What is Zscaler Private Access?
Zscaler Private Access is an access control solution designed around Zero Trust principles. Companies use Zscaler Private Access to protect private resources and manage access for all users, whether at the office or working from home. However, this enterprise-grade solution may not work for every business. We will explain Zscaler Private Access and how it compares to Twingate’s distributed approach to Zero Trust access control.
Zscaler Private Access (ZPA) is a cloud-native Zero Trust access control solution designed for today’s distributed network architectures. Companies use Zscaler’s ZPA product to provide access to private resources to all users no matter their location. The resources themselves may run on-premises in data centers or be hosted on public cloud platforms such as Azure or AWS.
Zscaler customers deploy two pieces of software: an App Connector next to the private resources and the Zscaler Client Connector on users' devices. The App Connector initiates an outbound proxy connection to the nearest Zscaler data center, so the resource itself never has to accept inbound connections from the internet. The Client Connector checks the user's identity and device before initiating its own outbound proxy connection to its closest Zscaler data center.
Zscaler operates ZPA Public Service Edges (the brokers) in a global network of more than 150 data centers. When a user requests a resource, the Service Edge evaluates the access policy and then stitches the client's and the resource's outbound connections together; neither side needs an open inbound port.
The Zscaler cloud network also centralizes access management. Administrators use simple dashboards to monitor activity, manage security policies, and modify user permissions.
As its name suggests, Zscaler Private Access only lets companies control access to their private resources. They must subscribe to a separate solution, Zscaler Internet Access, to manage their X-as-a-Service (XaaS) resources.
- Unified access control for external and internal users.
- Unified access control for on-premises and cloud-hosted private resources.
- Migrate from secure perimeter to Zero Trust network architecture.
- Extend access control to IoT devices.
- Consistent user experience at home or at the office.
- Enhanced security through smaller attack surfaces and least privilege access policies.
- Fast, easy deployments of software solutions.
- Integrations with identity providers and other third-party services.
- Zscaler’s focus on large enterprises may not suit small or mid-sized organizations.
- Opaque pricing structure requires consultation with Zscaler or a reseller.
- With all traffic passing through Zscaler's cloud, latency depends on the distance from both the user and the resource to their nearest Service Edge.
- User traffic passing through Zscaler’s cloud may not be appropriate for all businesses.
Twingate designed a distributed architecture for Zero Trust secure access. The legacy secure perimeter paradigm integrated the data plane and the control plane. Changes to access policies impact network configurations and vice versa. Twingate decouples the data and control planes to make companies’ network architectures more performant and secure.
Twingate’s solution consists of a cloud-based platform connecting users and resources. Companies deploy lightweight Connectors alongside the resources they want to protect; Connectors only make outbound connections, so nothing is exposed to the internet. When a user needs access, the Twingate Client app on the device enforces security policies and contacts Twingate’s cloud-based Controller, which handles authentication and authorization. The Client and Connector then negotiate an encrypted connection between the user’s device and the resource; a Twingate Relay brokers that connection (and carries the traffic only when a direct path cannot be established), so the control plane never sees the data.
Administrators use simple consoles to define and manage security policies in the Controller. These policies can be based on device posture, user identity and role, network type, and more.
Twingate’s software-based Zero Trust solution lets companies protect any resource whether running on-premises, hosted in the cloud, or delivered by a third-party XaaS provider.
- Provide access for all users whether on-premises or remote, employees or contractors.
- Protect all resources whether on-premises, cloud-hosted, or third-party.
- Simple, phased migrations to Zero Trust architectures.
- Unification of access control systems no matter where resources and users are located.
- Enhanced security through smaller attack surfaces and least privilege access policies.
- Rapid deployment through existing CI/CD pipelines.
- Compatible with existing networks and security stacks.
- Simplified administration with consoles for managing access policies and user permissions.
- Transparent, user-based pricing scales from small teams to the largest enterprise.
- Free tier is limited to five users and one network.
- Enterprise pricing tier required for the most advanced features.
Both Zscaler and Twingate address the inherent security weaknesses of legacy VPN technologies. Companies once assumed they could protect resources running on trusted networks by creating secure perimeters. They used VPN to create portals through their defenses for a handful of remote employees.
VPN was created to connect private networks over the internet. It treats a remote user’s device as a remote network. Once connected, a user typically gets network-level access to anything reachable on that network, not just the one application they need. Making things worse, VPN gateways must listen on the public internet, so anyone can find and probe them.
Zero Trust solutions remove these risks by hiding resources behind software-defined perimeters. Nothing listens on the internet, and an attacker who lands on the private network finds no gateway to attack. (The resource host itself should still be firewalled to accept connections only from the connector; otherwise lateral movement from a compromised host on the same network is no harder than before.) Least privilege access policies make attacks more difficult by removing over-permissioned user accounts.
Twingate and Zscaler make it much easier to turn each resource into its own protected segment without expensive changes to network infrastructure.
Twingate and Zscaler also address the severe performance impacts of legacy castle-and-moat architectures. VPN gateways concentrate all user traffic. The hardware limitations, however, force users to compete for throughput. When users access cloud resources, VPN gateways channel the traffic in both directions through the private network. Besides undermining network bandwidth, this backhaul increases latency and degrades the user experience.
Solutions such as Twingate’s or Zscaler’s improve user experience and network performance. Traffic destined for resources in the cloud no longer travels over a company’s private network.
Zscaler’s centralized data center network creates single-hop routes from one side of the world to another. How much this improves latency will depend on how close users and resources are to their respective data centers.
Twingate, by comparison, turns each user device into its own point of presence (PoP) by creating direct connections to resources along the most efficient, performant path.
Both Twingate and ZPA are cloud-first solutions that make access control easier to manage. Browser consoles let administrators on-board and off-board users, update permissions, and manage security policies.
Unlike legacy VPN systems, both solutions are easy to deploy. All components of Twingate and Zscaler’s solutions are software and require no changes to the underlying network or the protected resources.
Scalability was never easy with legacy VPN technologies — a weakness the pandemic made clear. Building access control into the physical network means any changes are time-consuming and expensive. In addition, hardware capacity limits meant that gateways designed to handle a few remote users collapsed when every user went remote.
Modern software solutions such as Zscaler or Twingate scale instantly as business needs change. Administrators can add new users or update permissions from consoles without having to rip-and-replace network appliances.
Zscaler Private Access provides 24x7 support through its website and call centers. However, telephone response times vary depending on the customer’s service agreement. The Standard agreement included with all plans offers priority-1 response times of two hours. Upgrade to the Premium Plus service levels and response times drop to fifteen minutes.
Twingate provides support options for each subscription tier. A knowledge base and community forum are available to all customers — even those on the free Starter plan. At the Business tier, customers get access to Twingate’s email support system. Enterprise tier customers get priority support services.
Twingate’s modern approach to Zero Trust provides additional security benefits. For example, companies can restrict SSH access to specific users and contexts. Threat actors use SSH and other common administrative tools to move laterally and penetrate deeper into the network. Twingate extends multi-factor authentication to SSH and limits access to the privileged users who actually need it.
Other security features include policies based on device posture and activity logs indexed to both users and devices. Combined, these features help Twingate customers further reduce their attack surface and mitigate successful attacks.
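To make the policy model described above concrete, here is an added example (not Twingate's or Zscaler's code, and not how either product is implemented internally). It models the ideas the page describes: every resource is hidden unless a policy explicitly allows the request (default deny), a policy combines user group, device posture, network type and an MFA requirement, SSH to production requires MFA, and every decision is logged against both the user and the device. All users, devices, resource names and policies are constructed for the example.

```python
"""Illustrative Zero Trust access-policy evaluator (added example, not vendor code).

Assumptions: "device posture" means disk encryption plus MDM enrollment,
"network" is a label the client reports ("office" or "remote"), and resources
are identified by hostname plus TCP port. All sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Device:
    device_id: str
    os: str
    disk_encrypted: bool
    managed: bool  # enrolled in MDM (assumed posture signal)


@dataclass(frozen=True)
class User:
    username: str
    groups: frozenset
    mfa_verified: bool


@dataclass(frozen=True)
class Request:
    user: User
    device: Device
    resource: str  # e.g. "prod-app-01.internal"
    port: int
    network: str  # "office" or "remote"


@dataclass
class Policy:
    name: str
    resource: str
    ports: frozenset  # TCP ports this policy covers
    groups: frozenset  # membership in any one of these qualifies
    require_mfa: bool = False
    networks: Optional[frozenset] = None  # None means any network
    posture: Callable[[Device], bool] = lambda d: True


def baseline_posture(d: Device) -> bool:
    """Minimum device posture: encrypted disk and MDM-managed."""
    return d.disk_encrypted and d.managed


# Constructed policies. Note there is no policy at all for port 22 on db.internal,
# so SSH to the database host is simply invisible to everyone.
POLICIES = [
    Policy("web-to-all-staff", "intranet.internal", frozenset({443}),
           frozenset({"staff", "contractors"}), posture=baseline_posture),
    Policy("ssh-to-prod-admins", "prod-app-01.internal", frozenset({22}),
           frozenset({"prod-admins"}), require_mfa=True,
           posture=lambda d: baseline_posture(d) and d.os == "macos"),
    Policy("db-to-dbas", "db.internal", frozenset({5432}),
           frozenset({"dbas"}), require_mfa=True,
           networks=frozenset({"office"}), posture=baseline_posture),
]

# Audit trail indexed by both user and device, as the text describes.
AUDIT_LOG: list = []


def evaluate(req: Request, policies=POLICIES) -> Tuple[bool, str]:
    """Default deny. Returns (allowed, reason) and appends an audit record."""
    allowed, reason = False, "no policy grants access (resource hidden)"
    for p in policies:
        if p.resource != req.resource or req.port not in p.ports:
            continue  # policy does not even cover this resource/port
        if not (req.user.groups & p.groups):
            reason = f"{p.name}: user not in an allowed group"
            continue
        if p.require_mfa and not req.user.mfa_verified:
            reason = f"{p.name}: MFA required"
            continue
        if p.networks is not None and req.network not in p.networks:
            reason = f"{p.name}: network not permitted"
            continue
        if not p.posture(req.device):
            reason = f"{p.name}: device posture check failed"
            continue
        allowed, reason = True, f"{p.name}: allowed"
        break
    AUDIT_LOG.append({"user": req.user.username, "device": req.device.device_id,
                      "resource": f"{req.resource}:{req.port}",
                      "network": req.network, "allowed": allowed, "reason": reason})
    return allowed, reason


if __name__ == "__main__":
    # Constructed sample principals for a quick run.
    mac = Device("D1", "macos", disk_encrypted=True, managed=True)
    unmanaged = Device("D2", "windows", disk_encrypted=False, managed=False)
    alice = User("alice", frozenset({"staff", "prod-admins"}), mfa_verified=True)
    bob = User("bob", frozenset({"staff"}), mfa_verified=True)
    for r in (Request(alice, mac, "prod-app-01.internal", 22, "remote"),
              Request(bob, mac, "prod-app-01.internal", 22, "remote"),
              Request(bob, unmanaged, "intranet.internal", 443, "office")):
        print(r.user.username, r.device.device_id, evaluate(r))
```

The evaluator never exposes a resource that no policy mentions, which is the "hidden resource" property, and the reason string in the audit record tells an analyst which control blocked the request and on which device.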
The old secure perimeter paradigm has outlived its usefulness. Technologies like VPN make networks too brittle and expensive to manage. Even worse, VPN itself is a significant vector for cyberattacks.
Twingate lets companies deploy secure access solutions based on modern Zero Trust principles. Within as little as 15 minutes, companies can hide any resource and implement role-based, least privilege access rules. The user experience improves, networks become more performant, and companies become less vulnerable to today’s security threats.
Contact Twingate to learn how to protect your on-premises, cloud-hosted, and third-party cloud services. Or subscribe to our free Starter tier to see how individuals and small teams benefit from Zero Trust access.