Cloud Security for SD-WAN
Best Practices for Branch Office Transformation
Gartner estimates that by the end of 2019, 30% of enterprises will use SD-WAN technology in all their branches, up from less than 1% today. This is because SD-WAN is a transformational approach to simplifying branch office networking and optimizing performance. However, security is a critical factor for SD-WAN adoption, especially for cloud and Internet applications.
With Zscaler and Viptela, enterprises can protect their Cloud and enterprise against attacks and data leaks while migrating to a cost-effective Hybrid architecture. Customers have seen more than 50% WAN cost-savings while keeping their branch offices and employees protected.
Join Idris T Vasi, Managing Director, Asia-Pac, Viptela, Inc., and Lee Dolsen, Technical Director, Asia Pacific & Japan, Zscaler, Inc., for a compelling webcast discussing a best-practices approach to securing your distributed enterprise with cloud security and SD-WAN. They will also cover:
- Common use case scenarios from Viptela and Zscaler of their widely adopted solution
- Best practices for improving your security posture with cloud security
- How to rapidly deploy a 100% cloud-based, easy-to-manage secure SD-WAN
Chris: Okay, we’re now going to start the webcast from Zscaler and Viptela Cloud Security for SD WAN, Best Practices for Branch Office Transformation. So, thank you, everyone, for joining. I really appreciate your time. I’d like to start by introducing our speakers for today. We have two very distinguished speakers.
So, Idris Vasi from Viptela, he’s an entrepreneur, he’s worked for small companies, start ups, the large multinationals as well. So a vast amount of experience in the industry. And he’ll be sharing a lot of that insight with you today. And we’re very fortunate to have Lee [Dolsen 0:00:40] based out of [unintelligible] Singapore office. Lee has been with Zscaler for five years now, so he knows the Cloud security technology inside out.
So very fortunate to have them here today. So now I’m going to hand over to Idris and he’ll kick off, talking about the Viptela solutions. Idris, thank you very much for joining and over to you.
Idris: Thank you, Chris, and a very warm welcome to everyone on the session today. I see we have a number of attendees from Asia Pac, and beyond. So in today’s session we are going to touch upon three very hard topics, top of mind topics at a lot of IT departments and in a number of enterprises. Which is software defined, Cloud and security, and what we attempt to do is bring all these three topics together and talk about both software defined and Cloud based security.
Now move towards SD WAN. Now WAN transformation is a journey that a number of early adopter enterprises started back in 2014. So about three years back. And the real move towards software defined WAN actually started in earnest about two years ago, in 2015. That’s when we started seeing deployments at scale, at a number of midsized as well as large enterprises, globally.
Now this initially started off in the US and then slowly made its way to Asia and Europe as well. The best way to illustrate this is by an actual example of a very large bank in the US. A line of business at this bank went to the CIO of this bank about 18 months ago, and said that, look, we have this great idea of bringing hundreds of millions of dollars worth of additional revenue if we can transform our branches to so-called branches of the future.
And in order for that to happen, we need you to enable video on demand or high res video at each of these branches. The CIO thought, yup, seems simple enough. I have high definition video at home so there is no reason I could not, I cannot deploy this in the branches. However, when he started looking at this, he realized that most of his branches were connected by a T1, which is 1.5 megabits per second. So clearly that was not sufficient for high definition video. So, he had a couple of choices. Either he could do bandwidth augmentation and more links, more bandwidths on his MPLS links, which had its own cost challenges. Or he could completely transfer the underlying network infrastructure.
And that’s how his thinking and journey started towards a software defined WAN. Another thing that happened around the same time for the CIO is the bank was embarking on an Office 365 journey. So, they were looking at software as a service, and again the CIO realized that in order to optimize software as a service the network in the middle also needs to be transformed.
So, this was, and this very large bank has already deployed more than 6,000 end points across all of its branches and corporate offices, and have completely moved and transformed their network from a traditional WAN to a software defined WAN. So, we are not surprised when we hear these analysts coming and making statements that by 2019 and the next couple of the years, 30 percent of the enterprises will have deployed SD WAN technologies in their branches.
Another analyst, IDC, says that the market could reach 6 billion by 2020. So, then we are seeing this happening in Asia Pac, where a large number of enterprises have either, some of them have already moved to a software defined WAN and some of them are in the process of implementing software defined WAN.
