09/24/2024 | News release | Distributed by Public on 09/24/2024 11:22
1. Chrome DTC and ZPA Context Aware Access (CAA) service
The Chrome DTC interacts seamlessly with the Zscaler Zero Trust Exchange platform to share device posture information, enabling secure access based on predefined policies.
When a user attempts to access a private application (e.g., by entering private-app.acme.com into their browser), the request is first routed to the Zscaler platform. To handle this interaction, Browser Access needs to be configured (Link). Upon receiving the request, the Zscaler platform forwards it to the CAA service for further validation.
The CAA service initiates the security workflow by calling the Chrome Verified Access API, which generates a challenge. This challenge is sent to the browser, which responds with encrypted posture information. The CAA service then forwards this encrypted response to the Verified Access API service, which decrypts it and returns the device posture data to the CAA service. Once the CAA service receives this verified posture information, it checks the access policy to determine whether the device meets the conditions required for accessing the requested application.
This secure flow ensures that only devices meeting posture requirements are allowed access, reinforcing the zero trust architecture.
2. ZPA security policy definition
Once the user is authenticated and verified as using the Chrome Enterprise Browser, the ZPA policy engine can optionally conduct further posture checks before granting access. These posture checks ensure that the device complies with security requirements, reinforcing the zero trust architecture.
ZPA security administrators have the flexibility to create detailed posture profiles, which consist of various key-value pairs that define the criteria necessary for accessing specific applications. These profiles may include device attributes, security settings, or other critical posture elements that align with the organization's security policies.
Example: Posture information that will be sent to ZPA for evaluation via the DTC

| Name | Key | Value |
| --- | --- | --- |
| Browser version | browser_version | 126.0.6478.127 |
| Key trust level | key_trust_level | CHROME_BROWSER_HW_KEY |
| Operating system | operating_system | MAC_OS_X |
| Disk encryption | disk_encryption | DISK_ENCRYPTION_ENCRYPTED |
| Host firewall | os_firewall | OS_FIREWALL_ENABLED |
| Boot mode | secure_boot_mode | SECURE_BOOT_MODE_ENABLED |
| Screen lock | screen_lock_secured | SCREEN_LOCK_SECURED_ENABLED |
| Safe Browsing | safe_browsing_protection_level | STANDARD |
| EDR | crowd_strike_agent | true |
Example: Policy definition in ZPA
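The policy step described in section 2, as an added example that is not Zscaler's or Google's code: a posture profile expressed as key-value rules is evaluated against the signals listed in the table above. The signal keys and values come from the table; the rule operators (equals, one_of, min_version, is_true), the ENHANCED Safe Browsing level used in one rule, and the profile itself are assumptions constructed for illustration. Missing or unparsable signals fail closed, which is the behaviour a defender wants from a posture check.

```python
"""Evaluate a posture profile against the posture signals the DTC sends.

Added example, not Zscaler's or Google's code. Signal names match the table
above; the rule syntax and the sample profile are constructed assumptions.
"""
from dataclasses import dataclass

# Posture payload as shown in the table above (constructed sample).
SAMPLE_POSTURE = {
    "browser_version": "126.0.6478.127",
    "key_trust_level": "CHROME_BROWSER_HW_KEY",
    "operating_system": "MAC_OS_X",
    "disk_encryption": "DISK_ENCRYPTION_ENCRYPTED",
    "os_firewall": "OS_FIREWALL_ENABLED",
    "secure_boot_mode": "SECURE_BOOT_MODE_ENABLED",
    "screen_lock_secured": "SCREEN_LOCK_SECURED_ENABLED",
    "safe_browsing_protection_level": "STANDARD",
    "crowd_strike_agent": True,
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted version such as '126.0.6478.127' into a comparable int tuple."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Rule:
    key: str        # posture signal key, e.g. "disk_encryption"
    op: str         # "equals", "one_of", "min_version" or "is_true" (assumed syntax)
    expected: object


def check_rule(rule: Rule, posture: dict) -> tuple[bool, str]:
    """Return (passed, reason). A missing signal fails closed rather than open."""
    if rule.key not in posture:
        return False, f"{rule.key}: signal missing"
    actual = posture[rule.key]
    if rule.op == "equals":
        ok = actual == rule.expected
    elif rule.op == "one_of":
        ok = actual in rule.expected
    elif rule.op == "min_version":
        try:
            ok = parse_version(str(actual)) >= parse_version(str(rule.expected))
        except ValueError:
            return False, f"{rule.key}: unparsable version {actual!r}"
    elif rule.op == "is_true":
        # The table shows the EDR signal as a bare 'true'; accept bool or string.
        ok = actual is True or str(actual).lower() == "true"
    else:
        return False, f"{rule.key}: unknown operator {rule.op!r}"
    return ok, f"{rule.key}: {'ok' if ok else 'got ' + repr(actual)}"


def evaluate_profile(rules: list[Rule], posture: dict) -> tuple[bool, list[str]]:
    """All rules must pass (AND semantics). Returns the decision and per-rule reasons."""
    results = [check_rule(rule, posture) for rule in rules]
    return all(ok for ok, _ in results), [reason for _, reason in results]


# Posture profile for a sensitive private application (constructed example).
SENSITIVE_APP_PROFILE = [
    Rule("key_trust_level", "equals", "CHROME_BROWSER_HW_KEY"),
    Rule("operating_system", "equals", "MAC_OS_X"),
    Rule("disk_encryption", "equals", "DISK_ENCRYPTION_ENCRYPTED"),
    Rule("os_firewall", "equals", "OS_FIREWALL_ENABLED"),
    Rule("secure_boot_mode", "equals", "SECURE_BOOT_MODE_ENABLED"),
    Rule("screen_lock_secured", "equals", "SCREEN_LOCK_SECURED_ENABLED"),
    # ENHANCED is assumed here as the stricter Safe Browsing level.
    Rule("safe_browsing_protection_level", "one_of", {"STANDARD", "ENHANCED"}),
    Rule("browser_version", "min_version", "126.0.0.0"),
    Rule("crowd_strike_agent", "is_true", True),
]


if __name__ == "__main__":
    allowed, reasons = evaluate_profile(SENSITIVE_APP_PROFILE, SAMPLE_POSTURE)
    print("ALLOW" if allowed else "DENY")
    for line in reasons:
        print("  ", line)
```

Returning a reason per rule, rather than a bare boolean, is what makes a denial diagnosable in transaction logs: an administrator can see which signal was missing or out of policy without re-running the check.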
3. Advanced security controls
Zscaler and Chrome come together to deliver advanced security and data protection capabilities, ensuring complete control over sensitive data, even when it's accessed from unmanaged devices. With Chrome Enterprise Premium and ZPA, organizations can implement robust DLP controls to prevent data leakage.
Key features include:
ZPA also enhances security by offering advanced application controls. Through user fingerprinting, ZPA continuously identifies and tracks the user throughout their browsing session. If an anomaly in the fingerprint is detected, it can indicate potential session hijacking, providing an additional layer of protection.
Example: Download controls - PII data download being blocked with custom notification
Example: Watermarking capabilities - added with username and timestamp to discourage screen captures
4. Comprehensive traffic visibility and device context with ZPA and Chrome
ZPA provides administrators with complete visibility into all traffic passing through the system, capturing critical system information from unmanaged devices. This enables security teams to monitor user activity, enforce security policies, and respond to potential threats in real time. By having detailed device posture and traffic data, ZPA ensures robust protection across all user interactions.
In addition, Chrome Enterprise enhances this visibility by sharing additional context about the browsers in your environment. Chrome Browser collects and reports device signals, providing administrators with deeper insights into browser usage and user behavior. This combined visibility helps strengthen the security enforcement.
Example: Transaction logs for the traffic flow with Chrome posture signal.
Example: Extensions and applications installed in the Chrome user base.