palo-alto-networks-sase-overview-deck.pptx

Editor's Notes

• #2: Gartner published research that described how all of these technologies would begin to converge into what’s known as a Secure Access Service Edge (or SASE, pronounced “sassy”). Their thesis is that “Digital business and edge computing have inverted access requirements, with more users, devices, applications, services and data located outside of an enterprise than inside”. SASE addresses the digital transformation that is underway at organizations and shows us that a cloud delivered security platform is needed to address this shift.
• #3: The journey to the cloud presents two fundamental security challenges for organizations - how to enable users to access the public/hybrid cloud securely, and how to secure applications in the cloud. Prisma solves both problems by providing the most comprehensive visibility and security in the industry, protecting users, applications, and data, in all clouds (SaaS, Private, Hybrid Cloud and Public Cloud) regardless of where they are. Digital transformation is accelerating - driven by response to COVID 87% of all enterprises now make use of hybrid cloud (Flexera, 2020) Cloud provides greater business flexibility and agility This has led to apps and data going everywhere - SaaS, Public Cloud, on-prem. The world is hybrid. 87% of enterprises adopting hybrid cloud However, our latest analysis of more than 500 enterprise customers on Prisma Access shows that 53% all remote workforce threats are for non-web apps (non HTTP or HTTPS protocols). Work from anywhere - The future of work is remote 76% of global workers want to continue working from home (2020 Global Workplace Analytics Study) 48% of employees will work remotely at least some of the time in the post-pandemic world, compared to 30% before (2020 Gartner)
• #4: Organizations have been forced to adopt an array of point products to handle different network and security requirements, such as secure web gateways, application firewalls, secure VPN remote access, SD-WAN, etc. For every product, there’s a policy and interface to manage, as well as its own set of logs. This is creating an administrative burden that introduces cost, complexity and gaps in security posture.
• #5: Existing network approaches and technologies simply no longer provide the levels of security and access control digital organizations need. These organizations demand immediate, uninterrupted access for their users, no matter where they are located. With an increase in remote users and software-as-a-service (SaaS) applications, data moving from the data center to cloud services, and more traffic going to public cloud services and branch offices than back to the data center, the need for a new approach for network security has risen. Inconsistent Security: Users connecting from unsecured or unmanaged devices are granted the same access as users physically at HQ Implementing uniform policies across different vendors and products is extremely difficult and most organizations don’t do it Poor User Experience: Remote users experience latency when connecting to resources via VPN Backhauling of traffic to a central HQ for firewall and network security inspection causes additional connectivity issues Management Complexity: MPLS and site to site VPN management is difficult to manage and configure Scaling operations with hardware firewall, router, and switch deployments is time consuming Most vendor solutions lack required breadth and depth of functionality with integration across all components, a single management plane, and unified data model and data lake.
• #6: Secure access service edge, or SASE (pronounced “sassy”), is an emerging cybersecurity concept that Gartner described in the August 2019 report The Future of Network Security in the Cloud. SASE is the convergence of wide area networking, or WAN, and network security services like CASB, FWaaS and Zero Trust, into a single, cloud-delivered service model. According to Gartner, “SASE capabilities are delivered as a service based upon the identity of the entity, real-time context, enterprise security/compliance policies and continuous assessment of risk/trust throughout the sessions. Identities of entities can be associated with people, groups of people (branch offices), devices, applications, services, IoT systems or edge computing locations.” By removing multiple point products and adopting a single cloud-delivered SASE solution, organizations can reduce complexity while saving significant technical, human, and financial resources.