So, moving to the next slide, okay, so before we talk about what is software defined WAN and what problem it solves, a brief introduction for those of you who haven’t heard of the Viptela or may know very little about Viptela. So, we were founded in 2012. We were the first pure play software defined WAN there in the market. Essentially, we were founded by people from, mainly from Cisco and Juniper. And some from Alcatel-Lucent TiMetra.
So, as a result, we from day one we had a lot of [doubting 0:05:42] expertise in the company and as proof of this we were able to launch our first product within 18 months of the company being formed. So, the product was launched in 2014. We had some early adopters in 2014 for software defined WAN, and then of course from 2015 onwards we started having large at scale deployments.
So, we were mainly funded initially by Sequoia, which is the leading VC in the world, so the [unintelligible 0:06:05] A and B rounds with Sequoia and then in our [CDC] round another European and one more American VC, Redline and Northgate came into our CDC round as well. We now have more than 20,000 production units deployed in the world, and these are real production units in real production networks. So, this is not beta, this is not proof of concept, these are not lab units, this is production units and production environments across a number of verticals. So, the largest verticals for us right now is FSI, the financial, and financial retail in the US we have healthcare as a very large vertical.
In Asia I see technology, transportation and logistics, the public sector government is also big verticals in Asia Pac. So, suffice to say, anyone with a lot of branch offices, with a lot of retail shops or offices, corporate environments, etc., anyone with a large number of these offices and sites is a prime candidate for software defined WAN and WAN transformation. Now having said that, we also have customers who have very few offices. So, we have customers who have five sites, 10 sites, 15 sites, all the way to thousands of sites. And everything in between.
So, we have over 250 customers right now. More than 50 of them are from Fortune 500, so very large companies. We also have partnerships with global managed service providers, for example [unintelligible 0:07:36] here in our part of the world, Verizon in the US, etc. So, and we are adding almost 30 to 40 new customers every quarter, which is again a good proof point, a good data point that a lot of companies have already begun the transformation to SD WAN, or software defined WAN.
Now why? Why are people moving to a software defined WAN environment? What are the challenges they are facing and what problems does SD WAN solve? So, the first issue as we have touched upon briefly in the bank example is bandwidth and the need for bandwidth augmentation and insufficient bandwidth right now as the number of applications, bandwidth hungry applications is increasing day by day. Video is increasing, the need for video at all the branches or sites, locations, offices, etc., is increasing.
So that’s why there is a move from a traditional MPLS based environment to a hybrid environment, which is, essentially transport agnostic. So that’s one main reason. The other reason is complex operations. So, when you move, when you are transforming your network, obviously there are operational complexities because in typical cases if you are moving to hybrid environments and you are using traditional solutions, you have different endpoints or different routers for MPLS, different routers for broadband, in some cases, and then the management becomes quite complex.
SD WAN brings simplicity, because of centralized control management policy changes, etc. So, customers and particularly customers in Asia Pac have a number of choices. One is they can pick the managed service and go to their managed services provider and let them manage the transformation from WAN to a software defined WAN. But the other option, because of the simplicity that it brings to operations, which we’ll touch upon briefly in the next few slides, enterprises can choose to do it themselves. Or they can work with a systems integrator. So, it’s, we bring total flexibility. Also, the move towards Cloud, infrastructure as a service, software as a service. So, this really increases the demand for security.
In the past, if you had a link between, if you had site to site links or if all your traffic was between sites or from sites to data centers, security was much more contained. But now as you’re going out to a hybrid environment and you’re going out to the Cloud, that’s where security becomes much more important and that’s where the need for Cloud based security becomes much more apparent, and this is something Zscaler will explain in detail after this.
So, the other big data point or need for SD WAN is limited application awareness currently. So, in terms of a lot of enterprises want to understand what is the traffic, what kind of traffic is flowing through, between the branches, between the head offices, between the data centers, between the branches and data centers, etc. So, they want to understand how much of it is [unintelligible 0:11:08] traffic, Salesforce, CRM, ERP, etc. And how much of it is [unintelligible] videos, for example, so that they can manage the traffic, manage the connectivity, much better and in a much more efficient manner.
