Putting zero trust into practice: An overview of Zscaler’s

This is the ninth and final commentary in the series “Defining Zero Trust Security.”

Zero trust for users, workloads, and IoT/OT

The multi-tenant Zscaler Zero Trust Exchange (ZTE) platform products work together to provide out-of-band cloud-native application protection and inline security and networking transformation.

Figure 1. The Zscaler Zero Trust Exchange is a multi-tenant platform that modernizes infrastructure and transforms security.

The Zscaler zero trust platform is unique. It’s comprehensive, integrated, and is the reference implementation of zero trust delivered as a service. The Zscaler Zero Trust Exchange platform is fundamental for network and security transformation. Unlike firewalls (both physical-appliance and cloud-based), ZTE is a multi-tenant service architecture. It’s built for a world in the cloud: It’s globally distributed, meets all privacy and compliance requirements, and is driven by innovative technology engines.

The ZTE delivers infrastructure modernization, providing non-routable zero trust connectivity over any type of network. It helps CxOs reinvent branch and factory connectivity, enables zero trust cloud connectivity, and offers extensive digital-experience monitoring and measurement.

Ultimately, the Zero Trust Exchange platform is designed to secure users, apps, devices, and data no matter where they reside. Utilizing its suite of platform service products, the Zscaler Zero Trust Exchange provides zero trust security and networking transformation for users, workloads, and IoT/OT systems.

Zero Trust for Users

Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) services work together to secure user access to the internet and private applications respectively, wherever those apps may live, and even if those users are connecting from remote locations. ZTE also delivers cloud data-loss prevention (DLP) protection.

Zero Trust for Workloads and SaaS Applications

ZTE secures workload-to-workload communications using underlying ZPA technology. Similarly, ZTE secures workload-to-internet communications using underlying ZIA technology. In a Zscaler zero trust environment, data in movement is secured. But so is data at rest. Zscaler provides comprehensive posture, cloud configuration, and entitlements management to ensure data is always secure.

Zero Trust for IoT/OT

Zscaler secures connections from IoT and OT devices, whether data is routed to private resources, the cloud, or the internet; as well as access to those same IoT and OT systems. Zscaler delivers zero trust for industrial operations (read: factory) and branch connectivity. Zscaler also offers microsegmentation to further protect IoT/OT communications.

Solution elements of the Zscaler Zero Trust Exchange Platform

The Zscaler Zero Trust Exchange (ZTE) is the zero trust architecture (ZTA) for accelerating

secure digital transformation. ZTE delivers both inline and out-of-band security capabilities. Inline, ZTE offers Zero Trust for Users with secure internet access, secure private app access, data loss protection, and remote user connectivity; Zero Trust for Workloads with secure workload-to-internet connectivity, secure workload-to-workload communication, application microsegmentation, and comprehensive cloud connectivity; and Zero Trust for IoT/OT with secure access to OT systems, IoT telemetry to private apps, and branch and factory connectivity.

Out of band, ZTE delivers public cloud native app protection, including cloud access service brokering (CASB) functions, cloud security posture management (CSPM)/cloud entitlement management (CIEM), and active threat defense.

Figure 2. The Zscaler Zero Trust Exchange transforms security and the network with inline and out-of-band Zero Trust security coverage

The ZTE achieves its comprehensive security coverage via six integrated, infinitely scalable product solutions: Zscaler Internet Access (ZIA) for securing access to the open internet, Zscaler Private Access (ZPA) for securing connectivity to datacenter-hosted and private-cloud applications, Zscaler Business to Business (ZB2B) for securing direct customer and supply-chain connectivity, Zscaler Cloud Protection (ZCP) for securing workload and cloud connectivity, Zscaler Digital Experience (ZDX) for measuring and optimizing connectivity performance, and Zscaler Deception Technology (ZDT) for active threat defense.

Zscaler Internet Access (ZIA): Secure user-to-internet connectivity

Applications have moved to the cloud, and users have led the enterprise way to that cloud, often dragging their CIOs along reluctantly. Most employee work is now done on the internet or in the cloud. It’s a way of work that legacy security infrastructure cannot secure. Zscaler Internet Access (ZIA) secures user access to the internet, blocking the “bad” and protecting the “good.” ZIA protects data, blocks cyber threats, and provides local internet breakouts.

