In the past few years, there has been a momentous shift in the way modern enterprises have evolved. They have moved from a traditional hub-and-spoke, data center type of network to a cloud-based or anywhere-access type of network. The core locations have become more decentralized because the employees are now based in various geographies and the applications are migrating to the cloud.

When we look at the infrastructure itself, enterprises invest in a variety of products such as routers, switches, and firewalls to implement various functions such as authentication and security. These products very quickly reach end-of-life from a capacity and a vendor-support perspective. This, in turn, causes the enterprises to upgrade in a 3- to 5-year cycle where they must do a lift and shift of the entire hardware in their data center. This moves the enterprise expenditure from an OPEX to a CAPEX model, which is not desirable from a business and planning perspective.

In this chapter, we will see how Zscaler steps in as a cloud-based security solution. The ZIA product provides secure internet access and the ZPA product brings the geographically spread-out end users and enterprise applications together. They both provide the following benefits:

• There are no upgrade cycles for the enterprise as Zscaler takes care of that.
• There is a shift from CAPEX to OPEX, which enterprises like because of predictability.
• An amazing user experience as users can access applications using the best path.

In this chapter, we are going to cover the following main topics:

• Fundamental definitions in security
• Shift of the modern enterprise and its workforce
• The need for scalable, cloud-based security
• Zscaler Internet Access (ZIA) for a safe and secure internet experience
• Zscaler Private Access (ZPA) for a zero-trust private application access

Let's get started!

In this section, we will define some commonly used internet and security terms that are applicable to this book. A detailed explanation of all internet and security concepts is outside the scope of this book. If you are already comfortable with these terms, you can skip ahead to the next section.

Active Directory

Active Directory is a directory service that was originally developed by Microsoft for the Windows environment and was released in 2000. It stores data such as users, groups, and devices. It has many components that assist the user to interact with the domain. Our focus in this book is to authenticate users against their credentials in Active Directory.

Authentication

Authentication is the process by which an end user, a computer, or a software application can prove its identity. This is typically done using a username and a password. The term multi-factor authentication (MFA) is gaining popularity today. MFA means that there is an additional item that is needed in addition to a username and a password. This could be a token number or a biometric such as a fingerprint or a retina scan.

Bad actors

A bad actor is, in general, a malicious party that is usually interested in the following:

• Attacking legitimate users and businesses due to various motivations
• Stealing sensitive and valuable information from individuals and businesses
• Compromising infrastructure such as servers and using them for their needs

Next, we'll look at bandwidth.

Bandwidth

Bandwidth refers to the rate of data transfer over a network. It is typically measured in bits per second. The higher your bandwidth, the faster you can transfer your data across. The data being transferred could be an image, text, a video, or a combination of all three.

Certificate

A certificate is usually a small text file that can be used to establish the identity, authenticity, and reliability of a web server on the internet. Certificates are usually used to assure the confidence of end users trying to use the services of a website and to provide protection against malicious websites. Certificates are issued by certification authorities and they are usually tracked with creation and expiry dates.

DLP

Data Loss Prevention (DLP) is the prevention of loss of any kind of valuable or sensitive data. Valuable data may mean company proprietary formulas and business strategies. Sensitive information may be customer information such as social security numbers, credit card numbers, date of birth, and so on.

DNS

The Domain Name System (DNS) is a system that converts domain names (such as www.google.com) into IP addresses so that web browsers can translate customer requests into lower-level IP packets and carry on data transfer tasks, such as loading websites. The DNS is very crucial for internet security as bad actors can hijack these servers and have the end user traffic sent to their malicious web servers, instead of the legitimate ones.

Firewall

A firewall is a security device or application that monitors traffic through the network and applies security rules configured by the administrator to that network traffic. Firewalls are usually used as perimeter security devices by many organizations.

FTP

The File Transfer Protocol (FTP) is a network protocol (based on IETF standards) that is used primarily to transfer files between a client and a server across a network.

Identity Provider

An Identity Provider (IdP) is a system that creates and maintains identity information for end users or applications. When a company wants to authenticate an end user, they usually make a call to the IdP. An IdP is essentially an Authentication as a Service (AuthaaS).

Intrusion Prevention System

An Intrusion Prevention System (IPS) is a system that sits in the line of the network traffic and looks at possible malicious activity and blocks it. There are many types of IPS systems, with the most recent ones looking to leverage artificial intelligence and machine learning.

Kerberos

Kerberos is an authentication protocol used on computer networks. It issues tickets for end user access and allows end points to communicate over non-secure network systems, and then prove their identity to one another in a secure way.

