Zscaler SASE Cybersecurity Solutions

Zscaler SASE Solution: Comparisons, Review, Benefits, Use Cases, Pros & Cons

Author: Netify Research Team

If you have questions about Zscaler and how their capability is aligned to your needs, email the Netify research team. UK: uk@netify.co.uk North America: northamerica@netify.com

(Please use the UK email for ROW - Rest of the World - questions or inquiries)

Netify Review

Zscaler offer a granular and comprehensive cloud-delivered SASE security solution, with added security services and a cloud-based security stack. The offering is an option for clients with large, multinational corporations who require SASE or granular security to secure their SD WAN network. The company also have strong solutions for remote users, as they leverage their cloud capabilities to offer clients remote access via their Work-From-Anywhere solution (see, How does Zscaler support remote users?). Enterprises looking to secure their distributed mobile workforce or SD WAN transformation, moving applications to AWS or Azure and moving to Office 365 may find Zscaler’s offering to be a useful tool in these use cases. 

However, caution is advised due to Zscaler’s large amount of service provider and integrator partners, as well as a wide range of SD WAN vendor parters. IT managers will have to choose an SD WAN solution to go with Zscaler SASE, and then a service provider or integrator to provide most overlay services. This is a complex task, but can be simplified by using the Netify comparison tool - give it a try here.

About Zscaler

Zscaler is a cloud-based information security company that was founded in 2008 with its headquarters residing in San Jose, California, United States. The company provides 150+ data centers and customers in 185 countries worldwide, as well as cloud-based security products, including SASE and a cloud-based security stack. They also hold a high Net Promoter Score of 76 for customer satisfaction.

What are Zscaler's Solutions?

Zscaler offer comprehensive secure solutions, that can be either integrated with SASE or work as a separate security stack. 

• Zscaler Internet Access: A cloud-delivered security stack as a service, which is designed to protect remote users who are mobile and connecting to cloud applications - however it can also provide security for branch offices and HQ/IoT. The service includes the following: URL filtering, CASB, cloud firewall/IPS, DLP, CSPM, sandboxing, browser isolation and full SSL visibility.
• Zscaler Private Access (ZPA): Provides ZTNA for private applications, offering seamless zero trust access to private applications running from within the data center or out of the public cloud. Customers are able to connect to applications via inside-out connectivity as opposed to extending the network to them, by preventing applications from being exposed to the internet, making them completely invisible to unauthorized owners. The ZTNA approach supports both managed and unmanaged devices and any private application. 
• Zscaler Business to Business: Designed to provide a consumer-like experience without putting businesses at risk. The service is delivered from the cloud and provides business customers with secure access to applications via the internet, regardless of whether they are hosted in private or public clouds, or the data center. Based on service-initiated ZTNA architecture, the product uses business policies to securely connect an authenticated customer to an authorized application - avoiding the need to expose the application to the internet. This brings the cloud closer to customer access, in order to eliminate the complexity of legacy networks.
• Zscaler Cloud Protection: A service to ensure that cloud applications are correctly configured. This product consists of four solutions combined into one service: secure app-to-app communications, secure workload configurations, eliminate lateral threat movement and secure access to cloud applications, each of which help to reduce the risk of security breaches due to misconfigured cloud applications. The service also includes: Zscaler Zero Trust Exchange, Zscaler Workload Posture, Zscaler Workload Communications, Zscaler Private Access and Zscaler Zero Trust Exchange as well as Workload Segmentation.
• Zscaler Digital Experience: Resolves user experience issues by analyzing and troubleshooting. The cloud-based service provides endpoint monitoring, cloud path analytics, digital experience store and application monitoring. Fast deployment is provided by instrumentation that begins at the Zscaler Client Connector, and the entire service can be integrated on top of the Zscaler Zero Trust Exchange.
• Zero Trust Exchange: Clients can enable fast and secure connections that allow employees to work from anywhere, by leveraging the internet as a corporate network, using Zscaler’s zero trust network architecture, with policy enforcement and context-based identity. Makes use of the Zero Trust Exchange which operates 150 data centers worldwide, ensuring a fast connection by keeping users close to the service. Also offers colocation with cloud providers and applications that users are accessing (for example, AWS or Microsoft 365), which guarantees that the shortest path between users and destinations will be used.
• Zscaler Client Connector: Formerly known as Zscaler App, the Zscaler Client Connector supports remote workers by connecting workforces to business applications from any device or location. The application sits at the endpoint device and enables business workforces to connect remotely, regardless of what application is being accessed or device is being used. Complies with BYOD, RF Scanner, POS System, corporate-managed or RF scanner, sending traffic to the nearest Zscaler service Edge, determining if a user is looking to access a SaaS application, internal application, data center, a public or private cloud or the open internet. User traffic can also be auto-routed via the correct Zero Trust Service, which includes Zscaler Internet Access for SaaS and secure internet access, or Zscaler Private Access for secure access to internal applications. Visibility insights are also available with the Zscaler Digital Experience.
• Privacy and Compliance: Zscaler compliance enablers ensure that products adhere to government and commercial standards. They are designed to focus on regulations such as: ISO 27001, ISO 27701, SOC 2 and Fed Ramp. Global Commercial Certifications are: ISO 27001, ISO 27701, ISO 27018, ISO 27017, SOC 2, SOC 3, CSA - Star and Sensitive Data Handling Assessment. Global Government Certifications include: GDPR, Fed Ramp, FIPS 140 - 2, IRAP, ITAR, CJIS, VPAT/Section 508, NCSC Certificate, TIC 3.0 vendor overlay, NIST 800-63C, PIPEDA, APPI, CCPA and the Australian and New Zealand Data Privacy Shield. There are also a number of white papers and attestations  that Zscaler complies with, such as HIPAA, PCI DSS, APRA and the Modern Slavery Act.
• Secure SD WAN Solution: Zscaler offer clients SD WAN security, working with vendor partners Silver Peak, Cisco Viptela, Velo Cloud and more (see, Which service providers and partners support Zscaler?). By using Zscaler security, clients can enable secure internet breakouts without the issues commonly associated with legacy products. Because it is cloud-delivered and leverages software-defined policies to route traffic, the solution simplifies branch office functions, and supports remote users.