• #7: Three fundamental shifts are driving the need for network transformation in the enterprise - hybrid work, cloud and digital transformation, and branch transformation. Hybrid Workforce has become the new normal and a requirement for many organizations due to the pandemic. Research indicates that organizations expect 62% of their employees to work in a remote or hybrid manner even after COVID-19 mandates are lifted (ESG Research Report, 2021 SASE Trends Survey, July 2021). As a result, most organizations are planning to support a model where the majority of employees can work fluidly between corporate offices, branch offices, home offices, or on the road. Cloud and Digital initiatives are driving organizations to invest more in SaaS and other public cloud services. Cloud adoption enables companies to be more agile, efficient and flexible, indicative of why 92% of all enterprises are now adopting a multi-cloud strategy (Flexera, 2021). Branch Transformation is well underway, driven by new hybrid work and digital transformation initiatives. Organizations are fundamentally changing the branch -- leveraging them as collaboration hubs rather than primary places of work -- while retailers are transforming the way they engage in-store with customers. This trend is fueling the demand for WAN transformation from legacy MPLS to SD-WAN and SASE. According to Gartner, by 2024 more than 60% of software-defined, wide-area network (SD-WAN) customers will have implemented a secure access service edge (SASE) architecture, compared with about 35% in 2020.
• #8: SASE offerings will provide policy-based, software defined secure access from a network fabric in which enterprise security professionals can precisely specify the level of performance, reliability, security, and cost of every network session based on identity and context. SASE securely enables the dynamic access requirements of digital transformation, providing secure access capabilities to a variety of distributed users, locations and cloud-based services. Enterprise demand for cloud-based SASE capabilities, and market competition and consolidation, will redefine enterprise network and network security architectures and reshape the competitive landscape.
• #9: Mobile Users - The #1 strategic priority for CIOs, post-COVID - …a typical employer can save about $11,000/year for every person who works remotely half of the time. Securing mobile users with traditional types of network security can be a challenge, especially when users work in areas where you don’t have IT staff or it’s cost-prohibitive to have IT staff in many locations. With the number of applications and workloads moving to the cloud, they need secure access to cloud applications and the Internet as well. Using cloud applications over remote-access VPN can hurt the user experience, and as a result, end users tend to avoid using remote-access VPN whenever possible. Branch & SD-WAN - SASE provides Significant cost-savings and ROI, enabling digital transformation Cloud adoption is affecting branch and retail networking strategies. With the growing number of applications in the cloud, it doesn’t make sense to carry all of an enterprise network’s traffic back to headquarters over expensive multiprotocol label switching (MPLS) connections. As a result, many organizations are adopting new strategies to redesign their wide area networks (WANs) to enable branch offices and retail stores to go directly to the cloud. With the drive to reduce the IT footprint at the branch in order to cut operational costs and reduce complexity, organizations are also looking for ways to reduce the amount of hardware that needs to be physically installed and managed at each location.
• #10: Best-in-class security meets best-in-class SD-WAN, delivered from the cloud, with these suite of products Our PA-series Next-Generation Firewall hardware appliances are designed for simplicity, automation, and integration. As you are moving to the cloud, we believe a Secure Access Service Edge (SASE) is the right approach. Prisma Access + Prisma SD-WAN is our (SASE) solution for branch offices, retail locations and mobile users. With the addition of Prisma SD-WAN, customers can leverage machine learning and automation to simplify management, enable app-defined SD-WAN policies and implement a secure, cloud-delivered branch. Panorama gives you a single place to manage all of your Palo Alto Networks Next-Generation Firewalls.
• #11: Prisma Access delivers the security and Prisma SD-WAN the networking that organizations need in a Secure Access Service Edge architecture designed for all traffic, all applications, and all users. Rather than creating single purpose technology overlays that are normally associated with point products, our SASE solution uses a common cloud-based infrastructure that delivers multiple types of security services, including advanced threat prevention, web filtering, sandboxing, DNS security, credential theft prevention, DLP and next-generation firewall policies based on user-to-application, and host information profile. The combination is the most comprehensive SASE solution in the industry. Our SASE solution provides: Protection for All App Traffic: Access to all apps and secures against all threats, not just web-based apps and threats, reducing the risk of a data breach. Complete, Best-in-class Security: Industry-leading capabilities converged into a single cloud-delivered platform, providing more security coverage than any other solution. Exceptional User Experience: Massively scalable network with ultra-low latency, backed by industry-leading SLAs, ensuring the best digital experience possible for end-users.
