Zscaler: Cloud Security with SD-WAN, Case Studies and Best Practices
Gartner estimates that by the end of 2019, 30% of enterprises will use SD-WAN technology in all their branches, up from less than 1% today. And as of Nov 2016, Gartner has estimated about 50,000 production SD-WAN deployments. SD-WAN is a transformational approach to simplifying branch office networking.
However, security is a critical factor for SD-WAN adoption, especially for cloud and Internet applications. With Zscaler and Viptela you can now secure all Internet traffic without having to backhaul it to centralized DMZs. Customers have seen more than 50% WAN cost-savings while keeping their branch offices and employees protected.
Join Viptela and Zscaler to discuss the best practices for securing your distributed enterprise with cloud security and SD-WAN. They will also cover:
- Common use case scenarios for SD-WAN and cloud security
- Real world deployment examples
- Best practices for improving your security posture with cloud security
- Zscaler and Viptela technical integration elements
Sri is an entrepreneur with a track record of delivering market leading products, including the crypto-processor now on every Intel motherboard, the #1 SSL VPN, market leading products in identity management, next gen talent management products, and a widely-adopted college admissions platform. Sri has a PhD in Computer Science from The Ohio State University.
David Klebanov is leading the Technical Marketing organization at Viptela, the Software Defined Wide Area Network (SD-WAN) company. David has more than 15 years of diverse industry experience architecting and deploying complex network environments. In his work, David sets strategic direction for industry-leading network platforms, which transform the world of wide area communications for enterprises and service providers alike. David also takes great pride in speaking at industry events, releasing publications, and working on patents. You can reach David on Twitter: @DavidKlebanov.
David: Hello; welcome to the Future WAN 2017 session on cloud security with SD‑WAN presented to you by Zscaler and Viptela. We’re going to talk about some case studies, some best practices, touch a little bit about technology, the what’s, the why’s and so let’s start this conversation.
So before we get into the details I just wanted to give a bit of an historical perspective of how we started on this journey between Zscaler and Viptela, and it all comes down to a customer that approached us and basically had a list, a laundry list of things that they wanted to achieve in their environment, right? Here we have highlighted a few things that are of the utmost importance there.
The customer was really a traditional customer deploying sort of a traditional networking and security element in their network and what they were after, is they were after eliminating the dependency or the sole dependency on an MPLS service provider and backhauling of the traffic that needed some security services all the way into the main data centers.
At the same time they wanted to eliminate the degraded cloud application performance while still keeping the security enforcement up to the InfoSec standards that they had there in their organization. So the improvement of the cloud application performance, the ability to deliver a segmented environment as far as traffic segmentation is concerned and their specific interest was to segment the guest Wi-Fi traffic at the remote location, so the traffic could be offloaded into the local breakouts – local internet breakouts without requiring any bandwidth resources from the corporate‑wide area network infrastructure.
Operations was a big topic; to streamline the remote office infrastructure to stop the proliferation of hardware devices at the branch [break in audio 00:02:14 to 00:02:46], not only that they’re getting a state of the art, next generation‑wide area network infrastructure but they’re also getting a zero compromise on their security posture and security policy enforcement, and that’s when Viptela and Zscaler came together to deliver the value to the customer.
So that’s how we started and let’s talk a little bit more about what happens in the marketplace around wide area network, and we’ll start with wide area network first and then we’ll talk about Zscaler and at the end we’re going to talk more detailed about how does the common solution look like, what are the use cases, what are the things that we should look for?
So if we focus on the Gartner research in the past year, year and a half, Gartner has been very bullish on the wide area network market. There are a whole lot of predictions that have been made around the enterprise adoption of the SD‑WAN technology that is really skyrocketing to 30 percent of the enterprises by the end of 2019. We’re talking about a very significant uptake in the adjusted dollar amount spent on the SD‑WAN infrastructure from around 130 million in 2016 all the way to over 1 billion in 2020.
So there’s definitely no shortage of very bullish predictions about what’s happening in a SD‑WAN market, and it’s not just the future, but we’re really seeing a tremendous traction with large enterprise, mid‑size and small businesses are also enjoying the advantages that the SD‑WAN brings into the wide area network that has really seen little innovation in the past decade, decade and a half or so.
