Cato Networks SD WAN & SASE Cybersecurity Solutions

Zscaler SASE Solution: Comparisons, Review, Benefits, Use Cases, Pros & Cons

Author: Netify Research Team

If you have questions about Zscaler and how their capability is aligned to your needs, email the Netify research team. UK: uk@netify.co.uk North America: northamerica@netify.com

(Please use the UK email for ROW - Rest of the World - questions or inquiries)

Netify Review

Zscaler offers a granular and comprehensive cloud-delivered SASE security solution with added security services and a cloud-based security stack. The offering is an option for clients with large multinational corporations who require SASE or granular security to secure their SD WAN network. The company also have solid solutions for remote users, as they leverage their cloud capabilities to offer clients remote access via their Work-From-Anywhere solution (see, How does Zscaler support remote users?). Enterprises looking to secure their distributed mobile workforce or SD WAN transformation, moving applications to AWS or Azure and Office 365, may find Zscaler’s offering valuable in these use cases. User reviews are generally mostly positive, with conflicting reports of ease of use. Due to the complex, granular nature of the service, it is strongly advised that only large multinational enterprises are typically suited to this solution. Any customer looking to implement Zscaler's solution should ensure that the IT teams responsible for the management of the service have sufficient resources and are experienced with this type of solution to provide a positive outcome.

However, caution is advised due to Zscaler’s large number of service provider and integrator partners and a wide range of SD WAN vendor partners. IT managers will have to choose an SD WAN solution to go with Zscaler SASE, then a service provider or integrator to provide most overlay services. Choosing can be a complex task, but it can be simplified using the Netify comparison tool - give it a try here

About Zscaler

Zscaler is a cloud-based information security company founded in 2008, with its headquarters in San Jose, California, United States. The company provides 150+ data centres and customers in 185 countries worldwide, as well as cloud-based security products, including SASE and a cloud-based security stack. They also hold a high Net Promoter Score of 76 for customer satisfaction. In 2022 Zscaler acquired the software development firm ShiftRight whose primary focus is closed-loop security workflow automation. This acquisition enables Zscaler to integrate ShiftRight’s workflow automation technology into the Zscaler Zero Trust Exchange™ cloud security platform.

What are Zscaler's Solutions?

Zscaler offers comprehensive, secure solutions that can be integrated with SASE or work as a separate security stack. 

• Zscaler Internet Access: A cloud-delivered security stack as a service designed to protect mobile remote users and connect to cloud applications; however, it can also provide security for branch offices and HQ/IoT. The service includes the following: URL filtering, CASB, cloud firewall/IPS, DLP, CSPM, sandboxing, browser isolation and complete SSL visibility.
• Zscaler Private Access (ZPA): Provides ZTNA for private applications, offering seamless zero-trust access to private applications running from within the data centre or out of the public cloud. Customers can connect to applications via inside-out connectivity instead of extending the network to them by preventing applications from being exposed to the internet, making them completely invisible to unauthorized owners. The ZTNA approach supports both managed and unmanaged devices and any private application. 
• Zscaler Business to Business: Designed to provide a consumer-like experience without putting businesses at risk. The service is delivered from the cloud and provides business customers with secure access to applications via the internet, regardless of whether they are hosted in private or public clouds or the data centre. Based on service-initiated ZTNA architecture, the product uses business policies to securely connect an authenticated customer to an authorized application - avoiding the need to expose the application to the internet. This brings the cloud closer to customer access to eliminate the complexity of legacy networks.
• Zscaler Cloud Protection: A service to ensure that cloud applications are correctly configured. This product consists of four solutions combined into one service: secure app-to-app communications, secure workload configurations, eliminate lateral threat movement and secure access to cloud applications, each of which helps to reduce the risk of security breaches due to misconfigured cloud applications. The service also includes Zscaler Zero Trust Exchange, Zscaler Workload Posture, Zscaler Workload Communications, Zscaler Private Access and Zscaler Zero Trust Exchange, and Workload Segmentation.
• Zscaler Digital Experience: Resolves user experience issues by analyzing and troubleshooting. The cloud-based service provides endpoint monitoring, cloud path analytics, digital experience store and application monitoring. Fast deployment is offered by instrumentation that begins at the Zscaler Client Connector, and the entire service can be integrated on top of the Zscaler Zero Trust Exchange.
• Zero Trust Exchange: Clients can enable fast and secure connections that allow employees to work from anywhere by leveraging the internet as a corporate network, using Zscaler’s zero trust network architecture, with policy enforcement and context-based identity. Makes use of the Zero Trust Exchange, which operates 150 data centres worldwide, ensuring a fast connection by keeping users close to the service. Also offers colocation with cloud providers and applications that users are accessing (for example, AWS or Microsoft 365), which guarantees that the shortest path between users and destinations will be used.
• Zscaler Client Connector: Formerly known as Zscaler App, the Zscaler Client Connector supports remote workers by connecting workforces to business applications from any device or location. The application sits at the endpoint device and enables business workforces to connect remotely, regardless of what application is being accessed or the device being used. Complies with BYOD, RF Scanner, POS System, corporate-managed or RF scanner, sending traffic to the nearest Zscaler service Edge, determining if a user is looking to access a SaaS application, internal application, data centre, a public or private cloud or the open internet. User traffic can also be auto-routed via the correct Zero Trust Service, which includes Zscaler Internet Access for SaaS and secure internet access or Zscaler Private Access for fast access to internal applications. Visibility insights are also available with the Zscaler Digital Experience.
• Privacy and Compliance: Zscaler compliance enablers ensure that products adhere to government and commercial standards. They focus on regulations such as ISO 27001, ISO 27701, SOC 2 and Fed Ramp. Global Commercial Certifications are ISO 27001, ISO 27701, ISO 27018, ISO 27017, SOC 2, SOC 3, CSA - Star and Sensitive Data Handling Assessment. Global Government Certifications include GDPR, Fed Ramp, FIPS 140 - 2, IRAP, ITAR, CJIS, VPAT/Section 508, NCSC Certificate, TIC 3.0 vendor overlay, NIST 800-63C, PIPEDA, APPI, CCPA and the Australian and New Zealand Data Privacy Shield. There are also several white papers and attestations that Zscaler complies with, such as HIPAA, PCI DSS, APRA and the Modern Slavery Act.
• Secure SD WAN Solution: Zscaler offer clients SD WAN security, working with vendor partners Silver Peak, Cisco Viptela, Velo Cloud and more (see, Which service providers and partners support Zscaler?). Using Zscaler security, clients can enable secure internet breakouts without the issues commonly associated with legacy products. Because it is cloud-delivered and leverages software-defined policies to route traffic, the solution simplifies branch office functions and supports remote users.