What is the Zscaler SASE security solution?

Zscaler offer a granular and comprehensive SASE security solution, which they call their Cloud Security Platform. The solution is globally available, ensuring high performance for users world-wide by accessing peering with hundreds of partners in major internet exchanges around the world - delivered across 150 data centers worldwide. 

The SASE offering includes native multi-tenant cloud architecture, for dynamic scalability on-demand, and a proxy-based architecture that inspects encrypted traffic at scale. It also brings security and policy close to the user to eliminate unnecessary backhaul, with ZTNA and a zero attack surface which avoids exposing your source networks and identities to the internet, preventing targeted attacks. 

The Zscaler SASE solution can be deployed and managed as a cloud-delivered and automated service. It provides low latency and optimal bandwidth by bringing the user closer to security and policy across 150+ locations, with security being built into the fabric of the platform to ensure that all connections are secured and inspected. 

SASE Features: 

• SSL Inspection: SSL inspection will locate and analyze SSL-encrypted internet traffic communications between the server and users.
• Bandwidth Control: Allows clients to prioritize business-critical applications over other traffic- for example, users may prioritize Office 365 over YouTube.
• Advanced Threat Protection: Constantly protects against zero-day threats, unknown malware and ransomware, by analyzing all packets from users, both on and off-network. Also capable of inspecting SSL.
• Machine Learning Security: Cloud-scale machine learning to protect against security threats. Designed to react to phishing, ransomware and malware attacks quickly by identifying threat patterns across volumes of data in order to block advanced threats without the need for human interaction.

What ZTNA (Zero Trust Network Access) Solution is Supported by Zscaler?

Zscaler provide cloud-delivered ZTNA, which creates secure connections between users and applications, regardless of location. It allows users to verify identities, improve and adapt visibility and set contextual policies.

What CASB (Cloud Access Security Broker) Solution is Supported by Zscaler?

Provides security for PaaS, IaaS offerings and SaaS applications. Real-time visibility and the ability to control access and user activity across sanctioned and unsanctioned applications is also provided. Also includes inline data protection capabilities to eliminate overlay architectures and proxy-chaining which have the potential to break SWG implementations. Out-of-band data protection (data at rest) capabilities leverage API integrations to look inside IaaS offerings and SaaS applications - for example, AWS S3, in order to identify exposed or sensitive data and compliance violations.

What SWG (Secure Web Gateway) Solution is Supported by Zscaler?

A cloud-delivered secure web gateway, preventing users from accessing potentially malicious web traffic from the internet and in the cloud itself.

What FWaaS (Firewall as a Service) Solution is Supported by Zscaler?

The Zscaler Cloud Firewall is designed to replace legacy firewall technology. The solution enables users to secure off-network connections as well as local internet breakout, for all user traffic without appliances. The firewall is scaleable across all ports and protocols for all cloud application traffic - can also be used in remote locations as well as branch offices.

What NDR (Network Detection and Response) Solution is Supported by Zscaler?

