Zscaler, trusted for resilience

As we recently announced, Zscaler continues to grow, adding more and more customers seeking a trusted security cloud that provides protection and a great user experience. Passing 500 billion daily transactions was a major milestone that we could not have reached without the trust put in us by our customer base.

That trust has been hard won, and rightly so, given the fact that Zscaler is a security cloud that sits inline between users, devices and applications, making us mission critical for our customers. The reliability and performance of our service is paramount, which is why we go to such lengths to stay on top of demand, both in terms of service availability and capacity.

And it’s working! As the number of daily transactions has risen over recent years, we have seen an inverse drop in the number of support tickets handled by our customer success team.

Business Continuity in Focus

Business continuity planning (BCP) has been receiving heightened attention in 2024, driven by the growing number of governmental and industry regulations compelling it, such as DORA, but also by some high profile IT outages that had widespread impact around the world. The reliance on being secure and online means vendors must do all they can to provide reliable services that also maintain compliance to regulatory mandates.

Customers, especially from regulated industries, often ask us, ”We trust Zscaler and your investments in building the most trusted security cloud, but how should we plan for a force majeure event, as unlikely as it may be?”

In early 2023, we introduced resilience capabilities for our security cloud, providing organizations with a way to stay connected, even in the event of a widespread internet outage, or a nation-state level attack on the infrastructure underpinning Zscaler services.

These widely adopted customer-controlled resilience solutions serve the basic need to keep the lights on. Now it’s time to go to the next level, and so we’re delighted to be announcing significant enhancements to our resilience solutions that minimize disruption to normal activity, even during a catastrophic, so-called “black swan” event.

We laid out three goals when thinking about how to build on our initial resilience capabilities:

Provide business continuity with full security posture, even during a catastrophic event
Make it even easier to configure and deploy
Make it simple, or even automated, to trigger

Introducing Business Continuity Private Clouds

For the next evolution in our resilience solution, we are introducing Private Business Continuity Clouds that add a private control plane to the existing private data plane to facilitate access to applications with a full security posture in the event the public cloud is unavailable or unreachable. Customers will be able to deploy local services in their own data center, or even opt for an upcoming fully Zscaler-managed solution. The components to make this work vary for internet/SaaS and private application, so let’s unpack this in more detail.

Internet and SaaS Applications (ZIA)

When it comes to access to the web, and web-hosted (SaaS) applications, if the customer wishes to retain granular controls during a catastrophic failure they would deploy one or more Private Service Edges. Managed by Zscaler Cloud Operations, these physical or virtual appliances provide the same functionality available under normal operations through Zscaler’s Public Service Edges, the internet gateways to the Zero Trust Exchange (of which there are more than 160 around the world). Primary functions of a Service Edge include bidirectional web traffic inspection for malware, and the enforcement of malware, security, compliance, data loss prevention, and firewall policies.

To the Private Service Edge we are adding the ability for Client Connector to failover to the Private Service Edge, and establish a Z-Tunnel 1.0, leveraging the Business Continuity PAC file. A new Private Policy Caching capability is added, which facilitates seamless failover between itself and Public Service Edges, specifically by providing a backup for the public Central Authority servers. These are the servers that host all customer policy and configuration settings. They also monitor the cloud and provide a central location for software and database updates, plus threat intelligence.

With the addition of the Private Policy Cache, customers retain full security posture during a catastrophic failure, including for unauthenticated users who require access during that time.

Private Applications (ZPA)

Private applications are accessed differently, whereby they are rendered effectively invisible to all but those with permissions to access them. This is distinct from a publicly available SaaS application, which must be visible to the internet to be discovered and accessed. This difference presents a unique set of challenges when it comes to handling catastrophic failures.

Zscaler addresses this with a new Private Cloud Controller, a virtual appliance that stays in sync with the public Zero Trust Exchange until a failover event occurs, or the ZTE is unreachable, for whatever reason. This solution was originally developed to address the stringent requirements of the military DDIL (Denied, Disrupted, Intermittent, and Limited) use case where federal agencies need to ensure zero trust access to critical applications, even in the event of loss of connectivity to the public cloud. In this instance the Private Cloud Controller takes on responsibility for a wide range of functions, over and above what was previously available:

Authentication redirection
User redirection
New user enrollment
Log streaming
Customer configuration sync

Business Continuity for Endpoints

There’s another important use case to cater for. Imagine an organization’s endpoints (laptops, mobile devices) had been compromised, as famously happened to Maersk back in 2017. Even if the Zscaler public cloud was operational and reachable, such an organization could be dead in the water without a way to securely connect productivity devices to applications.

Enter Cloud Browser Isolation for secure, agentless BYOD access to web applications. This functionality already has a place in the Zscaler portfolio as an alternative to VDI, or to secure the use of BYOD devices. These make the feature a perfect fit for a catastrophic event by enabling an impacted organization to utilize any unmanaged or BYOD device for application access via its browser. Employees simply switch over from their non-functioning corporate device to continue their work. Zscaler is able to stream applications as pixels to the ‘guest’ device, meaning full security and policy controls can be maintained, and data loss prevented.

Conclusion

When it comes to technology, eventually something is going to go wrong. IT professionals the world over spend a good chunk of their time seeking to mitigate potential impact to productivity by building resilience, in all its forms. It’s like an insurance policy, except that when it comes to business continuity planning for cybersecurity it’s more: regulatory and compliance requirements in many industries demand adherence.

These imperatives have driven customers to demand more capabilities during even the most catastrophic events. With these new industry-first offerings from Zscaler, organizations can feel confident that they will experience little to no impact to their operations. To learn more, read our solution brief, or watch our on-demand webinar.  

