Item: Zscaler Internet Access
Rating: 6
Author: Verified User

Use Cases and Deployment Scope

Our office has a hybrid working environment with corporate employees working out of the corporate office and then the remote consultants. We use Zscaler as our firewall for our hosted solutions on Azure and AWS. We are also maintaining a Fortinet NGFW on-premise for our corporate staff. Zscaler is primarily tasked with protecting our hosted solutions on the cloud. We also route some outbound traffic from our corporate office via Zscaler to the internet. The primary reason we bought Zscaler is to allow remote consultants to connect into our secure services hosted online.

Pros and Cons

Zscaler completely moved away from the traditional firewall setup to a hosted firewall solution. We don't have to worry about the hardware failing or maintaining it as part of our service plan compared to our on-premise firewall. Zscaler has a lot of data centres across the world where they are maintaining their solutions so mobile consultants will always be close to one of their data centres.
Rolling out Zscaler solutions to our end customers' computers is actually pretty easy and hassle-free. As part of onboarding of new employees we can set up the Zscaler solution and push it to our end users' machines and get them connected to the cloud solutions.
Zscaler does proper market research on the latest emerging threats and they keep their firewall patched and updated to the latest versions so the security team does not have to worry about keeping the firewall updated.

My personal opinion about Zscaler is their idea is that all the services are online and are moving to the cloud but the truth is some of them have to stay on-premise and employees still need to work from an office. Zscaler simply doesn't have any on-premise solutions like an NGFW to provide a complete package. We are supporting Fortinet NGFW for our on-premise solution.
As mentioned earlier Zscaler being hosted online we don't get the full flexibility of managing our firewalls. Although it's a good thing we keep running into problems like when we want to allow list a service from a specific source IP Zscaler cannot provide a static IP for that. They route traffic through multiple IP addresses and the IP's keep changing every 15-20 minutes. So you cannot allow list a specific IP on the receiving end. The only way to move forward would be to allow an entire range of IP's which opens a security loophole on the receiving end.
For every small thing we have to keep opening a ticket with Zscaler. Their response rate is fast but still in a fast-moving world it's not fast enough. Especially since we need to get approval from our change control to get something done and then again we have to raise a ticket to get something done from the Zscaler side.

Most Important Features

Zscaler lets our consultants connect to our services like service now or SharePoint securely.
Zscaler maintains our internet gateway sort to speak so that we don't have to pay our telecom provider for MPLS lines or separate static IP's on-premise. Without a solution like Zscaler we would still be hosting some services on-prem and have to engage with our ISP to maintain lease lines or static IPs.
Zscaler internet access works well with our on-premise SIEM solution (Splunk) and sends really robust logs which we can ingest for further analysis if needed.

Return on Investment

We cancelled our lease line contract and our static IP contract from our ISP which is a key win for us.
We can make sure that our users are connecting to our share drive securely even if they are on the road which is also a key win.
The negative side with Zscaler is we cant choose our internet gateway IP address as its managed by Zscaler.
Another negative side is Zscaler is not a complete package for us as we maintain our on-premise firewall (Fortinet) along with Zscaler.

Alternatives Considered

Palo Alto Networks GlobalProtect Mobile Security Manager and Fortinet FortiGate

Fortinet's hosted solution is not really supported in my opinion. Opening a ticket for hosted firewall is a pain and even during the POC phase we had to work with engineers who really didn't understand our use case and we were not really happy with the way they presented the solution.

Key Insights

Do you think Zscaler Internet Access delivers good value for the price?

Yes

Are you happy with Zscaler Internet Access's feature set?

Did Zscaler Internet Access live up to sales and marketing promises?

Yes

Did implementation of Zscaler Internet Access go as expected?

Would you buy Zscaler Internet Access again?

Yes

Other Software Used

Fortinet FortiGate, Symantec Endpoint Security

Likelihood to Recommend

Zscaler is well suited if you have a work force which is 90-100% remote and you don't have to worry about any on-premise solution. In these cases all you have to do is set up your Zscaler and push credentials to your end users and they are good to go. Zscaler simply doesn't have any solutions if you have physical offices. This means you need to maintain separate firewalls (On-prem NGFW and Zscaler), separate contracts, separate points of contact and separate documentation and training.

In the Middle East region with strict data laws or countries where there is a law that critical network devices have to be maintained in the country this might not be the right solution as Zscaler doesn't have data centres in every country. Also some organisations like the government's compliance policy might not permit a solution like Zscaler because the security team does not have much control of the product.

A review from an organisation with both on-prem and remote workforce.

Software Version

Overall Satisfaction with Zscaler Internet Access