Maximize your cloud app control with Microsoft MCAS and Zscaler
3 likes2,461 views
The document discusses the integration of Zscaler and Microsoft Cloud App Security (MCAS) to enhance security for cloud applications, emphasizing the shift to a direct internet connection model for corporate networks. It highlights the challenges organizations face with cloud service deployment, particularly issues around bandwidth and latency impacting critical applications like Office 365. Zscaler provides visibility, control, and compliance capabilities to manage cloud apps securely while enabling effective data loss prevention (DLP) and user access management.
Maximize your cloud app control with Microsoft MCAS and Zscaler
- 1. ©2017 Zscaler, Inc. All rights reserved. | ZSCALER CONFIDENTIAL INFORMATION0 ZSCALER CONFIDENTIAL INFORMATION Maximize your cloud app control with Microsoft MCAS and Zscaler Dhawal Sharma | Director of Product Management at Zscaler Niv Goldenberg | Group Program Manager at Microsoft
- 2. ©2017 Zscaler, Inc. All rights reserved. | ZSCALER CONFIDENTIAL INFORMATION1 To ask a question • Type your questions into the chat box in the Webex panel or email us at communications@zscaler.com • We’ll try to get to all questions during the Q&A session. If we do not get to your question, we’ll make sure to follow up afterwards • At the end of the webcast – please let us know how we did! ©2017 Zscaler, Inc. All rights reserved. Ask your question here…
- 3. ©2017 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION. HQ Branch Branch Branch Branch Branch Branch BranchBranch Home, Coffee Shop Airport, Hotel SaaS Open Internet IaaS Cloud and Mobility Break Network Security The Internet is Your New Corporate Network “GE will run 70 percent of its workload in the cloud by 2020” Jim Fowler, CIO “The Internet will be our new corporate network by 2020” Frederik Janssen, Head of Infrastructure “Office 365 was built to be accessed via direct Internet connection” How do you secure a network (Internet) you don’t control? EMEAAPJ
- 4. ©2017 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION. Cloud and mobility break network security HQ EMEA Branch APJ Branch Branch Branch Branch Branch BranchBranch Zscaler enables secure network and application transformation NEW SECURITY MODEL Secure the Network Securely connect users to apps Direct to Internet Broadband / Wi-Fi / LTE / 5G NEW NETWORK MODEL OLD SECURITY MODEL Hub-and-Spoke MPLS / VPN OLD NETWORK MODEL Secure the Corporate Network SaaS Open Internet IaaS Home, Coffee Shop Airport, Hotel
- 5. On average, an organization has 28 cloud storage apps and 41 collaboration apps routinely used by its employees. On-premises
- 6. But Office 365 Deployments are stuck in the slow lane! A deployment survey of over 200 customers had problems accessing business-critical applications including Office 365. 45% Many were plagued by bandwidth and network latency issues on a daily and weekly basis 70%Weekly issues reported 33%Daily issues reported Despite appliance upgrades, after deployment:
- 7. ©2017 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION. Categorize Cloud Apps Into Categories • After discovery, categorize cloud services (CSP) using risk ratings and company policies • Separate cloud services into sanctioned, permitted, and restricted services • Enforce appropriate controls for each category Sanctioned Apps Permitted Apps Restricted Apps
- 8. ©2017 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION. Zscaler Provides CASB Functions for Inline Content Internet & Shadow Apps (managed devices and on-premise) Allow enterprises to securely enable cloud apps by providing Cloud App Visibility, Content Inspection, Security and Cloud App Compliance Visibility App Logging & Discovery Threat Prevention Stop Malware Data Protection DLP & Encryption Compliance UEBA, Access Controls User Experience Bandwidth Control, Peering Vision HQMobile BranchIOT Inline Policy Controls
- 9. © 2017 Riverbed Technology. All rights reserved. 8 Cloud App Security
- 10. ©2017 Zscaler, Inc. All rights reserved. | ZSCALER CONFIDENTIAL INFORMATION9 Microsoft Cloud Application Security (MCAS) Overview
- 11. A comprehensive, intelligent security solution that brings visibility, real-time controls and security to your cloud applications. ControlDiscover Protect Integrates with your SIEM, Identity and Access Management, DLP and Information Protection solutions
- 12. Discover and assess risks Protect your information Detect threats Control access in real time Identify cloud apps on your network, gain visibility into shadow IT, and get risk assessments and ongoing analytics. Get granular control over data and use built-in or custom policies for data sharing and data loss prevention. Identify high-risk usage and detect unusual behavior using Microsoft threat intelligence and research. Manage and limit cloud app access based on conditions and session context, including user identity, device, and location. 101010101 010101010 101010101 01011010 10101