So where are the customers today as far as the wide area network infrastructure is concerned? So customers are generally not happy with their wide area network. Multiple [calls] and multiple researches that have been done all point to the same conclusion, and there’s very few organizations out there that are actually happy about the wide area network and a few organizations that actually consider their wide area network as something that is modern and agile enough to accommodate the business needs and the customers the organizations have in their infrastructure.
This spans all the way from bandwidth constraints to application downtimes, to fragmented security, application adoption or the ability to adopt cloud applications such as [SATs] or infrastructure as a service. These are all sort of high ticket items that organizations are just not able to deliver or not able to deliver in a streamlined fashion without going through a transformation and taking wide area networks really to the next generation, being software‑defined.
The operations and the high costs are also something that is very [due] to lots of the organization because, at the end of the day, everything is achievable, everything is doable but the question is at what cost, and we’re talking about the operational costs and the capex. These are the costs that the organizations have to incur to be able to procure it and run their wide area network infrastructure, and those are not in favor of the IT department.
So as far as Viptela we’re going to spend – touch a little bit; we’re not going to go very deep as far as Viptela’s solution is concerned, and there are plenty of resources out there. You can also look at – in this particular session you can see in the attachment and link section you can see lots of good resources. You’re also welcome to [unintelligible 00:06:48] other Future WAN sessions that happened in the past couple of days that will give you plenty of information about the internals of Viptela products.
But it’s a general solution philosophy where it identifies multiple tiers that would provide a customer to go through this sort of transformational journey. At the bottom of it we identified Transport Independent Fabric with the zero touch principles to make sure there is zero compromise on security elements, and the zero trust elements that again made sure that everything is nice and secure.
Abstracting at the end of the day, the physical transport such as broadband, MPLS, cellular, point to point satellite and whatever the case may be; in that case to be able to deliver a delivery – an application delivery platform that consists of a toolset that includes things like routing, security and segmentation, quality of service, a [unintelligible 00:07:50] of service insertion, even things like streaming, multimedia services through multi‑guest, and of course high visibility and survivability. These are all sort of application delivery toolsets that are available to the customers to be able to actually deliver application policies.
And application policies in the case of Viptela is a very robust policy framework that allows organizations to basically mold their wide area network infrastructure or wide area network policies the way that fits whatever we were trying to do as far as delivering SLAs to the application, determining things like traffic engineering and segmentation and security perimeters, cloud application adoption and things like that. So it’s a very robust framework, policy framework for being able to deliver on the wide area network.
And of course, the solution would not be complete without an extensive ability to perform operations, monitoring, and analytics on the entire solution, which eventually everything comes together as a single software‑defined wide area network product.
Now the elements of Viptela’s solutions just to baseline – so we have a more comprehensive conversation when we talk about Zscaler and Viptela collaboratively delivering solutions, so as far as the Viptela solution elements are concerned there are vEdge routers which are the software or physical appliances that are deployed at the locations that are enabled for a software‑defined wide area networking. These are the small offices, branch offices, campuses, data centers and even cloud data centers, and what we mean by cloud data centers are really the AWS, the Azure, which is the public cloud offerings that allow you to extend your organization or wide area network all the way into the public cloud infrastructure.
Now all of those elements really are under the centralized control and management infrastructure and they communicate through a secure control plane communication with centralized controllers, which can be either deployed on [prem] for an organization that is more security conscious and would like to deploy those elements on prem or they can be hosted in the cloud by Viptela or they can also be hosted by our managed service providers.
So at the end the control plane communication drives the data plane, which is really the secure SD‑WAN fabric that gets established across all the locations that participate in this SD‑WAN network. Once it’s been established that’s where you have the ability to start utilizing that policy framework that I mentioned earlier, to be able to deliver those service in either a graphical user interface way or in a more programmatic way.
We have a spread of customers that some of them prefer more of a graphical user interface approach, the other ones take a more blended approach as far as leveraging graphical user interfaces or the application programming interfaces. The APIs are also leveraged by the third party management vendors that interface to our system in order to be able to provide sort of monitoring and management services for our solution.
Now if you think about a cloud and how the enterprises sort of embarking on the cloud journey you can really view the cloud as having two elements, right, or two types of cloud solutions. First is the infrastructure as a service, which as I mentioned earlier, this is the Amazon’s and the Microsoft Azure of the world where you have the public cloud offering that allows you to position your computer resources all the way into the public cloud.