Logging

In the security world, logging means to record the transactions going across the network to a file on a storage medium. When there is a need to investigate a security incident, these logs are then analyzed by specialized systems to derive insights and conclusions.

Malware

Usually, software applications are used for legitimate purposes, such as for operating and growing a business. But bad actors write malicious software with the intent to steal valuable information or attack infrastructure such as computers. This malicious software is called malware. It could be as damaging as bringing down an entire organization to its knees or as annoying as pesky advertisement popups.

PAC file

Usually, individuals sitting at their home computer access the internet directly. But many organizations use a proxy server that sits between the end users and the internet. They do this to monitor their employees' activity against any company policy violations. A proxy auto-config (PAC) file defines what proxy servers and methods are chosen by end user web browsers. A simple example would be choosing ProxyServer1 when going to www.yahoo.com and choosing ProxyServer2 when going to www.google.com.

SAML

Security Assertion Markup Language (SAML) is an open standard that is used to exchange authentication and authorization information between an IdP and a service provider. For example, some websites allow you to log in using your Google account. End users navigate to the website of interest. They click on Sign in with Google and are then redirected to Google. The user then enters their Google credentials, and they are authenticated and are then redirected to the original website. In this case, the original website is the service provider and Google is acting as the IdP.

Sandbox

A sandbox in security is an isolated environment where software components may be executed to observe their behavior and note down any malicious intent. Unknown software components are typically "detonated" in a sandbox environment before they are passed on to the end user.

Secure Web Gateway

A Secure Web Gateway (SWG) is a component or solution that continuously monitors web traffic between end users and web servers, and filters any traffic that is malicious or does not comply with the enterprise policies.

Secure Sockets Layer/Transport Layer Security

Secure Sockets Layer (SSL)/Transport Layer Security (TLS) are cryptographic protocols that provide secure communication over a typically untrusted connection or network. They are commonly used when exchanging sensitive information, such as typing in your social security number or a credit card number on a website. Your browser typically shows a "lock" icon just in front of the URL in the address bar.

Surrogate IP

When an end user types in their credentials and are authenticated, a relationship is established between that user and the IP address they are currently using to access the network. This assumes that the IP address is used by only one user within the entire organization at any given time. So, this IP address is treated just like the user in terms of granting access to applications and so on.

Tunnel

When using an untrusted network such as the internet, private communications can typically be placed inside of (encapsulated) other packets. This allows for data to be moved across the untrusted network securely. This process is called tunneling. The channel that is established for this purpose is called a tunnel. There are many types of tunnels, such as GRE, IPSec, and so on.

VPN

A Virtual Private Network (VPN) allows an enterprise to extend their private network across a public network. For the end users, it appears as if the other side of the network is right across the room.

XFF

When an end user connects to a website through a proxy, the proxy will put its IP address when communicating with the web server. The X-Forwarded-For (XFF) header field can be used to identify the IP address of the originating end user. It can be extracted by the web server to make decisions based on the originating IP address of the end user.

With that, we have briefly touched upon the basic technologies that you will encounter in this book. Though this was a brief introduction, in this book and in your own work, you will get to know many of these concepts in more detail. In the next section, we will explore the changes that have led to the modern enterprise and workforce that we know today.

In this section, we will learn how the modern enterprise has slowly moved away from a central data center or headquarters model to a more distributed, internet-based model. We will also learn how the working habits of the enterprise workforce have changed with the advent of working remotely over the internet.

Evolution of the workforce

With the advent of the internet, for many technology workers, what could be done in the office can now be done remotely over the internet using technologies such as VPNs. This shift was accelerated due to several reasons:

• Employees want a flexible work style. They no longer are tied to a traditional 8 A.M. to 5 P.M. work schedule.
• Various teams in the companies now make up employees from different geographies, so 8 A.M. is no longer the same for everyone on the team.
• Companies benefited by moving from a dedicated office space (such as a cubicle for an employee and an office room for a manager) to a flexible workspace. This way, there are some flexible workspaces that could be reserved by the employees on the days where they want to come to the office.
• Different roles for the employees mean that someone could be working on a production install after-hours, which is better from the comfort of their home than a lonely work location with no one around.
• With the COVID-19 pandemic raging across the world, employees do not want to put their families at risk, and the pandemic has accelerated the move to work remotely over the internet.

All these points mean that now, companies must adapt to their workforce. They must make applications readily available to their employees wherever they are located.

Enterprise infrastructure evolution

In a data center architecture, the enterprise chooses certain locations to serve as their repositories for applications and data. A company may choose a certain city on each of the continents they operate in and provision and maintain a massive data center. At this point, the company needs to provision expensive private connections between all its offices and these data centers.

