- The MOE’s RA 3.0 and Zscaler
Every year, educators gather at the Bringing IT Together conference to learn what’s going on in tech… and every year we are an event sponsor because education is near and dear to our hearts… which may be why 28 school boards choose to work with Cloud Managed Networks.
We are among a select group of companies with which Zscaler has chosen to partner. We’re also the first to start implementing a Zscaler solution with an Ontario school board.
For these reasons, we invited Zscaler to share the stage with us this year because their offering fully addresses the Ministry of Education RA 3.0 requirements, including security compliance and pricing.
Karl St. Pierre, a Zscaler engineer, talked about Architecture 3.0 and how the Zscaler solution not only takes care of cloud-related security, but also addresses other concerns such as the overall digital experience, student and network safety, and more.
Karl St-Pierre has a wealth of experience architecting solutions across multiple market segments including K-12, Higher Ed, Healthcare, Mid Market and Government, with specializations in SASE based architecture, Zero Trust adoption, workload segmentation, cloud-based networking, building next generation Campus/SD-WAN/Branch architectures, and secure segmentation.
If you’d like to hear Karl’s actual talk, so you can see him build the diagrams that go with the discussion, then please watch this video – that way you will also be able to hear from Vicky Bagwalla, one of our founders and Managing Partners.
Notes from Karl’s talk
- Zscaler is the leader, well ahead of all competitors, in Gartner’s Magic Quadrant for secure web gateways – for the 10th year in a row.
- High-performance (+120 B secure transactions daily, which is equivalent to 10X the number of daily searches on Google), local access, distributed cloud.
- SASE Approach → direct Internet access without backhauling + all inspection being done at the cloud edge, which permits inline traffic inspection. Seamlessly, simply.
- Based on Zero Trust: Securely connecting users, devices and applications, using clients’ business policies, over any network, as everything uses the Internet for transport.
- Very secure approach based on identity: Your applications are micro-segmented, and specific users are granted specific permissions to specific applications, without exposing your applications to the Internet.
What school boards typically experience today
- Today, it’s typical for school boards to protect their perimeters with physical appliance firewalls, protecting access from the Internet to the intranet, some with their own internal firewalls, too. There may also be some URL filtering, Gateway capabilities, IPS, SSL inspection etc. and supplemental products such as Sandbox, malware filters, etc. in place.
- Connections may be made through a combination of MPLS lines and SD-WAN – and you are deciding which traffic is being sent directly to the Internet, which is being backhauled to the Board Office, etc.
- Traffic is often VPNed from individual schools, back to the Board Office, so it can be inspected before going out to SaaS applications, or applications such as O365 that are sitting on the Internet, potentially in Azure or AWS, which means the physical firewalls are now being spun up into the cloud. To enable everything to connect, VPN tunnels are being created throughout your system configuration. For remote users, split tunneling might also be used so that people can connect directly to the Internet for some purposes. In many cases, the visibility IT managers counted on previously no longer exists – and the same can be said about Security.
- On premises: Whether it’s VLAN-based, or VRF, everything is network-centric with some degree of segmentation for applications – and lateral movement needs to be prevented, of course.
- With the way things have evolved, it’s hard for IT managers to have good visibility across the network, so they can monitor things to ensure that users are having a good network experience. Right now, taps, probes and other physical components that live on the network are used to identify and measure packet drops, throughput across links, latency, etc.
- Currently, if you have 25 schools in your board, you likely have 25 different points of management (or more), each with potentially different access policies. This also makes SSL inspection very difficult – and if you allow SSL decryption at scale on your main firewall, throughput can drop by as much as 80% or more.
- Zscaler lives on the Internet and its cloud is distributed worldwide; users connect to the closest geolocation.
- Every single data packet that traverses its cloud is inspected, which is very different from a traditional on-premises firewall, which does not function as a proxy.
- When data enters the Zscaler cloud, it is assessed by multiple inspection engines simultaneously so as not to introduce latency. With this approach latency is measured and experienced in microseconds. If on-prem firewalls were used for this degree of inspection, through service chaining, you’d be introducing far more latency than happens with the Zscaler cloud.
