15 Feb 2010, Alan Stevens, V3
It's really hard to find fault with Zscaler which, with no hardware to install or software to maintain, is an incredibly easy-to-use yet very effective web security solution. In essence all you have to do is pay a monthly subscription and point your web browsers at Zscaler's proxies to filter out viruses and spyware, and selectively block access to a range of web sites and applications. It's very quick and very easy to manage with a web-based console that's soon mastered. Comprehensive analysis and reporting tools are another key feature, making it possible to spot trends and find out exactly who's doing what. We'd definitely recommend looking into this one. It may not be a total solution as you still need to protect against other sources of infection, but Zscaler will stop the most common threats quickly, cheaply and effectively, before they can do any damage.
Price: $1-$5 (63p - £3.20) per user per month depending on users and services subscribed
Manufacturer: Zscaler
Pros:
No special hardware required; flexible monthly subscription; protects fixed and mobile users; anti-virus/spyware filtering; rules for URL filtering plus access to webmail, instant messaging, social networking and data streaming services; comprehensive analysis and reporting tool.
Cons:
Only secures web traffic.
Review
Security in the cloud may be the 'next big thing' but, apart from hosting existing products on servers of their own, few security vendors have done much to embrace the concept. One exception is Zscaler, which offers a unique web filtering service designed from the ground up as an answer to cloud computing security.
Zscaler offers, in effect, a secure internet connection for a simple monthly subscription. There's no need for any extra hardware, making it very easy to test. All we needed to do was configure the browsers on our test network to connect to the web via a Zscaler proxy. We did this manually and it took just a few minutes, but the process can be automated for large companies and locked down to prevent users bypassing the controls later on.
As well as being quick and easy to set up, another advantage with Zscaler is the ability to protect mobile as well as office-bound users equipped with either notebooks or smartphones. To support this Zscaler has servers in over 40 datacentres across the world, ensuring fast, low-latency connectivity regardless of location. Users are connected to a local proxy by default, but even when we manually attached via proxies in the US or as far away as Hong Kong we saw no real drop in performance and remarkably little impact on latency.
Security profiles likewise are maintained and applied regardless of the proxy server being used. A simple yet comprehensive web-based console is provided for management and, when a change is made, it's immediately implemented across the Zscaler network.
How it works
The Zscaler proxies inspect all web traffic passing in or out of customer networks, applying a variety of user-configured filters or profiles as they go. A default set of profiles was configured as soon as we were signed up, providing a base level of security, and a useful online getting-started guide took us through tweaking the settings to suit our needs.
We began by making sure that the built-in anti-virus and anti-spyware services were active. They were, so we immediately began trial downloads of suspect files from Eicar and other security test sites. Zscaler correctly intercepted everything we threw at it, and displayed a customisable warning to let us know what was going on.
Next, we moved on to add rules to stop users browsing sites of our choosing. This we did by selecting from a categorised list to which we could easily add exceptions and, usefully, find out how particular sites would be classified in advance.
Again this worked well, and it was good to find that we could specify different rules for different users and quickly differentiate between office-bound and mobile connections. Another nice feature was the ability to specify when rules should be applied, and even set daily quotas to allow users a couple of hours of online shopping, but no more, for example.
Other controls let us selectively block access to public webmail services, such as Google Mail and Hotmail, with the option of allowing access while still blocking attachments. Similarly we could control the use of popular instant messaging, social networking and blogging services, plus sites such as YouTube that stream video and other data over the internet. Bandwidth controls were another option, along with customisable compliance policies to prevent data leakage.
Performance
Despite scanning every packet passing in and out of our network there was no noticeable impact on performance with Zscaler, which uses its own patented technology to assess the threat level posed by different sites and services. This is all the more impressive given that it's a multi-tenanted solution, which meant that we were sharing the host servers with other customers.
Moreover, unlike a lot of security products, there was no assumption of technical expertise and very little in the way of complex jargon to master. Indeed, it only took a couple of hours to become familiar with how it all worked and a couple more to be confident that we had a robust and effective security policy.
The analysis and reporting tools were impressive too. Logs generated by proxy servers can be huge, but Zscaler uses its own NanoLog compression technology to reduce the storage required, enabling it to keep huge amounts of data. That, in turn, allowed us to not just monitor trends from a summary dashboard view, but drill down to individual users and transactions to see just who was doing what.
In the end the only real issue we had with Zscaler was that it can only secure web traffic. On the plus side that's how the majority of threats are transmitted nowadays, but it means having to deploy other products to protect against infections spread by other means, such as removable media and SMTP email.
Such concerns aside, Zscaler really does make light work of securing web communications, and at a remarkably affordable price. There's no hardware to install and no software to update. It's all hosted and done for you up in the cloud. It's easy to manage and it just works.
Specification
Cloud-based web filtering and security service running on hosted servers across the world. No on-site appliances or other hardware required. Users need to be configured to use a Zscaler proxy for web access by programming browsers directly, by HTTP redirection via routers (using GRE tunnels) or firewalls, or by proxy chaining from existing proxy servers (Microsoft ISA, Squid, etc.). One-time sign-on to service required with support for a hosted user database plus Active Directory and LDAP integration.