ZIA is an amalgam of traditional security services, including multiple security services including Cloud Firewall/IPS, Sandboxing, URL Filtering, DLP, CASB (both inline and out-of-band), Browser Isolation, and CSPM, all integrated into an SSMA-delivered ZIA service. (In that way, ZIA – in conjunction with all Zscaler services – eliminates the costly and slow single-function-per-machine model of legacy security infrastructure appliance-stacking.)

Zscaler Private Access (ZPA): Securing user-to-private-app connectivity

Zscaler Private Access (ZPA) performs an analogous service function to ZIA, but with private resources. ZPA provides users with direct access to private applications, whether they are running in a private cloud, in a public cloud, or within the datacenter. ZPA connectivity is the same whether a user logs on from the office or from a remote location. That negates the need for cumbersome, unsecure VPNs.

ZPA ensures that only authorized users have access to specific private applications by creating secure segments of one between individual devices and apps. The ZPA service enables the applications to connect to users via inside-out connectivity versus extending the network to each and every individual user. This zero trust network access (ZTNA) approach supports both managed and unmanaged devices, and any private application (even if it’s on a mainframe).

Figure 3. ZIA and ZPA conceptual architecture and capabilities

Zscaler Business to Business (ZB2B): Secure supply-chain connectivity

Supply chains are only as secure as their weakest connection. Zscaler B2B (ZB2B) secures connectivity between business partners, protecting B2B communications and reducing enterprise vulnerability to island-hopping and supply-chain attacks.

Like ZPA, ZB2B is based on a service-initiated ZTNA approach and uses business policies to securely connect an authenticated customer to an authorized app, without ever exposing the app to the internet or bringing a partner, third party, or customer onto a corporate network.

Zscaler Cloud Protection (ZCP): Secure workload and cloud connectivity

Zscaler Cloud Protection (ZCP) facilitates the management of cloud workload security. ZCP encompasses four components (including ZPA above):

Zscaler Workload Posture provides new visibility into cloud application and resource configuration via its Cloud Security Posture Management (CSPM) capabilities. It enables IT leaders to identify, prioritize, and address potential misconfigurations within cloud environments proactively, before they could impact operations.
Zscaler Private Access (ZPA) secures user-to-app connectivity for private applications housed in corporate data centers, private clouds, or even public clouds. It achieves that secure connectivity without exposing applications to the outside world.
Zscaler Workload Communications provides zero trust app-to-app and app-to-internet connectivity across hybrid and multi-clouds. That security includes cloud-to-internet, cloud-to-cloud, and cloud-to-datacenter connections.
Zscaler Workload Segmentation lets IT leaders segment app workloads in a faster, more secure manner than traditional IP-based segmentation.

Zscaler Digital Experience (ZDX): Connectivity performance measurement and optimization

Zscaler Digital Experience (ZDX) is a digital experience-monitoring solution that provides end-to-end visibility and troubleshooting of end-user performance issues for any user or application, regardless of location. In addition, it enables continuous monitoring for network, security, desktop, and helpdesk teams with insight into the end-user device, network, and application performance issues. With ZDX, IT teams can proactively analyze and troubleshoot user experience issues before they impact user experience.

Zscaler Deception Technology: Active threat defense

Zscaler Deception adds an extra threat-detection layer to an enterprise’s active defense front against cyberattack. Zscaler Deception detects active threats by populating an environment with decoys: fake endpoints, files, services, databases, users, computers, and other resources that mimic production assets for the sole purpose of detecting adversary presence. The decoys and false user paths lure and then trap attackers, all without operational overhead or risk of false positives. Security analysts and SOCs can leverage Zscaler Deception to generate threat intelligence, stop lateral movement, and orchestrate threat response and containment without human supervision.

Extending the Zscaler Zero Trust Exchange Platform Ecosystem

The Zscaler platform provides comprehensive application access security no matter where those applications live. But its capabilities extend beyond its rich suite of products. The Zscaler Zero Trust Exchange platform integrates with a broader ecosystem of partner technologies.

Figure 4. The extended Zscaler ZTE ecosystem eliminates the need for point solutions, and allows for vendor service consolidation.

The Zscaler Zero Trust Exchange integrates with complementary zero trust solutions to provide Identity Access Management (IAM/CIAM), Endpoint Security and Management, Security Operations, and SD-WAN services, all delivered through the Zscaler platform. Moving down the stack, the ZTE also optimizes cloud access to enterprise cloud SaaS applications like Microsoft 365, cloud PaaS solutions like SAP, and cloud IaaS providers like Azure, AWS, or GCP.