Zscaler Inc.

07/29/2024 | News release | Distributed by Public on 07/29/2024 10:03

TLS, SWG, and the New Encrypted World Order: Part 2

Zscaler has innovatively devised strategies to ensure the integrity of data transmission, preventing sensitive information from going out and threats from coming in.

To achieve optimal outcomes for SSL inspection at scale, we adhere to five core principles, or pillars:

1. Scalability

SSL inspection is quite expensive and compute intensive in general. To achieve the required level of scalability, we ensure we have sufficient capacity, global coverage, and the right SSL acceleration in our entire global network to handle high volumes of encrypted traffic at line rate.

With over 150 locations worldwide and processing over 300 billion transactions daily, our architecture is multitenant, distributed, and purpose-built to handle high volumes of data and deliver a seamless end-user experience.

2. Ease of use

Simplifying SSL deployment is crucial, particularly during initial certificate enrollment, to avoid disrupting the user experience.

Zscaler offers two flexible deployment options: the Zscaler Default CA for a straightforward setup, or a Bring Your Own CA (BYOCA) approach for customers with diverse PKI requirements.

With the Zscaler Default CA, we provide the root and intermediate certificates that are used to sign the man-in-the-middle certificate. While this option is easy to use and works out of the box, it does require the root certificate to be pushed out to all endpoints so that they trust it.

With the BYOCA approach, we generate the private and public key pair and store it within the Zscaler cloud boundary, with measures in place to securely store and manage the keys. Certificates can then be distributed through various deployment methods, including Zscaler Client Connector (ZCC) and third-party mobile device management (MDM) solutions.

3. Secure decryption

To enforce secure TLS usage, Zscaler provides granular control over encryption protocols, allowing administrators to specify minimum client-side and server-side TLS versions. Furthermore, HTTP/2 decryption is supported across all Zscaler cloud data centers.

Additionally, Zscaler offers a fully managed cloud hardware security module (HSM) service to safeguard encryption keys. Granular SSL policy enforcement, based on factors such as URL categories and geographic locations, enables a phased SSL inspection deployment.

4. Privacy by design

Zscaler's architecture prioritizes security and privacy. We minimize and secure data throughout its life cycle: in use, in motion, and at rest. Our security controls are independently validated against top compliance frameworks, including DoD IL5. Additionally, Zscaler undergoes independent assessments to verify encryption controls, client key management, and the security of stored key material.

5. Measuring TLS inspection coverage

Zscaler provides several ways to measure coverage, including QBR reports and cybersecurity risk reports that break traffic down by protocol. Users can troubleshoot by analyzing the logs filtered by policy region and the items selected there.

Once TLS inspection is being measured, it can be quantified in several ways: filters show the value delivered across threat categories, file types, and threat names.
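As an added illustration of the measurement in pillar 5 and the minimum-version control in pillar 3 (this is example code, not Zscaler's tooling, and the key=value log format and field names are assumed, not Zscaler's schema), the following computes inspection coverage per URL category and flags transactions negotiated below the configured TLS floor:

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed key=value format (not Zscaler's own
# schema): policy action (decrypted|bypassed), negotiated TLS version, URL category.
SAMPLE_LOGS = """\
2024-07-29T10:03:01Z action=decrypted tls=TLSv1.3 category=Business
2024-07-29T10:03:02Z action=bypassed tls=TLSv1.2 category=Finance
2024-07-29T10:03:03Z action=decrypted tls=TLSv1.2 category=Business
2024-07-29T10:03:04Z action=decrypted tls=TLSv1.0 category=Shopping
2024-07-29T10:03:05Z action=bypassed tls=TLSv1.3 category=Health
2024-07-29T10:03:06Z action=decrypted tls=TLSv1.3 category=Shopping
"""

MIN_TLS = (1, 2)  # assumed policy floor: minimum TLS version the policy allows
LOG_RE = re.compile(
    r"action=(?P<action>\w+)\s+tls=TLSv(?P<major>\d)\.(?P<minor>\d)\s+category=(?P<category>\S+)"
)

def parse_logs(text):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield {"action": m["action"], "category": m["category"],
                   "tls": (int(m["major"]), int(m["minor"]))}

def coverage_by_category(text):
    """Return {category: (decrypted, total)} so coverage gaps show per policy scope."""
    counts = defaultdict(lambda: [0, 0])
    for rec in parse_logs(text):
        counts[rec["category"]][1] += 1
        if rec["action"] == "decrypted":
            counts[rec["category"]][0] += 1
    return {cat: tuple(v) for cat, v in counts.items()}

def overall_coverage(text):
    """Fraction of transactions actually inspected (0.0 when there are no records)."""
    per_cat = list(coverage_by_category(text).values())
    total = sum(t for _, t in per_cat)
    return sum(d for d, _ in per_cat) / total if total else 0.0

def below_minimum_tls(text, minimum=MIN_TLS):
    """Records negotiated below the floor: evidence the version policy is not being enforced."""
    return [rec for rec in parse_logs(text) if rec["tls"] < minimum]
```

Categories with a low decrypted share are the natural starting point for the next phase of a staged rollout, and any hit from the version check points at a policy scope where the floor is not applied.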

By adhering to these core principles, Zscaler ensures that SSL inspection is conducted efficiently, transparently, and securely, maintaining the integrity of data transmission and enhancing network security posture.