- 13. Get anomalous usage alerts, new app and trending apps alerts. On-going analytics Discover 15K+ cloud apps in use across your networks and sensitive data they store. Discovery of cloud apps and data Assess cloud app risk based on ~60 security and compliance risk factors. Cloud app risk assessment Protect your employees’ privacy while discovering cloud apps in your environment. Log anonymization Investigate cloud use profiles of specific users, machines, apps and groups. Advanced investigation tools
- 14. Control access to cloud apps as well as to sensitive data within these apps based on user, location, device, and app (any SAML-based app, any OS). Context-aware session policies Limit activities performed within user sessions in SaaS apps based on user identity, location, device state, and detected sign-in risk level. Unique integration with Azure Active Directory Enforce browser-based “view only” mode for low-trust sessions. Classify, label, and protect on download. Gain visibility into unmanaged device activity. Investigate & enforce app and data restrictions
- 15. Set granular policies to control data in the cloud—either automated or based on file label—using out-of-the-box policies or ones you customize. Granular Data loss prevention (DLP) policies Control and protect sensitive files through policies and governance to comply with regulations (e.g., GDPR, HIPAA, PCI, SOX). Compliance policies Identify policy violations, enforce actions such as quarantine and permissions removal. Policy enforcement Apply protection, including encryption and classification, to files with sensitive information Native protection – at rest and inline
- 16. User manually classifies a file in Office apps, Cloud App Security reads classification from the file to give admins visibility to cloud activities on this data: Upload, sharing & download. Sharing control based on user input Proxy automatically encrypts files labeled as “internal” upon download to non-corporate owned devices Prevent corporate data leakage based on classification
- 17. Assess risk in each transaction and identify anomalies in your cloud environment that may indicate a breach. Behavioral analytics Enhance behavioral analytics with insights from the Microsoft Intelligent Security Graph to identify anomalies and attacks. Threat intelligence Customize detections based on your findings. Customization Gain useful insights from user, file, activity, and location logs. Pivot on users, file, activities and locations. Advanced investigation & multiple views Remediate threats and security issues with a single click. Single-click remediation
- 18. Why Cloud App Security is different Discover SaaS apps & assess risk Identify more than 15,000 apps and assess their risk based on 60 different parameters, including regulatory compliance. Gain unified information protection Set granular control policies and enforce them on your cloud apps and data—whether from Microsoft or other vendors—using powerful remediation actions. Control and limit access in real time Set granular access- and activity-level policies, such as allowing access from an unmanaged device while blocking downloads of sensitive data. Support your compliance journey with key regulations Discover and control data in the cloud with granular policies to help you comply with regulations such as Payment Card Industry (PCI) and General Data Protection Regulation (GDPR). Detect & mitigate ransomware attacks Identify potential ransomware activity with a built-in template that can search for unique file extensions, suspend suspect users, and prevent further encryption of user files. Integrate with your existing SIEM & DLP solutions Preserve your usual workflow and set a consistent policy across on-premises and cloud activities while automating security procedures.
- 19. ©2017 Zscaler, Inc. All rights reserved. | ZSCALER CONFIDENTIAL INFORMATION18 MCAS and Zscaler Use Cases
- 20. ©2017 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION. Users: Identify and Control Restricted Apps Protect users and data using closed loop control (Zscaler) Restricted Apps Discover risky cloud usage (Zscaler + Microsoft Cloud App Security)
- 21. ©2017 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION. Users and Data: Securely Enable Permitted Apps Permitted Apps DLP to block sensitive data (e.g. Source code uploaded to GitHub) (Zscaler) Granular visibility (e.g. GitHub repositories in use) (Microsoft Cloud App Security) Visibility into mobile users (e.g. GitHub use from a coffee shop) (Zscaler) Granular DLP (e.g. Allow uploads to permitted GitHub repositories, block uploads to others) (Zscaler & Microsoft Cloud App Security) Detect and prevent malware (e.g. malware distributed via personal email) (Zscaler)
- 22. ©2017 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION. Data: Securely Enable Adoption of Sanctioned Apps Sanctioned Apps Enforce DLP and collaboration controls (e.g. Prevent sharing files from OneDrive with unauthorized domains) (Microsoft Cloud App Security) Encrypt data using customer-controlled keys (e.g. Encrypt PII within Salesforce) (Microsoft Cloud App Security) Audit data and configuration, identify violations (Microsoft Cloud App Security) Enforce access control policies on managed/unmanaged devices (e.g. Block download of a Salesforce report to an unmanaged device) (Zscaler + Microsoft Cloud App Security) UEBA to protect against malicious insiders, negligent use, and compromised accounts (e.g. Download customer list from Salesforce) (Microsoft Cloud App Security) Data exfiltration by malware and malicious insiders to shadow apps (e.g. Download customer list from Salesforce and upload to ZippyShare) (Zscaler) Predictable user experience (e.g. Guaranteed bandwidth for O365 vs. YouTube) (Zscaler)
