Please share with the community what you think needs improvement with Zscaler Internet Access.
What are its weaknesses? What would you like to see changed in a future version?
I would like to see more training and video documentation.
The reporting functionality could be a bit easier to use. There is a reporting function, but it's quite hard to do any good reporting, from a user-management perspective. For example, if a department manager wants to know how his department is using the web, there is a way to get the data, but it's quite cumbersome to get it and show it well. And that's true for comparing between departments. It's quite hard to get a good report. Another issue is that the API documentation could be a bit more up-to-date. They're implementing stuff, but not updating the documentation all the time.
I wish there were a lot fewer products to learn, because there are a lot. They just keep surprising me with new features, even in the SaaS arena, and they keep improving in every facet. We are Zscaler partners, so I got certified in two platforms, but there is a lot of room for improvement. There is just too much training, where they focus a lot on protecting the Internet as everyone is moving to the cloud. I would love for the training to be shortened.
Zscaler can scan a URL like: https://www.example.com/maliciu...
Umbrella cannot scan URLs, because they handle only FQDN (e.g., www.example.com).
There are a few features that are not compatible with the Azure cloud. It's not fully compatible with our environment because of the way that it is divided into business units. In order to get it working properly, there are some things that we had to put in for enhancements. Otherwise, everything works well.
I don't know whether it's Zscaler or not; however, sometimes I can't access my time management. I need to wait and try again a few hours later. Typically, if I let some time pass, I can access it again. From time to time, there's instability in terms of the user experience. I don't know whether it's Zscaler or the time instrument server itself. I don't know the root cause here, but this is the only thing that causes me issues. Otherwise, I'm quite happy with it. The solution should do more in regard to handling phishing emails. They maybe should pair with a solution like Palo Alto in order to offer a more holistic view of the security and offer behavioral analytics or endpoint protection, etc., and all from one vendor. Data Lake, for example, is a product that gets the information and gives feedback to the user. There seems to be a high volume of phishing emails that we get, and I'd like to understand what the company is doing to address that. Zscaler seems like it's just a bit too static.
Zscaler should provide adjacent services, which would be complementary to their current offering and could be more pragmatic for a customer. For example, if you take Akamai, you get multiple sets of services, all depending on the customer and the strategy and the complexity and the problems. In some areas, they are more varied in terms of coverage. For example, they also offer content delivery networks, which is complementary, and for some customers that could solve two problems at once. By providing a wider range of services, Zscaler could reduce deployment risk and operational risk by being a one-stop-shop type of solution. In the next release, Zscaler should offer a content delivery network.
In terms of usage, here in the GCC, it's still a growing market, so the combination of DLP, data leak prevention, to a certain extent is fine. But what it requires is user-based access or role-based access. The solution needs to grow into that, which definitely takes time. There's not an easy way to integrate it when you have a cloud-based solution. The only DLP you can have is for the web, such as iboss. The DLP part is quite crucial for this particular region. DLP, machine learning, artificial intelligence, and some algorithms can be built into the solution. There are certain pet algorithms for AI and machine learning which everybody is moving towards, so that needs to be added to the solution as well.
The solution is a cloud service, so when you have Zscaler Internet Access, you still often require firewall appliances at the edge to act as gateways to Zscaler. There are certain elements that you can't necessarily ever extract at a network level, which makes it difficult to go completely appliance-less. You could see it as a downside, but it's an unavoidable reality of how networking is addressed at this point, and I think that's the only thing that for us is unfortunate, having to always retain some type of alternate firewall or router capability inside the network in order to get to Zscaler, as an example. We've noticed a trend of Linux support being available at a mobile and workstation level, which isn't available from Zscaler yet, but we are expecting it soon. Zscaler also doesn't offer easy Cisco Meraki integration, which is also on the roadmap, even though we've seen it becoming very common. If we try and use Zscaler with Meraki, it's a fairly manual process to get Meraki to connect to Zscaler, whereas in all other SD-WAN products, there's a lot more automation. The only other thing we would love to see in Africa would maybe be an additional Zscaler hub in another strategic location like Kenya to really round out Africa because there are only two hubs in over 30 countries on the continent. One is in South Africa and one is in Nigeria. Africa is kind of a black hole for all cloud providers, which makes life tough for us because there are performance issues when delivering cloud-related services. A little bit more penetration into Africa would help with this.
On the technical side, the only thing that I believe this scanner can improve is in the way they allocate traffic. For example, a big site doesn't have the ability to have its IPs inside the cloud, so Zscaler doesn't allocate you certain IPs for traffic. Your traffic goes to the nearest Zscaler point, and from there you get an IP. Sometimes that is problematic, because your users use the same IPs that another client is using so you don't get the ability to do some rules using some IPs. For example, you cannot use conditional access to high influence IP. You can't say if somebody goes to Zscaler I know that traffic is secure so I can let them past. In this scenario you cannot do this, because Zscaler is using a pool of IPs and they'll circle them for all the clients. I would like to see the ability to choose a pool of IPs for my company, set up rules based on them, and know that those IPs are not used by other companies.
The implementation process needs improvement. Even if you have implemented it, it doesn't mean that it is done; you have to pay for the service afterward. It's not a one-shot implementation; you need to spend some more effort on it afterward. It also needs better integration with other applications as well. There are some restrictions. I would like to see them incorporate a user ID or application ID in the next release of this solution.
The reporting could be improved to make it a little bit easier. When it comes to individual users, I'd like to see easy reporting that can be shared with executives. Due to my technical background, I don't have issues understanding the reporting. However, if I have to give a report to an executive to read, he may find it too confusing. He wants to see something simplistic that contains information like what the user's access time was, how long the user spent on the site, which sites were visited, what they did, etc. The current reports can, therefore, be somewhat improved and simplified. Another thing that I would like to see is if Zscaler could have a separate product for direct access. I looked at a private access solution, but I understand there's a separate product that isn't integrated with this.
It needs better integration with other applications. It takes a fair amount of regular activity to apply the bypasses because it is very strict in its restrictions, and frequently you have to go in and open things up to allow the workforce to work. The logs that are consumed by our security solution could be a bit more definitive, from an audit perspective. It's sometimes difficult to determine which end user a particular generated alert is associated with.