Every year, educators gather at the Bringing IT Together conference to learn what’s going in the tech… and every year we are an event sponsor because education is near and dear to our hearts… which may be why 28 school boards choose to work with Cloud Managed Networks.
We are among a select group of companies with which ZScaler has chosen to partner. We’re also the first to start implementing a Zscaler solution with an Ontario school board.
For these reasons, we invited Zscaler to share the stage with us this year because their offering fully addresses the Ministry of Education RA 3.0 requirements, including security compliance and pricing.
Karl St. Pierre a Zscaler engineer talked about Architecture 3.0, how the Zscaler solution not only takes care of cloud-related security, but also addresses other concerns such as the overall digital experience, student and network safety, and more.
Karl St-Pierre has a wealth of experience architecting solutions across multiple market segments including K-12, Higher Ed, Healthcare, Mid Market and Government, with specializations in SASE based architecture, Zero Trust adoption, workload segmentation, cloud-based networking, building next generation Campus/SD-WAN/Branch architectures, and secure segmentation.
If you’d like to hear Karl’s actual talk, so you can see him build the diagrams that go with the discussion, then please watch this video – that way you will also be able to hear from Vicky Bagwalla, one of our founders and Managing Partners.
Notes from Karl’s talk
About Zscaler
- Zscaler is the leader, well ahead of all competitors, in Gartner’s Magic Quadrant for secure web gateways – for the 10th year in a row.
- High-performance (+120 B secure transactions daily, which is equivalent to 10X the number of daily searches on Google), local access, distributed cloud.
- SASE Approach → direct Internet access without backhauling + all inspection being done at the cloud edge, which permits in line traffic inspection. Seamlessly, simply.
- Based on Zero Trust: Securely connecting users, devices and applications, using clients’ business policies, over any network, as everything uses the Internet for transport.
- Very secure approach based on identity: Your applications are micro-segmented, and specific users are granted specific permissions to specific applications, without exposing your applications to the Internet.
What school boards typically experience today
-
-
- Today, it’s typical for school boards to protect their perimeters with physical appliance firewalls, protecting access from the Internet to the intranet, some with their own internal firewalls, too. There may also be some URL filtering, Gateway capabilities, IPS, SSL inspection etc. and supplemental products such as Sandbox, malware filters, etc. in place.
- Connections may be made through a combination of MPLS lines and SD-WAN – and you are deciding which traffic is being sent directly to the Internet, which is being backhauled to the Board Office, etc.
- Traffic is often VPNed from individual schools, back to the Board Office, so it can be inspected before going out to SaaS applications, or applications such as O365 that are sitting on the Internet, potentially in Azure or AWS, which means the physical firewalls are now being spun up into the cloud. To enable everything to connect, VPN tunnels are being created throughout your system configuration. For remote users, split tunneling might also be used so that people can connect directly to the Internet for some purposes. In many cases, the visibility IT managers counted on previously no longer exists – and the same can be said about Security.
- On premises: Whether it’s VLAN-based, or VRF, everything is network-centric with some degree of segmentation for applications – and lateral movement needs to be prevented, of course.
- With the way things have evolved, it’s hard for IT managers to have good visibility across the network, so they can monitor things to ensure that users are having a good network experience. Right now, taps, probes and other physical components that live on the network are used to identify and measure packet drops, throughput across links, latency, etc.
- Currently, if you have 25 schools in your board, you likely have 25 different points of management (or more), each with potentially different access policies. This also makes SSL inspection very difficult – and if you allow SSL decryption at scale on your main firewall, throughput can drop by as much as 80% or more.
- Zscaler lives on the Internet and its cloud is distributed worldwide; users connect to the closest geolocation.
- Every single data packet that traverses its cloud is inspected, which is very different from a traditional on-premises firewall, which does not function as a proxy.
- When data enters the Zscaler cloud, it is assessed by multiple inspection engines simultaneously so as not to introduce latency. With this approach latency is measured and experienced in microseconds. If on prem firewalls were used for this degree of inspection, through service chaining, you’d be introducing far more latency that happens with the Zscaler cloud.
