Transcript
My name is Nicole Lippert. I'm a security strategist at AWS. And I'm Niels Ullmann. I'm principal product specialist at Zscaler. Since 2022, Zscaler and AWS have been combining zero-trust policies and implications with cloud innovation. What that means, what it entails, and how we can help you accelerate your cloud journey is what you're going to see in the video today.

Thank you, Nicole. Today, we'd like to talk about the Zero Trust Gateway. Before we talk about the Zero Trust Gateway, I'd really like to quickly talk about the entire Zscaler platform and the things you may or may not already know. So we started off with connecting your users and their devices to the Zero Trust Exchange. These are things that you most likely have done already. Most recently, we also added the capability of connecting your branches, your offices, or your IoT devices through the zero-trust branch device to the Zero Trust Exchange, to be able to connect to your applications. Another innovation that we have recently released is connecting your AI infrastructure to the Zero Trust Exchange. And right here, I'd like to introduce you to the capabilities that we have developed together with AWS in order to connect your workloads in a secure fashion to the Zero Trust Exchange, and from there, obviously, to the internet, to your SaaS applications, or to your private applications.

But before we really look into the Zero Trust Gateway, let's quickly reiterate what the Zero Trust Exchange can do for your workloads. The Zscaler Zero Trust Exchange is a full proxy architecture. That means that for all your workloads in AWS, when their traffic is forwarded to the Zero Trust Exchange, the first thing that happens in the full proxy architecture is that the connection is terminated. With this, we ensure that we have full capabilities to inspect the entire traffic. But what we really start with is that we verify, or can verify, the identity of your workloads. So it's not just important for your users to be correctly identified; it's even more important for your workloads, for your servers, for your really important applications. Now that we have the identity of the workload, we want to control the risk of this workload. So all the capabilities that we have put in place to figure out the risk exposure are now in place. And ultimately, we go into policy enforcement. All the types of policies that we can enforce, you see here on the right side. It starts with DNS control, all the way down to sandbox control policies. Most importantly, firewall policies, URL policies, intrusion prevention policies, all that can be set within the stack, in combination with the risk and the identity that is applied to this workload. If everything is right, we again initiate the connection from the Zero Trust Exchange out to the internet, to your private applications or SaaS services you are consuming from within your servers.

Now that we have reiterated the capabilities of the Zero Trust Exchange and what it can do for your workloads, let's have a look at a typical AWS deployment and the involved building blocks and capabilities. Very often, most customers like you build a so-called transit gateway architecture. Transit gateway architecture means that you are using the AWS transit gateway to connect all the different building blocks with each other through routing. Very often, and as you can see here, it starts with a north-south security VPC. So in this north-south security VPC, we are bundling all the functions and capabilities that you want to apply to the traffic from your workloads out to the internet. The next building block is typically the east-west traffic block. So here we have the firewall capabilities or other capabilities that you bundle in this block to have inspection and security provided for your workload-to-workload traffic. So for example, when a workload in here needs to talk to a workload over here. And how that typically works in such an environment, in order to inject all those different functionalities: when this workload wants to connect to this application, we go out to the transit gateway, back into the east-west VPC, back into the transit gateway again, and finally to your application. As you can imagine, and as you see, this is a super complex setup. So this is basically the number one challenge with this kind of setup. You need a lot of Terraform code, or whatever you're using for deploying your workloads. It's not easy. And the most obvious one is routing. You need lots of routing tables; you need to understand how all that comes together and how to maintain that in the workflow. Ultimately, especially when one of those workloads wants to connect to the internet, it's also very often an identity problem. So how can I identify the workload and apply the right policies for those workloads? To make this even more complex, this is only one application in one VPC in one region. But as you look into your enterprise catalog, you will figure out you have lots of applications in many regions. And so the overall maintenance and operations effort for this solution is super high.

This brings us right to Zscaler's latest innovation, the Zero Trust Gateway. So the Zero Trust Gateway is basically the cloud connector provided as a service to you. This was the number one ask from our customers, from you to us. You don't want to run the cloud connector on your own, but rather consume it as a service. So the cloud connector is running, the Zero Trust Gateway is running, in our accounts. And we are running it for you. You don't need to worry about deployment, because this is happening automatically. You don't need to worry about logging, because we are taking care of the logs, and we are also monitoring the solution. And obviously, the entire solution is built to scale, so that at no point do you need to worry about the scalability or the availability of this service. With all this achieved, the cloud connector will automatically connect to the closest and best Zero Trust Exchange near your infrastructure.

How easy is this really? We have recorded a quick video for you, showing you how to deploy the Zero Trust Gateway in your region of choice. We are here in the experience center, the home of all Zscaler configurations, and within the connector section, you see a new menu item called Zero Trust Gateway. We already have a gateway deployed in Frankfurt. Now we are adding a new gateway in the London region. All the information you really need is a name that you want to give to the gateway, and the availability zones in which you'd like to provide the service. On the next screen, all we need to define is who can use that gateway. Is it only you? Is it only one account? Is it all of the corporate accounts? It's up to you.

Now with the gateway being deployed, we can focus on how we connect our applications to the actual Zero Trust Gateway. And to do so, let's look at what we have done. So we now have the Zero Trust Gateway deployed in a given region. As a result, we have a service name for this gateway load balancer service. For each of your applications that you'd like to connect through the Zero Trust Gateway to the internet or other applications, you can connect by simply deploying a gateway load balancer endpoint and connecting it to the service name of the gateway load balancer that we created as part of the Zero Trust Gateway. Again, this is a really easy process. Everyone who has worked with AWS knows very well how that works. But to show you, we have recorded another video that we would like to show you.

Now we are in the AWS console. As I said, I already created a VPC called null-ztg-demo-pool. And we need the subnets that are available within this VPC. In this VPC, we are going to create an endpoint service that will be linked to the service name that we provided or created as part of the Zero Trust Gateway. You can look that up in the Zero Trust Gateway console, copy it, and enter it into the AWS management console. Now, with the endpoint service being verified, we can decide into which subnets and VPC we'd like to deploy the gateway load balancer endpoint service. And we are done on the AWS side. So we can move back to our Zero Trust Exchange, to our high-level overview, and repeat that process multiple times. So it really doesn't matter how many of your applications you are connecting to the Zero Trust Gateway. The process is always the same: take a gateway load balancer endpoint and connect it with the service that we have provided for you. The usual scalability of that is, as I said earlier, really good. So don't worry about it. Typically, you deploy one Zero Trust Gateway per region. And then you can connect all your applications, no matter if dev or ops or production, right to the same gateway.

And now, let's go back to where we started. I hope I could show you how easy it is to connect your workloads in AWS through the Zero Trust Gateway with our exchange, and following this, with your applications, with your SaaS services, or just with the internet. So really, you can onboard your workloads at the speed you need and in the dimension and scale you need for your business. Thank you very much. If you have any further questions, please reach out to our sales team or look at our website. And I hope to see you soon on this channel.
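As an added example (not code from Zscaler, AWS, or the presenters), here is the AWS-side step the video walks through in the console, written as Terraform: one Gateway Load Balancer endpoint per Availability Zone bound to the Zero Trust Gateway's service name, plus a default route that steers each workload subnet at the endpoint in its own zone. Every value in the variable blocks (VPC id, subnet and route table ids, and the service name default) is a placeholder; the real service name is copied from the Zero Trust Gateway console as the video shows. Steering traffic with a route table entry that points at a Gateway Load Balancer endpoint, and placing one endpoint per zone, is standard AWS usage assumed here, not something the video states about Zscaler's requirements.

```terraform
# Added example, not Zscaler's or AWS's own code. Connects one workload VPC to an
# already deployed Zero Trust Gateway by creating a Gateway Load Balancer (GWLB)
# endpoint against the gateway's service name and routing workload traffic to it.
# All variable values below are placeholders (assumptions).

variable "ztg_service_name" {
  description = "Service name of the Zero Trust Gateway's GWLB service, copied from the Zscaler console"
  type        = string
  # Placeholder showing the shape of an AWS endpoint service name; replace with the real value.
  default     = "com.amazonaws.vpce.eu-west-2.vpce-svc-PLACEHOLDER"
}

variable "vpc_id" {
  description = "Hypothetical workload VPC (e.g. the demo VPC from the video)"
  type        = string
}

# AWS GWLB endpoints are zonal, so one endpoint is created per Availability Zone
# the gateway serves. Keys are AZ names, values are the endpoint subnet in that AZ.
variable "endpoint_subnet_ids" {
  type    = map(string)
  default = {
    "eu-west-2a" = "subnet-PLACEHOLDER-A"
    "eu-west-2b" = "subnet-PLACEHOLDER-B"
  }
}

# Route table of the workload subnets in each AZ, keyed the same way.
variable "workload_route_table_ids" {
  type    = map(string)
  default = {
    "eu-west-2a" = "rtb-PLACEHOLDER-A"
    "eu-west-2b" = "rtb-PLACEHOLDER-B"
  }
}

resource "aws_vpc_endpoint" "ztg" {
  for_each          = var.endpoint_subnet_ids
  vpc_id            = var.vpc_id
  service_name      = var.ztg_service_name
  vpc_endpoint_type = "GatewayLoadBalancer"
  subnet_ids        = [each.value]

  tags = {
    Name = "ztg-gwlb-endpoint-${each.key}"
  }
}

# Send each workload subnet's outbound traffic to the endpoint in the same AZ, so
# the Zero Trust Exchange terminates and inspects every flow before it leaves.
# Keeping the route zonal avoids cross-AZ hairpinning if one zone's endpoint is lost.
resource "aws_route" "default_via_ztg" {
  for_each               = var.workload_route_table_ids
  route_table_id         = each.value
  destination_cidr_block = "0.0.0.0/0"
  vpc_endpoint_id        = aws_vpc_endpoint.ztg[each.key].id
}

output "ztg_endpoint_ids" {
  description = "GWLB endpoint id per AZ, useful when repeating this for further VPCs"
  value       = { for az, ep in aws_vpc_endpoint.ztg : az => ep.id }
}
```

Repeating the module with a different `vpc_id` and subnet map is the "repeat that process multiple times" the video describes; the service name stays the same for every VPC in the region. Before applying, confirm in the Zero Trust Gateway console that the account deploying the endpoint is among the accounts allowed to use the gateway, otherwise the endpoint connection will not be accepted.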