So, these are some of the reasons, these are some of the challenges that today’s wide area networks are facing and that’s why a lot of enterprises are moving towards a software defined WAN architecture. So, what does the architecture look like? So, at the very basic level it stands for independent fabric, meaning it’s transport agnostic. So, software defined WAN architecture supports MPLS, supports broadband, supports 3G/4G connections, etc.
And it also supports hybrid connectivity. So not every site is MPLS only or broadband only or 3G/4G for backups only. There are a lot of sites, which are hybrid, which are both MPLS and broadband. And even 3G or 4G for backup connections. And then there are some pure sites are purely – sorry…
Idris: So, then there are some pure sites, which are MPLS only or broadband only. Now, the key thing for managing this and simplifying the operations is this needs to be zero touch. And what zero means, if you have centralized management and control, centralized policies, etc., then the operations of, the operation of this network becomes very easy and very simple. If I were to summarize the benefits of SD WAN, it’s like 4 S’s. Security, scalability, segmentation and simplicity.
The other very important things, many of you are moving, transforming your WAN to a software defined one, is [unintelligible 0:13:07]. So, nothing goes in and nothing goes out without it being explicitly allowed by the controller and by your management platform. And when you are moving to hybrid environment, security becomes all that important, and that’s why you have Cloud based security as an optimal solution. Now the layer above that is the delivery platform, your standard [doubting 0:13:29] security. But again, security is multi-faceted in this environment, segmentation.
So, you are moving away from previously the way segmentation was done, it was mainly done in data center via VLANs, they’re different lines of businesses at different VLANs. But what you can do right now is you can literally have end to end segmentation and for all types of traffic. So, this is particularly important for a lot of verticals, like manufacturing, like in the manufacturing example on a manufacturing floor you had your ecosystem partners coming in, you had your vendors coming, into your manufacturing floor, with various connections.
And you want to make sure that their connectivity is fully segmented and fully separate from each other. Standard things like quality of service, multicast. Service insertion is another very important point there, again, Cloud based security also fits in very well into service insertion, where anything that is going outside to the Internet. You want to scrub that solution. Now previously it was well contained. Any traffic that used to, that needed to go out to the Internet used to go out to well defined centralized DMZ or regional DMZ.
But that is not very efficient. In a lot of cases it’s, the [fax 0:14:53] is not optimal, and especially if you’re moving to software [unintelligible] service, it’s, it doesn’t give you optimal performance. So, with service insertion you can define regional points where you are scrubbing your traffic, which is firewall solutions, IPS, IDS, etc., before it goes, before traffic goes out and before traffic comes in.
On top of that, you have your application policies, so you have SLAs on a per application basis, because we support DPI, Deep Packet Inspection. You also have segment topologies. So, when you segment your network, each segment can have a different topology. So, for example, if you’re running voice, voice needs to be a full mesh connection. If you are running some ERP applications, that may just need to be a hub and spoke connectivity type of segment. Or it can be [start 0:15:42] segment, etc.
The key thing is, you can define your segments, or you can define the topology per segment. And then this whole movement towards Cloud and Cloud based applications, you need to make sure that you have optimal paths to the Clouds. Now, across all of these layers you have your management and control, and what you really want is a single pane of glass, which is controlling your entire Wide Area Network, it is providing you with operations capabilities, monitoring capabilities, as well as giving you analytical capabilities. So, what are some of the elements of the Viptela solution? Essentially the solution, think of it as data plane and control plane. So, we have full separation between the data plane and control plane, so at your branches, at your small office, home office, campus, data center environments, the Viptela solution consists of vEdge routers which could be appliance based or it could be software based.
So, it could be a virtual appliance that is essentially a VM on an x86 platform, or it’s an appliance base and we have a very simple set of appliances, so starting at 100 megabits at the low end, to 1 gigabit to 10 gigabits. So typically, the 100 meg appliance is used at the branches, campus, etc., and, or in some cases one gig is also used at the branches depending on the size of your bandwidth requirements, and the 10 gig appliance is useful at the data center.
But we also have the software versions of these appliances, which could be a VM instance. It could also be an instance in [unintelligible 0:17:28] or in AWS. So, this is the data plane version. The brains of the system, the control plane essentially sits in the Cloud. So, the controller can sit in your Cloud, it can sit in Viptela’s Cloud, it can sit in your service provider’s Cloud, it can sit in your systems integrator’s Cloud anywhere. You have full flexibility.
