Built 100% in the cloud, Zscaler delivers your 'Security Stack-as-a-Service' from the cloud - where your services and users now reside. By securely connecting users to their applications, regardless of device, location, or network, Zscaler has transformed enterprise security, providing...
- Unmatched Security - Always-on protection. No appliance complexity.
- Secure Network Transformation - From 'hub-and-spoke' to direct-to-cloud.
- Fast & Secure Remote Access to AWS/Azure - No remote VPN pitfalls.
- Successful Microsoft 365 Deployment - One-click deployment. No network upgrades.
Every Zscaler Deployment is Different
With no hardware appliances to deploy, connecting to the Zscaler service is as simple as forwarding all internet traffic to the Zscaler service, so you can secure your internet traffic and apply policies accordingly.
However, as Zscaler has a powerful set of features, it is important to configure it according to your unique (and predefined) requirements. So, here, we'll discuss how to deploy Zscaler.
Traffic Forwarding Methods
Firstly, several traffic forwarding methods exist to connect to the Zscaler Cloud.
- Tunnelling
- PAC Files
- Zscaler App
- Proxy Chaining
You can use one or a combination of these, depending on your environment/architecture. For more information about the various traffic forwarding methods Zscaler supports, read Choosing Traffic Forwarding Methods.
Configuring Zscaler to Deliver on Your Requirements
However, aside from the technical elements of deployments, there are many other considerations and variables that you should take into account when deploying Zscaler.
Every Zscaler deployment we undertake is different
This is because every business has different operations, goals, and requirements.
While the goal of one organisation may be to secure its remote workforce, another may be looking to implement URL filtering and bandwidth control. Zscaler has a wide set of security capabilities - it just depends on what you are looking to achieve.
Firstly, Some Questions to Ask / Answer
Here are a few questions relating to your environment and plans, which are helpful to consider and answer.
1. Do you have sites connected via MPLS, and do they have direct internet access?
2. Do you use any Hyperscale platforms? e.g. Office 365, Salesforce.com, etc.
3. Do you allow remote VPN access for remote workers, contractors, or affiliated persons?
4. How do you currently firewall protect your services?
5. Do you currently use any DNS proxy web filtering services?
6. Do you have any expansion/acquisition plans?
7. What is the mix of office-based/mobile/remote workers?
8. Do you have a multi-device deployment? i.e. PC/Tablet/Mobile phone. How are these protected?
9. Do you have a multi-OS environment? i.e. Windows/Android/iOS. How are these protected?
How to Approach a Zscaler Deployment
As previously mentioned, every Zscaler deployment is different. There is no prescribed way of:
- Forwarding traffic
- Authenticating
- Rolling out
Zscaler is capable and flexible enough to offer multiple deployment options, some of which will naturally lend themselves to certain environments and some of which will depend on the preference of those who will ultimately administer the service day to day.
1. Define Your Required (and Desired) Goals From Zscaler
This is a critical step, as it will shape the deployment and help define the project plan. The following are the common business drivers behind the decision to deploy Zscaler. One or several may apply to your organisation.
1.1. Security
Zscaler’s security cloud processes up to 50 billion requests (more than Google) and performs 120,000 security updates each day. Any threat detected by any user is instantly shared and blocked across the entire Zscaler network. So very little configuration is required to benefit from the powerful in-built security toolset of Zscaler’s security-as-a-service.
1.2. Compliance Requirements
Compliance means different things to different people. With many in-built feature sets, Zscaler can be configured to help you meet your compliance requirements (GDPR, PCI, ISO 27001, Cyber Essentials, etc.) where these are a priority.
Zscaler provides a toolset for controlling what people put onto the internet and includes a Data Loss Prevention (DLP) add-on.
1.3. Business Productivity
Many organisations are concerned about lost productivity from (for example) using Facebook, or ‘shadow IT' services like Google Drive, or Dropbox.
Zscaler gives you complete visibility of user behaviour, so you can intelligently shape policy and user behaviour.
For example, a large organisation we were working with saw a lot of file-sharing activity with Google Drive, Dropbox and WeTransfer. The investigation saw no malicious activity, but this highlighted risks. So, the policy was adjusted to move everyone towards using Microsoft’s OneDrive, meaning file sharing was kept under the control of the business.
Additionally, bandwidth control allows you to view and prioritise business traffic. 60% of the bandwidth was allocated to Office 365, while YouTube bandwidth was capped. All of this maintained the Quality of Service and user productivity.
