Using Zscaler to turn on secure WFH now!

Before we get started we want to address the likelihood that posting this will be seen as taking advantage of the evolving COVID-19 situation.

We were contacted yesterday by four significant organisations looking to rapidly implement Zscaler to extend their secure Work From Home / Business Continuity plans. Two of these organisations provide essential services. The other two may not be able to afford to pay staff if they aren’t able to continue working.

On this basis, we have taken the decision to publish the information we have shared with them, as it may assist others in similar situations. We will keep this educational.

Who are Zscaler 

Zscaler is a publicly-traded, cloud security company, now over 10 years old. Zscaler’s underlying premise is that the Internet will replace the corporate network, with users increasingly mobile and apps increasingly cloud-based. As a SaaS service, Zscaler requires no hardware to implement.

What is Zscaler Private Access

Zscaler Private Access (ZPA) is a product offered by Zscaler that provides access to applications hosted in your own data centre or a public cloud such as AWS, GCP or Microsoft Azure. ZPA provides secure access through a zero-trust security model.

Here are the facts about ZPA:

  • ZPA does not provide network-level access. It provides users with access to the applications it discovers in the data centre, whether that is your own or a public cloud provider's.
  • In your data centres, you install a piece of software called a Connector which discovers the applications and makes them available to publish to users. The Connector establishes an outbound connection to the Zscaler cloud, meaning you do not need to expose any network VPN endpoints to the Internet or provide network-level access to users.
  • Users install a piece of software called ZApp on their machine. ZApp simply creates a secure connection to the Zscaler cloud and forwards relevant traffic.
  • The Zscaler cloud brokers a connection between the data centre and users, who are authenticated using your own existing identity source (e.g. Azure AD), and allows you to create policies to define who can access which applications.
  • ZPA does not provide any form of application streaming like Citrix. It provides a secure connection between the end-user and private applications. You can use it with software like Citrix.

What is Zscaler Internet Access

Zscaler Internet Access (ZIA) provides secure Internet access to users, regardless of which network they are on. This is ideal for SaaS applications such as Office 365, G Suite, Workday, Salesforce, Xero and general internet browsing. ZIA is a full-service proxy, which can provide next-generation firewall protection across all ports, not just web traffic. This makes it ideal for giving users the same level of security they would expect in the office, regardless of the network they are connected to: at home or in a cafe, they still get the same level of network security.

Here’s how it works:

  • Traffic is forwarded to the Zscaler cloud in one of three ways: via a VPN tunnel from a network device, using the ZApp software on the client device, or through a PAC file. For BCP and WFH purposes, using the ZApp client is ideal, and it can also be used for Zscaler Private Access. If you need an urgent BCP solution, this is the best option.
  • Zscaler has cloud nodes all around the world including in NZ and Australia. The Zscaler ZApp will discover the closest node to the end-users, ensuring they get the best experience.
  • Users are able to access Internet services based upon the policy defined for them. This can be based upon their network location, or who they are. Identifying the individual is done through integrating with your existing identity source (e.g. Azure AD).
  • ZIA is designed to work well with cloud services such as Office 365, and includes prebuilt policies for simplified configuration, as well as optimising network traffic for O365.

In summary

Depending on whether your users require access to private applications, Internet-based services such as SaaS apps, or both, you can implement ZPA or ZIA.

Zscaler is purchased as a subscription service, with a minimum term of one year. Implementation can all be performed remotely and does not require any hardware to be ordered and delivered, meaning it can be implemented without delay.

The Instillery is a Zscaler partner. We are currently considering how we can best offer a level of free implementation services to organisations that require an urgent solution to keep up and running. Contact us if this is something you require. We will also prioritise organisations who provide essential services.

Here is a post by Zscaler CEO Jay Chaudhry on using Zscaler to enable remote working due to COVID-19.

For more information on getting started with Zscaler, please contact us here.