Just wondering in our enterprise network how support for ZIA is done. For instance, how is the collaboration of supporting the endpoints and applying the policies done? VPN traditionally was managed by the network team so ZPA is still managed by the network team. Now ZIA is being implemented and the security team wants to design the policies, but who supports it does not seem too clear. I think helpdesk at best can disable Zscaler and verify whether or not it is the cause of the issue. After this it needs to go to either the network or security team. Just curious how others in large enterprise networks were approaching this.
There are no rules; every company has different priorities and people.
To me it would make sense for the Network team to “own” ZIA and ZPA in an operational sense; dealing with escalations from service desk, maintaining upgrades and a relationship with Zscaler to keep up with releases and renewals.
But Security should be a key collaborator in everything to do with design, implementation and change management.
I have helped companies of all sizes deploy ZIA/ZPA/ZDX. There is no best practice for who manages it. That falls on your company. I’ve probably seen ZIA under Security and ZPA under Networking the most, but not necessarily by a large margin. Just make sure there’s clear communication between the teams if it’s spread between more than one.
I think I’m in the minority here but I managed ZIA and ZPA myself when I was on the security team. This was largely due to a management issue. ZPA would typically be the network team and ZIA would typically be security, in my opinion. I would not let the network team manage a SWG, CASB, DLP, etc. but I’m ok if they handle ZPA.
In my company we have a separate team of a few people specialised in Zscaler. But we’re providing support for other companies, hence it may be a different case.
However, IMO there has to be at least one person who knows what he is doing.
I would personally put Zscaler products under security, but every company is different.
One of the big issues with VPN is that network teams were managing it prior - that’s not a dig to networking, but they were often being asked to manage firewalls and remote access, without having much security training/understanding. That’s not to dig networking teams, because security isn’t their job - they build and maintain the infrastructure, and make sure it’s running optimally, and traffic is flowing as expected. Security teams look at risk, attack surface, and perform the investigations, so they know which policies make the most sense for their business - but you wouldn’t want security teams making routing decisions.
In my ideal world, Security would design the policies, networking would handle the forwarding, tunnels, et cetera. Then the help desk would handle basic troubleshooting - if they have ZDX, it does most of that for them.
One thing about Network Security (especially in the remote work and cloud/SaaS world) is that it impacts everyone, and touches a lot of different areas, and requires expertise in a few different areas to effectively implement.
While ZPA fits the mold of a VPN technology which could align with a network team, the posture checking capabilities may make that a little muddier and push it back to security. Curious if the network teams got caught up in that.
If I can be honest, the most hesitancy with Zscaler adoption as a whole is from the network team and ZPA. Coming from doing it one way for the past 10-20 years to an entire paradigm shift is a tough pill for some to swallow. The “a ha moment” is normally when I set up the Application Connector and then sever any inbound connections and they can see access to the application segment. It’s then that they realize that the entire way they thought about network security is changing. If this isn’t done then you’ll probably still see a fight about segmentation, ACLs, and everything else network related when in reality we’re taking away any network access.
If they are open to this and were an active part of the POV then adding a couple of things like posture checks or access policies isn’t too bad. If they’re still fighting tooth and nail or are trying to manage a firewall with zones to micromanage ZPA then it’s probably going to be overwhelming.