The question is, is how do you tie those resources back into your organization or wide area network? Viptela’s philosophy in this case is seamlessly extending the wide area network all the way into the Amazon DC or Microsoft Azure VNET and be able to maintain the full range of services that are available to each one of the SD‑WAN sites – each one of the organizational SD‑WAN sites and being able to extend those services all the way into the public cloud, and that includes things like quality of service, security, segmentation. So basically, you stop treating the public cloud as sort of a foreign entity to your wide area network and it becomes an integral part of your wide area network, which of course a single [unintelligible 00:12:55] for monitoring and managing that.
Now the second sort of element of the cloud‑enabled enterprise is the software as a service. This is where you have basically internet‑bound services that are provided or that are consumed by the organizations. And the question in here is how are the quality of services, and more importantly how are the security aspects delivered for those resources that are really residing in a public cloud, in the form of a cloud application?
This could be – the most prominent one is of course the Office 365 which is the most commonly encountered, but there are of course others such as Google applications, Salesforce, Dropbox; there’s a whole slew of cloud applications that organizations are consuming and the question is how is the security handled for those? When talking about cloud applications and SaaS it’s not necessarily just the cloud applications themselves but also overall the internet resources.
So when you’re talking about, for example as I mentioned earlier, the guest Wi-Fi user that walks into one of the facilities and guest Wi-Fi services is offered, how is the traffic being secured? How is the organization being able to enforce an organizational sort of policy around the guest Wi-Fi user? Instead of just letting the Wi-Fi user be sort of uncontrolled in the internet space, how is it possible to enforce a sort of security policy around that? These are all very acute questions that organizations are battling with and that’s exactly one of those significant touch points between Zscaler and Viptela that brought this partnership to light. So I’d like to transition to my Zscaler counterpart and talk more about the Zscaler cloud security platform and the benefit that it brings.
Sri: Thank you, David. This is Sri here; my name is Sri Subramanian and I am the Senior Product Manager at Zscaler and I’d love to talk a little bit more about how you can secure your public cloud and internet access from your breakout points. We’re seeing a lot of customers right now going with a cloud first strategy. It’s actually changing per Gartner. We’re going to see more and more customers actually going towards a cloud‑only policy by 2019; 30 percent of the largest vendors are going to be cloud‑only, so there is going to be more and more resources on the cloud.
That’s coming because we’re realizing that cloud and cloud services are actually very secure because of the scale of resources that it can put towards security compared to an enterprise. But there are still questions about how an enterprise might consume those cloud services and Gartner finds that 99 percent of the vulnerabilities continue to be things that sometimes even IT professionals know about but there are issues and constraints that disallow us from fixing it in the corporate environment.
And so how do we work where – from the customer side we want to make sure – from people point of view we want to make sure that these cloud environments actually are secure. In addition there are also some CIO and other concerns that we’ll talk about in just a bit. The final prediction that Gartner has said, 60 percent of enterprises that implement the appropriate cloud visibility and control tool will actually have one third fewer security failures.
Now to give a different perspective into the security issue let’s look at some of the big breaches that have happened. These are all big brand names, Home Depot, Apple, Target, New York Times, and they’re not customers who are not security aware. They have a lot of security appliances and a lot of investment in that area so how is it that we’re seeing, with all this investment we’re seeing some of the biggest brands being breached?
The answer lies in the fact that the attack always shifts to wherever the weakest link is, and today the weakest link is your employee or your partner or anyone who comes into your network and is given access to your network. And so a lot of hackers are infecting sites like facebook.com where people go, and when they go there they get infected and then they get access to the network with [unintelligible 00:18:06] in their machine and now there is a path from your network resources to the hacker, directly to your user.
So protecting users has become a really big concern for us as a community, as an IT community. The question is how is it that reputed sites like Facebook are getting infected? So we just looked at one of the Facebook BBC pages and we found 167 potential threats. How is that possible and these are reputed sites?
If we decide to inspect all traffic, so Gartner says that 60 percent of all of the top sites have malware. Gartner also says that 40 percent – not Gartner, I’m sorry, this is the Virtual Networking Index – says that 40 percent of internet traffic crosses CDNs and goes uninspected and 54 percent of advanced threats hide behind SSL.
