Telefonica UK Limited

Zscaler Security from O2

Zscaler is a global cloud-based information security company that provides Internet security, web security, next generation firewalls, sandboxing, SSL inspection, antivirus, vulnerability management and granular control of user activity in cloud computing, mobile and Internet of things environments.

Features

  • Cloud Security
  • Secure Web Gateway
  • Cloud Based Internet Gateway
  • Next Generation Firewall
  • DLP
  • APT - Cloud Sandboxing
  • Wifi Security

Benefits

  • Protects all internet traffic on all devices
  • SSL Inspection
  • Visibility of end user activities
  • Security Analytics
  • Full Remote Location Protection
  • Reduced Management Overhead
  • Protect against Data Exfiltration
  • Compliance Enforcement
  • Identify Compromised Endpoints
  • Stop Infections including Zero Day Attacks

Pricing

£6.88 a user a year

  • Free trial available

Service documents

Framework

G-Cloud 12

Service ID

339060936236331

Contact

Telefonica UK Limited Neil Cruden
Telephone: 07872015506
Email: g-cloud_framework@o2.com

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
None specified
System requirements
None

User support

Email or online ticketing support
Email or online ticketing
Support response times
Standard, Premium and Premium Plus; side-by-side comparison available at https://www.zscaler.com/resources/data-sheets/zscaler-premium-support.pdf
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
No
Support levels
Standard, Premium, Premium Plus (All 24/7, level depends on the response time SLA) https://www.zscaler.com/resources/data-sheets/zscaler-premium-support.pdf
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Z-Scaler Deployment Advisory Services
Service documentation
Yes
Documentation formats
HTML
End-of-contract data extraction
Not applicable - no persistent data maintained online.
End-of-contract process
Realtime service stops

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Yes
Compatible operating systems
Other
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
None.
Service interface
No
API
Yes
What users can and can't do using the API
API is available on request, documentation can be found at https://help.zscaler.com/zia/api
API documentation
Yes
API documentation formats
HTML
API sandbox or test environment
No
Customisation available
Yes
Description of customisation
End user notifications, policies, reporting

Scaling

Independence of resources
Automated scaling capability.

Analytics

Service usage metrics
Yes
Metrics types
Service is monitored aggressively for quality by external 3rd party with public domain reporting.
Reporting types
Reports on request

Resellers

Supplier type
Reseller providing extra support
Organisation whose services are being resold
Z-Scaler

Staff security

Staff security clearance
Other security clearance
Government security clearance
None

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
European Economic Area (EEA)
User control over data storage and processing locations
No
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
No
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Not applicable.
Data export formats
Other
Other data export formats
Not applicable.
Data import formats
Other
Other data import formats
Not applicable.

Data-in-transit protection

Data protection between buyer and supplier networks
Other
Other protection between networks
Zscaler Platform is a Security Platform.
Data protection within supplier network
Other
Other protection within supplier network
Zscaler Platform is a Security Platform.

Availability and resilience

Guaranteed availability
99.999%, assured by contractual commitment
Approach to resilience
N+1 failover data-centers.
Outage reporting
https://trust.zscaler.com/ & email notifications

Identity and authentication

User authentication needed
Yes
User authentication
  • Identity federation with existing provider (for example Google Apps)
  • Other
Other user authentication
Only authenticated users will be able to use the service. Any unauthenticated IP that tries to connect to the Zscaler service will be refused connection at a rate of 16 connections every 2 hours. Users will be authenticated via location or credentials (either hosted by Zscaler or logged in via an external SAML/LDAP IDP).
Access restrictions in management interfaces and support channels
Production can only be accessed via Jump infrastructure. Jump infrastructure access requires the following:
1. Session being initiated from whitelisted IP Space
2. User having a valid OKTA account in corporate and password
3. User having a valid jump account and password
4. User having a secure token (Physical token)
5. User being member of specific group with their private key protected by passphrase

Furthermore, production access is restricted to specific commands executed based on user role and job function. For commands outside of regular day-to-day job function there is an escalation process to control ability to execute additional commands.
Access restriction testing frequency
At least once a year
Management access authentication
Other
Description of management access authentication
Zscaler Cloud service is managed via a single web based (HTTPS) management UI. Authorised users can be created on the hosted DB or it can be integrated with a customer SAML solution for IDP initiated SSO authentication. SAML solutions can in turn support strong authentication, certificate based authentication etc. Admin access logs are available in the admin UI. Configuration audit logs can be exported to CSV format.

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Between 6 months and 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Brightline
ISO/IEC 27001 accreditation date
26/06/2014
What the ISO/IEC 27001 doesn’t cover
The scope of the ISO/IEC 27001:2013 information security management system (ISMS) includes the Zscaler cloud operations for its Security as a Service platform (including operations employees and network operations center) located in Zscaler’s network operations center in San Jose, California, in accordance with the Statement of Applicability, dated April 21, 2014.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
ISO/IEC 27001

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Following industry best practices with ISO/IEC 27001 certification.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Following industry best practices with ISO/IEC 27001 certification.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Following industry best practices with ISO/IEC 27001 certification.
Incident management type
Supplier-defined controls
Incident management approach
Following industry best practices with ISO/IEC 27001 certification.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
No

Pricing

Price
£6.88 a user a year
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
We can offer a free 30-day evaluation.