So, all of the management, the control, the policies, the configuration, all of this is done centrally with our vManage controller, and all of these policies are then pushed down to each of the edge devices at the branches. And then there is free flow of traffic between the branches. So, you have a secure control plane, you have a secure data plane, and the three bandwidth tiers that I was talking about, I’m talking about full [infected 0:18:16] WAN bandwidth, so you have 100 megabits, one gigabit, and 10 gigabits. So, these are the essential solution elements of Viptela SD WAN network.
Now the most important point nowadays is Cloud. And you have two instances of Cloud. You have infrastructure as a service, where some of you are taking a hybrid approach. You have both your private clouds as well as public clouds, and you have a combination of these two environments. What we can do is we can essentially extend your WAN to the public Cloud, to either Azure or Amazon, AWS, where you can [unintelligible 0:19:02] on AWS or Microsoft Azure, as a software version, and so you are extending your Wide Area Network from your branches, from your campus, from your data centers into the public Cloud as well.
So here you have a very well defined security element. Now if you move to software as a service, where these applications, these services can be hosted anywhere, so there are multiple options on how you access software as a service. So, one is, of course, you go to a centralized DMZ before you go on to wherever your service is hosted, but that’s not highly efficient because of latency, etc., and it’s not the optimal way to access software as a service. So, you may have regional breakouts, so each region would have regional breakouts, aggregation, and then you’d go on to software as a service. Or for example, as Office 365, as they recommend, they recommend that you do a direct Internet access. You do a DIA. And this is where of course the security element becomes much more important because if you’re doing a direct Internet access, you have to still make sure that your traffic is secure and that’s where Cloud based security and Zscaler comes into the picture.
And I think that’s, this is a good point to hand it over to Lee from Zscaler so he can talk about the Zscaler Cloud based security solution.
Chris: Thank you very much. That was fantastic, Idris. Really appreciate it, and it’s a very compelling solution. So that is very much appreciated. As you said, we’re now going to hand it over to Lee, the technical director for Zscaler in the Asia Pacific region who will take us through the Zscaler platform. So, Lee, over to you.
Lee: All right, thank you, Chris, and thank you, Idris. It really excites me, you know, think about what, you know, SD WAN solutions [unintelligible 0:21:00] help customers on board with Zscaler, and I’ll dig into that as we go through our section.
And before, you know, get into the details of the technical solution and the solution itself, let me talk a little bit about Zscaler as a company and give, for those of you who aren’t well aware of Zscaler, Zscaler has actually been around for quite a while. Zscaler was founded in 2007, so we’ve been around for 10 years and you know, over that time we’ve, you know, we’ve been focused 100 percent on delivering, you know, Cloud Internet gateway as a service.
And so, you know, built from the ground up delivering this. And so, you know, tied that we actually have a lot of patents, we have over 80 patents, most of which are actually awarded at this point, and we have grown into the world’s largest security Cloud, over 100 data centers around the world. So, points of presence in almost every major country and geography around the world. And across that Cloud infrastructure we’re seeing, you know, over 100 million threats blocked every day, across 25 billion transactions that we see across the Cloud every day.
And to put that 25 billion in a bit of perspective, you know, you look at something like Google Search, where, you know, that’s 3 to 5 billion transactions on a typical day, so, and the reason for that, the reason Zscaler’s transactions comes out so high is because when customers entrust us, they are entrusting Zscaler for all of their Internet traffic, routing through us. And you can see in that next section we’ve got over 5,000 customers. A very, very large percentage of the Fortune 500 are using Zscaler distributed across over 185 countries around the globe. Very well recognized and respected in the analyst area, with Gartner and Forrester and we’ll go into some more detail there. And then, you know, very tightly aligned with global partners in the service provider and the system integrator space, many of whom are also leveraging Viptela to help customers move to this next generation network transformation.
You know, from a financials perspective, the company has been growing very, very rapidly. Probably one of the most telling, you know, statistics around our financial strength is the customer renewal rate, which you actually see there as more than 125 percent. And the reasons for that is typically when it comes time for renewal, customers are actually expanding their service with Zscaler, either looking at adding additional seats or adding additional security capabilities from Zscaler’s portfolio.