And if we had to actually increase our appliance throughput and ability to inspect all of this traffic we’ll need eight times as much equipment as we have today and that is where the issue begins. Zscaler’s mission is to secure your internet, your internet experience, so we sit between your users and your devices and the internet and make sure nothing bad comes in and nothing good leaves.
We have 100‑plus data centers worldwide, so this is something that is distributed and your users will get localized content and quick delivery. We actually process 25 billion transactions per day. That’s almost six times the number of Google search transactions that happen per day. We have 125 million threats that we block every day and 120,000 security updates that we apply every day. This goes to that point that Gartner made about 95 percent of the issues being threats that we actually know about.
If you look at the name that we came up with, Zscaler, it stands for the Zenith of Scalability. Scalability has been what we’ve been working with throughout and we’ve purpose‑built our architecture around that. We can actually serve customers who have locations in 185 different countries. We serve customers who have 30,000 different locations. We serve customers who have 1.6 million users. So no matter which direction you want to scale in, whether you have a distributed footprint or a lot of users or a lot of different locations, we’re able to serve all of the customers with those challenges.
We also bring the cloud‑effect. Because we see all of the customer’s traffic actually going through our website 25 billion transactions from 15 million users across 185 countries, we actually get a very quick knowledge of things that are happening in the internet. And when we detect something once it’s immediately propagated to all of our 100 data centers, which means you get protected for any threats that are seen in any of the other customers’ networks. And all of these updates happen – a lot of them happen immediately, a lot of them happen at a 15, 30 or 60 minute interval, so these happen pretty quickly and are propagated pretty quickly to you.
How are we able to do this? We have a very purpose‑built, multi‑tenant modular architecture. We have 97 patents and many more pending. We have paid a lot of attention to reliability, availability and scalability, which means that we have specific servers that do specific services so they are not intra‑dependent and your ability for data processing is not dependent on something getting overloaded on the login server or the authorization server or the authentication server or maybe the admin/UI server because all of those are differently situated.
Also, the enforcement node, which is where the data processing happens, is distributed and easily replicated across a number of different geographies. So when users move from one place to the other they actually get the best performance that is possible.
It’s also not something that we host on a regular Amazon or RackSpace type of infrastructure. We have a purpose‑built infrastructure, Tier III, Tier IV data centers. We have the best certifications. We have the best connectivity. We peer with a lot of different people so you’re getting the best route possible into the intranet and the best peering to your end cloud applications.
Also, the customer experience, the end user experience is going to be the same whether they’re at home, whether they go to a branch office, whether they go to a hotspot or an airport or a café or they are in their headquarters because it’s the same policy that’s supplied no matter where they are.
And this is the reason that all of the analysts agree with us too; we have been for the last six years in the leader quadrant of Gartner. We’re far to the right compared to any of the other vendors. If you look at Forrester they rank us the highest for our current offering strength, also for our strategy and for our market presence, so we’re pretty much the bigger circle to the top right on the Forrester wave.
So let’s recap – why Zscaler? So from CISO perspective we have unmatched security. You get single policy protection. We’re always up to date. We’re taking care of all of the security concerns and we’re getting SLAs on all of them. From a CTO concern there is IT simplification. We consolidate all the point products. We simplify your IT. It’s a cloud‑enabled network. It’s rapidly deployed. You can turn it on very quickly.
From CIO perspective or a CFO perspective there is no capex. It’s elastic. We charge by the number of users. There is reduced Opex because you do not need to manage your boxes or upkeep your boxes or attach your boxes and there is reduced MPLS costs.
We also improve the end user productivity and so overall, along with Viptela’s ability to secure and great quality of service to your network, when you’re looking at breakouts to the intranet Zscaler is a very complementary and wonderful product that you can use in addition to Viptela, and I will hand back to David.
David: Excellent. Well, thank you very much for covering the value of Zscaler. So now we kind of started off talking about the common solution, we want to circle back in this last portion and talk about a joint solution and talk about some more recent customer success stories, give a little bit more for the technical folk out there; give a little bit more information on the technical pieces of the integration.