Very quickly, this becomes an expensive proposition for the company. Not only does it have to focus on its core business, but now it must run and maintain its massive infrastructure. This infrastructure consists of several product categories, such as routers, switches, firewalls, and application servers. For redundancy and high-availability purposes, the company must invest double the amount of equipment, even if the chances of a failure on the hardware components is low. This is because it cannot take the risk of business application downtime.

To add to this complexity, we all know that hardware for these products quickly becomes out of date. We are all familiar with our own personal upgrade cycles where we upgrade our electronic gadgets such as our smartphones, laptops, and tablets. Corporations are in a similar upgrade situation every 3 to 5 years based on the manufacturer, the product, and the technological changes in the marketplace.

When these upgrades come around, there is a wholesale lift-and-shift of the entire hardware, which needs a lot of manpower. This upgrade is also treated as a capital expense (CAPEX) and not as an operating expense (OPEX). Enterprises prefer an OPEX model because it allows them to predict the costs and account for them in their business operating model.

Enterprises also have a range of products doing different things. Most of the time, they do not have a choice, even if one product overlaps with another product in terms of its features. There is no single magic bullet or integrated product that can meet all the customers' needs.

Now that we've learned about the evolution of the preferences of the enterprise workforce and the changing requirements for the enterprise infrastructure, let's look at how a cloud-based security solution can address both those needs.

In this section, we will see how these shifts in trends lead us toward a scalable, available, cloud-based security while using the internet as the underlying transport mechanism.

Workforce evolution requirements

As the workforce evolves and demands access to applications from anywhere, we must look at the common medium of transmission. We can all safely agree that the internet seems to be that common medium. End users can now access the internet using several methods such as a computer (Ethernet), a tablet (Wi-Fi), or a smartphone (cellular network). The internet is now considered a utility like electricity, water, and gas. So, why not use the internet to bring these end users to their applications?

The workforce is also demanding access not only from anywhere but at any time. Again, the internet solves this problem. The internet is always on. Many Internet Service Providers (ISPs) now provide service level agreements (SLAs) like other utilities.

Enterprise preferences

Now, let us look at what we need in order to develop a model that enterprises prefer. The first issue was trying to build a vast network and infrastructure to host their applications and then to connect their workforce to those applications. If enterprises were to leverage the universal medium – the internet – they could use it as the transport mechanism to connect their workforce to their applications. This is very much true for internet-based applications, but it could also work for in-house legacy applications that run on physical servers.

Enterprises could migrate their applications to virtual servers on various public cloud platforms such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), or they could somehow leverage the internet to connect their users to the legacy applications in their data centers.

The second problem is the constant, expensive upgrade cycle. What if the provider is cloud-based and all upgrades are managed by the provider without any burden on the enterprise? All the enterprise needs to do is hand off their traffic to the provider using the internet; the provider does the rest. The enterprise is guaranteed a SLA from the provider and is also provided with high availability. This model also shifts the spending model from CAPEX to OPEX, which is preferable by the enterprise.

The third problem is in terms of the various products needed for a set of features. What if the enterprises can rely on a provider that has all the essential features that enterprises need and can be chosen on a subscription basis? Enterprises get the essential features for a base pricing model (billed monthly) and they can choose optional features for extra money. For example, they may choose extra features 1, 3, and 4 and pay $X more or choose extra features 1, 2, 3, and 4 and pay $Y more. Even better, what if these license costs are based on the number of active users? If an enterprise has 500 users, it pays 500X monthly instead of an arbitrary monthly amount. This would be a very fair pricing model, no different than a utility billing such as electricity, water, and gas.

Scalable, highly available, cloud-based solutions

Any security solution that is designed for enterprises needs to tick these boxes. A scalable solution means that the solution should continue to work at the same expectation levels when the user count goes from 100 to 10,000. This provides assurance to the enterprises that they do not have to worry about poor performance as their user base scales up or down.

The solution also needs to be highly available. This means that when a certain component of the provider goes down, end user traffic should automatically be handled or re-routed by another component that is ready and standing by. The availability of the provider is usually measured using SLAs. Some SLAs that are often mentioned by providers are 99.99% available or 99.95% available.

Finally, enterprises prefer a cloud-based solution where they do not have to do or know anything about how the providers operate. All the enterprises do is forward their traffic to the cloud provider and that is the end of it. The cloud provider provides the enterprise with an administration portal where the enterprise administrators can log in and provision their desired configuration.

Internet security for everyone

In today's world, we are seeing that a lot of small businesses, schools, and hospitals are being targeted by bad actors, especially using ransomware that has been on the internet for quite some time. The consequences of a compromise can be fatal to these organizations. In the past, it was difficult to select and provision a security solution.

