Getty Images/iStockphoto

Tip

A review of Zscaler SASE architecture

Zscaler has a strong cloud-native architecture for secure internet access. But it doesn't deliver SD-WAN or converge internet access and WAN security, leaving it with only part of a SASE platform.

Editor's note: This article is part five in a series that looks at SASE vendors and their platforms. These vendors were chosen regardless of size or ranking. Instead, they were selected based on enterprise interest and competitive bids that our expert has encountered while consulting customers.

When one thinks of secure remote access in the cloud, Zscaler almost always comes to mind. The $45 billion network security company brands itself as the "zero trust leader." And, because zero trust is a core part of Secure Access Service Edge, one would expect Zscaler to play well in the SASE space. But the reality is Zscaler delivers only part of what's needed to be a SASE platform.

SASE in brief

SASE is meant to be a global cloud service that provides secure access everywhere -- at sites, on the road and in the cloud. With SASE, enterprises displace their many networking and security appliances with a single global service.

While Gartner includes about a dozen security and networking functions in its SASE description, SASE is first and foremost a cloud-native service. Processing should be done in the cloud as much as possible, with the bare minimum running at the edge. By edge, Gartner refers to software-defined WAN (SD-WAN) appliances that link sites; clients -- and clientless access -- for mobile devices and IoT devices; and cloud connectivity.

Core capabilities required for SASE fall into two components:

  1. WAN edge services
  2. security service edge

SD-WAN is the most critical of the WAN edge services. Other capabilities include routing, quality of service (QoS), WAN optimization, SaaS acceleration and content delivery. In truth, all SD-WAN devices will now include routing and QoS.

For security services, Gartner identifies four that are critical: firewall as a service, secure web gateway (SWG), cloud access security broker (CASB) and zero-trust network access (ZTNA). Other capabilities include data loss prevention (DLP) and remote browser isolation.

Again, the genius of SASE isn't about new features. Most, if not all, features in a SASE platform already exist in some form in the market. The genius of SASE is the packaging of those features together. They're delivered as one in a single, global cloud service. One console monitors and manages them. In short, switching from appliances and discrete services to a SASE cloud is as revolutionary and beneficial as the shift from servers to cloud computing.

The Zscaler SASE offering

Zscaler has a global cloud-native platform that provides trust and secure access. With the introduction of SASE, Zscaler adopted that nomenclature to describe its secure access suite.

Zscaler runs two services:

  1. Zscaler Internet Access (ZIA) for secure access to the internet; and
  2. Zscaler Private Access (ZPA) for secure access to remote locations.

The vendor does not offer SD-WAN devices, requiring customers to obtain third-party appliances.

Zscaler Internet Access

With ZIA, enterprises establish a Generic Routing Encapsulation or IPsec tunnel from a site's router to the closest Zscaler data center. Mobile employees forward traffic via Zscaler Client Connector or a proxy autoconfiguration file running on their mobile devices. ZIA inspects unencrypted and Secure Sockets Layer traffic, providing a cloud firewall, cloud intrusion prevention system, cloud sandbox, cloud DLP, CASB and cloud browser isolation.

Zscaler Private Access

With ZPA, enterprises gain zero-trust access to private applications running on public cloud or within the data center. Companies add the Zscaler App Connector VM on the same network segment as the server running an application.

Once users connect to ZPA, they're authenticated. If authorized, ZPA instructs App Connector to establish a connection from the application to the ZPA user. In this way, applications are never exposed to the internet, making them invisible to unauthorized users. The approach supports managed and unmanaged devices and any private application, not just web apps.

Two separate products and use cases

Zscaler provides basic firewalling, acting as an access control list. This may be sufficient for users and branch offices, but data centers will require third-party firewalls. Zscaler's inspection capabilities in ZIA are limited to HTTPS, FTP and DNS protocols. Most customers will use the Zscaler advanced cloud firewall to secure outbound access, which takes a significant load off the existing data center firewall.

Most importantly, remember that ZIA and ZPA are two different products. ZIA is built by deploying hardware into top-tier data centers, while ZPA is mostly in AWS. Traffic from ZPA cannot be passed to ZIA; ZIA traffic can be passed to ZPA. Management platforms are separate, and so is authentication. Without single sign-on, users will have to double authenticate.

Strengths of Zscaler SASE

Zscaler offers a rich security option in ZIA that ticks all the boxes Gartner said are must-haves for SASE: next-generation firewall, SWG, CASB and ZTNA. In addition, ZIA offers DLP and sandboxing. ZTNA is offered as part of ZPA. Zscaler also has also strong applications analytics through Zscaler Digital Experience, which enables organizations to monitor the application experience.

