Correction: In the original version of this article, we incorrectly stated the cost of Zscaler's service in the final paragraph. We regret the error.
Protecting your network perimeter with security software or appliances is a pointless exercise when your typical user is a laptop- or smartphone-toting mobile worker or your business has numerous branch offices.
That was the thinking behind the creation of Zscaler, a California-company that offers enterprise security as a service. Founded four years ago by Jay Chaudhry (a serial entrepreneur with companies such as AirDefense and CipherTrust to his name) and executives from big name companies including Cisco, Juniper, Citrix and BlueCoat, Zscaler's service aims to provide security for corporate HQs, branch offices and mobile workers from the cloud, without the need for onsite hardware, software or client agents.
So how does Zscaler work? Not by running security appliances in remote data centers and sending traffic to these for sanitization, the company is at pains to point out. "Very early on we realized that we weren't going to rack and stack BlueCoat or Squid appliances behind load balancers," says Manoj Apte, Zscaler's vice president of product management. "You don't solve many of the security problems that exist that way, and you don't make any money. Instead we decided to create a platform from scratch which would exist only in the cloud."
The Zscaler system is actually split up into three parts: the central authorities (CAs), numerous Zscaler enforcement nodes (ZENs) and NanoLog servers. The CAs provides customers with a user interface from which they can manage their organization's security policies. These include URLs (or URL categories) that should be blocked, and whether Web 2.0 and other services such as webmail, instant messaging, streaming video and social networking should be allowed. Bandwidth controls (to restrict or ban Hulu traffic and to guarantee a minimum bandwidth for WebEx, for example) and data loss prevention engines (to prevent financial records or documents marked "confidential" from leaving the organization, for example) can also be configured on a CA. The CAs are actually a distributed peer-to-peer cluster with an automatically elected master, the company says, so that a CA will always be available even if a major Internet outage occurs in one region. End user authentication is carried out through integration with Secure LDAP or ID Federation systems.
The all-important traffic analysis and sanitization work is actually carried out on Zscaler's ZENs, a large number of which are distributed in data centers throughout the world. "Whenever we sell in a country, we put a node there" Apte explains. These machines have a custom OS and TCP/IP stack, and run entirely in RAM, making them very fast indeed, he says. 90 percent of transactions can be carried out in less than 90 microseconds, and 10 microseconds is typical, Apte claims. Each ZEN can handle traffic from hundreds of thousands of users, scanning every byte for viruses, botnet activity, cross site scripting exploits and more.
When an organization subscribes to the Zscaler service, its traffic can be diverted to the service in a number of ways. Enterprise network traffic can be diverted to Zscaler by configuring egress routers, while laptops, iPhones and other smartphones can be configured to use Zscaler as a proxy, or to connect to it using a VPN. Whatever the method, Zscaler then connects the user to the nearest ZEN so that mobile workers suffer a minimum amount of latency. (It is also possible for customers to specify to connect to ZENs in particular countries if they need to, perhaps to satisfy particular regulatory requirements.) The latest policies configured in the CA are then downloaded to that ZEN to be enforced.
Solving reporting problems
A potential problem with this architecture is the difficulty of producing reports when users in different locations may be connecting to different ZENs, says Apte. "If you have nodes everywhere, you are going to have logs everywhere," he points out. To overcome this problem, each ZEN compresses the logs it produces and sends them every second to a number of Zscaler's NanoLogs server over a secure connection. These are consolidated in real time, so that within 10 seconds - guaranteed by a service level agreement - administrators can see a log of any user's activity, regardless of where they are in the world and which ZEN they may be connected to. This could be the most recent activity from that user, or historic data. "If you want to analyze a user's logs from June 5th of last year at 4pm, we can get you that data within 10 seconds," Apte boasts.
In terms of the security services that the ZEN provides, Zscaler divides these into three broad classes: anti-virus and anti-spyware (AV/AS); Advanced Threat Protection (ATP) ; and web access control. Its AV/AS system scans all files before they are sent to end user machines, and also scans web pages for malicious scripts, embedded viruses and links to malware. It also uses multiple commercial AV/AS engines concurrently in offline mode to help detect other threats. For ATP, Zscaler uses a technology it calls ByteScan to scan every byte of every request and response, to detect hidden iframes, cross site scripts, signs of phishing attempts, cookie stealing and botnet command and control traffic. The system can handle encrypted HTTPS connections once a Zscaler certificate has been installed on a device: Zscaler then acts as a man in the middle, decrypting SSL traffic scanning it, and then re-encrypting it and sending it on to its final destination. It also computes a risk index for any given page based on factors such as incidence of zero pixel images and where in the world the page is being served from. Administrators can then define a policy to block pages based on their risk level.
Apte says that Zscaler has found appeal with customers with all sizes. "At the low end we've found that Zscaler sells itself: small companies lack resources and want someone to take care of their security for them. The service also appeals to large companies as they often have too many branch offices and mobile users to make appliances practical."
Implementation times are usually very short indeed, Apte says, because customers don't need to install any hardware or software (except for SSL certificates) and in some cases may only need to configure a single router. He cites the example of one customer who switched to Zscaler at 12,000 sites across the USA in just seven days.
In common with most cloud based services pricing is done on a per user basis, with bundles offered for 1, 3 or 5 years. Apte says that most new customers look at the service as an appliance replacement, and therefore sign up for three years -- the typical life of an appliance -- paying $1.5 to $4 per user per month, depending on the package they buy.