- With Zscaler, there is visibility on all traffic – and all traffic is inspected.
- Everything is delivered through the cloud as a service, so there is no need to scale up at the local level to handle increased traffic, SSL inspections, etc. With Zscaler, things are scaled up and down automatically depending on requirements, because it is a service.
- All traffic destined for the Internet can simply be pointed at the Zscaler cloud, which has full Layer 7 firewall protection and data packet inspection, so you have full security with centralized policies, for each and every user.
- The IT manager has full visibility without having to delve into individual firewalls or do upgrades, because it’s all part of the SaaS service.
- The client connector enables SSL decryption to be performed very easily, at scale, without extra performance being required because it’s all within the cloud. When the agent is pushed, the Zscaler root certificate or the school board’s root certificate is pushed.
- 95% of traffic on the Internet today is encrypted with SSL, so if you are not doing SSL decryption, then you are open to any and all potential threat vectors and other vulnerabilities. You are still vulnerable even if you’re only going to Microsoft sites, because Microsoft, like everyone else, has its own set of vulnerabilities.
- By defining policies, school boards can also decide if there is certain content they don’t want students and/or faculty and/or staff having access to – this can/would be stopped at the cloud level.
- Email traffic that talks about self-harm, bullying or other topics would not be stopped, but could be sent to an auditor for follow-up.
- Traffic from school servers, IoT devices, etc. can be intercepted through an IP stack or GRE tunnel, leveraging whatever device is currently in the school, so there’s no need to rip and replace hardware. You may, however, be able to downgrade some of your licenses from Fortinet, Cisco Meraki, Palo Alto, etc. and, instead, capture the traffic transparently through a tunnel that sends it to Zscaler for inspection.
- Zscaler becomes your core platform (“next hop destination”) from a network perspective – though there’s no longer a real network concept at play because each of the “users” (people, schools, etc.) is secured individually, with individualized access policies.
- No individual user ever connects directly to a VPN or any part of your “network”, but goes through the Zscaler cloud to connect to an application. If the user changes application, authentication happens once again before they can switch to the new application. This means the network can’t be extended to the remote user, limiting the potential for a bad actor to do network reconnaissance. Access is always based on the identity in the identity provider and the policies that are defined in Zscaler, which can be mapped into ID groups, etc.
- In the same vein, none of your applications is exposed directly to the Internet, instead being stitched together through tunnels and client connectors. This makes your data centre completely dark to the Internet. The result is that the “Internet” has no visibility into your actual users and applications, greatly improving security and reducing vulnerabilities.
- As applications get moved from on premises to the cloud, it takes less than 10 minutes for a new connector to be deployed, so a tunnel can be created from the application to the Zscaler cloud, and all the tunnels get stitched together. This process gets used for all SaaS and private applications.
- This transforms how users access their applications and the network. In terms of monitoring the experience, there is functionality built into the client connector that automatically collects data from the endpoint, looking at CPU usage, memory, disk space, processes, Wi-Fi signals, ISP egress performance, connectivity in all its iterations, etc., eliminating the need for the taps and probes that are currently in place in many instances.
- As clients move to cloud-based services and SASE-based architectures, a very different set of monitoring and troubleshooting tools is required. This approach enables you to understand an individual user’s experience, so if he or she calls the Help Desk, it’s very easy to narrow down where the problem lies.
What it could look like with Zscaler
As you can see, introducing Zscaler is a paradigm shift – but one whose time has come.
Why Work With Us?
As mentioned, we are the first to start implementing a Zscaler solution with an Ontario school board. As you know, we work with 28 school boards, so are familiar with the needs to be addressed, and challenges you face.
We have teams in place to ensure everything is installed and deployed correctly… and can provide you with some very attractive financial benefits, too.
If you’d like to learn more and/or arrange a meeting with a Zscaler engineer to discuss RA 3.0, and how its cloud-based, Zero Trust solution meets all Ministry requirements, including price, please reach out to us at [email protected] or (416) 429-0796 or 1.877.238.9944 (Toll Free).