​[#item_full_content] [[{“value”:”Zscaler, trusted for resilience

As we recently announced, Zscaler continues to grow, adding more and more customers seeking a trusted security cloud that provides protection and a great user experience. Passing 500 billion daily transactions was a major milestone that we could not have reached without the trust put in us by our customer base.

That trust has been hard won, and rightly so, given the fact that Zscaler is a security cloud that sits inline between users, devices and applications, making us mission critical for our customers. The reliability and performance of our service is paramount, which is why we go to such lengths to stay on top of demand, both in terms of service availability and capacity.

And it’s working! As the number of daily transactions has risen over recent years, we have seen an inverse drop in the number of support tickets handled by our customer success team.

Business Continuity in Focus

Business continuity planning (BCP) has been receiving heightened attention in 2024, driven by the growing number of governmental and industry regulations compelling it, such as DORA, but also by some high profile IT outages that had widespread impact around the world. The reliance on being secure and online means vendors must do all they can to provide reliable services that also maintain compliance to regulatory mandates.

Customers, especially from regulated industries, often ask us, ”We trust Zscaler and your investments in building the most trusted security cloud, but how should we plan for a force majeure event, as unlikely as it may be?”

In early 2023, we introduced resilience capabilities for our security cloud, providing organizations with a way to stay connected, even in the event of a widespread internet outage, or a nation-state level attack on the infrastructure underpinning Zscaler services.

These widely adopted customer-controlled resilience solutions serve the basic need to keep the lights on. Now it’s time to go to the next level, and so we’re delighted to be announcing significant enhancements to our resilience solutions that minimize disruption to normal activity, even during a catastrophic, so-called “black swan” event.

We laid out three goals when thinking about how to build on our initial resilience capabilities:

Provide business continuity with full security posture, even during a catastrophic event
Make it even easier to configure and deploy
Make it simple, or even automated, to trigger

Introducing Business Continuity Private Clouds

For the next evolution in our resilience solution, we are introducing Private Business Continuity Clouds that add a private control plane to the existing private data plane to facilitate access to applications with a full security posture in the event the public cloud is unavailable or unreachable. Customers will be able to deploy local services in their own data center, or even opt for an upcoming fully Zscaler-managed solution. The components to make this work vary for internet/SaaS and private application, so let’s unpack this in more detail.

Internet and SaaS Applications (ZIA)

When it comes to access to the web, and web-hosted (SaaS) applications, if the customer wishes to retain granular controls during a catastrophic failure they would deploy one or more Private Service Edges. Managed by Zscaler Cloud Operations, these physical or virtual appliances provide the same functionality available under normal operations through Zscaler’s Public Service Edges, the internet gateways to the Zero Trust Exchange (of which there are more than 160 around the world). Primary functions of a Service Edge include bidirectional web traffic inspection for malware, and the enforcement of malware, security, compliance, data loss prevention, and firewall policies.

To the Private Service Edge we are adding the ability for Client Connector to failover to the Private Service Edge, and establish a Z-Tunnel 1.0, leveraging the Business Continuity PAC file. A new Private Policy Caching capability is added, which facilitates seamless failover between itself and Public Service Edges, specifically by providing a backup for the public Central Authority servers. These are the servers that host all customer policy and configuration settings. They also monitor the cloud and provide a central location for software and database updates, plus threat intelligence.

With the addition of the Private Policy Cache, customers retain full security posture during a catastrophic failure, including for unauthenticated users who require access during that time.

Private Applications (ZPA)

Private applications are accessed differently, whereby they are rendered effectively invisible to all but those with permissions to access them. This is distinct from a publicly available SaaS application, which must be visible to the internet to be discovered and accessed. This difference presents a unique set of challenges when it comes to handling catastrophic failures.

Zscaler addresses this with a new Private Cloud Controller, a virtual appliance that stays in sync with the public Zero Trust Exchange until a failover event occurs, or the ZTE is unreachable, for whatever reason. This solution was originally developed to address the stringent requirements of the military DDIL (Denied, Disrupted, Intermittent, and Limited) use case where federal agencies need to ensure zero trust access to critical applications, even in the event of loss of connectivity to the public cloud. In this instance the Private Cloud Controller takes on responsibility for a wide range of functions, over and above what was previously available:

Authentication redirection
User redirection
New user enrollment
Log streaming
Customer configuration sync

Business Continuity for Endpoints

There’s another important use case to cater for. Imagine an organization’s endpoints (laptops, mobile devices) had been compromised, as famously happened to Maersk back in 2017. Even if the Zscaler public cloud was operational and reachable, such an organization could be dead in the water without a way to securely connect productivity devices to applications.

Enter Cloud Browser Isolation for secure, agentless BYOD access to web applications. This functionality already has a place in the Zscaler portfolio as an alternative to VDI, or to secure the use of BYOD devices. These make the feature a perfect fit for a catastrophic event by enabling an impacted organization to utilize any unmanaged or BYOD device for application access via its browser. Employees simply switch over from their non-functioning corporate device to continue their work. Zscaler is able to stream applications as pixels to the ‘guest’ device, meaning full security and policy controls can be maintained, and data loss prevented.

Conclusion

When it comes to technology, eventually something is going to go wrong. IT professionals the world over spend a good chunk of their time seeking to mitigate potential impact to productivity by building resilience, in all its forms. It’s like an insurance policy, except that when it comes to business continuity planning for cybersecurity it’s more: regulatory and compliance requirements in many industries demand adherence.

These imperatives have driven customers to demand more capabilities during even the most catastrophic events. With these new industry-first offerings from Zscaler, organizations can feel confident that they will experience little to no impact to their operations. To learn more, read our solution brief, or watch our on-demand webinar.”}]]