Many organizations are moving away from on-premises solutions to simplify administration and reduce expensive hardware upgrades. This book uses real-world examples of deployments to help you explore Zscaler, an information security platform that offers cloud-based security for both web traffic and private enterprise applications.
You'll start by understanding how Zscaler was born in the cloud, how it evolved into a mature product, and how it continues to do so with the addition of sophisticated features that are necessary to stay ahead in today's corporate environment. The book then covers Zscaler Internet Access and Zscaler Private Access architectures in detail, before moving on to show you how to map future security requirements to ZIA features and transition your business applications to ZPA. As you make progress, you'll get to grips with all the essential features needed to architect a customized security solution and support it. Finally, you'll find out how to troubleshoot the newly implemented ZIA and ZPA solutions and make them work efficiently for your enterprise.
By the end of this Zscaler book, you'll have developed the skills to design, deploy, implement, and support a customized Zscaler security solution.
Page count: 339
Year of publication: 2021
Discover how to securely embrace cloud efficiency, intelligence, and agility with Zscaler
Ravi Devarasetty
BIRMINGHAM—MUMBAI
Copyright © 2021 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Wilson Dsouza
Publishing Product Manager: Rahul Nair
Senior Editor: Rahul Dsouza
Content Development Editor: Sayali Pingale
Technical Editor: Shruthi Shetty
Copy Editor: Safis Editing
Project Coordinator: Neil Dmello
Proofreader: Safis Editing
Indexer: Tejal Soni
Production Designer: Jyoti Chauhan
First published: May 2021
Production reference: 1070521
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-80056-798-6
www.packt.com
To the Supreme Lord, Sri Krishna, who is the driving force for every atom in the universe. To my wife, Lata, who inspired and encouraged me at every step of this adventure. To my children, who were very patient with me throughout this journey.
– Ravi Devarasetty
Ravi Devarasetty is originally from India and came to the United States for his higher education. He started his IT career in embedded software development, moved into 24x7 network operations, later transitioned into secure web gateways, and now works in public cloud security. He likes constant learning, both through self-study and via mentoring relationships. He likes to tinker with technology and loves it when he is able to put the things he has learned toward creating a unique solution. He has experience working as a Zscaler solution deployment engineer as part of a Managed Security Service Provider (MSSP) and as a Zscaler consultant. He holds multiple Zscaler certifications, and is also certified in CISSP, CCSK, AlienVault, AWS, and Microsoft Azure.
Anil Kumar Chennojwala is a seasoned security practitioner with a focus on the information security domain, comprising architecture, design, implementation, and service management. He has been helping customers spanning different verticals, from aviation to banking and finance, retail, and technology consulting. He hails from a small town called Karimnagar in the state of Telangana, India. Having received his master's degree in information systems security, he began his career as a network security engineer, and his enthusiasm for security got him into various IT and cybersecurity positions at companies such as United Airlines, Dell Technologies, Santander Bank, and Speedway LLC. Security is everyone's responsibility, and as such, his objective is to help foster that mentality across the technology industry and assist in developing solutions with a strong security architecture as a vital component of success.
I am eternally grateful to my ever-patient family for having supported me so much. A very special thanks to my managers, Eugene Silas, Johnny Kaissieh, and Rajneesh Bhambri, who have mentored me and helped me rise through the ranks to become who I am today.
Almost everyone in today's modern world knows about the internet and its role in everyday life, from email to live video calls. But at the same time, we have seen the rise of bad actors misusing and abusing the same internet for malicious purposes.
It is in this context that we need a secure way to browse the internet, especially from an enterprise perspective. Zscaler Internet Access (ZIA) is one such product that provides employees of the enterprise with a safe internet experience.
Many organizations have not yet embraced the concept of Zero Trust Network Access (ZTNA). Most of them are still in a legacy security mindset. Zscaler Private Access (ZPA) provides ZTNA private application access to end users of the enterprise.
This book is for a variety of readers. The first category consists of people like me who have been in the information technology field with no exposure to web security, but who want to transition into web security. The second category of readers is those who are in a decision-making capacity regarding a potential security product they are evaluating for their enterprise and are looking to compare Zscaler to other competing products. The third category consists of deployment and support engineers who need to architect, implement, and troubleshoot a Zscaler solution for an enterprise.
Chapter 1, Security for the Modern Enterprise with Zscaler, explains the evolution of the enterprise infrastructure and hence the need for unique, cloud-based, and scalable security solutions. It also introduces the two flagship products of Zscaler, namely, ZIA and ZPA.
Chapter 2, Understanding the Modular Zscaler Architecture, sets out the foundation for the reader by explaining the building blocks of the Zscaler cloud. It is very important to understand how the Zscaler cloud is architected in a modular fashion, and each component can scale without depending on the other components.
Chapter 3, Delving into ZIA Policy Features, gets right into the various web, mobile, and firewall features that are available with ZIA out of the box. A subset or all of the available features could be chosen by the Zscaler administrator of the enterprise.
Chapter 4, Understanding Traffic Forwarding and User Authentication Options, explains in detail the available options for forwarding the end user traffic to Zscaler. It also details the end user authentication options available to the enterprise and the process to choose the most appropriate option.
Chapter 5, Architecting and Implementing Your ZIA Solution, starts with the discovery of the current security posture within the enterprise, crafting a customized ZIA solution, and then implementing it across the enterprise.
Chapter 6, Troubleshooting and Optimizing Your ZIA Solution, provides practical troubleshooting tips for engineers supporting the ZIA solution and also provides ideas on how to get the most out of your deployed ZIA solution, such as reports and tweaking the dashboards.
Chapter 7, Introducing ZTNA with Zscaler Private Access (ZPA), introduces the concept of and the need for ZTNA. It also explains how ZPA aligns with the fundamental principles of ZTNA, and lists the components of ZPA architecture and agentless ZPA solutions.
Chapter 8, Exploring the ZPA Admin Portal and Basic Configuration, takes readers through a tour of the ZPA admin portal, configuration of the ZPA log servers, end user authentication with Azure AD and Okta, and ends with the configuration options for the ZCC app.
Chapter 9, Using ZPA to Provide Secure Application Access, continues with the configuration elements of the ZPA solution, including App Connector deployment and application configurations, and explores best practices for enterprise deployments.
Chapter 10, Architecting and Troubleshooting Your ZPA Solution, walks you through the process of developing a customized ZPA solution and provides ZPA troubleshooting tips to the enterprise engineers supporting the solution.
You will need access to either the ZIA Admin Portal or the ZPA Admin Portal or both in order to perform the configuration steps listed in this book. If you are administering end user authentication, it is recommended to have access to the IdP portal as well.
To set up the enterprise infrastructure, such as the NSS VMs or log servers, you need access to a VMware infrastructure within the enterprise.
Additional information regarding the hardware requirements is available on the Zscaler Portal.
Make sure to refer to the latest requirements from the Zscaler Help Portal, which can change frequently.
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781800567986_ColorImages.pdf.
There are a number of text conventions used throughout this book.
Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Zscaler's advanced sandbox feature can scan many additional types of file, such as .doc(x), .xls(x), .ppt(x), and .pdf."
Bold: Indicates a new term, an important word, or words that you see on screen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Click Flash from Etcher to write the image."
Tips or important notes
Appear like this.
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in, and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packt.com.
In this part, you will learn about the need for security and how it needs to change as the modern enterprise and workforce evolves.
This section comprises the following chapters:
Chapter 1, Security for the Modern Enterprise with Zscaler
Chapter 2, Understanding the Modular Zscaler Architecture
Chapter 3, Delving into ZIA Policy Features
Chapter 4, Understanding Traffic Forwarding and User Authentication Options
Chapter 5, Architecting and Implementing Your ZIA Solution
Chapter 6, Troubleshooting and Optimizing Your ZIA Solution

In the past few years, there has been a momentous shift in the way modern enterprises have evolved. They have moved from a traditional hub-and-spoke, data center type of network to a cloud-based or anywhere-access type of network. The core locations have become more decentralized because the employees are now based in various geographies and the applications are migrating to the cloud.
When we look at the infrastructure itself, enterprises invest in a variety of products such as routers, switches, and firewalls to implement various functions such as authentication and security. These products very quickly reach end-of-life from a capacity and a vendor-support perspective. This, in turn, causes the enterprises to upgrade in a 3- to 5-year cycle where they must do a lift and shift of the entire hardware in their data center. This moves the enterprise expenditure from an OPEX to a CAPEX model, which is not desirable from a business and planning perspective.
In this chapter, we will see how Zscaler steps in as a cloud-based security solution. The ZIA product provides secure internet access and the ZPA product brings the geographically spread-out end users and enterprise applications together. They both provide the following benefits:
There are no upgrade cycles for the enterprise as Zscaler takes care of that.
There is a shift from CAPEX to OPEX, which enterprises like because of predictability.
An amazing user experience as users can access applications using the best path.

In this chapter, we are going to cover the following main topics:
Fundamental definitions in security
Shift of the modern enterprise and its workforce
The need for scalable, cloud-based security
Zscaler Internet Access (ZIA) for a safe and secure internet experience
Zscaler Private Access (ZPA) for a zero-trust private application access

Let's get started!
In this section, we will define some commonly used internet and security terms that are applicable to this book. A detailed explanation of all internet and security concepts is outside the scope of this book. If you are already comfortable with these terms, you can skip ahead to the next section.
Active Directory is a directory service that was originally developed by Microsoft for the Windows environment and was released in 2000. It stores data such as users, groups, and devices. It has many components that assist the user to interact with the domain. Our focus in this book is to authenticate users against their credentials in Active Directory.
Authentication is the process by which an end user, a computer, or a software application can prove its identity. This is typically done using a username and a password. The term multi-factor authentication (MFA) is gaining popularity today. MFA means that there is an additional item that is needed in addition to a username and a password. This could be a token number or a biometric such as a fingerprint or a retina scan.
A bad actor is, in general, a malicious party that is usually interested in the following:
Attacking legitimate users and businesses due to various motivations
Stealing sensitive and valuable information from individuals and businesses
Compromising infrastructure such as servers and using them for their needs

Next, we'll look at bandwidth.
Bandwidth refers to the rate of data transfer over a network. It is typically measured in bits per second. The higher your bandwidth, the faster you can transfer your data across. The data being transferred could be an image, text, a video, or a combination of all three.
A certificate is usually a small text file that can be used to establish the identity, authenticity, and reliability of a web server on the internet. Certificates are usually used to assure the confidence of end users trying to use the services of a website and to provide protection against malicious websites. Certificates are issued by certification authorities and they are usually tracked with creation and expiry dates.
Data Loss Prevention (DLP) is the prevention of loss of any kind of valuable or sensitive data. Valuable data may mean company proprietary formulas and business strategies. Sensitive information may be customer information such as social security numbers, credit card numbers, date of birth, and so on.
The Domain Name System (DNS) is a system that converts domain names (such as www.google.com) into IP addresses so that web browsers can translate user requests into lower-level IP packets and carry on data transfer tasks, such as loading websites. DNS is crucial for internet security, as bad actors can hijack these servers and have the end user traffic sent to their malicious web servers instead of the legitimate ones.
A firewall is a security device or application that monitors traffic through the network and applies security rules configured by the administrator to that network traffic. Firewalls are usually used as perimeter security devices by many organizations.
The File Transfer Protocol (FTP) is a network protocol (based on IETF standards) that is used primarily to transfer files between a client and a server across a network.
An Identity Provider (IdP) is a system that creates and maintains identity information for end users or applications. When a company wants to authenticate an end user, they usually make a call to the IdP. An IdP is essentially an Authentication as a Service (AuthaaS).
An Intrusion Prevention System (IPS) is a system that sits inline with the network traffic, inspects it for possible malicious activity, and blocks it. There are many types of IPS, with the most recent ones looking to leverage artificial intelligence and machine learning.
Kerberos is an authentication protocol used on computer networks. It issues tickets for end user access and allows endpoints to communicate over non-secure networks and then prove their identity to one another in a secure way.
In the security world, logging means to record the transactions going across the network to a file on a storage medium. When there is a need to investigate a security incident, these logs are then analyzed by specialized systems to derive insights and conclusions.
Usually, software applications are used for legitimate purposes, such as for operating and growing a business. But bad actors write malicious software with the intent to steal valuable information or attack infrastructure such as computers. This malicious software is called malware. It could be as damaging as bringing down an entire organization to its knees or as annoying as pesky advertisement popups.
Usually, individuals sitting at their home computer access the internet directly. But many organizations use a proxy server that sits between the end users and the internet. They do this to monitor their employees' activity against any company policy violations. A proxy auto-config (PAC) file defines what proxy servers and methods are chosen by end user web browsers. A simple example would be choosing ProxyServer1 when going to www.yahoo.com and choosing ProxyServer2 when going to www.google.com.
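As an added example (not code from the book), here is a minimal proxy auto-config (PAC) script of the kind the paragraph describes. The browser calls FindProxyForURL(url, host) for every request and acts on the returned string: "PROXY host:port" (several may be listed, separated by ";", and are tried in order) or "DIRECT". The proxy hostnames and ports are assumed placeholders standing in for ProxyServer1 and ProxyServer2.

```javascript
// Added example (not from the book): a minimal PAC script. The proxy hostnames and
// ports below are assumed placeholders for ProxyServer1 and ProxyServer2.

// Browsers expose these PAC helpers themselves; they are re-implemented here with the
// same semantics so that the script also runs under Node.js for testing.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  // Plain suffix match: the leading "." in domain is what keeps "notyahoo.com" out.
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function shExpMatch(str, shexp) {
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

const PROXY_1 = "PROXY proxyserver1.example.com:8080";
const PROXY_2 = "PROXY proxyserver2.example.com:8080";
// Everything not matched by a specific rule goes to the primary proxy, with the
// second one listed as failover.
const DEFAULT_ROUTE = PROXY_1 + "; " + PROXY_2;

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified intranet names and loopback never leave the network.
  if (isPlainHostName(host) || host === "localhost" || host === "127.0.0.1") {
    return "DIRECT";
  }
  // Non-web schemes such as FTP are sent directly in this example policy.
  if (shExpMatch(url, "ftp:*")) {
    return "DIRECT";
  }
  if (dnsDomainIs(host, ".yahoo.com")) {
    return PROXY_1;
  }
  if (dnsDomainIs(host, ".google.com")) {
    return PROXY_2;
  }
  return DEFAULT_ROUTE;
}
```

Every "DIRECT" rule is traffic the proxy never inspects, so bypass rules should be kept to the minimum the business actually needs, and the leading dot in the domain suffixes matters: without it, an unrelated host whose name merely ends in "yahoo.com" would be routed by the same rule.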
Security Assertion Markup Language (SAML) is an open standard that is used to exchange authentication and authorization information between an IdP and a service provider. For example, some websites allow you to log in using your Google account. End users navigate to the website of interest. They click on Sign in with Google and are then redirected to Google. The user then enters their Google credentials, and they are authenticated and are then redirected to the original website. In this case, the original website is the service provider and Google is acting as the IdP.
A sandbox in security is an isolated environment where software components may be executed to observe their behavior and note down any malicious intent. Unknown software components are typically "detonated" in a sandbox environment before they are passed on to the end user.
A Secure Web Gateway (SWG) is a component or solution that continuously monitors web traffic between end users and web servers, and filters any traffic that is malicious or does not comply with the enterprise policies.
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) are cryptographic protocols that provide secure communication over a typically untrusted connection or network. They are commonly used when exchanging sensitive information, such as typing in your social security number or a credit card number on a website. Your browser typically shows a "lock" icon just in front of the URL in the address bar.
When an end user types in their credentials and is authenticated, a relationship is established between that user and the IP address they are currently using to access the network. This assumes that the IP address is used by only one user within the entire organization at any given time. So, this IP address is treated just like the user in terms of granting access to applications and so on.
When using an untrusted network such as the internet, private communications can typically be placed inside of (encapsulated) other packets. This allows for data to be moved across the untrusted network securely. This process is called tunneling. The channel that is established for this purpose is called a tunnel. There are many types of tunnels, such as GRE, IPSec, and so on.
A Virtual Private Network (VPN) allows an enterprise to extend their private network across a public network. For the end users, it appears as if the other side of the network is right across the room.
When an end user connects to a website through a proxy, the proxy uses its own IP address as the source when communicating with the web server. The X-Forwarded-For (XFF) header field can be used to identify the IP address of the originating end user. The web server can extract it to make decisions based on the originating IP address of the end user.
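The following added example (not from the book) shows how a web server behind a proxy chain should recover the originating client address from X-Forwarded-For. Each proxy appends the address it accepted the connection from, so the header grows left to right ("client, proxy1, proxy2"); the leftmost entry is whatever the client itself chose to send, so it only means something once every hop to its right is a proxy the server operator controls. The trusted proxy addresses and the sample request are constructed for this example.

```javascript
// Added example (not from the book). Trusted proxy addresses are constructed.
const TRUSTED_PROXIES = new Set(["10.0.0.5", "10.0.0.6"]);

// The shortcut many applications take: believe the first entry unconditionally.
function naiveClientIp(xffHeader, peerAddress) {
  const first = (xffHeader || "").split(",")[0].trim();
  return first || peerAddress;
}

// Walk the chain backwards from the peer that actually opened the TCP connection,
// skipping our own proxies; the first address that is not ours is the client.
function originatingClientIp(xffHeader, peerAddress, trusted = TRUSTED_PROXIES) {
  if (!trusted.has(peerAddress)) {
    // Direct connection or an unknown intermediary: nothing in the header was
    // written by us, so the only address we can vouch for is the peer's.
    return peerAddress;
  }
  const hops = (xffHeader || "").split(",").map(s => s.trim()).filter(s => s.length > 0);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trusted.has(hops[i])) {
      return hops[i];
    }
  }
  // Header empty or made up entirely of our proxies: fall back to the peer.
  return peerAddress;
}

// Constructed request: the client put a made-up address in the header before our
// two proxies appended the real chain (192.0.2.0/24 and 203.0.113.0/24 are
// documentation ranges).
const SAMPLE_XFF = "192.0.2.44, 203.0.113.9, 10.0.0.5";
const SAMPLE_PEER = "10.0.0.6";
```

On the sample request the naive reading yields the client-supplied 192.0.2.44, while walking from the trusted side yields 203.0.113.9, the address the first proxy actually saw. Any IP-based allow list, rate limit or log entry built from the naive value is under the client's control.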
With that, we have briefly touched upon the basic technologies that you will encounter in this book. Though this was a brief introduction, in this book and in your own work, you will get to know many of these concepts in more detail. In the next section, we will explore the changes that have led to the modern enterprise and workforce that we know today.
In this section, we will learn how the modern enterprise has slowly moved away from a central data center or headquarters model to a more distributed, internet-based model. We will also learn how the working habits of the enterprise workforce have changed with the advent of working remotely over the internet.
With the advent of the internet, for many technology workers, what could be done in the office can now be done remotely over the internet using technologies such as VPNs. This shift was accelerated due to several reasons:
Employees want a flexible work style. They are no longer tied to a traditional 8 A.M. to 5 P.M. work schedule.
Various teams in companies are now made up of employees from different geographies, so 8 A.M. is no longer the same for everyone on the team.
Companies benefited by moving from dedicated office space (such as a cubicle for an employee and an office room for a manager) to flexible workspaces that employees can reserve on the days they want to come to the office.
Different roles mean that someone could be working on a production install after hours, which is better done from the comfort of their home than from a lonely work location with no one around.
With the COVID-19 pandemic raging across the world, employees do not want to put their families at risk, and the pandemic has accelerated the move to working remotely over the internet.

All these points mean that companies must now adapt to their workforce. They must make applications readily available to their employees wherever they are located.
In a data center architecture, the enterprise chooses certain locations to serve as their repositories for applications and data. A company may choose a certain city on each of the continents they operate in and provision and maintain a massive data center. At this point, the company needs to provision expensive private connections between all its offices and these data centers.
Very quickly, this becomes an expensive proposition for the company. Not only does it have to focus on its core business, but now it must run and maintain its massive infrastructure. This infrastructure consists of several product categories, such as routers, switches, firewalls, and application servers. For redundancy and high-availability purposes, the company must invest in double the amount of equipment, even if the chances of a failure of the hardware components are low. This is because it cannot take the risk of business application downtime.
To add to this complexity, we all know that hardware for these products quickly becomes out of date. We are all familiar with our own personal upgrade cycles where we upgrade our electronic gadgets such as our smartphones, laptops, and tablets. Corporations are in a similar upgrade situation every 3 to 5 years based on the manufacturer, the product, and the technological changes in the marketplace.
When these upgrades come around, there is a wholesale lift-and-shift of the entire hardware, which needs a lot of manpower. This upgrade is also treated as a capital expense (CAPEX) and not as an operating expense (OPEX). Enterprises prefer an OPEX model because it allows them to predict the costs and account for them in their business operating model.
Enterprises also have a range of products doing different things. Most of the time, they do not have a choice, even if one product overlaps with another product in terms of its features. There is no single magic bullet or integrated product that can meet all the customers' needs.
Now that we've learned about the evolution of the preferences of the enterprise workforce and the changing requirements for the enterprise infrastructure, let's look at how a cloud-based security solution can address both those needs.
In this section, we will see how these shifts in trends lead us toward a scalable, available, cloud-based security while using the internet as the underlying transport mechanism.
As the workforce evolves and demands access to applications from anywhere, we must look at the common medium of transmission. We can all safely agree that the internet seems to be that common medium. End users can now access the internet using several methods such as a computer (Ethernet), a tablet (Wi-Fi), or a smartphone (cellular network). The internet is now considered a utility like electricity, water, and gas. So, why not use the internet to bring these end users to their applications?
The workforce is also demanding access not only from anywhere but at any time. Again, the internet solves this problem. The internet is always on. Many Internet Service Providers (ISPs) now provide service level agreements (SLAs) like other utilities.
Now, let us look at what we need in order to develop a model that enterprises prefer. The first issue was trying to build a vast network and infrastructure to host their applications and then to connect their workforce to those applications. If enterprises were to leverage the universal medium – the internet – they could use it as the transport mechanism to connect their workforce to their applications. This is very much true for internet-based applications, but it could also work for in-house legacy applications that run on physical servers.
Enterprises could migrate their applications to virtual servers on various public cloud platforms such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), or they could somehow leverage the internet to connect their users to the legacy applications in their data centers.
The second problem is the constant, expensive upgrade cycle. What if the provider is cloud-based and all upgrades are managed by the provider without any burden on the enterprise? All the enterprise needs to do is hand off their traffic to the provider using the internet; the provider does the rest. The enterprise is guaranteed an SLA from the provider and is also provided with high availability. This model also shifts the spending model from CAPEX to OPEX, which the enterprise prefers.
The third problem is in terms of the various products needed for a set of features. What if the enterprises can rely on a provider that has all the essential features that enterprises need and can be chosen on a subscription basis? Enterprises get the essential features for a base pricing model (billed monthly) and they can choose optional features for extra money. For example, they may choose extra features 1, 3, and 4 and pay $X more or choose extra features 1, 2, 3, and 4 and pay $Y more. Even better, what if these license costs are based on the number of active users? If an enterprise has 500 users, it pays 500X monthly instead of an arbitrary monthly amount. This would be a very fair pricing model, no different than a utility billing such as electricity, water, and gas.
Any security solution that is designed for enterprises needs to tick these boxes. A scalable solution means that the solution should continue to work at the same expectation levels when the user count goes from 100 to 10,000. This provides assurance to the enterprises that they do not have to worry about poor performance as their user base scales up or down.
The solution also needs to be highly available. This means that when a certain component of the provider goes down, end user traffic should automatically be handled or re-routed by another component that is ready and standing by. The availability of the provider is usually measured using SLAs. Some SLAs that are often mentioned by providers are 99.99% available or 99.95% available.
Finally, enterprises prefer a cloud-based solution where they do not have to do or know anything about how the providers operate. All the enterprises do is forward their traffic to the cloud provider and that is the end of it. The cloud provider provides the enterprise with an administration portal where the enterprise administrators can log in and provision their desired configuration.
In today's world, we are seeing that a lot of small businesses, schools, and hospitals are being targeted by bad actors, especially using ransomware that has been on the internet for quite some time. The consequences of a compromise can be fatal to these organizations. In the past, it was difficult to select and provision a security solution.
It does not have to be like that today. The solution that will be presented in the next sections is quite easy and quick to implement, especially when using the default security policy that is based on industry standards. This is even more true for a startup or a consulting organization that has many employees remotely working across broad geographies. As the saying goes, "prevention is better than cure" – this is very much true for internet security today.
The internet today has become the wild, wild west. There has been a mushrooming of many types of websites, especially after the dot-com boom. It has become difficult to keep track of legitimate websites versus malicious ones. When the Internet Service Providers (ISPs) themselves cannot keep track of these harmful websites, we cannot expect the end user to keep up with it. This is why we need a security solution to give the end users a safe internet experience.
Employees of the enterprise have a business need to access the internet on an almost daily basis. This could be for researching solutions, learning new skills, or logging into internet-based applications for company work.
Employees may be directed to go to a website through various means. For example, they may receive an email with a link where they can access the latest content on an interesting topic. A friend or a co-worker could send a web link through an instant chat message.
When employees are using corporate-issued devices to access these websites, it is the duty of the enterprise to provide employees with safe and secure internet access. If the employees inadvertently access malicious websites and those websites install some sort of malware on the corporate-issued device, then that malware could spread to other enterprise systems, including critical infrastructure, which will have a massive impact on the enterprise.
This is no different than someone catching a viral infection and then going around spreading it inadvertently – hence the need for safe internet. For example, an employee receives a seemingly legitimate email telling them they can find more information on a topic at www.help.com. A spammer or a bad actor can easily change the letter "l" in the website URL to the number "1" so that the malicious URL is www.he1p.com. Based on the font used by the employee's email program, the difference may not even be that visible.
The employee then proceeds to click on the malicious link, thereby triggering the malware and compromising the machine. Internet security is needed because not all malicious emails may be caught by the company's email security software. This is where Zscaler Internet Access (ZIA) comes in.
ZIA is a cloud-based web proxy whose primary purpose is to provide safe and secure access to the internet. Simply put, ZIA sits between the end user and the target internet website resource. The enterprise will purchase the necessary subscription and internet security feature set as part of their contract. A company Zscaler administrator will provision and activate these security settings in the ZIA portal. Those changes take effect immediately.
Once this has been set up, suppose an employee receives an email with a malicious link in it, as described in the previous section. When the employee clicks on that link, the browser on the machine tries to navigate to that malicious website. But that initial website request is now intercepted by Zscaler. Zscaler then checks this URL against its dynamic list of malicious websites and identifies it as a malicious website. Zscaler will then display a warning message that says this is a malicious website and hence the request was blocked.
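To make the two checks described above concrete (the "l" to "1" lookalike trick from the email example, and the block-list lookup that intercepts the request), here is a small added example of a URL decision function. It is not Zscaler's code or ZIA's actual algorithm; the block list, trusted-domain list and confusable-character table are constructed for illustration.

```python
"""Added example: classify a requested URL the way the text describes ZIA
doing it, i.e. check it against a list of known-malicious hosts, and also
catch lookalike domains such as he1p.com impersonating help.com.
All lists below are constructed sample data, not real Zscaler feeds."""
from urllib.parse import urlsplit

# Constructed stand-in for the provider's "dynamic list of malicious websites".
MALICIOUS_HOSTS = {"bad-download.example", "cnc-callback.example"}

# Constructed list of domains the enterprise trusts and wants protected
# from impersonation.
TRUSTED_HOSTS = {"help.com", "example.com"}

# Characters that are easy to confuse in many fonts, folded to a canonical
# letter. The digit "1" versus the letter "l" is the case from the text.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "8": "b"})


def strip_www(host: str) -> str:
    """Drop a leading 'www.' and any trailing dot so comparisons are stable."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def canonical(host: str) -> str:
    """Fold confusable characters so a lookalike collapses onto the real name.
    'rn' renders like 'm' and 'vv' like 'w', so those pairs are folded too."""
    folded = strip_www(host).translate(CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")


def classify(url: str) -> str:
    """Return the decision for one request: allow, or block with a reason."""
    host = strip_www(urlsplit(url).hostname or "")
    if host in MALICIOUS_HOSTS:
        return "block: known malicious"
    if host in TRUSTED_HOSTS:
        return "allow"
    # Not on either list: does it merely look like a trusted domain?
    if canonical(host) in TRUSTED_HOSTS:
        return "block: lookalike of trusted domain"
    return "allow"


if __name__ == "__main__":
    for u in ("http://www.help.com/topic", "http://www.he1p.com/topic",
              "https://bad-download.example/setup.exe"):
        print(u, "->", classify(u))
```

The lookalike fold is deliberately aggressive and can flag benign names that happen to fold onto a trusted one, so in practice the result should feed a warning page or a review queue rather than silently dropping traffic.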
A very impressive feature of ZIA is that it can detect botnet callbacks. Although we will talk about it in more detail in later chapters, we will provide an example here. Let's say that an employee takes their corporate device home and accesses the internet in an insecure way, and a bot gets installed on their device. When the employee uses the same device in the Zscaler-protected corporate environment, Zscaler will identify and block that botnet callback to the central bot server and can also alert an administrator. The administrator can then immediately identify the device and the user, and either quarantine that device or get it cleaned immediately using anti-malware software, thereby eliminating the root problem and preventing it from spreading. This can be visualized with the following diagram:
Figure 1.1 – Fundamental operation of Zscaler Internet Access (ZIA)
ZIA is also famous for its cloud sandbox feature. When malware is initially released on the internet, its signature (the bit pattern in binary) is not known to many anti-malware engines. ZIA can (adding a little bit of delay) identify this unknown signature and detonate it safely in its cloud sandbox environment and observe its effects. If there is no fallout, ZIA will forward that packet normally. If, however, it is observed that the malware is harmful, ZIA will immediately update its threat signature database and propagate that information to all its clouds, thus protecting all the remaining customers within a matter of minutes.