So the traditional way of delivering wide area network services through backhaul and the traffic all the way to the data center to access any sort of internet or cloud resources, has been the predominant way of doing things for the longest time. Zscaler has really come in and disrupting that notion of being able to deliver security while eliminating the need for a traffic backhaul, right?
And Zscaler’s architecture is really very supportive of that, of that notion, and that’s why there’s a great fit between Zscaler and Viptela and that’s why customers are seeing some real value between the collaboration between the two companies. Basically what we track is we track – instead of customers that are maybe a little bit sort of not ready to make the jump to acquire direct internet access at every remote location because of certain sort of organizational challenges or security policy challenges.
And what they’re looking for is they’re looking for the regionalization of those services through regional hub facilities that are geographically distributed closer to the user population, and still control the access to internet resources and search resources from those locations. So not quite backhaul, everything into the data center or stop backhauling everything into the data center and not quite doing a breakout at every site, but rather do a regionalization of services to steer the traffic, the cloud – the traffic that is destined to the cloud test applications and the traffic that is destined to the internet resources, through those regional hub facilities over the Viptela SD‑WAN network.
And as the traffic traverses those regional hub facilities it gets forwarded to the Zscaler cloud enforcement nodes to be checked for security compliance and then for any sort of security policies as far as malicious activity, SSL inspection and URL filtering, all the great services that Zscaler offers. It provides a regional cloud path, a regional access to the cloud application, but it doesn’t compromise on an application’s visibility or any of the security elements. And we’re seeing that with the customers who are a little bit more cautious as far as providing direct internet access at every remote site.
Now of course the customers who wouldn’t mind doing direct internet access at every remote site, Zscaler and Viptela offer a very comprehensive solution to allow direct communication from every site that has been enabled with Viptela technology, straight into the Zscaler enforcement nodes in the cloud. And as we mentioned, the Zscaler enforcement nodes are spread all around the world and they are within the geographical proximity of the organizational sites.
So once Viptela SD‑WAN solution has been deployed in those sites and direct internet access has been allowed, it is really the shortest direct path into the cloud application from that remote site, through the Zscaler cloud security enforcement node, all the way into the cloud application and the internet resources. So it’s a direct cloud that – and again with the application visibility and advanced security.
So those are the two sorts of intersection points of how customers are consuming the service, in either a regional fashion, through regional hubs, or through a direct internet access from the branch offices, campuses, small offices, home offices directly into the cloud resources.
Now the notion of security is really – when we look at it we really identify this as a zero trust security on both Viptela and the Zscaler side of things, and so what you’re seeing here is sort of a typical branch that has been deployed with both a Viptela SD‑WAN solution and has also been configured and provisioned for the Zscaler connectivity.
What you see here is the zone‑based network segmentation that allows to segment the user population that is connected to that remote site, into the trusted, semi‑trusted or maybe not really trusted or untrusted zones such as guest Wi-Fi users, and bringing that segmentation and carrying that segmentation throughout the SD‑WAN fabric, but also being able to send the traffic of interest maybe from a semi‑trusted zone or a non‑trusted zone such as Wi-Fi, guest Wi-Fi services, into the Zscaler for the policy enforcement.
So you’re really looking here at the zone‑based network segmentation and the ability for an SD‑WAN network to steer through the policies, to steer the traffic of interest into the Zscaler enforcement nodes where the comprehensive security policies are being applied and the user traffic is inspected, right? So this zero trust, zone‑based security approach is what really resonates well with common Zscaler and Viptela customers.
Now as far as high visibility and redundancy it’s also a very important element that many customers are looking for. It’s all great that we can have sort of a closest of direct path into the cloud application and we can maintain the security, but what about high visibility because outages can happen. It’s something that is sort of unpredictable out of the organizational IT department’s control.
So what happens when outages occur? How can we achieve high visibility and redundancy at the branch offices while still maintaining the security enforcement capabilities? So here we’re really sort of surveying the three different options for organizations to adopt, and there are some organizations that are adopting the rightmost one for their remote locations, which is really a single Viptela vEdge device that has been provisioned with multiple tunnels to numerous Zscaler enforcement nodes to provide the redundancy on the Zscaler side.