It does not have to be like that today. The solution that will be presented in the next sections is quite easy and quick to implement, especially when using the default security policy that is based on industry standards. This is even more true for a startup or a consulting organization that has many employees remotely working across broad geographies. As the saying goes, "prevention is better than cure" – this is very much true for internet security today.

The internet today has become the wild, wild, west. There is a mushrooming of many types of websites, especially after the dot com boom. It has become difficult to keep track of legitimate websites versus malicious ones. When the Internet Service Providers (ISPs) themselves cannot keep track of these harmful websites, we cannot expect the end user to keep up with it. This is why we need a security solution to give the end users a safe internet experience.

Why safe internet?

Employees of the enterprise have a business need to access the internet on an almost daily basis. This could be for researching solutions, learning new skills, or to log into internet-based applications for company work.

Employees may be directed to go to a website through various means. For example, they may receive an email with a link where they can access the latest content on an interesting topic. A friend or a co-worker could send a web link through an instant chat message.

When employees are using corporate-issued devices to access these websites, it is the duty of the enterprise to provide employees with safe and secure internet access. If the employees inadvertently access malicious websites and those websites install some sort of malware on the corporate-issued device, then that malware could spread to other enterprise systems, including critical infrastructure, which will have a massive impact on the enterprise.

This is no different than someone catching a viral infection and then going around spreading it inadvertently – hence the need for safe internet. For example, an employee receives a seemingly legitimate email telling them they can find more information on a topic at www.help.com. A spammer or a bad actor can easily change the letter "l" in the website URL to the number "1" so that the malicious URL is www.he1p.com. Based on the font used by the employee's email program, the difference may not even be that visible.

The employee then proceeds to click on the malicious link, thereby triggering the malware and compromising the machine. Internet security is needed because not all malicious emails may be caught by the company's email security software. This is where Zscaler Internet Access (ZIA) comes in.

How ZIA works

ZIA is a cloud-based web proxy whose primary purpose is to provide safe and secure access to the internet. Simply put, ZIA sits between the end user and the target internet website resource. The enterprise will purchase the necessary subscription and internet security feature set as part of their contract. A company Zscaler administrator will provision and activate these security settings in the ZIA portal. Those changes take effect immediately.

Once this has been set up, suppose an employee receives an email with a malicious link in it, as described in the previous section. When the employee clicks on that link, the browser on the machine tries to navigate to that malicious website. But that initial website request is now intercepted by Zscaler. Zscaler then checks this URL against its dynamic list of malicious websites and identifies it as a malicious website. Zscaler will then display a warning message that says this is a malicious website and hence the request was blocked.

A very impressive feature of ZIA is that it can detect botnet callbacks. Although we will talk about it in more detail in later chapters, we will provide an example here. Let's say that an employee takes their corporate device home and then accesses the internet in an insecure way, so the bot is now installed on their device. When the employee uses the same device in the Zscaler-protected corporate environment, Zscaler will identify and block that botnet callback to the central bot server and can also alert an administrator. The administrator can then immediately identify the device and the user, and then either quarantine that device or get it cleaned immediately using anti-malware software, thereby eliminating the root problem and preventing it from spreading. This can be visualized with the following diagram:

Figure 1.1 – Fundamental operation of Zscaler Internet Access (ZIA)

ZIA is also famous for its cloud sandbox feature. When malware is initially released on the internet, its signature (the bit pattern in binary) is not known to many anti-malware engines. ZIA can (adding a little bit of delay) identify this unknown signature and detonate it safely in its cloud sandbox environment and observe its effects. If there is no fallout, ZIA will forward that packet normally. If, however, it is observed that the malware is harmful, ZIA will immediately update its threat signature database and propagate that information to all its clouds, thus protecting all the remaining customers within a matter of minutes.

There are many ways ZIA can be provisioned. If a user is at a corporate location, GRE or IPSec tunnels can be established from the location to the two (there could also be more or less than two, depending on the customer's choice) nearest Zscaler cloud locations. If the user works remotely or travels a lot, an application called the Zscaler Client Connector (ZCC) can be installed on the user's device. Before the user can access the internet, the user will have to log into the ZCC using their credentials manually or by using their Active Directory Domain credentials. This makes sure the user is always protected.

Zscaler estimates that over 80% of the traffic on the internet is now using SSL. Hence, SSL inspection is an integrated, most basic feature that is supported by ZIA.

