Zenith Live is coming to Europe in October. Join us! Register
Zenith Live is coming to Europe in October. Join us!
Register
Products > Cloud Architecture

Zscaler Architecture: Cloud from the beginning

The global security-as-a-service architecture built
in the cloud for performance and scalability.

What We Do

Proprietary, multi-tenant global cloud architecture

Zscaler security as a service is delivered by a next-generation security architecture built from the ground up for performance and scalability. It is distributed across more than 100 data centers on 6 continents, which means that users are always a short hop to their applications, and we peer with hundreds of partners in major internet exchanges around the world for performance and reliability.

zscaler-cloud-enabled architecture

100+

data centers
worldwide

50B+

transactions processed every day at peak periods

100M+

threats detected
every day

120K+

unique security updates
every day

What differentiates a global security cloud?

Examines internet traffic over all ports and protocols, including SSL

Recognizes threats independent of signature feeds

Enables policies to follow users, regardless of location or device

Propagates threat information across the cloud in real time

Integrates findings from multiple security engines

Provides global visibility on demand

The Zscaler Platform

Designed for resiliency, redundancy, and fast performance, the three-tiered Zscaler platform modules comprise the control plane (Zscaler Central Authority), the data plane (Zscaler Enforcement Nodes), and the logging and statistics plane(Zscaler Nanolog Servers).

Zscaler brings the Internet and web gateway closer to the user for a faster experience

The Control Plane: Central Authority

The Zscaler Central Authority monitors our entire security cloud and provides a central location for software and database updates, policy and configuration settings, and threat intelligence. The collection of Zscaler Central Authority instances together form the brain of the cloud, and they are geographically distributed for redundancy and performance.

Relying on UTM and NGFW appliances to secure internet traffic is costly, results in appliance sprawl, and compromises branch security.
Relying on UTM and NGFW appliances to secure internet traffic is costly, results in appliance sprawl, and compromises branch security.

The Data Plane: Zscaler Enforcement Nodes

Traffic is directed to the Zscaler Enforcement Node (ZEN) nearest the user, where security, management, and compliance policies are enforced consistently, no matter where the user connects. Each ZEN utilizes a full proxy architecture and is built to ensure that data is not written, but scanned in RAM only and then erased. Logs are continuously created in memory and forwarded to the logging plane.

The Logging Plane: Nanolog Technology

Built into ZENs, Nanolog technology performs lossless compression of logs, which are transmitted to Nanolog servers over secure connections and multicast for redundancy. Zscaler customers can mine billions of transaction logs to generate reports that provide insight into network utilization and traffic. We continuously update our dashboards and reporting and can stream logs to a third-party Security Information and Event Management (SIEM) service as they arrive. Customers can choose to have logs written to disk in a physical location that complies with regional regulations.

Relying on UTM and NGFW appliances to secure internet traffic is costly, results in appliance sprawl, and compromises branch security.

Innovations on a global scale

ByteScan

Cloud scale for fast scanning

ByteScan enables fast scanning of each inbound and outbound byte for the detection of malicious sites and content, zero-day attacks, and attempts to exfiltrate data. It also enables native SSL scanning. ByteScan does not rely on traditional signature analysis.

SSMA

Single-Scan, Multi-Action technology

SSMA technology allows all Zscaler inspection engines to scan content in a single pass with only microsecond delay. With the appliance model, on the other hand, each security service independently processes packets, adding latency at each hop.

PageRisk

Dynamically computed risk scoring

PageRisk technology measures potential threats, such as injected scripts, vulnerable ActiveX objects, and zero-pixel iFrames, as well as domain information to generate a risk score. As hackers get better at hiding malware, it’s important to check all objects on all pages.

PolicyNow

Policies follow users

As users connect to nodes around the world, PolicyNow technology ensures that policies stay with them. PolicyNow is also central to our cloud’s global resiliency; even if multiple data centers lost power, users would be connected to the next closest node, and cloud services would be uninterrupted.

ByteScan

Cloud scale for fast scanning

ByteScan enables fast scanning of each inbound and outbound byte for the detection of malicious sites and content, zero-day attacks, and attempts to exfiltrate data. It also enables native SSL scanning. ByteScan does not rely on traditional signature analysis.

SSMA

Single-Scan, Multi-Action technology

SSMA technology allows all Zscaler inspection engines to scan content in a single pass with only microsecond delay. With the appliance model, on the other hand, each security service independently processes packets, adding latency at each hop.

PageRisk

Dynamically computed risk scoring

PageRisk technology measures potential threats, such as injected scripts, vulnerable ActiveX objects, and zero-pixel iFrames, as well as domain information to generate a risk score. As hackers get better at hiding malware, it’s important to check all objects on all pages.

PolicyNow

Policies follow users

As users connect to nodes around the world, PolicyNow technology ensures that policies stay with them. PolicyNow is also central to our cloud’s global resiliency; even if multiple data centers lost power, users would be connected to the next closest node, and cloud services would be uninterrupted.

The data path: the right place for comprehensive security as a service

Because of its position between every user and the internet, the Zscaler platform is positioned to provide secure access to any destination—the open internet, apps and services in the cloud, and internal apps in the data center and public and private clouds.

Our position also makes Zscaler a critical integration point for a range of services. We complement and interoperate with key technology vendors across major market segments, including SD-WAN, identity and access management, device and endpoint management, as well as SIEM for reporting and analytics.

Many of these vendors, like us, were born in the cloud and, together, we form a dynamic cloud ecosystem for modern security and access. Read about them here.