- With Zscaler, there is visibility on all traffic – and all traffic is inspected.
- Everything is delivered through the cloud as a service, so there is no need to scale up at the local level to handle increased traffic, SSL inspections, etc. With Zscaler, things are scaled up and down automatically depending on requirements, because it is a service.
- All traffic destined for the Internet can simply be pointed at the Zscaler cloud, which has full Layer 7 firewall protection and data packet inspection, so you have full security with centralized policies, for each and every user.
- The IT manager has full visibility without having to delve into individual firewalls or do upgrades, because it’s all part of the SaaS service.
- The client connector enables SSL decryption to be performed very easily, at scale, without extra performance being required because it’s all within the cloud. When the agent is pushed, the Zscaler root certificate, or the school board’s root certificate is pushed.
- 95% of traffic on the Internet today is encrypted with SSL, so if you are not doing SSL decryption, then you are open to any and all potential threat vectors and other vulnerabilities. You are still vulnerable even if you’re only going to Microsoft sites, because Microsoft, like everyone else, has its own set of vulnerabilities.
- By defining policies, school boards can also decide if there is certain content they don’t want students and/or faculty and/or staff having access to – this can/would be stopped at the cloud level.
- Email traffic that talks about self-harm, bullying or other topics would not be stopped, but could be sent to an auditor for follow-up.
- Traffic from school servers, IOT devices, etc. can be intercepted through an IP stack or GRE tunnel, leveraging whatever device is currently in the school, so there’s no need to rip and replace hardware. You may, however, be able to downgrade some of your licenses from Fortinet, Cisco Meraki, Palo Alto, etc. and, instead, capture the traffic transparently through a tunnel that sends it to Zscaler for inspection.
- Zscaler becomes your core platform (“next hop destination”) from a network perspective – though there’s no longer a real network concept at play because each of the “users” (people, schools, etc.) is secured individually, with individualized access policies.
- No individual user ever connects directly to a VPN or any part of your “network”, but goes through the Zscaler cloud to connect to an application. If the user changes application, authentication happens once again before they can switch to the new application. This means the network can’t be extended to the remote user, limiting the potential for a bad actor to do network reconnaissance . Excess is always based on the identity in the identity provider and the policies that are defined in ZScaler, which can be mapped into ID groups, etc.
In the same vein, none of your applications is exposed directly to the Internet, instead being stitched together through tunnels and client connectors. This makes your data centre completely dark to the Internet. The result is that the “Internet” has no visibility into your actual users and applications, greatly improving security and reducing vulnerabilities.
- As applications get moved from on premises to the cloud, it takes less than 10 minutes for a new connector to be deployed, so a tunnel can be created from the application to the Zscaler cloud, and all the tunnels get stitched together. This process gets used for all SaaS and private applications.
- This transforms how users access their applications and the network. In terms of monitoring the experience, there is functionality built into the client connector that automatically collects data from the endpoint, looking at CPU usage, memory, disk space, processes. Wi-Fi signals, ISP egress performance, connectivity in all its iterations, etc. eliminating the need for the taps and probes that are currently in place in many instances.
- As clients move to cloud-based services and SASE-based architectures, a very different set of monitoring and troubleshooting tools are required. This approach enables you to understand an individual user’s experience, so if he or she calls the Help Desk, it’s very easy to narrow down where the problem lies.
What it could look like with Zscaler
As you can see, introducing Zscaler is a paradigm shift – but one whose time has come.
Why Work With Us?
As mentioned, we are the first to start implementing a Zscaler solution with an Ontario school board. As you know, we work with 28 school boards, so are familiar with the needs to be addressed, and challenges you face.
We have teams in place to ensure everything is installed and deployed correctly… and can provide you with some very attractive financial benefits, too.
If you like to learn more and/or arrange a meet with a Zscaler engineer to discuss RA 3.0, and how its cloud-based, Zero Trust solution meets all Ministry requirements, including price, please reach out to us at [email protected] or (416) 429-0796 or 1.877.238.9944 (Toll Free).
-