Of course, should something happen on the SD‑WAN network and that single device, single Viptela SD‑WAN appliance has an issue, right, of course that site may encounter connectivity issues or service issues because if the problem is at the device where the tunnels are terminating, then that will be a problem. But that site will be survivable for an outage that happens on an individual tunnel and that individual tunnel could be carried over internet service provider A, and the other tunnel could be carried over internet service provider B, so should one internet service provider go down you still can reroute through another tunnel.
And of course, should something happen on a Zscaler enforcement node you always have an ability to reroute through another tunnel to a different Zscaler enforcement node, both being in sort of geographical proximity of that remote site so there is really no service degradation. So on the remote site, that’s on a smaller site, remote site and that is a very common deployment methodology.
Now if you really want to step up and say that I’m not comfortable with having an SD‑WAN appliance at a single point of failure in here, of course there is an option for you to deploy dual SD‑WAN appliances and then you can leverage either VRRP – this is a bridged environment – or you can leverage a dynamic routing protocol such as OSPF/BGP to peer with your existing core routers and provide connectivity redundancy on the SD‑WAN site from the Viptela vEdge appliances, right?
And again, the same philosophy that we talked about as far as redundancy on the Zscaler, applies in all three cases; it’s numerous tunnels and it’s numerous Zscaler enforcement nodes that the traffic would be going to. So really, out of these three items it’s the importance of the site and the high visibility requirements for the site that is going to dictate which one of those three modes or which one of these three architectures, three solutions, would want to deploy that particular site.
Of course, it’s a site by site decision. The sites that have sort of lower importance, maybe some administrative site, may just enjoy single SD‑WAN appliance and just a dual connectivity into the Zscaler, and some of the larger and more important sites may start leveraging a dual SD‑WAN connectivity. And of course data centers, they most likely have a more significant integration into an existing routing protocol and that’s when the leftmost deployment becomes more prevalent.
So now just quickly – we’re sort of surveying the more recent customers wins – that is a common customer win between the Zscaler and Viptela is we’re talking about the Fortune 500 healthcare equipment manufacturers with over 100 locations worldwide, over 10,000 global employees, very significant market share and revenue targets.
And what this customer was really after is a pretty common theme across the majority of the customers that we are seeing, is an ability to integrate an MPLS and broadband together and being able to deliver a cost effective capacity into the site, be those broadband only sites or the sites that still have a hybrid connectivity such as MPLS and broadband.
Being able to split internet traffic directly at the remote site, not to put any of those – not to put any of that traffic onto the actual MPLS or broadband circuits – of course, they’re providing more capacity for traffic that is more bound to organizational data centers – and centralization of the security policy and WAN management and the ability to introduce services such as firewall, IPS, IDS, URL filtering and behavioral analysis into the traffic that originated from the remote offices.
So all of those were customer requirements, and as I mentioned, they are not uncommon and we see them across the board from numerous customers. And the solution to this customer was basically a collaborative solution between Zscaler and Viptela to provision Viptela SD‑WAN solution at the branch office. Provide a direct internet access at those branch offices into the Zscaler based on the three modes that we have discussed in a previous slide, be that a single SD‑WAN appliance, a dual SD‑WAN appliance in bridge mode or a dual SD‑WAN appliance with a routed integration.
Being able to use deep packet inspection to identify the application of interest and steer only the applications of interest into the Zscaler for inspection, to make sure that basically not all the traffic that originates from remote sites is steered into the Zscaler but some traffic that is actually data center‑bound would still traverse the SD‑WAN fabric and is not going to be forwarded to Zscaler.
For the traffic that does go into the SaaS application, through those direct internet access and through the Zscaler, we were able to provide of course the optimal SaaS and SaaS experience and the ability to monitor the SaaS experience, to be able to choose based on an actual performance characteristics of which one of the connections through the Zscaler route is delivering the best performance through that specific SaaS application, and the redundancy that we kind of touched on earlier and in the previous slide.