So, let’s talk about some of the challenges that come from Cloud and mobility. So, you know, there’s actually, you know, Cloud and mobility are massive business enablers. But the shifts in the entire, you know, IT and security environment have really fundamentally changed because of Cloud and mobility. What we’ve really seen is a massive shift in attack vectors. You know, as an industry, we’re all very good at protecting our data centers and protecting our servers, but because of the migration to Cloud, what’s happened now is the users no longer have to be on our network to use applications and we see massive levels of mobility in the user community, where users can be working from anywhere.
And when they are working from anywhere, that means the traditional security investments we’ve made for our, you know, traditional Internet gateways are actually not even, you know, being applied for those user populations. So, we’re also seeing the attacks become very sophisticated, so you know, the attackers are leveraging the sophistication of Cloud. We often see from our own threat research and threats that we find that the attackers are using Cloud services like, you know, CDNs, AWS, etc., to deliver components of their own attacks.
You know, that’s two-fold benefit. They’re doing it partially because it’s easy. Cloud infrastructure is already there. And they’re doing it because those environments are trusted by the industry and many, you know, security industry veterans and players will white list, you know, sites that use reputable. And what we see is you cannot trust a reputable site in today’s market. There’s just too many ways to take advantage of the way the modern Internet works.
And you know, what we’ve seen because of this sophistication, you know, for the gateways we are managing, security components that we do have, we’re seeing massive amounts of sprawl, where you get more and more unique point products solving a specific aspect of the security problem. You know, the challenge is these things don’t work together and as I mentioned before, often users aren’t browsing through this equipment in the first place. And then the last piece is, because of this Cloud adoption people still are often, you know, from a 9 to 5 perspective, still coming back to the office they’re working, and you know, IT administrators and network administrators are now dealing with networks where users need to access SaaS applications more than they need to access the traditional data center applications that back all of our MPLS.
So, then the challenge is how do I modernize and transform my network to enable users to access those [SAS 0:26:32] applications in a very secure way. And that’s exactly where Viptela works very beautifully, hand in hand with Zscaler. And this is, you know, this is actually, you know, typically what we see in real customers. This is actually a Fortune 100 banking customer that actually said, you know, allowed us to share, you know, to put this slide into the deck and we thought it was a beautiful slide of what a typical Internet gateway looks like.
And you know, we share this with customers and the vendor names may change, but general components are often very, very similar, where there’s appliances doing, you know, proxy and basic URL filtering type security. There’s appliances doing SSL, there’s sandboxing, data loss prevention, you know, firewalls in bound and out bound, etc., etc. Multiple components from multiple different vendors. For this particular, you know, slide, it’s difficult to see the details. It would actually measure through the number of hops that a user would need to go through to get out to the Internet to retrieve that content. It’s actually going through 28 different security hops.
And the challenge, you know, there’s multiple challenges here. One is every single one of those hops is adding some latency. And if there’s some bug or some incident, trying to figure out which vendor is actually the cause and trying to figure out what the right fix is, is it a software patch, is my box overloaded, do I need to add more equipment? You know, it’s a real challenge. Learning, you know, having IT staff that can manage all these different, disparate administrative interfaces also a huge challenge.
And I think probably one of the biggest challenges associated with this is the actual migration to SaaS, and you know, moving to applications like Office 365, etc. Every SaaS application that you adopt, you’re suddenly taking that traffic that used to be going across your MPLS to your data center, and that traffic is now suddenly going across this infrastructure. And it’s making the performance of this infrastructure very, very critical, but then it’s also making, creating risk. You know, as each new SaaS can add considerable load, and we are seeing some SaaS providers like Microsoft in particular with Office 365, you know, telling their customer base, their customers, do not use particular types of security stack components because these are known to cause challenges.
So, a lot of big issues here. And then what we’re seeing from a network transformation and driven by SaaS is their need to create more and more breakouts. And when you look at this architecture, it actually becomes quite untenable to pile those other challenges along with the [Capex 0:29:23] investment of trying to replicate this infrastructure across more breakouts to improve latency around the world. So what Cloud can do, what Zscaler can do is essentially what Zscaler has built is a Cloud based platform delivering all the different capabilities you see there on the left, but as a pure Cloud service.
