The addition of sandboxing capabilities has provided a new layer of protection for a cloud-based security environment that has helped industrial giant CSR enforce content-security policies across thousands of endpoints while managing limited bandwidth to over 200 sites across Australia and New Zealand.
That security environment – built on Zscaler’s cloud-based content filtering and security capabilities – had been implemented several years ago as it became increasingly clear to IT staff that conventional perimeter-based defence tools were being outflanked by new malicious attacks targeted at a range of endpoints.
“The existing toolset wasn’t adequate to prevent incidents of malware on our endpoints,” security and architecture manager Dave Edge told CSO Australia. “This had led to an inability to apply policies consistently on a variety of devices, and to keep pace with the sorts of threats that we were seeing.”
Another key driver for the company’s security practice was the enforcement of filtering policies around access to social media and other sites, which Edge said used to be managed using an “old school, fairly Draconian approach” that involved blacklisting and limiting access to non-business sites to a certain number of minutes per day.
These policies had eased somewhat as the call for digital transformation took root within the company, but CSR’s interoffice network – which spans some 200 branch locations linked by often-congested 2Mbps WAN links – presented a very real need to limit the volume of traffic.
“We want to restrict non-work use of the Internet as far as possible,” Edge said, noting that access policies might ban streaming media in the offices but allow it when employees were at home using their own Internet connections.
Yet the proliferation of tablet devices had added complexity to the effort: “It is quite a challenge to enforce that consistently across every device type,” Edge explained, “and we had basically decided to abandon efforts to try to police traffic on all devices.”
As the company looked towards embracing cloud-based productivity tools like Microsoft Office 365 and OneDrive, it became clear that a cloud-based security solution would be a good platform for consolidating its security environment.
CSR surveyed the market and opted to embrace cloud-based security from ZScaler, which offered a raft of monitoring, authentication and filtering capabilities. “What you want from an Internet filtering service is the ability to intercept traffic and provide as much by way of security assurance as you can,” Edge said, noting that application identification was also a “core component” of what he ultimately wanted to be a “set and forget policy”.
Rather than designing the policies around the idiosyncrasies of each device, centralising enforcement has been simplified by leveraging the Zscaler App tool, which allows the creation of consistent policies that are enforced regardless of device.
Policies are only one part of the security mix, however: appropriately managing the network also required good visibility into, and management of, the many types of application traffic on the network: “You’ve got all this internet traffic that you want to be able to identify,” Edge said, “and to apply policies to it appropriately; if you don’t want to use Slack, for example, you’ve got to be able to identify it first.”
As had been hoped, embracing the cloud-based security architecture has seen a dramatic improvement in the company’s security posture. There has been a “measurable decrease in the number of malware incidents that we see on managed devices as a result of sending this traffic through a platform which is much more capable,” Edge explained.
Zscaler’s sandboxing capability, which provides a robust method for isolating threats, was also playing an “absolutely fundamental” role in CSR’s malware defence. “We could choose to have done that elsewhere,” Edge said, “but we prefer to have a single place to do that.”
The architecture of the Zscaler solution had also proved well suited for CSR’s widely distributed business, he added, since its design as “a true cloud service” – instead of being just “another vendor that buys AWS IaaS and sticks a virtual instance up there” – had provided a high degree of scalability as well as amalgamation of highly granular logging information.
This architecture also supported CSR’s network of bandwidth-limited offices, which have benefited from an Internet-based architecture that lets them communicate directly with the centralised Zscaler service – avoiding potential latency and network congestion issues from an on-premises option.
Rapid growth in Zscaler’s Asia-Pacific business, supported by the introduction of data-centre capacity in Australia and other sites across the region, had given it a commanding market share, according to a recent Frost & Sullivan analysis that gave the company 35.7 percent market share based on 75 percent year-on-year growth rates. This reflected overall demand for cloud-based solutions, which is expected to outpace adoption of on-premises solutions by 17 percentage points.