Employees of the enterprise primarily work on the company applications that generate revenue, support customers, and grow the company business. These company applications have traditionally been custom-designed for the enterprise and hosted in data centers. With the expansion of the internet and public cloud providers, many enterprises are migrating their applications to the cloud. Employees need to securely connect to these applications in an effortless manner. Here, we will introduce the concept of private access.

What is Private Access?

In the previous sections, we looked at the security needed when the users are accessing the public internet. Many enterprises host their core business applications in a private data center or in the public cloud. Most of the time, the employees work on these business applications as part of their daily work duties.

In the past, we saw that most company employees go to their corporate location, access the business applications using their internal LAN and desktops, and then go home at the end of the day. But as we explained in the workforce shift, the following happened:

• Business applications started to move to the cloud (web-based model).
• Employees wanted flexibility in terms of where and when they worked.
• The internet became the most popular and affordable transport platform.

Now, enterprises can't force their employees to go to a corporate location anymore. So, how do enterprises connect end users to the business applications without exposing either to the public internet? This is where Zscaler Private Access (ZPA) comes in.

How ZPA works

The primary use case for ZPA is to connect the end users and the business applications wherever they are, without even traversing the public internet. What ZPA does is use the internet as a transport medium and heavily leverages the Zscaler cloud.

While installing the service, an enterprise ZPA administrator does the following:

1. End users are identified based on their department or location.
2. Business applications that need to transition to ZPA are identified.
3. The end user access policy to business applications is created using business needs.
4. A small virtual machine called the App Connector is deployed near the business applications.

We can see this illustrated in the following diagram:

Figure 1.2 – Fundamental operation of ZPA ADD

When the App Connectors boot up, they discover the business applications and register with the Zscaler cloud, stating that they are ready to serve the end users to provide access to end users. This communication happens over secure tunnels using the internet as the underlying transport mechanism.

When users log into their corporate devices, they authenticate with the ZCC application, as described earlier. Based on Step 3, their application access is provisioned and ready upon authentication, and this happens in a transparent manner for the end user. The end users do not have to do anything special.

When the end users initiate the business application natively or using a web-based interface, their request is handled by the nearest Zscaler cloud. The Zscaler cloud already knows where that business application resides from App Connector registration. The Zscaler cloud then brokers the connection between the end user and the App Connector in the most optimum and secure manner.

As you can see, from an end user perspective, all they must do is log into ZCC, and everything just works! The end users or the applications are never exposed to the internet. You cannot attack what you cannot see!

ZCC

We saw ZCC mentioned in both the previous sections, so let's clarify things here. ZCC can be used for just ZIA, just ZPA, or both ZIA and ZPA. Ideally, the enterprise would use the same authentication mechanism so that their end users do not have to log into ZCC twice – once for ZIA and once for ZPA – which would be very confusing. ZCC is a central tool in most Zscaler implementations and as we will see in later chapters, ZCC offers a lot of different configurations that provide flexibility to each enterprise situation.

In this chapter, we saw how the internet has changed the working habits of the modern workforce influenced how enterprises operate. We learned about the need for a cloud-based, scalable, security solution. We then examined how Zscaler's ZIA and ZPA products play a key role in providing end users with a safe and secure internet browsing experience, while also providing them with secure access to the company's applications without being exposed to the internet.

In the next chapter, we will learn about the essential components of the Zscaler cloud, the roles and functionality of each component, and how they interact with each other. We will introduce the concepts of the management plane, the data plane, and the statistics plane.

As we conclude, here is a list of questions for you to test your knowledge regarding this chapter's material. You will find the answers in the Assessments section of the Appendix:

1. What are the reasons that a modern workforce prefers a flexible and remote work style?

   a. The internet can now allow anyone to access anything from anywhere.

   b. Flexible work style and globalization means no fixed hours or time zone.

   c. The enterprises require that their workforce is remote only.

   d. a and b

2. Why do enterprises prefer an OPEX rather than a CAPEX model?

   a. OPEX is better for accounting and tax purposes for enterprises.

   b. OPEX provides cost predictability, whereas CAPEX does not.

   c. All the above.

   d. None of the above

3. Why are enterprises moving away from the central data center model?

   a. Enterprises must keep up with the constant device upgrade cycle.

   b. Enterprises must connect all their data centers together with high-speed communications.

   c. Enterprises can achieve economies of scale by leveraging the public cloud.

   d. All the above.

4. The internet remains a safe place and hence there is no need for a web security solution for enterprises.

   a. True

   b. False

5. ZIA provides secure, private access to enterprise applications.

   a. True

   b. False

6. In a ZPA solution, neither the end users nor the enterprise applications are exposed to the internet.

   a. True

   b. False