And because it is a single vendor, the security is fundamentally better. You know, all components of the Zscaler service are managed by the same security team, same engineering, making sure the correlation of data and the information being shared between different aspects of security is, you know, you know, the best possible. From a customer perspective, you know, massive simplification, essentially you’re taking that entire stack and you’re moving that to a virtual secure gateway, Internet gateway in the Cloud.
So, you’re managing one service, you’re managing it globally for all of your breakouts all around the world. You go to one place, you manage all your policies. Those policies go into effect wherever the users are breaking out, wherever they are in the world. And fundamentally it’s optimized your Cloud. Zscaler, you know, has built from the ground up for Cloud but has continued to invest and innovate to ensure that the Zscaler platform is the absolute best performance with other SaaS applications.
There’s a number of investments Zscaler has made specifically around SaaS applications like Office 365 and Google Apps to ensure that, you know, Zscaler is providing the best performance to those applications through [unintelligible 0:31:03] and their breakouts. And you know, what we’re seeing is, this is driving, you know, this is a very natural shift in the industry. We’ve seen this already happen with a number of software solutions, and the example here in this slide is Salesforce where we’ve seen the traditional on premise based application providers, you know, lose out essentially to the pure Cloud based providers and Salesforce.
It’s an excellent example in the CRM area, but we’ve seen this over and over and over again in multiple spaces. So, here’s the basic idea with Zscaler. Essentially, you know, as I said, Zscaler at the top of that image there has built a perimeter around the Internet. So rather than trying to build a perimeter at every single customer gateway, we’ve put the perimeter in the Internet with our hundred pops letter just distributed around the world.
And then from that point what you do is at a network level or potentially at a user level, you configure the traffic to be routed to Zscaler as a global checkpoint. And this is where the partnership with Viptela comes into play. While we are agnostic and can use [GREIP Sec 0:32:21] with any vendors, traditional networking vendors will require you to go manually touch every single box that you need to set up tunnels with. And with something like Viptela you can orchestrate that all from the cloud management and you know, very easily set up tunnels to get your network traffic routed up to the Zscaler Cloud.
And then mobile users are also covered when they’re on the road, when they actually leave the network. Their endpoints are still routed through the Zscaler Cloud and they’re protected. Then from a management perspective, you can consider this Cloud, as I said, it’s a global Internet gateway, but it is, you know, multi-tenanted and customizable per customer. So, you actually have a single policy then which you can log in and set the policies for your company and your different locations, meeting whatever local, regulatory and legal rules you may need to meet around the world.
And then as that traffic is flowing through the Zscaler Cloud, it’s actually correlated in real time, and that data, about what the user activities are, what the new threats are, is available in real time in a dashboard. That can also filter into your existing [Sim and Sock 0:33:29] solutions that you may have managing yourself or managing with different partners. And these are all the components of the platform. As you’ll see, there’s, you know, many, many components of the Zscaler platform available for customers.
Often when customers start with Zscaler, they’re often looking at replacing legacy proxy type solutions and we’ll start with basic Web security, URL filtering, which is sort of the entry level point of starting with Zscaler. And then often customers will enable additional advanced protection capabilities. So, we have a number of different types of engines at a base level. There’s entry level to the service, there’s anti-virus, that’s always happening in the Cloud. But Zscaler has a number of additional security features and engines that can run using Zscaler’s advanced protection engines and framework, which is more like IPS in the Cloud, providing a number of different ways to lock vulnerability and vulnerable applications and protect users, no matter where they are.
And for unknown threats, Zscaler also has the ability to provide sandboxing in the Cloud. They actually take executables as they, before they’re delivered to users, run them in a sandbox, see what the behaviors are. If that executable or application happens to wind up displaying malicious behavior, we can then actively block users from being delivered that content and proactively protect them.
We also have the ability with that sandbox to do quarantine, which is actually unique in the market. And this is, you know, this is again tied to being an in-line gateway vs. something that’s out of band and particularly potentially just listening for out of band events. In addition, from managing those SaaS applications and prioritizing SaaS applications, there’s bandwidth and QoS controls, there’s Cloud firewall to manage rules for non-Web traffic. And from a data protection perspective, we have the capability to do Cloud application controls or [CASB 0:35:36].