- 23. ©2017 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION. Zscaler and MCAS Integration
- 24. ©2017 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION. Setting up Zscaler & Microsoft Cloud App Security Integration Microsoft Cloud App Security Tenant Bonding Tenant Bonding SSO Zscaler NSS Log Forwarding Create Unsanctioned App PolicyAPI Polling Unsanctioned Apps URL category SSO Enforce Policy End User PAC/ZApp Planned with 5.6
- 25. ©2017 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION. Solution Demo
- 26. ©2017 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION. Thank You! Questions and Next Steps 25 Dhawal Sharma Director, Product Management at Zscaler dhawal@zscaler.com Zscaler Cloud App Control zscaler.com/cloudapp Microsoft Cloud App Security aka.ms/Cloudappsecurity Overcoming the Challenges of Architecting for the Cloud Slow Office 365 Deployment? Let Zscaler help you get in the fast lane! zscaler.com/webcasts Niv Goldenberg Group Program Manager at Microsoft Niv.Goldenberg@microsoft.com Learn more about Microsoft Cloud App Security zscaler.com/webcasts Other On-Demand Webcasts
- 27. ©2017 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION. June 25-27, 2018 The Cosmopolitan, Las Vegas Register at zenithlive.zscaler.com Join the conversation at community.zscaler.com
Editor's Notes
- #4: As users moved out side corporate networks and applications moved out of data center into SaaS and IaaS platforms, Internet became your corporate network. By 2020, many progressive CIOs like at Siemens and GE will adapt Internet as corporate network and start getting rid of the whole DMZ or corporate ‘moat and castles’ they have built since 1990s.
- #6: Statistic source: ** http://www.computing.co.uk/ctg/news/2321750/more-than-80-per-cent-of-employees-use-non-approved-saas-apps-report https://www.mcafee.com/us/solutions/lp/cloud-security-report.html
- #10: “We are the perfect complement” We are the Ying and the Yang. Riverbed provides the SD WAN to allow local internet breakout and banch internet offload, which Zscaler secures the new perimeter i.e. Internet with its 100+ data centers.
- #13: Purpose of slide: Describe Cloud App Security at a high level Key takeaways Microsoft Cloud App Security is a comprehensive service providing deep visibility, granular controls and enhanced threat protection for your cloud apps. It identifies 14,000+ cloud applications in your network—from all devices—and provides ongoing risk assessment and analytics. No agents required: information is collected from your firewalls and proxies to give you complete visibility and context for cloud usage and shadow IT.
- #17: Purpose of slide: Describe integration of Cloud App Security and Azure Information Protection Key takeaways Through integration with Azure Information Protection, you can use the Cloud App Security portal to set policies for files sharing – based on their level of sensitivity to the business as set by Azure Information Protection. Integration of Azure Information Protection and Cloud App Security extends visibility into sensitive data at it moves to cloud locations. Cloud App Security admins can configure policies to read Azure Information Protection labels and take appropriate actions or raise alerts. When there is a violation against your policies, you will receive an alert. After you have thoroughly investigated and learned about this violation, you can use governance actions to protect your data in the cloud apps right away. Every insight is actionable, allowing you to remediate with a single click or implement data sharing and granular usage policies. For instance, you can: Put files into quarantine so only user can access the file Restrict sharing (i.e. make a link private) Send notifications to users who shared these sensitive files
- #18: Purpose of slide: Describe how Cloud App Security assists with threat detection Key takeaways In addition to the capabilities we outlined earlier, Cloud App Security helps you to protect your data in cloud apps from cybersecurity threats. You can identify anomalies in your cloud usage that may be indicative of a data breach. Cloud App Security advanced machine learning heuristics learn how each user interacts with each SaaS application and, through behavioral analysis, assesses the risks in each transaction. This includes simultaneous logins from two countries, the sudden download of terabytes of data, or multiple failed login attempts that may signify a brute force attack. Anomaly detection draws from Microsoft’s vast amount of threat intelligence and security research data. Cloud App Security benefits from Microsoft’s holistic, agile security platform, and is informed by insights from Microsoft Intelligent Security Graph.