• #12: A cloud-native architecture designed on the biggest backbones and across a multi-cloud manner ensures a high availability We take advantage of the highest performing, most available public cloud providers such as Google and AWS - and we have a private instance across their private back bones, with access to their private fiber and load balanced across their global backbones to deliver very high performance everywhere. What this allows our customers is to do is globally have their users, their branch offices, their applications, data centers, cloud locations, SaaS applications all come together on the back of this extremely powerful solution.
• #13: Data plane isolation ensures a truly enterprise-grade multi-tenant environment without commingling data or having “noisy neighbors” impacting performance We’ve built our solution with enterprise-class multi-tenancy. What this means for you is we isolate every tenants’ and every customers data plane. This provides a more secure cloud environment and prevents other customers from affecting your performance or your data. Of course you’d expect this from any cloud security solution, however in the industry, many leading solutions have shared or commingled data planes. This creates a situation where a “noisy neighbor” that generates a bunch of traffic can adversely impact the performance of all shared customers on that data plane. Likewise, any potential security impact also will adversely impact all customers who are sharing that data plane. A The better approach that ensures the highest performance is an enterprise-class multitenant environment that provides true data plane isolation / dedicated data plane per each customer.
• #14: native and pervasive visibility with ADEM that leverages all the deep insights to choreograph itself to deliver truly exceptional user experiences That’s where ADEM comes in. All the visibility that is required is being captured and analyzed so if there is a challenge, IT can identify it instantly and, more importantly remediate the situation. When you take all these three things into account, you can clearly see how Prisma Access is purpose-built and tailored to delivered the best user experiences: A cloud-native architecture designed on the biggest backbones and across a multi-cloud manner ensures a high availability Data plane isolation ensures a truly enterprise-grade multi-tenant environment without commingling data or having “noisy neighbors” impacting performance And native and pervasive visibility with ADEM that leverages all the deep insights to choreograph itself to deliver truly exceptional user experiences
• #15: Unified Product Simplify Network Management and Operations Integrated SD-WAN simplifies site to site connectivity and remote user configuration Single pane of glass for role based access control and policy creation through Panorama Reduces security risk with consistent best-in-class network security across your entire enterprise Granular, identity based access control to applications and services, regardless of location Delivers protection to all applications (public cloud, private cloud, SaaS, internet) and protocols Full single pass inspection and detection capabilities including malware, behavior based IDS, exploit detection, DNS security, and data-loss prevention Provides Best User Experience through ADEM Cloud native architecture supports infinite, on-demand scalability Global, high-performance network of over 100 points of presence in 76 countries Industry-leading latency SLAs of less than 10ms. And native and pervasive visibility with ADEM that leverages all the deep insights to choreograph itself to deliver truly exceptional user experiences
• #16: Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) Zscaler Internet Access is a secure web gateway built on a proxy architecture with add-ons like firewall and sandboxing to address security use cases. Low starting price for basic package, with expensive add-ons. Does not inspect all traffic. Requires separate Zscaler Private Access for access to public cloud/data center (as an offering in the Software Defined Perimeter market). Cisco AnyConnect and Umbrella Cisco AnyConnect is a traditional remote access VPN. Cisco pitches Umbrella for mobile user protection when the user disconnects from AnyConnect. Solution does not provide consistent security, and the multiple products are not integrated. Pulse Secure Remote access VPN spun off from Juniper. Does not provide comprehensive security. Company is moving to pivot away from remote access VPN to Software Defined Perimeter.
• #18: Most organizations utilize remote access VPN for off-prem users that need access to internal applications. When these remote users need access to temporarily connect to the VPN when they need to use an application, and then disconnect to get better performance to internet/cloud. Users lose performance when connected to the VPN, and security teams lose visibility and control when users disconnect.
• #20: The #1 strategic priority for CIOs, post-COVID - …a typical employer can save about $11,000/year for every person who works remotely half of the time. Big Revenue: Market to reach $15B by 2024 according to Gartner and 36% CAGR High Growth: Gartner expects that, “by 2024, at least 40% of enterprises will have explicit strategies to adopt SASE, up from less than 1% at year-end 2018.” A SASE architecture identifies users and devices, applies policy-based security, and delivers secure access to the appropriate application or data. This approach allows organizations to apply secure access no matter where their users, applications or devices are located.