We’ve got the ability to actually look at the actual data in motion and, you know, do forensic data, actually look at the data for different, you know, industry specific challenges or specific strings configured for customers, strings or patterns, to actually identify data in transit as it’s leaving the network as part of our data protection strategy.
And security is actually one of the biggest differentiators for Zscaler, so this is, this, you know, covers some of the ways that Zscaler differentiates. One that really key differentiates, differentiators, is that Zscaler is always scanning all content all the time. What we see for a lot of providers, a lot of vendors will trust a number of sites, you know, trust high reputation sites, trust things like CDNs, you know, high profile websites, and not actually look at a content level, at their content. And this is often done to increase scalability of traditional appliance based solutions.
As cloud based solutions, Zscaler, you know, wanted to set the bar at a level of scanning all content all the time. And it is something that we do frequently see in the real world, that popular sites are compromised in some way or another. And that may not be a direct compromise, it may be a partner site compromise, it may be through a CDN compromise. There’s multiple ways we see it happen, but we do see frequently, you know, malicious content being, you know, sent via good reputation channels.
And the best way to combat that is to scan all content all the time, including SSL traffic, so encrypted traffic is actually a big challenge for a lot of traditional appliance based solutions. Not that they cannot do it, but the scale and the amount of boxes you need to look inside SSL is quite challenging. That’s a basic part of the Cloud.
And then because it is a Cloud, there’s actually a lot of correlation between the different security components in the Cloud and the Cloud intelligence itself of having 15 million users across five thousand customers, different verticals, etc., sending traffic through the Cloud. And it puts our own security research team in a very unique position. Because unlike a lot of security vendors that build a security platform and then shipped that out to the customer site and crossed their fingers, because they don’t actually get a real time view of what that system is doing when it’s on the customer premise.
You know, Zscaler security research team is actively managing the Cloud and its security and can see in real time what is going on from a security perspective, use that data to in many times, in many ways automatically protect users from these threats, you know, and an example would be if we detect a new threat through sandboxing. You know, one customer detects that threat, we immediately, instantly and automatically put MD5 signatures into the Cloud and automatically all Zscaler’s users are protected.
And again, you know, as our research team is doing research, they write specific signatures based on the trends and the threats that we see, and they can very rapidly respond and write new signatures to block new threats. And of course they don’t work in a vacuum. Our security team is great, but we actually do partner with a number of other partners. We’ve got over 40 different industry threat feeds that we get. Probably one of the best examples of industry programs though is Microsoft MAPP program, where they actually give us proactive notice of Patch [Tuesday 0:39:19] events.
So you know, it’s not an overnight transition. So you know, we actually recommend multiple steps. It would be great if we could all just go overnight and have that fully transformed network where we have SD WAN to flood across all our branches and tunnels connecting up the Cloud. But the real world, there’s often, you know, multiple things you have to work through. So Zscaler recommends starting, you know, step one is to actually start using Cloud security, use Zscaler to take your Cloud security up a level.
And then step 2, you know, remove point products as they become obsolete. And you can replace those functions with Zscaler and over time move to that step 3, where your actual network is fully Cloud enabled, where you have those direct Internet breakouts all over the world and you’re fully transformed for using Cloud and SaaS applications.
And you know, why Zscaler? You know, there’s actually multiple reasons to look at Zscaler from different stakeholders within an organization. From a security perspective we’re looking at reduced risk with the level of security Zscaler can provide and the uniform security Zscaler can provide across all users for any network. From an IT head, CIO, CTO, we’re looking at, you know, consolidation of a lot of different point products and massive simplification of what the company needs to manage.
And from the CFO and CIO perspective, you know, the operating model, you know, huge ROI, pure [unintelligible 0:41:00] based model. And from an engineer user perspective, massive productivity through enabling those direct breakouts, giving users localized content from direct breakouts, and just, you know, and through that massively increasing the end user performance.
And with that I will hand this back to Idris to talk about a success story.
Idris: Thank you, Lee. So I think proof of the pudding is in the eating, and we have a number of joint customers globally between Viptela and Zscaler, and what we do here is we talk about a specific example. But before we talk about a specific example, let’s talk about an architectural framework of how Zscaler and Viptela work together. So in a typical environment, if you look at the bottom of your screen, you have your branches, you have your campuses, you have your small offices, you have your data centers, all freely passing traffic with each other.