1.4. Digital Transformation
Cloud services reduce hardware footprint and internal operational resource costs. However, many organisations' architectures were not designed for cloud services.
Zscaler allows secure, policy-based access to cloud-based services via direct internet breakouts. With no hardware to deploy, any user (regardless of location) will get the same quality of service and user experience. This makes deploying cloud-based services like Office 365 much easier, especially since Zscaler is co-located with Microsoft’s data centres.
1.5. Increasingly Mobile Workforce
Similarly, Zscaler makes providing remote and mobile users with secure, policy-based access to corporate services easy. Apply consistent policy to users, regardless of whether they’re in the office or a cafe. Everything is still controlled centrally, and every user gets the same Quality of Service.
1.6. Expanding Network / Mergers & Acquisitions
With a merger or acquisition, you wouldn’t want to connect networks immediately. However, with Zscaler, transferring new users/operations into your network is easy. Enrol new users to make them part of existing corporate controls and security policies. This provides the umbrella which you can use to stitch together networks.
2. Design & Project Plan
Having understood and defined your business requirements and goals, the next step is to produce a design to ensure the important functionality is configured and tested, and the service is successfully deployed along the agreed plan and timescales.
As a standard process, CyberOne works with your internal network experts and project management resources, engaging with various people throughout the business to help bring to the surface any concerns from within the business (regardless of where they are coming from).
3. Deployment Support
As a cloud service, there’s rarely a need for a CyberOne engineer to be on-site. However, only our most experienced Zscaler-certified engineers are assigned to client Zscaler deployments, providing a dedicated point of contact to support the intensive project plan.
Zscaler themselves do provide a standard support service, but the most intensive and business-critical support activities will occur during installation. CyberOne's team is always on hand to offer their wider IT expertise to oversee the installation and ensure any interaction with Zscaler is appropriately escalated and managed.
Example Zscaler Deployment
CyberOne deployed Zscaler to a company with 1,000+ users, spread over 26 sites in 8 countries.
Most users were concentrated in 3 main regional headquarters, but with many small branch offices, plus an ever-increasing number of exclusively remote mobile workers.
The company already supported direct internet breakout from each site, so as a result, there was no need to backhaul traffic over MPLS to a central location. They had no existing context-based URL filtering and used a DNS-based filter with a single policy applied to all. There was no ability to differentiate between groups and little visibility or security over traffic.
The company had grown via several acquisitions, so the infrastructure was disparate—many sites operated semi-autonomously.
The Challenge
The challenge they faced was applying a common security policy to internet activity and increasing data loss protection, when each site was very different regarding how users authenticate, and how traffic could be routed.
Discovery Phase
During the discovery phase, we were able to draw an accurate picture across all the sites, establishing that the majority of sites (including the three HQs) used the same version of the firewall, which was managed by the same third party. We also discovered that despite the disparity, operating systems were largely uniform.
Identities were not managed centrally but via multiple independent Active Directories. This challenge sat outside of the Zscaler deployment, so CyberOne recommended a highly effective cloud-based Identity Provider that could unite the various directories so that Zscaler and other cloud-based applications could be easily integrated with the business going forward.
Traffic Forwarding
Business-critical applications such as Salesforce and various banking sites were identified for testing and possible SSL bypasses. Regarding traffic forwarding, it was decided to use a combination of tunnels where firewalls existed (for the most comprehensive coverage) and the Zscaler App on devices where there was no firewall or for mobile users.
The firewalls did not support GRE tunnels, but given bandwidth information, it was decided that IPSec VPN tunnels were the best option. The Zscaler App would be configured to recognise when the device was on or off a corporate network so it could disable or enable itself.
Test Site, With Staged Deployment
A mid-sized branch site was identified as a test site. The service was then incrementally and systematically rolled out over the week with several prescribed tests built around business-critical applications to measure the success of the Zscaler deployment.
As per the project plan, the successful Zscaler deployment not only ensured a smooth transformation with minimal business disruption but also showcased the strengths of Zscaler’s platform, delivering on the defined goals:
- Transformed security infrastructure, with local internet breakouts
- Securing and enabling the mobile workforce
- Unification of security services
- Simplified and reduced administration
About Zscaler Inc.
The World’s Largest Cloud Security Platform
As a Gartner magic quadrant leader for Secure Web Gateways, Zscaler moves your security stack to the cloud, providing fast, secure connections between users and applications, regardless of device, location, or network.
With 100+ data centres globally, every user gets a fast, local connection no matter where they connect from.