At Zenith Live 2023, we announced several new and amazing innovations to further enhance Zscaler’s ability to secure enterprise organizations, whether it is for their employees, workloads, or IoT/OT devices.
In this blog, I want to revisit the exciting new capabilities we’re bringing to Zscaler Workload Communications to help customers secure their public cloud workloads such as VMs, containers, or virtual desktops.
Specifically, I want to explore how we are improving Workload Communications for our customers in three key areas:
- Simplifying Operations
- Automating Segmentation
- Unifying Multicloud
Although the public cloud provides rich and highly scalable services, customers struggle to properly manage, operate, and execute their cloud workload security. To help address these challenges, we have worked hard to enhance our integration with Cloud Service Providers (CSPs), which enables customers to simplify connecting and securing their cloud workloads. Here are a few examples of features available today and coming soon:
- Identity and Attributes. We have new features that can help organizations automatically identify workloads and surface their cloud attributes for use in security policies.
- Virtual Desktop Infrastructure. Customers have the flexibility to deploy multi-user or non-persistent desktops with zero trust.
- Infrastructure as Code. We support our customers' Infrastructure as Code requirements; we are big supporters of Terraform and CloudFormation.
Let’s dig into a few of the new features for workload autodiscovery and building policy rules by referencing cloud-native user-defined tags and attributes.
- Autodiscover Resources. Very often, customers have to deal with clunky network constructs like IP addresses, FQDNs, or subnets. Managing these is challenging because of their dynamism and elasticity. Our upcoming feature provides customers with built-in discovery-as-a-service that automatically surfaces their workloads and workload details in real time. The following screenshot is an example of an AWS account-level view that includes all of the EC2 instances across multiple VPCs.
- Review Discovered Resources. When customers double-click on their resources, they are given the option to verify the auto-discovered resources. Within the dashboard view, additional details surface including cloud-native user-defined tags and attributes. Customers can create logical groups that can be aligned with the business functions that are associated with these workloads.
- Create Resource or Workload Groups Using Tags. Customers can then build resource or workload groups using these tags or attributes for the Cloud Connector forwarding rules. Reference the following screenshot. These groups will then be automatically applied to Zscaler Internet Access (ZIA), Zscaler Private Access (ZPA), and more.
- The feature enables customers to reference their user-defined tags from a variety of cloud-native resource types such as VPC or VNET, subnet, EC2 or VM, and even as granular as an AWS ENI (Elastic Network Interface).
- Apply ZIA Policies to Resource/Workload Groups. For ZIA, customers select the groups they configured in their Cloud Connector portal. The groups can then be applied to ZIA filtering rules such as firewall (see below) as well as any of the other ZIA rules such as URL, SSL, DLP, SWG, and more.
- Apply ZPA Policies to Resource/Workload Groups. As with ZIA, customers can apply these groups based on user-defined tags or attributes to ZPA access policies.
Our customers are successful in using ZPA to enable least-privilege access for their users when accessing applications. ZPA customers continue to get additional value from their usage in public cloud and branch environments with Cloud and Branch Connectors. We are excited to announce that we have further enriched ZPA to apply this to app-to-app connectivity, providing host-level controls for resources such as EC2 instances or VMs. The new offering will include feature support for cloud-native identity, grouping, ML-based policies, and more.
Below is a dashboard view of an AWS Region with micro-flows between VPCs and within VPCs and subnets. This includes auto-discovered workload identities, runtime flow analysis, policies at the host level, and, best of all, it’s built on ZPA along with your ZPA policy frameworks.
As customers land and expand beyond single clouds, we are focused on helping them realize consistent security features and operations.
We will also have upcoming support for monitoring and alerting. Customers can leverage our single view into all of their Workload and Connector details across their cloud deployments (see image below).
Equinix and Zscaler partner to bring Zero Trust to Private Connectivity Services
- Customers can easily configure these capabilities through their Cloud Connector portal. Traffic leaving the public cloud over these private connectivity services terminates on Equinix as it does today; Equinix will now automatically direct that traffic to Zscaler, which is integrated with Equinix.
- Customers can apply ZIA, ZPA, and more before the traffic reaches its final destination, such as the internet, on-premises locations, or another cloud; in the last case, the traffic stays on the multicloud backbone.
All in all, we believe these innovations to Zscaler Workload Communications will dramatically improve user experience, performance, and security for our customers’ public cloud workloads.
- If you want to learn more about Zscaler Workload Communications and how it can help secure your organization, visit our product page.
- You can also demo Zscaler Workload Communications at your own pace by signing up for our hands-on lab.