Now whenever there’s a need to go to the Internet, or there is a need to access software as a service, that’s where Cloud based security and that’s where Zscaler comes into the picture. So the moment you need to inspect traffic, you essentially, you put a policy in place that can make a dynamic decision to secure your traffic. Now those policies can be based purely on content. That can be based on critical applications. Or for example, it can be based on [unintelligible 0:42:34] or 443 traffic, or you can say I want to inspect everything that goes through the Internet.
So the way Viptela and Zscaler work together is very simple. It’s a two step solution essentially. What you need, what you, you go through the, we manage Viptela controller and basically define what kind of traffic needs to be inspected by Zscaler or by Cloud security. So again, it could be application based traffic, it could be content or it could be everything.
So you define what needs to go through Zscaler from the Viptela portal, then you go through the Zscaler portal and basically define what needs to be inspected and what is the security framework for the inspection. That’s it. And as soon as that is done, a tunnel gets automatically established between Viptela and the Zscaler Cloud, and you are on your way.
So having set the stage as for a reference framework, Lee, if you can perhaps walk us through a specific use case where the two of us have the [unintelligible 0:43:41] solution jointly for a very large customer.
Lee: Sure, if you could help me move to the next slide. Yeah, so this is a great joint case study between Viptela and Zscaler. This is a Fortune 500 healthcare and, you know, test and measurement equipment. This is actually [Adulant] Technologies, so they actually publicly reference Zscaler [ONUG 0:44:08] Open Network Users Group, so that’s something that you can actually look up and see. But you know, they’re a, you know, perfect example of a, you know, prospect, prospective customer for both Zscaler and Viptela, with over 100 locations around the globe, 12,000 users, you know, highly distributed.
And they were looking at, you know, how they can optimize their network for, you know, optimizing it for Cloud as well as centralizing security for all of their Internet breakouts around the world. And so what, you know, what they were looking for was a hybrid solution where they would continue to use MPLS for specific functions but then enable direct Internet breakouts around the world.
But manage all of that centrally, manage all of the security centrally, manage all the network centrally, and Zscaler and Viptela were the perfect solution for this. So from a Zscaler perspective, they’re using all of Zscaler’s advanced security, they’re using the firewall, URL filtering, Cloud sandboxing to provide all that security and Viptela is the enabling solution that is giving them this new WAN architecture and then routing that traffic to Zscaler.
And this was done with redundancy from, you know, giving multiple transit options around the world and optimizing that application access to SaaS applications. And then again, all of this being fully Cloud controlled. Yeah.
Idris: Yeah, so closer to home we have a very good case study, here in Asia Pac as well, where we have gone to work with a life sciences company. It’s a global, it’s a multinational, but they started off their WAN transformation journey in Asia Pac, in their sites across Asia. So essentially they wanted to move from an MPLS only solution to a hybrid solution, and what they also wanted to do is obviously they did not want to – they have many branches, many locations. They did not want to implement a firewall at each branch individually, so they were looking at a Cloud based approach.
They wanted to Cloud-ify the whole solution, so not just moving to a software defined WAN but also Cloud-ified their security posture. And essentially what they wanted to do was for any traffic going through the Internet, they wanted to inspect everything. And they wanted to do it as close to the sites as possible. And this is enabled by Zscaler. Zscaler has deployments across the globe.
So at every one of these sites, any packet that was routed to the Internet, we manage via policy so that that traffic got directed to the nearest Zscaler Cloud location and everything was inspected and then it sort of moved onwards. And we did that in – from a Viptela perspective. We worked with our global partner, Dimension Data, to implement this for our customer.
So that’s an example similar to the Adulant case study, but it’s an example more local to us here in Asia Pac, where one of our customers, one of our joint customers jointly went to a transformation journey, both for, from a WAN perspective as well as from a security perspective.
So Chris, over to you.
Chris: Thank you very much, gentlemen. That was a fantastic presentation. It really does look like the solution of the next generation. SD WAN is obviously I think a bit of a no brainer in terms of the next generation of WAN, and Zscaler is by far the most elegant solution for connecting those branches and head offices securely to the Internet.
So thank you very much for that. Greatly appreciated.
Idris: Thank you. Thank you to all the attendees on the session today, and thank you, Chris, and…