect Problems There?

Users will complain about performance problems. Being able to communicate exactly where a problem is avoids unnecessary troubleshooting time, even if the source of the problem is outside your control. Customers with multiple egress points to the internet can change BGP settings to switch ISPs, avoiding one with a brownout or blackout. When the problem is on a core ISP of the internet, Zscaler cloud operations will work to overcome it, either rerouting the traffic or switching the customer-serving data center to one not experiencing the impact of the faulty ISP.

ZDX is the most intelligent DEM in the market, designed to help Network Operations and Service Desk teams ensure flawless digital experiences and employee productivity. From inception, we designed ZDX to simplify detection and troubleshooting by quickly understanding the source of problems, providing deep metrics and AI/ML support to enable teams to find the needle in the haystack. With ZDX, you can:

- Unify your monitoring toolset and insights into a single pane of glass to help multiple teams—device, network, security, and application teams—ensure optimal performance
- Empower end users to learn about and fix problems within their control, reducing ticket volume
- Detect developing incidents early and proactively resolve them using AI-powered correlation and insights

Learn more about ZDX and how you can use it in your organization: Request a demo!

Fri, 14 Jul 2023 13:10:01 -0700 Javier Rodriguez Gonzalez https://www.zscaler.jp/blogs/product-insights/new-ai-powered-analyses-help-it-teams-ensure-flawless-digital-experiences

Reduce Mean Time To Resolution With Zscaler’s Digital Experience Monitoring and Avanade
https://www.zscaler.jp/blogs/product-insights/reduce-mean-time-resolution-zscalers-digital-experience-monitoring-and

It's no secret that moving to the cloud can boost productivity and create a happier workforce.
Many organizations have already made the switch and are allowing employees to work from anywhere at any time. However, even with these benefits, human error can still occur. At Avanade, we understand this and strive to minimize mistakes as much as possible. While we aren't perfect, we enforce practices that have been successful in the past to protect against errors and attacks. With the ability to proactively identify and fix issues before they pose a risk, we can ensure the safety and productivity of our workforce.

A lot of us are using the cloud, Office 365, or Azure; we know from Signhouse that 49% of organizations are using Microsoft 365. But with any cloud provider, you as an organization need to be proactive: you need to monitor devices, networks, and applications. If you want to have a happy, enthusiastic, productive, and innovative workforce, it's important to ensure that your systems are operating smoothly and are accessible to everyone.

One great solution we at Avanade recommend is Zscaler, our trusted partner. In particular, we've used Zscaler Digital Experience Monitoring (ZDX) to detect outages across multiple cloud service providers before anyone even reports an issue. It's a great tool that can help you keep your systems running smoothly so your team can focus on what they do best. ZDX has transformed how the Avanade business operates by providing unrivaled visibility and depth of information for our customers. See below for a detailed description of exactly how ZDX operates and how it can benefit your business, too.

Early detection and proactive notifications

As organizations rely on these cloud-based applications, IT operations must quickly identify whether there are any issues with the application. With the internet as the new backbone, it’s challenging to monitor from the endpoint to the application and everything in between.
IT operations have gone from managing a network of one to managing thousands of networks, and how each device operates in those environments. The question is how to quickly rule out whether it’s the device, the network, or the application, in order to identify the root cause.

Reduce MTTR with full end-to-end visibility

ZDX provides a high-level view from the dashboard of the most impacted applications being monitored. In the following example, Microsoft Outlook is impacted globally, which is highlighted by the red circles on the map. Just by glancing at the map, IT operations teams will know who’s impacted, in what regions, and which applications. For example, if the application has issues, it’s important to know who is impacted so IT can proactively communicate with all the impacted users.

Figure: ZDX dashboard highlights applications impacted globally

You can further drill down into the ZDX dashboard and see the ZDX Score, which represents all users in an organization, across all applications, locations, and cities. The ZDX Score is based on a scale of 1 (lowest) to 100 (highest), with the low end indicating a poor user experience.

Figure: ZDX Score indicating a poor user experience for Microsoft OneDrive

As IT operations look to further triage the issue, they can leverage ZDX to look at the entire path for every user and identify any issues. Below you will find that there is a spike in latency between two of the hops in the network, and as you drill into the hops, it’s clear that it’s between two Microsoft Azure routers.

Figure: ZDX provides hop-by-hop analysis between the endpoints and the application
Figure: ZDX provides detailed information to identify exactly where latencies occur

Armed with this information, IT operations teams can quickly open tickets with Microsoft to get the issue resolved and get users back to work faster. With ZDX, it’s only a matter of a few clicks to get insights into the entire environment.
Supporting the Microsoft 365 Suite is important for collaboration; for communications, however, Microsoft Teams is equally important. One of the most challenging calls IT support can receive is from a user complaining about poor call quality. It’s challenging for many reasons, from isolating the issue to resolving it. With ZDX, Microsoft call quality metrics are pulled into the dashboard to help support teams troubleshoot whether the issue is with the entire call or maybe just a single user. You can also get the mean opinion score (MOS), which is a numerical measure of the human-judged overall quality of voice and video during the session.

Figure: ZDX dashboard highlights Microsoft Teams call quality details

With this information, you can identify which users are having issues and dive deep into their entire path from the device to the application to find the root cause. ZDX provides quick, granular information that IT support can act upon to improve the user experience and ensure a happy, productive workforce.

Granular analytics to accelerate mean time to resolution

ZDX helps network operations teams discover network issues and empowers service teams to quickly diagnose device issues for remote workers, no matter where they are located. ZDX offers a range of key metrics, including device health, active processes, and OS metrics that are critical to troubleshooting device issues. ZDX integrates with Microsoft Endpoint Analytics to identify issues with user software or devices that might impact performance. Metrics are pulled from the Microsoft Intune API and mapped to the individual ZDX users and devices to provide Endpoint Analytics scores and data. So, the next time a user opens a ticket and complains about their Windows device running into issues, you can easily dive into the dashboard to check the overall health. Watch this video to see it in action!
Figure: ZDX integrates with Microsoft Intune to reduce troubleshooting time

There are times when users run into slow device issues, and it’s not always clear to them what’s causing the issue. With ZDX, you can quickly pinpoint the top processes that are consuming the device’s CPU, memory, disk IO, and network IO to identify what is causing it. Service desk teams can use this information to have the end user stop the application and get them back to work. Watch this video to see it in action!

One of the key features that stands out is the ability to proactively identify issues before they become major problems. This has proven to be a game-changer for our customers, as it has helped them to quickly address issues that may have been lingering for years, or to address more recent issues that could have a major impact on user experience. By having this lead time, users can be informed and infrastructure changes can be made as needed, such as switching front door locations. This has allowed customers to maintain a seamless user experience, even in the face of downtime in specific locations, all while minimizing any potential impact to performance.

Figure: ZDX indicates the top process impacting device performance

Achieve faster resolutions using AI

Oftentimes, end users are in a rush to either get on a call or connect to a public cloud app (e.g., OneDrive), and don’t have time to wait for a typical diagnosis. Standard runbooks are cumbersome and frustrate the end user. To quickly identify the root cause of an end user’s issue across the device, networks, or applications, ZDX leverages machine learning and artificial intelligence to pinpoint the root of an issue. This spares IT teams the labor of sifting through fragmented data and troubleshooting, thereby accelerating resolution and keeping employees productive. With AI-powered automated root cause analysis, in a few clicks, service desk teams can quickly identify the issue and take the necessary steps to resolve it.
Watch this video to see it in action!

Figure: ZDX AI-powered root cause analysis

Get started today

As organizations look to support the millions of Microsoft Suite users, it’s important to think about driving increased end user productivity while reducing overall costs. ZDX helps organizations ensure a great user experience across devices, networks, and applications. Follow us on Twitter @zscaler for the latest news on network outages. We publish what we see and oftentimes are able to provide you with information on outages before they are widely known. If you want to learn more about ZDX, click here.

We know digital transformation can feel overwhelming at times. Zscaler and Avanade are here to help answer any questions you may have about getting started, deployment details, and how it can address the specific needs of your organization.

Tue, 18 Jul 2023 08:00:01 -0700 Rohit Goyal https://www.zscaler.jp/blogs/product-insights/reduce-mean-time-resolution-zscalers-digital-experience-monitoring-and

Dynamic Latency-based ZIA Service Edge Assignment
https://www.zscaler.jp/blogs/product-insights/dynamic-latency-based-zia-service-edge-assignment

Zscaler is dedicated to providing an improved end user experience. After many companies started adopting work-from-anywhere and hybrid work environments, and because users have different network environments at home, it became essential to implement an intelligent method in Zscaler Client Connector for choosing the service edge with the lowest latency. This enhancement can substantially improve the end user experience and reduce the administrator’s workload by minimizing the number of support tickets.

Client Connector connects users to the service edge that is configured in the PAC file. Administrators can manually add the ZIA public service edge to the PAC file, or use the ${GATEWAY} and ${SECONDARY_GATEWAY} Zscaler-specific variables to connect users based on geo-proximity.
Prior to Zscaler Client Connector 4.2, it would fail over to the secondary service edge if, and only if, the primary service edge became unreachable. In other words, if the tunnel to the primary is up and the user experiences a latency issue with that DC, the Client Connector won’t fail over to the secondary DC even though it could offer better performance. To overcome this limitation, a new feature was added in Client Connector 4.2 in which constant HTTP-based probing of the primary and the secondary service edges is conducted. Zscaler Client Connector utilizes time to first byte (TTFB) to compare the latency between both service edges, and then, based on the following parameters (Probe Interval, Threshold, and Probe Sample Size), the failover may occur.

Zscaler supports this feature with all traffic forwarding methods: tunnel with local proxy, tunnel 1.0, and tunnel 2.0. In tunnel 1.0, Client Connector issues an HTTP CONNECT to the public service edge and uses the 407 (Proxy Authentication) response to calculate the latency. In Tunnel 2.0, Client Connector issues an HTTP GET to http://gateway.[cloud].net/generate_204 and uses the response to calculate the latency (Figure 1).

Figure 1

The switchover criteria are fully controlled by administrators. They can enable the feature in the Client Connector portal and configure the three main parameters: Probe Interval, Probe Sample Size, and Threshold Limit (Figure 2).

- Probe Interval dictates how often the probe is made to the primary and secondary service edge (the minimum value is 0.5 and the maximum value is 10 min).
- Probe Sample Size dictates the confidence level required to fail over from the primary to the secondary service edge or vice versa. To fail over, it requires all n consecutive tries (i.e., the value set by the administrators) to meet the Threshold value.
- Threshold Limit represents the minimum percentage delta in latency between the primary and the secondary that is required to trigger the failover.
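To make the switchover rule concrete, here is an added Python model (not Zscaler's Client Connector code) of the decision described above: both edges are probed every Probe Interval, TTFB is compared, and the active edge changes only after Probe Sample Size consecutive probes in which the other edge is better by at least Threshold Limit percent. The TTFB trace is constructed, the defaults use the 60 s / 5 / 50 profile, and it assumes the same rule governs failing back to the primary.

```python
from dataclasses import dataclass, field
from typing import List, Sequence, Tuple


@dataclass
class SwitchoverConfig:
    """The three knobs from the Client Connector portal; defaults match the 60 s / 5 / 50 profile."""
    probe_interval_s: float = 60.0   # Probe Interval: seconds between probe rounds
    sample_size: int = 5             # Probe Sample Size: consecutive probes required
    threshold_pct: float = 50.0      # Threshold Limit: minimum latency delta, in percent

    def min_detection_time_s(self) -> float:
        # Fastest possible switchover: every probe in the window must qualify.
        return self.probe_interval_s * self.sample_size


def improvement_pct(candidate_ttfb_ms: float, active_ttfb_ms: float) -> float:
    """How much lower (in percent) the candidate edge's TTFB is than the active edge's."""
    if active_ttfb_ms <= 0:
        return 0.0
    return (active_ttfb_ms - candidate_ttfb_ms) / active_ttfb_ms * 100.0


@dataclass
class EdgeSelector:
    cfg: SwitchoverConfig
    active: str = "primary"
    streak: int = 0                                   # consecutive qualifying probes so far
    events: List[Tuple[int, str, str]] = field(default_factory=list)  # (probe_no, from, to)

    def observe(self, probe_no: int, primary_ttfb_ms: float, secondary_ttfb_ms: float) -> str:
        """Record one probe round (TTFB to each edge) and return the edge active afterwards."""
        if self.active == "primary":
            other, gain = "secondary", improvement_pct(secondary_ttfb_ms, primary_ttfb_ms)
        else:
            other, gain = "primary", improvement_pct(primary_ttfb_ms, secondary_ttfb_ms)
        # One probe below the threshold resets the window: the post requires ALL n
        # consecutive probes to meet the Threshold Limit.  Assumption: the same rule
        # governs failing back to the primary once it performs better again.
        self.streak = self.streak + 1 if gain >= self.cfg.threshold_pct else 0
        if self.streak >= self.cfg.sample_size:
            self.events.append((probe_no, self.active, other))
            self.active, self.streak = other, 0
        return self.active


def run_trace(cfg: SwitchoverConfig, probes: Sequence[Tuple[float, float]]) -> List[str]:
    """Replay (primary_ttfb_ms, secondary_ttfb_ms) pairs; return the active edge after each probe."""
    selector = EdgeSelector(cfg)
    return [selector.observe(n, p, s) for n, (p, s) in enumerate(probes, 1)]


# Constructed TTFB trace in milliseconds (not real measurements): the primary degrades
# to ~120 ms while the secondary sits at ~40 ms, then the primary recovers.
SAMPLE_TRACE: List[Tuple[float, float]] = (
    [(120.0, 40.0)] * 4      # probes 1-4: secondary 66% better, but only 4 in a row
    + [(120.0, 90.0)]        # probe 5: only 25% better, window resets
    + [(120.0, 40.0)] * 5    # probes 6-10: 5 consecutive hits, fail over on probe 10
    + [(30.0, 40.0)] * 5     # probes 11-15: primary only 25% better, stay on secondary
    + [(15.0, 40.0)] * 5     # probes 16-20: primary 62.5% better, fail back on probe 20
)

if __name__ == "__main__":
    cfg = SwitchoverConfig()
    print(f"earliest possible switchover with this profile: {cfg.min_detection_time_s():.0f} s")
    for n, edge in enumerate(run_trace(cfg, SAMPLE_TRACE), 1):
        print(f"probe {n:2d}: active={edge}")
```

Lowering Probe Sample Size or Probe Interval shortens the detection window but lets a short latency blip flip edges, which is the trade-off these three knobs control.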
Figure 2
To illustrate how this feature works, Figure 2 shows Probe Interval = 60 seconds, Probe Sample Size = 5, and Threshold Limit = 50. According to this configuration profile, Zscaler Client Connector will perform HTTP-based probing of the primary and the secondary service edge every minute. It will then calculate the latency based on TTFB for every probe. If the secondary service edge demonstrates more than 50% (Threshold Limit) better latency than the primary for 5 consecutive probes (Probe Sample Size), Client Connector will fail over to the secondary service edge. After switching over to the secondary, Client Connector will keep performing the same test every minute, and once the primary establishes better performance, Client Connector will switch back to the primary. Finally, once the failover criteria are met, the end user will be notified that the connection was moved to another data center to provide better performance.
Figure 3
To test and validate this feature, we recommend using third-party tools that can simulate high latency and packet loss, such as Clumsy (Figure 4). Using these tools, you can add a delay overhead, introduce packet loss, and throttle the bandwidth for a specific destination. For example, you can add 200 ms of delay and/or drop 20% of the packets destined for the primary data center in the beta cloud to simulate the failover to the secondary.
Figure 4
Fri, 14 Jul 2023 08:00:01 -0700 Jamil Alomari https://www.zscaler.jp/blogs/product-insights/dynamic-latency-based-zia-service-edge-assignment
Introducing Zscaler EASM https://www.zscaler.jp/blogs/product-insights/introducing-zscaler-easm
In fast-evolving distributed digital environments, staying ahead of the curve is no longer an option: it's a necessity. With cyberthreats and attack vectors multiplying every day, businesses must understand and minimize their external attack surfaces. Enter external attack surface management (EASM), a formidable tool against cyberthreats.
EASM is a proactive approach to security: get ahead, stay ahead
Whatever the type of security incident, the first step is always about discovery. Threat actors are always looking for ways and means to infiltrate and steal information, and it starts with knowing where the weak links are. Sometimes, especially in the midst of digital transformation, unknown asset sprawl makes it challenging for large, complex organizations themselves to understand where their vulnerabilities might be. In the past, we've offered customers our internet attack surface report, a comprehensive, point-in-time assessment that helps them see where their apps are distributed and better understand their exposed domain names, IPs, public cloud footprint, and more. Now, we're excited to bring these capabilities as a standalone, web-based, automated external attack surface analysis tool to help customers not only understand their exposure to internet-facing threats in near-real time and trends over time, but also assess the severity of their vulnerabilities and continuously map them directly to their application assets and servers.
Trend chart of vulnerabilities to external threats as shown by Zscaler's External Attack Surface Management Tool
The larger your attack surface, the greater your risk
Digital expansion can increase your external attack surface, and with it, your vulnerability to cyberthreats. This includes but is not limited to shadow IT, public cloud web apps, increased usage of open source code, unsecured servers running RDP/VNC/SSH/Telnet/SNMP, IoT systems with legacy services, TLS/SSL misconfigurations, and vulnerable remote access systems like VPNs. Traditional security tools often fall short in identifying these weak points across today's vast, complex digital environments.
Combining the broad Open Source Intelligence (OSINT) provided by Zscaler EASM with deep threat intel from Zscaler ThreatLabz, vulnerabilities can be found before they're even disclosed as CVEs in NIST's National Vulnerability Database (NVD). Leveraging the world's largest inline security cloud, the Zscaler Zero Trust Exchange can identify and fingerprint emerging threats in a small subset of customers and extend protection to all customers. As a real-world example of this "cloud effect," when Zscaler identified a weakness in the 3CX phone system, we scanned customers the same day to determine if they had internet-facing systems susceptible to this exploit, all before it was assigned a CVE by MITRE.
Visualize exposure across your attack surface
The Zscaler EASM web portal displays your organization's attack surface in an intuitive dashboard, enabling you to quickly access key information such as assets by geographical location.
Why is EASM gaining momentum now?
The NIST CSF published in 2014 identified the need to discover unknown assets as a critical first action, but need didn't immediately translate to demand. So why is EASM getting attention now?
Tools under various category names have been in use for digital footprinting over the last 5+ years: port and vulnerability scanners, OSINT search engines (e.g., Shodan)
ASM coalesced over the last 3 years, with EASM emerging as a subcategory in 2021
Recent advancements in asset discovery prioritization have helped create actionable findings
Forrester reports that, on average, organizations find 30% more assets than they expected when using EASM tools
EASM is now an established market: Gartner named attack surface expansion the #1 trend in its Top Security and Risk Management Trends for 2022
Ultimately, EASM is evolving into a capability that will be absorbed into larger security platforms, such as the Zscaler Zero Trust Exchange, to enable integrated actions such as holistic risk quantification, threat hunting, and remediation
Why are Zscaler and EASM better together?
Exposure remediation: The straightforward answer to protecting discovered assets is to make them invisible externally. After all, if they can't be seen, they can't be attacked. For years, Zscaler has been helping customers achieve this with an elegant solution called Zscaler Private Access (ZPA) for seamless and secure access to sensitive apps. Pairing EASM findings with ZPA is an effective tactic for securing operating systems and applications even when they cannot be patched due to numerous factors, such as being EOL, fragile to change, or having uptime requirements.
Zero trust project hygiene: A critical phase of zero trust network access (ZTNA) projects is to validate that legacy systems (e.g., VPN concentrators) are retired after ZTNA adoption. EASM provides a continuous view of the internet-facing landscape to ensure that these assets are decommissioned to minimize the attack surface, realizing the full benefits of zero trust.
Broad risk management: EASM acts as a feeder to the multifaceted Zscaler Risk360, where signals from across all threat origins (internal/external surfaces, inline traffic, out-of-band APIs, and more) are aggregated in a single view, together with guided investigative workflows and prioritized actions to prevent likely breaches.
Competitive advantage: Armed with insights from your EASM, you can stay ahead of evolving threats and assure your clients about the safety of their data. Additionally, this is a potent tool for automating a portion of the footwork of performing due diligence as part of M&A.
Take your security strategy to the next level with EASM
Understand your external attack surface like never before, and take control of your digital footprint. Our team is ready to help you get started. Zscaler EASM is offered today with limited availability and is expected to become generally available soon. Until then, please request your EASM report through your Zscaler account team.
Wed, 12 Jul 2023 08:00:01 -0700 David Sedgwick https://www.zscaler.jp/blogs/product-insights/introducing-zscaler-easm
Simplifying Zscaler Administrative Experience with Consolidated Identity Management Platform https://www.zscaler.jp/blogs/product-insights/simplifying-zscaler-administrative-experience-consolidated-identity
Overview
ZSLogin is a new common identity service for Zscaler that centralizes and simplifies identity management, user authentication, and entitlement assignment for users to services. The initial release supports administrators, and support for end users is in development.
Problem
Prior to ZSLogin, Zscaler products directly implemented identity services. This led to scenarios where identity data was stored separately, services that supported identities were implemented separately, and customers needed to maintain multiple connections from SAML identity providers to Zscaler.
Although customers could successfully achieve their zero trust goals, maintaining multiple implementations of identity services made Zscaler products more difficult for customers to use and limited Zscaler's pace of innovation with identity.
ZSLogin
Zscaler recognized the opportunity to improve customer experience and increase efficiency by advancing both identity capabilities and the other security capabilities of Zscaler products. By extracting identity into a common service, other Zscaler products can focus more on other areas. In the first release, we targeted the administrator user, and ZSLogin became the central point of entry to all Zscaler products. If admins authenticate with credentials hosted at Zscaler, they only need to manage a single credential. If admins use single sign-on from identity providers, customers only need to maintain a single connection with those IdPs. With a single authentication into Zscaler, admins are able to seamlessly access all services in use by their organization, and customers can determine which services each admin is able to access. Admins no longer need to keep track of different sets of credentials depending on which services they administer. User identity is stored in ZSLogin and then made available to other Zscaler services. Users can be manually created, updated, enabled, disabled, and deleted in the ZSLogin admin UI. Users can also be automatically synchronized with identity providers through SAML just-in-time provisioning or SCIM provisioning. With ZSLogin, customers can automate the provisioning and deprovisioning of administrators, something that was not possible previously. Users that authenticate with hosted credentials at ZSLogin can be authenticated with a password, a password plus a second factor, or passwordless authentication. The second factors supported include SMS one-time passcode (OTP), email OTP, Google Authenticator (TOTP), and FIDO.
FIDO can also be used for passwordless multi-factor authentication, and it is a phishing-resistant credential. Although Zscaler products previously had some support for MFA of administrators, ZSLogin's support ensures consistency and provides authentication factors that are stronger, more user friendly, and phishing resistant. Having industry-leading authentication options will give customers more options for enabling users of secondary population types, such as contractors, partners, or users from acquisitions. Customers have also been asking for the ability to control from where admins can access and administer their Zscaler products. ZSLogin provides controls to limit administrator access based on source IP address. This gives customers the option to ensure that administrators of their zero trust solution are accessing the system from authorized locations. All ZSLogin configuration changes are logged. ZSLogin provides an audit report, so administrators can review changes that have been made in their ZSLogin tenant over time.
What's next
Building on what has been implemented to support administrators, Zscaler is developing support for end users on ZSLogin. The core principles for end users are the same: a single identity record and centralized entitlement management for the services in which users should be enrolled. Prior to ZSLogin, it wasn't possible for customers to host users on Zscaler for access to private resources. ZSLogin solves this problem with support for hosted users along with service entitlement assignment for Zscaler Private Access. Now that ZSLogin can ensure a guaranteed unique identity, it will be much easier to share all context signals about users and related activities throughout the Zscaler ecosystem. Zscaler is looking at ways to enable consistent policy criteria across policies from any Zscaler product, making it easier for customers to define policy criteria and ensure consistency.
To learn more, watch our breakout on ZSLogin that was presented at Zenith Live '23 here.
Learn More
To learn more about ZSLogin, contact your account team and request to meet with Product Management. We can review your use case and discuss how ZSLogin can help improve your zero trust posture.
Wed, 12 Jul 2023 08:00:01 -0700 Eric Fazendin https://www.zscaler.jp/blogs/product-insights/simplifying-zscaler-administrative-experience-consolidated-identity