Zero Trust

Breakthrough marries cellular networks with zero trust to secure IoT

Jun 26, 2024
Cellular networks and zero trust secure IoT

The Zscaler Client Connector (ZCC) is a cornerstone of modern zero trust and an engineering marvel. There are currently over 50 million installed instances globally, each sharing traffic with one or more of 150 data centers, generating an eye-watering 400 billion secured transactions daily.

Despite the coverage, some devices cannot run traditional ZCC agents or edge forwarding services like the Zscaler Branch Connector. These devices typically lie outside the four walls of a building, site, or factory and have SIM cards that help them connect to cellular and satellite networks. Applying zero trust controls and policies in a customer IT ecosystem to cover these devices, often described as IoT or OT, has been a challenge until now.

Recognizing the need for a solution, a dedicated team of innovation leaders and 5G experts at Zscaler has been working on the task for the past three years. Their mission: to figure out how to seamlessly connect devices like surveillance cameras, shelf-scanning robots, and shipping container smart locks to the Zero Trust Exchange. This ongoing effort is a testament to Zscaler’s commitment to providing comprehensive security solutions for the ever-expanding world of IoT.

Speaking to a group of CXOs at Zenith Live 24 in Las Vegas last week, Nathan Howe, Vice President of Innovation at Zscaler, presented the latest progress in this arena. 

“What tends to be the case is that we’d backhaul these devices into our control plane by using a private network that would sync with our cloud, which would provide the controls,” Howe said. “The challenge is you're still backhauling, which is what Zscaler has been trying to get rid of for the last 15 years.”

Zero trust in cellular networks: ‘Store of the future’ proves concept  

Howe described Client Connector's first production use case in an environment where the agent was not intended to protect end users. Instead, a customer deployed a slimmed-down version of the agent across a fleet of handheld point-of-sale (POS) devices connected to a cellular network. To make it possible, Howe and his team created a private service edge that extended across the Swiss company's 25,000 global point-of-sale devices running on Android.

"The deployment opened up their business model, empowering the company's salespeople to meet with their customers in the field and conduct transactions in person. The credit card transactions seamlessly pass through the Client Connector," Howe elaborated. "We can now co-create innovative services, including supporting augmented reality applications on their smart devices, opening up a world of possibilities."

The Zscaler edge ecosystem resides on the public telecom network, within the edge, and the application is completely hidden unless the device is enrolled in the customer's tenant.

"Any device that can run a modern operating system, including Android, iOS, and, in some cases, Windows running on tablets, can run a Client Connector. The setup is not based on a user account, but on a system account or one based on certificate-based authentication, that connects to the Zero Trust Exchange using customer-defined access policies," explained Howe.

The result, for the Swiss company, was a better remote sales experience unconstrained by the four walls of a store.

Howe points out that regardless of where the devices are located (e.g., with delivery drivers or logistics partners), they benefit from zero trust by following three core rules:

  1. You have complete visibility into where your traffic is going 
  2. You have control over the data the devices access, curtailing any misuse that can cause data utilization costs to explode (e.g., unauthorized video streaming)
  3. You apply the controls needed to protect your business against cyber risks, such as a user downloading a malicious file 

After the success of deploying Client Connector detached from user identities, the next step was to go beyond secured handhelds running familiar operating systems to connect a wide range of SIM-based IoT devices prevalent in shipping, logistics, energy, and other industries.

Speaking at Zenith Live ‘24 and recent CXO Exchanges this year, Nathan Howe, Vice President of Emerging Technology at Zscaler, envisions zero-trust-enabled SIM cards deployed across fleets of IoT/OT devices for secure smart device connectivity.

Since you can’t load an agent on them, he explained, the team tried for a year to integrate ZCCs with SIM cards. However, the engineers faced two problems: SIM cards cannot run TLS tunnels, and it would be a challenge to manage the code across so many diverse endpoints. The solution was to design the zero trust SIM.

Opening the floodgates to secure IoT 

Howe explained two ways to roll out a zero trust SIM. 

Zscaler-delivered SIMs offer redundancy, resiliency, and availability over any mobile network. That means that if you have an iOS-based phone running on AT&T and an Android phone running on T-Mobile, both can go through the same zero trust control plane in the Zscaler cloud.

“With multi-network path roaming, whenever a device goes out of range of one provider, we’ll connect it to another available network with no change to the control plane,” said Howe. The solution works with eSIM, but most IoT devices use plastic SIMs, noted Howe.

To make it all work, there was one final piece to the puzzle: the zero trust cellular edge. It consists of software similar to the Zscaler Branch Connector and Cloud Connector, but it sits within the mobile network as a direct hop from a telco (Zscaler can partner with 400 worldwide) to the Zscaler Zero Trust Exchange.

Zscaler Zero Trust SIM

Zscaler spins up cell edges on a per-customer, per-location basis, with all traffic routed through the customer’s policy enforcement point.

“You can access your private applications with these devices without needing to install a client connector while the cell edge creates the connections in, giving you bidirectional access. You can remotely log into systems or your EV charger, which is very powerful,” Howe said. 

Most customers, however, would not simply replace all the SIMs in one shot, as there could be hundreds of thousands in a large distributed environment; hence the partner-delivered SIM option.

Partner Zero Trust SIM

Zscaler customers with hundreds of thousands of SIMs deployed globally can't realistically replace them all with new SIM cards, but can still benefit from zero trust connectivity on their carrier networks.

With partner-delivered zero trust SIMs, Zscaler can't guarantee resiliency and roaming, but a customer would be able to run it all on their incumbent wireless network. The Zscaler Cellular Edge would still apply policy as the traffic flows from carrier SIMs to the Zscaler cloud, delivering the same access control and security protection as the Zscaler-delivered SIM model.
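To make the enforcement model concrete, here is an added toy model (not Zscaler code) of a cellular edge acting as a per-customer, per-location policy enforcement point, covering both the three core rules above and the Zscaler- and partner-delivered SIM flows: devices are identified by the SIM (ICCID) rather than a user, an unenrolled SIM sees nothing, and only customer-allowed destination categories pass. The enrollment table, host catalogue and hostnames are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed enrollment table: SIM ICCID -> customer tenant. A SIM absent
# from the table is unenrolled, so the application stays hidden from it.
ENROLLMENT = {
    "8941000000000000001": "swiss-pos",
    "8941000000000000002": "swiss-pos",
    "8941000000000000003": "grid-meters",
}

# Constructed destination catalogue: host -> category (hypothetical hosts).
DESTINATIONS = {
    "pay.example-acquirer.test": "payment",
    "inventory.example-corp.test": "private-app",
    "video.example-stream.test": "video-streaming",
    "scada.example-grid.test": "private-app",
    "drop.example-malware.test": "malicious",
}

# Customer-defined access policy: the only categories each tenant may reach.
# Anything else (video streaming, malicious hosts, unknown hosts) is denied.
POLICY = {
    "swiss-pos": {"payment", "private-app"},
    "grid-meters": {"private-app"},
}

@dataclass
class CellularEdge:
    """One edge per customer and location; it enforces that tenant's policy."""
    tenant: str
    location: str
    log: list = field(default_factory=list)  # rule 1: where traffic is going

    def decide(self, iccid: str, host: str) -> str:
        sim_tenant = ENROLLMENT.get(iccid)
        if sim_tenant != self.tenant:
            verdict, reason = "DENY", "SIM not enrolled in this tenant"
        else:
            category = DESTINATIONS.get(host, "unknown")
            if category in POLICY[self.tenant]:
                verdict, reason = "ALLOW", category
            else:
                verdict, reason = "DENY", f"{category} not permitted"
        self.log.append((self.location, iccid, host, verdict, reason))
        return verdict

    def denied_hosts(self) -> list:
        """Visibility report: hosts that SIMs on this edge were blocked from."""
        return sorted({h for _, _, h, v, _ in self.log if v == "DENY"})
```

The same `CellularEdge` logic applies whether the SIM was issued by Zscaler or by the incumbent carrier; only the enrollment source differs.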

“With Zscaler cellular edges based on zero trust, we are helping customers with use cases like providing privileged remote access to cargo ship engines and electric grid access to smart meters for power management. The opportunity in front of us is tremendous, and we are just getting started,” said Howe. 

Interested in learning more? Email the team: sim[at]zscaler.com 
