Browser Isolation New FMD - V2 (Jul2023)


Browser Isolation

Agenda

• What is Browser Isolation?


• Problem statement and Use cases
• Cyberthreat Protection
• Data Protection (for Private Apps, SaaS)
• New – Isolation 2.0!
• Licensing

©2022 Zscaler, Inc. All rights reserved. ZSCALER CONFIDENTIAL INFORMATION SECURING YOUR DIGITAL TRANSFORMATION
Browser isolation allows content to be accessed without the risk



Browser Isolation enhances security and boosts productivity
[Diagram labels: Internet; Sanctioned SaaS and Corporate Private Web Apps (Sanctioned SaaS, Public Cloud, Data Center); Isolated Browser Session; Application and Data Protection; ZERO TRUST EXCHANGE; Cyber Threat Protection; Safe Pixel Streaming; Managed Endpoints (Employees); BYOD/Unmanaged Endpoints (Employees, Third-party)]

Providing an Unmatched Experience for Users and Admins



Cyber Threat Protection
Binary policies risk being overly permissive or overly restrictive

• ALLOW: Low user risk; Known good URLs; Managed devices; Enterprise apps
• Between ALLOW and BLOCK: Medium user risk; Unknown/Miscellaneous URLs; Newly Registered Domains; Newly Categorized Domains; Unmanaged devices; Personal email/websites; Social networking
• BLOCK: Critical user risk; Known malicious URLs; Illegal/illicit content



Cyber threat protection
• Isolate Risky Internet Content
• Isolate Risky Users
• Boost User/Admin Productivity

[Diagram labels: Internet - Web, Email URLs and Files; Sanctioned SaaS and Corporate Private Apps (Sanctioned SaaS, Public Cloud, Data Center); Isolated Browser Session; ZERO TRUST EXCHANGE; Protection from Cyber Threats; Prevent Data Loss and Reduce App Attack Surface; Safe Pixel Streaming; Managed Endpoints (Employees); Unmanaged Endpoints (Employees, Third-party)]

Provide an Unmatched UX for Users and Admins


Recap of Browser Isolation Capabilities
Destination & Content Based Isolation
• Isolate NRDs, Misc & Unknown destinations
• 1-Click AI-Powered Smart Isolation of suspicious sites
• Safe Document rendering and Active content disarm

User and Device Based Isolation
• Isolate high-value users
• Isolate based on user risk and device posture

Boost User & Admin Productivity
• Avoid overblocking
• Manage exceptions using isolation



Identifying suspicious domains

• Domain and hosting provider reputation
• Hosting location and ASN information
• Heuristic analysis of page structure
• Page risk assessment
• Typosquatting and brand imitation
• Relationship to other domains

[Diagram: example domain 4cm3.com]



Safe Document rendering & Active Content Disarm

• Safe rendering of 0-day documents in isolation while sandbox analysis is in progress.
• Ability to download original files from isolation based on sandbox verdict.
• Ability to download the disarmed document as PDF if the sandbox verdict is Malicious.
• Support for rendering of 20+ document formats in isolation.

[Diagram labels: Browser Isolation; Cloud Sandbox]



Application and Data Protection
App and data protection
• Protect sensitive data: Granular controls (BYOD, Third-party, M&A, VDI)
• Protect business-critical apps: From exploitation by vulnerable endpoints by obfuscating the anatomy of the app
• Boost user/admin productivity: Easy, secure agentless access

[Diagram labels: Internet - Web, Email URLs and Files; Sanctioned SaaS and Corporate Private Apps (Sanctioned SaaS, Public Cloud, Data Center); Isolated Browser Session; ZERO TRUST EXCHANGE; Protection from Cyber Threats; Prevent Data Loss and Reduce App Attack Surface; Safe Pixel Streaming; Managed Endpoints (Employees); Unmanaged Endpoints (Employees, Third-party)]

Provide an Unmatched UX for Users and Admins


Protect against data loss in common business scenarios

• Third-party partners/contractors: Secure access w/o requiring an agent
• Employees’ BYOD: Provide flexibility, boost productivity
• M&A: Accelerate time-to-value
• VDI: Reduce complexity, TCO for web apps

[Diagram: the four scenarios are arranged around a central "Isolation" label]

VDI-like controls with Browser Isolation and PRA
What is VDI
• Streams pixels of remote desktops (VMs) to user endpoints

VDI Primary use case:
• Data Residency -> No data on local device

Pain Points:
• Expensive, complex, broken UX

Trends:
• Web apps becoming more popular than desktop apps

Deconstructing VDI deployments
[Diagram labels: VDI; Persistent; Non-Persistent; Kiosk-like; Desktops; Web Apps (majority deployments); Thick Client Apps; Web Apps; RDP/SSH; VDI Alternatives by Zscaler: Browser Isolation, PRA, X]

Reduce cost and complexity

Plethora of Security & Data Exfiltration Controls

• Clipboard Control (Copy Paste); Upload/Download; Document Viewing; Watermarking; Read Only Mode
• Access Control / Data Protection: URL / Web Filtering; App Segmentation; Tenant Restrictions; Cloud DLP; Inline CASB
• Security Controls: IPS; WAF; Sandbox; Adv. Threat Protection; Antivirus
User Portal 2.0
The Original Problem

The isolation browser connects to G-DRIVE/Internet Destination directly. This traffic is not logged, not enforced with any policies. Completely unaccounted for. User could potentially download a malicious file from internet and upload it to the private app.

The isolation browser connects to G-DRIVE/Internet Destination VIA ZIA. All traffic accounted for, logged and enforced with policies by ZIA.