What is the Zscaler SASE security solution?

Zscaler offers a granular and comprehensive SASE security solution, which they call their Cloud Security Platform. The solution is globally available, ensuring high performance for users worldwide by peering with hundreds of partners in significant internet exchanges worldwide - delivered across 150 data centres worldwide. 

The SASE offering includes native multi-tenant cloud architecture for dynamic scalability on-demand and a proxy-based architecture that inspects encrypted traffic at scale. It also brings security and policy close to the user to eliminate unnecessary backhaul, with ZTNA and a zero attack surface which avoids exposing your source networks and identities to the internet, preventing targeted attacks. 

The Zscaler SASE solution can be deployed and managed as a cloud-delivered and automated service. It provides low latency and optimal bandwidth by bringing the user closer to security and policy across 150+ locations, with security being built into the fabric of the platform to ensure that all connections are secured and inspected. 

SASE Features: 

• SSL Inspection: SSL inspection will locate and analyze SSL-encrypted internet traffic communications between the server and users.
• Bandwidth Control: Allows clients to prioritize business-critical applications over other traffic- for example, users may prioritize Office 365 over YouTube.
• Advanced Threat Protection: Constantly protects against zero-day threats, unknown malware and ransomware by analyzing all user packets, both on and off-network. Also capable of inspecting SSL.
• Machine Learning Security: Cloud-scale machine learning to protect against security threats. Designed to react to phishing, ransomware and malware attacks quickly by identifying threat patterns across volumes of data to block advanced threats without the need for human interaction.

What ZTNA (Zero Trust Network Access) Solution is Supported by Zscaler?

Zscaler provides cloud-delivered ZTNA, which creates secure connections between users and applications, regardless of location. It allows users to verify identities, improve and adapt visibility and set contextual policies.

What CASB (Cloud Access Security Broker) Solution is Supported by Zscaler?

Provides security for PaaS, IaaS offerings and SaaS applications. Real-time visibility and the ability to control access and user activity across sanctioned and unsanctioned applications are also provided. Also includes inline data protection capabilities to eliminate overlay architectures and proxy-chaining, which have the potential to break SWG implementations. Out-of-band data protection (data at rest) capabilities leverage API integrations to look inside IaaS offerings and SaaS applications - for example, AWS S3, to identify exposed or sensitive data and compliance violations.

What SWG (Secure Web Gateway) Solution is Supported by Zscaler?

A cloud-delivered secure web gateway, preventing users from accessing potentially malicious web traffic from the internet and in the cloud itself.

What FWaaS (Firewall as a Service) Solution is Supported by Zscaler?

The Zscaler Cloud Firewall is designed to replace legacy firewall technology. The solution enables users to secure off-network connections and local internet breakout for all user traffic without appliances. The firewall is scaleable across all ports and protocols for all cloud application traffic - can also be used in remote locations and branch offices.

