ZScaler Web Security Cloud for Small Business

by Joseph Moran

Zscaler's cloud-based Web security service provides threat protection and access control without hardware or software.

For related articles, visit Internet.com's new Cloud Computing site.

The Internet is an indispensable small business tool, but using it safely means defending your small business against myriad online threats and ensuring that employees aren't putting your company at risk by using Web access in risky or inappropriate ways.

Small Business Security and Cloud Computing

Small business security protection and control is typically accomplished with hardware and software that's installed on a network and/or on individual PCs. By contrast, ZScaler's Web Security Cloud for Small Business is a SaaS-based alternative that promises small business security without the need to deploy and manage security appliances and PC-based anti-virus/firewall utilities.

We found that Zscaler's Web Security Cloud is relatively straightforward to set up, offers a high degree of protection, and affords small businesses the ability monitor and control virtually every aspect of employees' interaction with the Web.

ZScaler Pricing and Service Options

The cost for Zscaler's service varies depending on the specific features needed and the number of users protected. The service is available in five tiers, with basic Web URL filtering at the entry level, anti-virus and anti-spyware included at the midrange, and advanced features such as bandwidth management and data loss prevention (DLP) on tap at the high-end.

ZScaler Web Security Cloud for Small Business; small business security
Zscaler provides detailed information about network transactions that's available almost immediately.
(Click for larger image)

Pricing for the entry-level Web Filtering Suite starts at $2.40 monthly per person for fewer than 50 people and drops to $2 for 50+ users and $1.50 for 100+, while the mid-range Advanced Suite pricing is $5.20, $4.33 and $3.25, respectively.

This PDF shows the features included with each tier -- features that you can also subscribe to a la carte. Note: We looked only at Zscaler's Web (HTTP) security offering; email protection (SMTP) and spam control are available separately (but the two products do share a single administration console).

Getting Started with ZScaler

Getting up and running with Zscaler's service is a fairly simple affair process thanks to the lack of any hardware or software to deploy. Upon activating a Zscaler account, you're presented with a browser-based administration console with a half-dozen top-level configuration tabs (Secure, Manage, Comply, Analyze, Reporting and Administration), plus a Dashboard that provides at-a-glance network statistics.

A set of default policies are already in place when you activate the Zscaler service, though in many cases administrators will need to spend some time customizing them for specific business requirements. Zscaler's administration interface is logically laid out and expansive.

Navigating it and understanding how all the configurable options work can be a bit daunting at first, but a Getting Started link and context-sensitive online help are handy resources. (Zscaler is working on a simpler and more streamlined method of setting up the service (aimed at SMBs with fewer than 100 users), which is scheduled to debut in Q1 of 2011.

After setting up your security policy via Zscaler's admin interface, you need to enable it on your network by configuring your firewalls/routers to talk only to Zscaler's cloud-based servers. You also need to set up client Web browsers to use a proxy server so they direct traffic through Zscaler even if not on the network. While this may sound daunting, setting up a browser to use a proxy takes about six mouse-clicks.  

Web Access Control and Threat Protection

The foundation of Zscaler's service is its Web-filtering capability, which you can use to restrict access to sites based on various categories of content (or if you prefer, display a warning but allow access). You can add custom URLs to categories, create custom categories, and move URLs between existing categories. It's also possible to set up unique policies for different locations, such as for different offices or when a user's working from a remote connection rather than being on the company network.

Not surprisingly, Zscaler automatically blocks well over a dozen classifications of viruses, spyware, and miscellaneous forms of malware. By default the service also blocks a host of other common Web-borne threats, including attempts to exploit known browser or Office file vulnerabilities, botnet command and control traffic, cross-site scripting, anonymizers, and phishing sites.

It also blocks a host of P2P applications that can be vectors for infection, such as BitTorrent, and eDonkey, and even P2P communications apps such as Skype or Google Talk. Optimally, you can block access to an entire country domain if it's inherently risky or your employees have no legitimate need for accessing (say, Russia or China).

