Your users access hundreds of sanctioned and unsanctioned cloud applications every day. They constantly upload and download data that needs protection. This presents challenges to IT and security teams to decide: should they take a sledgehammer approach and block the application, or should they allow the access and deal with the consequences later?
One of IT’s biggest concerns is how to safely enable access to cloud applications without affecting user productivity.
With the Zscaler Data Protection solution, IT can achieve this goal by providing granular controls for cloud applications to block only the risky activities instead of the entire application.
Cloud App Control policies let organizations control access to cloud applications at a granular level, based on users, tenants, domains, and activities. Zscaler’s inline CASB identifies corporate vs. personal tenants along with activities such as upload, download, share, edit, post, view, login, logout, and more in real time—and provides the control needed to manage application access.
Let’s look at how Zscaler solves some different use cases.
Many users have personal instances of corporate-approved SaaS apps, such as OneDrive, Outlook, Gmail, and others. Separately, they’re fine—but using both their corporate and personal instances of an app at once could lead to a data leak. Imagine an employee uploading next quarter’s sales projections to a personal Google Drive instead of a corporate one. It could lead to not only a data leak, but also possible damage to the company's reputation.
Similarly, organizations that use AWS want to restrict users’ access to certain critical accounts. Schools that use YouTube EDU want students to have access only to the content the school has selected.
In scenarios like these, you can use Zscaler's tenancy restriction feature to restrict access to personal accounts, corporate accounts, or both for certain cloud applications. Simply create a Tenant Profile, specify the allowed tenants in it, and associate it with the respective Cloud App Control policy. SaaS apps deny access to all tenants not explicitly mentioned in the Tenant Profiles.
Tenant Profiles also provide options to restrict access to personal Microsoft 365 tenants, consumer access to Google accounts, and so on.
Tenant Profile configuration
Domain-based access to SaaS applications
In today’s highly connected world, most organizations can’t work in silos—they work with multiple partners and third-party vendors. To collaborate with these partners, you need to provide them access to their corporate collaboration or file sharing applications. However, giving partners full access to corporate domains may lead to data exfiltration.
In another scenario, a developer syncs his corporate GitHub repository with his personal GitHub account, leading to exfiltration of the source code, along with any hard-coded credentials such as AWS keys and passwords.
To ensure that employees, partners, and other users can access only allowed instances of an application, Zscaler provides the Cloud Application Instance feature. With it, you can create multiple instances of a cloud application based on different domains (corporate, partner, trusted/untrusted) and add them as criteria in Cloud App Control policies. For example, you could allow partners access only to their partner Box instance, or allow developers to log in to corporate GitHub accounts only from corporate networks, preventing accidental data leakage.
The Zscaler DLP solution also supports cloud application instances: you can choose cloud application instances and create rules based on the content. For example, allow employees to upload files in their personal Box accounts, but block upload if a file contains sensitive data such as PII, PHI, or PCI data.
Cloud Application Instance configuration
Activities based access to SaaS applications
You need fine-grained control over what users are allowed to do in a SaaS application. For example, your organization may not want employees to rename or add comments to files uploaded to corporate OneDrive. You might want to restrict employees from posting sensitive content on social networks but still let them view those sites.
Zscaler Cloud App Control policies provide fine-grained, activity-based access controls for critical applications across all categories. You can easily create rules to block activities like file renaming and posting on social media while still allowing other activities across these applications.
Fine-grained rule configuration
In addition to Cloud App Control, Zscaler monitors millions of web and SaaS applications across hundreds of categories with powerful URL filtering. Leverage this to allow or block users’ access to these applications as well as any custom applications.