What NDR (Network Detection and Response) Solution is Supported by Zscaler?

Zscaler offers NDR solutions via its partnership with Vectra. The hybrid product combines Vectra Network Detection and Response with the Zscaler Zero Trust platform and enables users to identify and remove security threats early on in the kill chain. This allows for improved network performance, as applications remain accessible whilst security threats are removed before they become a significant problem. 

What XDR (Extended Detection and Response) Solution is Supported by Zscaler?

Zscaler offers integrated XDR services provided by their technology partners SecBI and Secureworks. The SecBI solution leverages machine learning to identify malicious behaviour, collect it and use related stored data to remove the threat. Secureworks XDR collects and analyzes data and provides an alert should anything suspicious be found.

How does Zscaler deliver cloud security?

Zscaler can access cloud vendors via Zscaler Internet Access for SaaS applications and open internet. Vendors can also be accessed through Zscaler Private Access for secure access to internal applications in auxiliary storage or data centres without a VPN or network access. 

• AWS: Zscaler is an AWS Advanced Technology Partner and Certified Cloud Practitioner. Utilizingapplication segmentation, zero trust access policies, and one-time login provide a single service, secure access and visibility into applications on AWS or hybrid IT environments. 
• Microsoft: Zscaler is a Microsoft Azure partner, a certified networking partner for Office 365 and integrations available via the Azure marketplace. Zscaler can access over 20 globally peered Microsoft Cloud data centers to provide secure access to private applications on Azure. Shadow IT and cloud applications can be controlled on or off the network, and the Zscaler client can be deployed onto Intune-managed iOS devices. 
• Google: Zscaler is a Google Cloud Security Infrastructure Partner. Google Cloud tools enhance Zscaler security services. 

Zscaler offers a wide range of cloud-based security technologies. These include: 

• Cloud Configuration Security/Cloud Security Posture Management (CSPM): Protects access routes to SaaS applications, Azure, Google Cloud Platform and AWS. It reduces risk by remediating misconfigurations in SaaS, PaaS and IaaS applications whilst maintaining a good security posture. The solution covers 2,700 pre-built policies mapped across 16 standards, which include CIS benchmarks, SOC2, NIST, PCI DSS and AWS best security practices. The product is part of the cloud-delivered data protection capabilities in the Zscaler Zero Trust Exchange.
• Cloud Identity And Entitlement (CIEM): Allows clients to control access to all resources, clouds, identities and APIs. Provides zero disruption to DevOps teams. A component of the Zscaler Cloud Protection solution.
• Cloud Data Loss Prevention (DLP): Protects sensitive data in all cloud channels, including confidential, health and personal data. Leverages advanced features such as machine learning, Exact Data Match (EDM) and Indexed Document Matching (IDM). Works with office and remote workers.
• Cloud Browser Isolation: Isolates users and endpoints from active content to protect from zero-day vulnerabilities, unsanctioned plug-ins, ransomware, data theft and more.
• Cloud Sandbox: Designed to prevent patient-zero attacks, including automated quarantine of high-risk unknown threats and instant verdicts for common file types. This service is integrated with the Zscaler cloud-native security platform.
• Cloud IPS: Zscaler Cloud IPS is delivered from the cloud, which allows it to provide security for all users in an office, or in remote locations. Protects from botnets, zero days and advanced threats and provides contextual information about the application, threat and user - delivered as a service.

How does Zscaler support remote users?

Zscaler Work-From-Anywhere supports remote users by providing secure access to all applications, with cloud identity access management, data protection, visibility and troubleshooting and cyber threat protection. Remote users still get fast and direct access to applications such as Microsoft 365 or Zoom and can use "Bring-Your-Own" devices. The solution leverages Zscaler SASE cloud-native services architecture.

What is the Zscaler managed, co-managed and DIY services solution?

Zscaler’s security cloud is a managed solution that includes cloud intelligence, native SSL inspection, real-time threat correlation, and over 60 industry threat feeds. Zscaler’s ThreatlabZ security research team offers security advisories and tools, highlighting vulnerabilities and providing free browser plug-ins to negate threats. This managed service solution, as well as many others, is available from one of Zscaler’s managed service provider partners.

What Reporting and Management is available via the Zscaler Portal?

SD WAN/SASE reporting and management is available via the third-party provider portal. Zscaler does offer, however, the Zscaler Digital Experience. This cloud-based service provides CloudPath Analytics, Digital Experience Scores, and Application and Endpoint Monitoring. These services are provisioned via a unified dashboard to enable efficient troubleshooting and resolution of connectivity issues at the user end.

What is the Zscaler SLA?

Below is a table displaying the main focus points of the Zscaler Service Level Agreement (SLA). 

Zscaler support tiers (Zscaler, 2020.) See more at: https://www.zscaler.com/resources/data-sheets/zscaler-premium-support.pdf