Weaknesses of Zscaler SASE

The devil is in the details, however, and the details matter when it comes to SASE. Below are some of the weaknesses of Zscaler SASE.

PoPs and geographic coverage

Although Zscaler advertises 150+ points of presence (PoPs), that number is deceiving. Not every service is available from every Zscaler data center. A customer will most likely only be able to access 40 to 60 data centers depending on the Zscaler cloud to which they belong. Also, many regions carry surcharges. For example, at last count, the Zscaler.net subcloud had only 58 data centers in unique locations ready for use by ZIA customers.

Performance plagues Zscaler

ZPA might sound like a viable option for secure enterprise access, but performance is a known issue for several reasons. First, of Zscaler's 150 PoPs, ZPA is available from 50 locations. This means latency increases, as user traffic must be diverted back to a Zscaler PoP before it proceeds to the enterprise data center. Second, the PoPs themselves are little more than VMs running in AWS. Zscaler performance suffers further without the ability to control the routing or scale resources up and down to address capacity issues.

In short, Zscaler provides pieces of a SASE platform but not the full story.

Finally, Zscaler data centers rely on the internet to connect with one another, not a global backbone. For global enterprises, this means WAN traffic is still exposed to the unpredictability and poor performance of the global internet. All traffic -- even traffic used for managing the service -- is routed over the public internet. While a private backbone and WAN optimization can make a significant difference in performance, none of those technologies are available with Zscaler.

Too often, I've heard of customer cases where Zscaler does not scale or properly manage their networks. PoPs often can't handle traffic volumes, something which Zscaler may blame on the internet. It tells customers to fail over sites manually to another data center while it investigates. (Zscaler service outage issues can be found at trust.zscaler.com.) All in all, ZPA performance suffers significantly, often delivering worse performance than traditional VPN products.

Complex to run and set up

SASE is meant to make networking and security simpler, but companies continue to face complexity challenges with Zscaler. Deployment is hardly zero touch. Customers need to install the Zscaler App Connector VM on the same network segment as the server that runs applications, which will be accessed remotely. In addition, customers need to deploy Client Connector on any client that connects to ZPA or ZIA and needs to access those applications. They also need to deploy third-party SD-WAN devices and data center firewalls separately.

On the back end, IT will need several VMs. Teams may need Zscaler Authentication Bridge to import Active Directory users. Nanolog Streaming Service and Log Streaming Service, which is built into the ZPA connector VM, are needed to export logs to third-party security information and event management for ZPA and ZIA, respectively. All of which, as well as the third-party appliances, must be duplicated for high availability purposes.

An essential part of SASE is seeing and managing the complete network through one console. With Zscaler, that is a problem. Zscaler has three separate consoles for managing ZIA, ZPA and Zscaler Client Connector. In addition to those three Zscaler consoles, customers will need another console for connecting third-party SD-WAN devices at each location to the Zscaler cloud.

Security in some places but not others

ZIA carries a rich set of security capabilities but lacks a full-fledged firewall to inspect protocols common to enterprises, such as Server Message Block 3.0. Zscaler also cannot provide dedicated IP addresses to customers. The only options are backhauling traffic through the ZPA service to a data center location, or proxy chaining.

Because all customers share egress IPs, Zscaler has had issues with websites blocklisting IPs, causing problems for customers. That issue can also make it ineffective to use source IP anchoring policies for authentication. Zscaler malware detection through its Advanced Threat Protection shields against all the major threats.

As for ZPA, it provides secure access but nothing else. It doesn't have content inspection, which leaves servers vulnerable to malware that moves laterally across the WAN from infected endpoints, and it provides no data leakage protection. At present, ZPA can provide protections for only the Open Web Application Security Project Top 10 on HTTPS. Anything else crossing ZPA to the data center is uninspected.

Zscaler: Half a SASE platform

In short, Zscaler provides pieces of a SASE platform but not the full story. For security, ZIA makes for a strong internet access option but doesn't inspect other protocols, nor does ZPA inspect east-west traffic. ZPA relies on the Zscaler Client Connector application and provides zero trust. For individual users, however, ZPA currently has no site-to-site capabilities, though clientless access is available. SD-WAN devices, as noted, are not offered at all.

As a result, enterprises are left running a patchwork of services to address their security and networking needs, which is exactly what SASE is meant to eliminate. Zscaler gets kudos for leading with a cloud-native architecture. But far more development, or integration with an SD-WAN platform, will be needed for Zscaler to be considered a serious SASE platform.

Dig Deeper on Network security