Zscaler Blog


ZDX & Data Privacy – A Summary of ZDX in the Context of Workers Council Concerns


Controlling access to data collected by ZDX

In this blog post, I’d like to share details about the data that is collected and used for Zscaler Digital Experience (ZDX) and, especially, the administrative means to control what data is collected and to restrict access so that only defined personnel with defined roles can access and work with the data.

 

Information accessed by ZDX

This blog may not point out every single data point that is collected or produced by ZDX, but will give an overview of the different areas and the intention of the collection and aggregation.

The general reason for data collection is to provide performance data that shows what is affecting the End User Experience Score (ZDX Score) and to quickly identify in which areas improvement actions need to be initiated.
 

Data collected per IT area, with the reason for collecting it (each reason completes "Determine if …"):

Application

  • Synthetic uptime and response time tracking of web SaaS applications and websites.
    Reason: determine if the application itself is down or has issues.
  • Metrics for UCaaS applications that are brought in through API integration.
    • Applications: Webex, Microsoft Teams, Zoom
    • Metrics: Meeting ID, participants, latency, jitter, etc.
    Reason: determine if UCaaS has an issue or the network path between user and service has issues.

Network

  • IP addresses of the end device, the network hops, and the application are discovered and presented.
    Reason: determine if there is an issue with any specific network segment and find the owner of that network segment, e.g. the ASN and the name of the ISP. If those parts of the network are managed by the company itself, actions can be implemented immediately, or if contracts with the ISP exist, they can be asked to implement changes.
  • IP addresses are used to determine user location.
    Reason: determine if the issues are bound to the local network. Administrators could help resolve issues that are bound to geographic areas, e.g. service down in that area.

Device

  • Hardware details of the device are collected.
    Reason: determine if there is an issue with hardware usage, e.g. memory at 100%, or CPU fully loaded.
  • Installed software repository is collected.
    Reason: determine if there might be a software (version) that is incapable of delivering a good service.
  • Location (Lat/Long as determined by Operating System).
    Reason: determine if the issues are bound to the local network. Reading the location from Windows devices is an alternative to the default of estimating the location based on the IP address.
  • Optional integration with Microsoft Intune endpoint analytics. Device-specific data on boot performance and software stability.
    Reason: determine if there is an issue with the user’s device or its performance, and quickly identify if it is a hardware or software issue.

 

It is important to understand that application and network traffic data is acquired by synthetic monitoring, not actual user traffic. ZDX does not inspect actual user data in motion, so no information about visited websites or actual user activity is being monitored. 

ZDX may integrate with third-party providers like Microsoft Teams, Zoom or Webex for meeting data. Content of those meetings is not collected, but metrics like meeting ID, duration of meeting, technical KPIs, and other meeting participants can be visible in the ZDX portal. 

 

Personally identifiable information (PII)

ZDX collects the following PII:

  • Device IDs and device usage information. Zscaler Client Connector (ZCC) captures detailed device fingerprint and usage information. 
  • Device geolocation. ZCC can communicate with location services on a device and picks up the device’s geolocation coordinates. This is a configurable setting. If the coordinates are not available, geolocation is provided through IP address geo lookup for the internet-facing egress IP.
  • Home network IP address. ZDX cloud path records the name and IP address of a user’s Wi-Fi network, including its SSID.

A ZDX administrator can configure ZDX and ZCC to protect user privacy and exclude PII entries. This includes:

  • Login username
  • Machine hostname
  • MAC address of the network interface
  • SSID and BSSID of the wireless LAN

 

Overview of controlling access

ZDX offers multiple layers of control over:

1. Collecting information

2. Giving access to the collected information

 

Define what information from whom to collect 

Enabling and Disabling ZDX

ZDX is enabled on two different layers. First, ZDX is enabled in ZCC. This can be done either by selecting “ZDX Enabled by Default” to enable ZDX for all ZCC users, or it can be activated for specific User Groups.


If you have enabled posture-based services, there will be two more options, as you can see in the screenshot below. The Device Groups in this case will be taken from Posture Profiles. User Groups and Device Groups are connected with a logical AND. A use case would be, for example, to differentiate company devices and private devices and enable ZDX only on company devices.


 

Users, User Groups, etc. for ZDX are taken from the ZIA repository. If ZIA is connected to AD, an option would be to use a specific AD group for ZDX. In the screenshot, you see that ZDX is activated only for the group “IT.”

Our recommendation is to have as many users active in ZDX as possible in order to be able to see global trends—geographically as well as for applications—so that in case of a decreased ZDX Score, actions can be initiated quickly to improve the digital experience.

 

Zscaler Client Connector user privacy options

The configuration to protect PII is controlled in Mobile Portal and at the administrator management level, where obfuscation can be enforced.

Please see the screenshot below for ZCC User Privacy Options. Those are not only relevant to ZDX, but used by other Zscaler offerings as well. Specific to ZDX are the two options “Enable Local Packet Capture in Zscaler Client Connector” and “Collect Location Info for ZDX.”


 

Sharing device location information

There are two mechanisms for collecting the user’s geolocation. The first method is to collect it from Windows devices by enabling the collection in Mobile Portal.


If that option is disabled, the location is estimated by the egress IP address and the public/internet-facing IP address of that connection.

The second option is the default; it can’t be disabled, but it can be obfuscated.
 

Device inventory setting

The collection of device software inventory can be enabled or disabled on a tenant level.


Sample of Software Inventory Overview  
 


Sample overview for Zscaler software

 

Enabling applications and probes



After the enablement of ZDX, applications and probes need to be configured. Those two can be assigned to all users or a subset of users.

Synthetic monitoring depends on applications and their assigned probes. Without any defined probes, no data is collected.

In the context of data protection, it is important to understand that for each probe the applicable users or groups, etc. can be defined. See the screenshot below for the available configuration options.



 

Controlled access to the collected information

Operational use and role-based access control (RBAC) 

Only assigned administrators will be able to log in and see the data collected by ZDX. Additionally, ZDX has multiple means of protecting personal information of a single user.

This is implemented by RBAC. Different roles with different permissions for certain aspects of ZDX and the collected data can be defined in ZDX to limit access as needed.

There are three predefined roles:

  • ZDX Read-only Admin
  • ZDX Service Desk Tier 1
  • ZDX Super Admin

An example is presented in the following screenshot. Keep in mind that roles can be set up and added as needed for your organization.

Furthermore, each individual administrator can be assigned to a specific scope: organization-wide, or just a specific department or location.

 

Obfuscation - Masking user information (PII)



Permissions determine whether an admin sees the following data in clear text in the dashboard or in obfuscated format:

  • Username
  • Location
  • Device Name
  • IP Address

The setting can be as follows:

  • Visible: Allows admins to view user and device information.
  • Obfuscated: Does not allow admins to view user and device information.
  • Custom: Allows admins to view specific user or device information.
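
An access review built on the role model described above, as an added example that is not Zscaler code or a ZDX export format: the role and admin records, their key names, and the sample logins are assumptions constructed for illustration. It lists admins whose role shows any of the four PII fields in clear text while their scope is organization-wide.

```python
# Added example. The record layout below is hypothetical; only the four
# PII fields and the Visible/Obfuscated/Custom settings come from the post.
PII_FIELDS = ("username", "location", "device_name", "ip_address")


def cleartext_fields(role):
    """Return the set of PII fields a role can see in clear text."""
    mode = role["pii_visibility"]
    if mode == "visible":
        return set(PII_FIELDS)
    if mode == "obfuscated":
        return set()
    if mode == "custom":
        # Custom: only the explicitly listed fields are shown unmasked.
        return set(role.get("visible_fields", ())) & set(PII_FIELDS)
    raise ValueError(f"unknown visibility setting: {mode!r}")


def review(roles, admins):
    """List admins who combine clear-text PII with organization-wide scope."""
    by_name = {r["name"]: r for r in roles}
    findings = []
    for admin in admins:
        fields = cleartext_fields(by_name[admin["role"]])
        if fields and admin["scope"] == "organization":
            findings.append((admin["login"], admin["role"], sorted(fields)))
    return findings


# Constructed sample data (hypothetical role names and logins).
ROLES = [
    {"name": "helpdesk-emea", "pii_visibility": "custom",
     "visible_fields": ["device_name"]},
    {"name": "noc-readonly", "pii_visibility": "obfuscated"},
    {"name": "platform-owner", "pii_visibility": "visible"},
]
ADMINS = [
    {"login": "a.meyer", "role": "helpdesk-emea", "scope": "department"},
    {"login": "b.okafor", "role": "noc-readonly", "scope": "organization"},
    {"login": "c.ruiz", "role": "platform-owner", "scope": "organization"},
]

if __name__ == "__main__":
    for login, role, fields in review(ROLES, ADMINS):
        print(f"{login} ({role}): clear-text {', '.join(fields)}, org-wide")
```
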

The effect of obfuscation can be seen in the following screenshots:


The following examples show all four data points (Username, Location, Device Name, IP Address) obfuscated:

Application Dashboard


User Dashboard


 

Cloud Path


 

Zscaler compliance

For further information on legal documentation, consult our privacy website and let your account manager know to arrange a meeting with our legal team.

 

Further resources

Information on internet protocol (IP) addresses to access the ZDX service.  
https://config.zscaler.com/zdxcloud.net 

Data Protection and Privacy  
https://www.zscaler.com/privacy/overview

Zscaler Sub-processors  
https://www.zscaler.com/privacy-compliance/subprocessors 

Company > Compliance  
https://www.zscaler.com/compliance/overview

Best Practices Operationalization  
https://www.zscaler.com/resources/white-papers/best-practices-operationalizing-zdx.pdf