So that’s an anatomy of a recent customer win between the Zscaler and Viptela, and of course it’s just one example. We have many more examples which are kind of similar to that as far as the customer requirements are concerned and the solution offered. It’s a very flexible solution on both the Zscaler and the Viptela side and that’s what customers really love about that, is the ability to deliver it the way that it fits the organizational needs; it’s not just one specific way that it can be delivered and that has to be uniform across everybody. There are customers that have sort of unique requirements as far as how the traffic forwarding between the Viptela and Zscaler has to occur and the flexibility of the two products is really what allows that to happen. So Sri, any –
Sri: Yeah; I think that the best way to get started is to go to a security preview that we have. This is just a tool where we actually have some potential malware type things that will not infect your machine but it’s just a great way for you to check if your infrastructure, current infrastructure is able to test them or not, so it’s a great way to start your journey towards making your cloud access more secure.
David: Right; awesome, yes, and thank you for that. As we mentioned, there is a whole lot of interesting content that we put together for the – that was put together by our customers and partners for the Future WAN Summit event, so you’re more than welcome – just go and read up and view the content.
Sri: And thank you, everyone.
David: Sure; go ahead, sorry.
Sri: Sorry; no, I was just saying thank you to everyone. I think we have just a few minutes left and there are a few questions out there, so if you want to get to the questions maybe quickly?
David: Sure. Sri; any particular question you want to take first?
Sri: Yes; so I see a question over here which says we repeatedly hear Office 365 recommends quickest access to the internet with no web secure gateway in the past. What is the true story and will this be common by other SaaS apps? So yes, it is true that Office 365 does not want anyone proxying your traffic and breaking those TCP connections and we do not do that.
We do some TCP optimizations. You actually end up getting about – we’ve measured with our customers who are using Office 365 through us – that they actually get 40 percent better latency on those connections. We also have a one‑button turn on, so all of the IP addresses and everything that you need to configure it in order to configure access to Office 365 is all automated for you.
We have a very deep partnership with Microsoft and our understanding is that they’re evolving in this space and they don’t want to have people proxying things because things can change, and when they change then it breaks up and that becomes a support issue for them.
So we actually do not proxy the Office 365 connections that you have and a lot of times the email protection is something that people have other ways that they’re doing right now. And we do protect – so on an email, when you get a link which is a phishing link or something and you click on it, that goes to our proxy, so that is the way that we protect your email and your ability to not get [unintelligible 00:43:45] and other issues on your computers.
How does a joint Zscaler/Viptela solution handle guest Wi-Fi use is the other question? We actually have customers who are taking all of their guest Wi-Fi traffic, which typically is all going to the cloud, and streaming it to either our [DIA] solution which is our full proxy and they get the full proxy effect for it, or to our [shift] solution which is a DNS proxy type of solution where what we do is we actually scan – all the DNS requests that are coming out and we’ll block any domains [unintelligible 00:44:26] or however they have been configured by the customer.
And then in certain domains if we find that there are some URLs that are actually malicious but some are not, then we will resolve that domain to our proxy server, so you actually get limited proxying for just those domains and that’s the way that a lot of customers are configuring Zscaler, Viptela for the guest Wi-Fi. David, is there anything from the Viptela side that you want to add to that?
David: Yeah; so I concur with everything you said. I would just add on the Viptela side itself you really described sort of two solutions. One of them, what we do on our side is we’re able to segment the guest users into their own virtual private network, into their own VPN, into their own segment and make sure that the traffic from those guest users is really not mixing with any other traffic.
Now that segmentation is not just done on one individual site, but that’s something – that’s a policy that gets applied and it takes it up in your entire network. So should you decide that you want a segmented guest Wi-Fi traffic on your entire wide area network you can just carve a separate virtual private network on the Viptela infrastructure, map your users into that segment and then out of that segment is really where the Zscaler security comes in, so that the traffic that gets out of the segment can only be – basically can only go to Zscaler and be inspected by the Zscaler security. So it’s really sort of a combination of being able to segment the traffic on the branch offices and an ability for Zscaler to then enforce its security policy for that traffic.
Sri: Sorry; go ahead.
David: I think I was trying to be cognizant of time. I think we only have two minutes left on this webinar so I think it makes sense to me to wrap up this time. There are quite a few questions we didn’t get to and so we are collecting all the questions. We have collected them and we will get back to you individually to respond to your questions, and of course, feel free to reach out to us, either Zscaler or Viptela, and we’ll make sure to discuss any topics of interest.
Sri: Thank you, David. It was a pleasure.
David: Thank you very much, Sri; it was a pleasure and good day to everybody.