[Diagram labels: Customer DC; ZPA; ZIA; ZERO TRUST EXCHANGE; Zscaler ZIA]

Architecture - Traffic Flow & Authentication

ZIA Pre Authentication

[Diagram labels: Container Architecture; Isolation Browser; Browser; ZPA Exporter; ZPA Client; Local Proxy; User:srao@zscaler.com; ZPA Broker; ZIA; ZIA ZEN; ZPA Traffic; Internet Traffic]

Messages shown in the diagram:
• API to CA (Userid=12345 & GID OR srao@zscaler.com)
• User Exists
• 200 OK, ECTX in the Body (Auth Token)
• ECTX as an HTTP header for all traffic forwarded to ZIA Service Edge

Isolating Private Web Applications
1. Configure application for browser access 2. Create an Isolation Policy

https://Apache.supportian.co,in https://Apache.supportian.co,in

Unmanaged Endpoint
1. User accesses the “private web” application.
2. The domain resolves to the exporter IP address.
3. Browser connects to exporter.

ZPA Exporter
1. ZPA Exporter authenticates the user.
2. Executes the Isolation policies and redirects the user to an isolation session.

Isolation Browser
1. The Isolated container establishes the M-Tunnels to the ZPA Service Edge.
2. Checks if the webpage being accessed is a ZPA application.
3. If Yes, forwards the request through the M-tunnel.

ZPA Service Edge
1. ZPA Service Edge brokers the connection.
2. Executes the Access Policies.

App Connector / Web Application
Application is accessed via the App connector.



Isolating SaaS Web Applications
1. Configure application for browser access 2. Create an Isolation Policy

https://salesforce.supportian.co,in -> Domain Transformation -> https://zscaler70-dev-ed.my.salesforce.com

Unmanaged Endpoint
1. User accesses the “Alias Domain”.
2. The domain resolves to the exporter IP address.
3. Browser connects to exporter.

ZPA Exporter
1. ZPA Exporter authenticates the user.
2. Executes the Isolation policies and redirects the user to an isolation session.

Isolation Browser
1. The Isolated container establishes the M-Tunnels to the ZPA Service Edge.
2. The isolated browser accesses the “SaaS Domain”.
3. Checks if the webpage being accessed is a ZPA application.
4. If No, forwards the request to ZIA.

ZIA Service Edge
1. ZIA receives the pre-authenticated request.
2. Enforces the policies (URL filtering, DLP, Cloud app etc) and logs the same.
3. Forwards the traffic to the SaaS App.

SaaS Application



User Portal 2.0 Licensing



Isolation Use Cases

#1: Threat Protection | #2a: Data Protection for Private Apps | #2b: Data Protection for SaaS Apps (User Portal 2.0)
A la Carte

ZIA-ISO-ADV-PLUS ZPA-ISO-ADV-PLUS ZS-DP-ISO-SAAS-ADV-PLUS*

ZIA-ISO-ADV ZPA-ISO-ADV ZS-DP-ISO-SAAS-ADV*

ZIA-ULTD ZPA-ULTD ZS-DP-PRIME


Packages

ZIA-ISO-ADV-PLUS ZPA-ISO-ADV-PLUS
ZS-DP-ISO-SAAS-ADV-PLUS
ZS-DP-ISO-SAAS-ADV-PLUS ZS-DP-ISO-SAAS-ADV-PLUS

ZIA-TFORM ZPA-TFORM ZS-DP-ADV

ZIA-ISO-STD ZPA-ISO-STD ZS-DP-ISO-SAAS-STD

*new pre SKU


Key Licensing FAQ

ZIA Customer, needing User Portal 2.0 for SaaS Data Protection
(Doesn’t matter whether or not customer is entitled to ZIA Isolation, as it provides Iso Threat protection not Iso Data Protection, so additional SKU needed)

Has ZPA Platform?
• No: Isolation SaaS SKU required and sufficient, i.e. ZPA platform NOT required
• Yes: Isolation SaaS SKU still required (private app isolation doesn’t cover SaaS Isolation). (Doesn’t matter whether or not customer is entitled to ZPA Isolation, as it provides Iso Data Protection for private apps only, so additional SKU needed)

Detailed FAQ: https://docs.google.com/document/d/16muNxvlG4csyee50WZ30vT1hWYMT6A1gY677x3uaCcE/edit?usp=sharing


Summary
Browser Isolation Footprint Expansion

[Map labels: London, Cincinnati, Frankfurt, Paris, San Francisco, Washington DC, Tel Aviv, Tokyo, UAE, Hongkong, Mumbai, Hyderabad, Singapore, São Paulo, Sydney, Cape Town]

Isolation: Enhancing Protection and Boosting Productivity
Protection from Cyber Threats
• Secure Access to Risky Web Content: With Web, Email URLs, and Files Isolation, integration with Zero Trust Exchange and 1-click AI-powered Isolation
• Secure Access for Risky users: High-value executives or based on user risk score or device posture
• Boost user/admin productivity: by Isolating risky sites (otherwise blocked) and simplifying policy exceptions

Prevent Data Loss and Reduce App Attack Surface
• Protect sensitive data: Granular controls (BYOD, Third-party, M&A, VDI)
• Protect business-critical apps: From exploitation by vulnerable endpoints by obfuscating the anatomy of the app
• Boost user/admin productivity: Easy, secure agentless access

[Diagram labels: Internet - Web, Email URLs and Files; Sanctioned SaaS and Corporate Private Apps (Sanctioned SaaS, Public Cloud, Data Center); Isolated Browser Session; ZERO TRUST EXCHANGE; Safe Pixel Streaming; Managed Endpoints (Employees); Unmanaged Endpoints (Employees, Third-party)]

Provide an Unmatched UX for Users and Admins


Thank you
