
Securing and Protecting DevSecOps with Cloud-Enabled Technologies
Lisa Lorenzin, Director Transformation Strategy, Zscaler
lisa@zscaler.com

©2021 Zscaler, Inc. All rights reserved.


Is this the current state of your DevOps and security practices?


Leveraging the cloud for DevSecOps


Cloud-Enabled DevSecOps

Zero Trust Exchange platform, by layer (diagram labels: Workload, Connectivity, Platform):
• Workload: Deliver identity-based microsegmentation for app-to-app (Workload Segmentation)
• Connectivity: Secure server access to internet and private apps in multi-clouds (E/W Zero Trust Access)
• Connectivity: Achieve zero trust security by keeping applications off the network (N/S Zero Trust Access)
• Platform: Remediate cloud misconfigurations and compliance issues (CSPM)

• Use zero trust security to stop exposing applications to the network
• Leverage user identity instead of the network to segment and protect applications
• Apply continuous cloud security posture management to avoid misconfigurations
Simplify DevSecOps by keeping apps off the network

Two opposing approaches:

Legacy Network and Security Architectures (on-prem appliances; virtual appliances in public cloud; data center)
• You control and secure your network
• Castle-and-moat security creates a perimeter

Cloud-Delivered Zero Trust Architecture (Zero Trust Exchange connecting workforce, customers, IoT, OT, factory, and data center)
• Internet is the new network; it can’t be secured
• Securely connect users and apps using business policies
• Any-to-Any connectivity: User to Apps, App to App, M2M
• Any network, any location


Minimize exposure by keeping applications invisible

Phone-number analogy vs. application exposure:
• If you publish your phone number: good and bad guys can call you.
• If you publish apps on the internet (public cloud): apps are exposed and can be attacked by bad guys.
• Unpublished number, AI-powered exchange service: only good guys can call you.
• Unpublished apps, cloud as an exchange service (Zero Trust Exchange): no app exposure; only good guys can access apps, for others they are invisible.

Publishing apps on the internet using a traditional firewall increases your attack surface.
North-South Zero Trust Access makes your apps invisible and accessible only by authorized users.
Enhance security by connecting users to applications

Office-visitor analogy vs. user access:
• Unescorted office visitor: strangers snooping = security risk.
• Connect a user to a network (inbound VPN reaching SAP, file shares, HR): network scanning = security risk.
• Escorting visitors to a meeting room: no snooping by strangers = better security.
• Connecting a user to an app, not a network (Zero Trust Exchange): no scanning = better security.

Unlike traditional VPN/FW, North-South Zero Trust Access connects a user to an app, not a network – better security.
Simplifying security of the workload and platform

• Gain Visibility: Discover assets and configurations
• Harden Platforms: Remediate misconfigurations
• Protect Workloads: Verify software identity before communication
• Secure Connectivity: Secure access across multi-clouds and internet
• Continuously Validate: Enforce least-privilege in dynamic environments

Applied across IaaS / PaaS / SaaS and the data center, with connectivity and policies enforced through the Zero Trust Exchange.


Remediate cloud misconfigurations and compliance
Cloud Security Posture Management (CSPM) offers continuous security assurance and remediation

CSPM cycle, run through the Zero Trust Exchange:
1. Immediately discover assets and configurations
2. Identify non-compliant configurations
3. Prioritize based on risk of likelihood and impact
4. Auto-remediate misconfigurations
Continuous assurance: the cycle repeats continuously.
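The four CSPM steps above, worked as an added Python example (not Zscaler's code or part of the deck): a constructed inventory of a few cloud resources is taken as the output of discovery, checked against compliance rules, prioritized by likelihood x impact, auto-remediated, and then re-checked for assurance. Resource shapes, rule names, remediations and scores are assumptions made for the illustration.

```python
import copy
from dataclasses import dataclass
from typing import Callable
# Constructed inventory standing in for what step 1 ("discover assets and
# configurations") would pull from a cloud provider's API.
INVENTORY = [
    {"id": "sg-web", "type": "security_group", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-db", "type": "security_group", "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"}]},
    {"id": "bkt-logs", "type": "bucket", "public": True, "encrypted": False},
    {"id": "bkt-app", "type": "bucket", "public": False, "encrypted": True},
]
WEB_PORTS = {80, 443}  # assumed: the only ports an internet-facing app should expose to 0.0.0.0/0

def world_open_non_web(res):
    """Ingress rules reachable from the whole internet on a non-web port."""
    return [r for r in res.get("ingress", [])
            if r["cidr"] == "0.0.0.0/0" and r["port"] not in WEB_PORTS]

@dataclass(frozen=True)
class Rule:
    name: str
    applies: Callable[[dict], bool]    # True when the resource is non-compliant
    likelihood: int                    # 1 (rarely abused) .. 5 (found by any scanner)
    impact: int                        # 1 (minor) .. 5 (data breach / full compromise)
    remediate: Callable[[dict], None]  # mutates the resource into a compliant state

RULES = [  # assumed rule set and scores for the illustration
    Rule("world-open-non-web-port", lambda r: bool(world_open_non_web(r)), 5, 5,
         lambda r: r.update(ingress=[x for x in r["ingress"] if x not in world_open_non_web(r)])),
    Rule("public-bucket", lambda r: r["type"] == "bucket" and r["public"], 4, 4,
         lambda r: r.update(public=False)),
    Rule("unencrypted-bucket", lambda r: r["type"] == "bucket" and not r["encrypted"], 2, 3,
         lambda r: r.update(encrypted=True)),
]

def identify(inventory):
    """Step 2: evaluate every resource against every rule; returns (resource, rule) pairs."""
    return [(res, rule) for res in inventory for rule in RULES if rule.applies(res)]

def prioritize(findings):
    """Step 3: order by risk = likelihood x impact, highest first (stable for ties)."""
    return sorted(findings, key=lambda f: f[1].likelihood * f[1].impact, reverse=True)

def run_cycle(inventory):
    """Steps 1-4 plus assurance: remediate in priority order, then re-check the result."""
    inv = copy.deepcopy(inventory)  # work on a copy so the caller's inventory is untouched
    ordered = prioritize(identify(inv))
    for res, rule in ordered:
        rule.remediate(res)  # step 4: auto-remediate in place
    return [(r["id"], rule.name) for r, rule in ordered], identify(inv)  # residual findings
```

The residual list returned by `run_cycle` is the assurance check: a non-empty list after remediation means a rule's fix did not actually bring the resource into compliance.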
Protect workloads easily using identity
Workload Segmentation provides identity-based microsegmentation, delivered through automation

• Visibility & exposure analysis
• Zero trust enforcement
• Simpler security policies
• Quantified risk reduction


Simple, secure cloud app access to internet, multi-cloud
East-West Zero Trust Access provides secure connectivity with automated deployment

Integrated connectivity and security:
• Unified control plane – traffic forwarding, security, and access
• Flexible traffic steering – internet and private traffic
• Automated deployment – public cloud and on-premises
• Deep visibility – detailed logs and SIEM integration

Diagram: Cloud Connector (in the public cloud and the data center) → Zero Trust Exchange (threat prevention, access control, data protection, secure connectivity) → internet / multi-cloud


Best practices for enabling DevSecOps

Culture and politics
• Get executive-level buy-in
• Address cultural obstacles and silos
• Promote security as a shared responsibility
• Engage with progressive thought leaders

Skillsets and process
• Cross-train staff on DevOps and application security best practices
• Understand and leverage the new DevSecOps abstraction model
• Create defined insertion points for zero trust security in the DevOps toolchain

Technology
• Take applications off the network
• Protect workloads using identity
• Continuously validate security


Cloud-enabled technologies support agile application development and deployment with robust application security


How to eat the elephant

First Day
• Engage with stakeholders on creating alignment among DevOps and security teams and processes
• Assess the state of current application security processes with current and planned applications

30 Days
• Establish joint groups of DevOps and security personnel to break down silos
• Cross-educate both security and DevOps on the benefits of taking apps off the network
• Evaluate the use of zero trust security, identity-based microsegmentation, and cloud security posture management

90 Days
• Adopt zero trust security, identity-based microsegmentation, and cloud security posture management
• Establish processes whereby new and existing applications are automatically provisioned within the Zero Trust Exchange