For some small businesses, it may be sufficient to have a single security policy that's applicable to all users, but for organizations that need greater flexibility, Zscaler supports user and group accounts that you can create manually, import into the service via a CSV file, or pick up from an Active Directory or LDAP directory. Lower-level admin accounts are available for purposes of viewing -- but not changing -- Zscaler settings or for generating usage reports.

Given that Zscaler does its work offsite rather than on your own network, you might expect some noticeable lag in Internet access as the service inspects content at some relatively distant data center. This wasn't evident in our time with the service; we found no perceptible decrease in responsiveness as a result of routing our traffic through Zscaler.

The company says that its worldwide network of data centers results in minimal latency. This speed was also evident when making adjustments to security policy -- whenever we applied changes, the new settings were in effect within just a few seconds.

Web Controls, Bandwidth and Browser Restrictions

Beyond basic Web filtering and threat protection, Zscaler offers very flexible and comprehensive controls, including Web 2.0 Control, which comes in very handy in situations where completely blocking access to an online service may not desired -- perhaps because there are legitimate business reasons for using it -- but you still want to restrict how it can be used.

Case in point: we used Zscaler's detailed controls to let users access Webmail sites such as Gmail, but block their ability to send email attachments. We also allowed the use of application- or Web-based IM programs (e.g. AIM, Meebo) for chat purposes but not for file transfers.

Similarly, we set up policies to permit access to social networking sites including Facebook and LinkedIn, but disallowed posting. And we could also blocked uploading clips to video-sharing sites YouTube while still allowing users to view videos.

One reason you might want to prevent users from uploading videos is the large amount of bandwidth the process tends to consume. Zscaler's top-level Premium service tier provides bandwidth controls that let you define a minimum or maximum amount of bandwidth available to certain application/data types. This prevents media streaming or large file transfers from interfering with, for example, a hosted CRM app or the weekly payroll transmission. One thing you can't do, however, is set up bandwidth rules on a per-user or per-group basis.

ZScaler Web Security Cloud for Small Business; small business security
Zscaler offers granular Web controls that let you do things such as users access Webmail but not send attachments, or access social networking sites but not post to them.
(Click for larger image)

If you want to dictate which Web browsers and specific versions of each your employees may use, Zscaler will let you do that too. We were easily able to block employees from getting to the Internet with unauthorized browsers (Safari), outdated browsers (IE 6), and beta versions (IE 9, Firefox 4).

Also part of Zscaler's premium tier is a DLP (Data Loss Prevention) feature with pre-defined policies for HIPAA, GLBA, and PCI compliance; it successfully detected and blocked our attempt to email a list of social security and credit card numbers.

Network Security Reports

Zscaler's reporting capabilities are as extensive as its set of features. The aforementioned Analyze tab lets you see network transactions based on user, group, location, type of request, etc. in very nearly real time. Transactions show up here a few seconds after they occur, which makes it easy to respond to user queries without having to wait for periodic logs to be generated.

You can also choose from a menu of dozens of graphical reports that detail Web activity from almost any conceivable vantage point. A particularly useful feature is the capability to designate desired reports as favorites for easy access via a pull-down menu. You can also save any of the available reports as PDF.

These days more small businesses are considering moving various kinds of business applications from in-house servers and PCs to the cloud. Zscaler makes a credible case for doing the same for Web security.

Pros: no hardware or software deployment necessary; offers granular Web controls in addition to outright filtering; provides near real-time network data and excellent reporting capabilities; supports Windows, Mac and Linux

Cons: bandwidth control not available on a user or group level, SMTP and spam protection must be purchased separately

Joseph Moran is a veteran technology writer and co-author of Getting StartED with Windows 7, from Friends of ED.

Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!
This article was originally published on Wednesday Dec 29th 2010
Mobile Site | Full Site