Zscaler offer NDR solutions via their partnership with Vectra. The hybrid product combines Vectra Network Detection and Response with Zscaler Zero Trust platform and enables users to identify and remove security threats early on in the kill chain. This allows for improved network performance, as applications remain accessible whilst security threats are removed before they become a major problem. 

What XDR (Extended Detection and Response) Solution is Supported by Zscaler?

Zscaler offers integrated XDR services provided by their technology partners SecBI and Secureworks. The SecBI solution leverages machine learning in order to identify malicious behavior, collecting it and using related stored data to remote the threat. Secureworks XDR collects and analyzes data, and provides an alert should anything suspicious be found.

How does Zscaler deliver cloud security?

Zscaler is able to access cloud vendors via Zscaler Internet Access for SaaS applications and open internet. Vendors can also be accessed through Zscaler Private Access for secure access to internal applications in auxiliary storage or data centers without the need for a VPN or network access. 

• AWS: Zscaler is an AWS Advanced Technology Partner as well as an AWS Certified Cloud Practitioner. Utilizing application segmentation, zero trust access policies and one-time login provides a single service, secure access and visibility into applications on AWS or hybrid IT environments. 
• Microsoft: Zscaler is a Microsoft Azure partner, certified networking partner for Office 365 and integrations available via the Azure marketplace. Zscaler are able to access over 20 globally peered Microsoft Cloud data centers to provide secure access to private applications on Azure.   Shadow IT and cloud applications are able to be controlled both on or off the network and the Zscaler client can be deployed onto Intune-managed iOS devices. 
• Google: Zscaler is a Google Cloud Security Infrastructure Partner. Google Cloud tools enhance Zscaler security services. 

Zscaler offer a wide range of cloud-based security technologies. These include: 

• Cloud Configuration Security/Cloud Security Posture Management (CSPM): Protects access routes to SaaS applications, Azure, Google Cloud Platform and AWS. It reduces risk by remediating misconfigurations in SaaS, PaaS and IaaS applications, whilst maintaining a sound security posture. The solution covers 2,700 pre-built policies mapped across 16 standards, which include CIS benchmarks, SOC2, NIST, PCI DSS and AWS best security practices. The product is part of the cloud-delivered data protection capabilities in the Zscaler Zero Trust Exchange.
• Cloud Identity And Entitlement (CIEM): Allows clients to control access to all resources, clouds, identities and APIs. Provides zero disruption to DevOps teams. A component of the Zscaler Cloud Protection solution.
• Cloud Data Loss prevention (DLP): Protects sensitive data in all cloud channels, including confidential, health and personal data. Leverages advanced features such as machine learning, Exact Data Match (EDM) and Indexed Document Matching (IDM). Works with office and remote workers.
• Cloud Browser Isolation: Isolates users and endpoints from active content, in order to protect from zero-day vulnerabilities, unsanctioned plug-ins, ransomeware, data theft and more.
• Cloud Sandbox: Designed to prevent patient-zero attacks, including automated quarantine of high-risk unknown threats and instant verdicts for common file types. This service is integrated with the Zscaler cloud-native security platform.
• Cloud IPS: Zscaler Cloud IPS is delivered from the cloud, which allows it to provide security for all users in office, or in remote locations. Protects from botnets, zero days and advanced threats, and provides contextual information about the application, threat and user - delivered as a service.

How does Zscaler support remote users?

Zscaler Work-From-Anywhere supports remote users by providing secure access to all applications, with cloud identity access management, data protection, visibility and troubleshooting and cyberthreat protection. Remote users still get fast and direct access to applications such as Microsoft 365 or Zoom, and can use BYOD devices. Leverages Zscaler SASE cloud-native services architecture.

What is the Zscaler managed, co-managed and DIY services solution?

Zscaler’s security cloud is offered as a managed solution that includes cloud intelligence, native SSL inspection, real time threat correlation and over 60 industry threat feeds. Security advisories and tools are offered by Zscaler’s ThreatlabZ security research team, highlighting vulnerabilities and providing free browser plug-ins to negate threats. This managed service solution, as well as many others, is available from one of Zscaler’s managed service provider partners.

What Reporting and Management is available via the Zscaler Portal?

SD WAN/SASE reporting and management is available via the applicable third party provider portal. Zscaler do offer however, the Zscaler Digital Experience. This cloud based service provides CloudPath Analytics, Digital Experience Scores, Application and Endpoint Monitoring. These services are provisioned via a unified dashboard to enable efficient troubleshooting and resolution of connectivity issues at the user end.

What is the Zscaler SLA?

Below is a table displaying the main focus points of the Zscaler Service Level Agreement (SLA). 

Zscaler support tiers (Zscaler, 2020.) See more at: https://www.zscaler.com/resources/data-sheets/zscaler-premium-support.pdf