BSI Cybersecurity and Information Resilience (Ireland) Ltd

Zscaler Private Access

Zscaler Private Access is a new way for authorized users to access specific applications without the cost, hassle or security risk of VPNs, Zscaler Private Access decouples private internal applications from the physical network to enable authorized user access to selected apps without the security risk or complexity of VPNs.


  • Decouples private internal applications from the physical network
  • takes the “Network” out of VPNs
  • Increase security
  • ZPA is enabled just using the Z App
  • Phase out legacy VPNs, without the need to rip-n- replace
  • Move apps to the cloud on your schedule
  • No hardware to deploy, configure or maintain
  • Seamless integration with your existing Single Sign On
  • Wildcard app deployment will discover applications upon request
  • Apps “just work.”


  • no VPN client to launch or exit
  • Enable application-specific access to individual contractors, business partners or other
  • Automatically routes to the location that delivers the best performan
  • No need for policy juggling to deliver application access
  • unauthorized users are not able to even see applications
  • Zscaler Private Access extends the overall Zscaler capabilities
  • Removes complexity and security risk of VPNs
  • Reduces Capex and Opex compared to traditonal VPNs
  • Easy fast deployment


£63.32 per user per year

  • Education pricing available
  • Free trial available

Service documents

G-Cloud 10


BSI Cybersecurity and Information Resilience (Ireland) Ltd

Neil Ryan

+353 (1) 210 1711

Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Zscaler Internet Access Platform
Cloud deployment model Private cloud
Service constraints The Zscaler Cloud is designed to ensure maintenance is performed without service interruption; it is delivered irrespective of end user hardware
System requirements There are no specific system requirements

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Email and on line ticketing support is available as standard Monday to Friday 9am to 5 pm 24 /7 , 365 days a year email support is available via Zscaler Premium Support which is an optional extra
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support No
Support levels •Service desk •Email •Phone •Live chat Standard Support is included in the licencing cost and provides 9am to 5 pm support hours Monday to Friday. Premium Support is available which provides 24/7 365 support. Cost is 12% of Licensing Cost as outlined in the Pricing Matrix. An automatic upgrade to Premium Support Plus is made which includes a Technical Account Manager if Support revenue exceeds USD 30,000 per annum
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Full training is provided to allow for the on boarding of users. There are no physical appliances to deploy, no Network Address Translations to contemplate, nothing new to put in the DMZ.
• With Application Discovery, the combination of global ZENs and ZEN Connectors in front of servers can actually find apps in response to user requests. So IT does not have to map out IP addresses for each and every application—Zscaler Private Access will find them for you.
If more than one instance of an application is turned up, the Zscaler CA will apply a series of metrics to figure out which instance will deliver the best performance for each request.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction This service does not retain data at any point
End-of-contract process The Zscaler Subscription includes per user licence costs with standard technical support. Additional services include an upgrade to Premium Support. At the end of the contract term a BSI representative will provide a quotation for a new contract term subscription.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install Yes
Compatible operating systems Windows
Designed for use on mobile devices Yes
Differences between the mobile and desktop service There are no differences between the Mobile and desktop service
Accessibility standards None or don’t know
Description of accessibility Zscaler App – Enables a client to use ZPA
• ZPA Central Authority (ZPA-CA) – A multi-tenant, globally distributed policy engine that provides a single interface to provision policies and enable connection requests.
• ZPA Zscaler Enforcement Nodes (ZPA-ZENs) – ZPA-ZENs stitch the connection together.
• ZEN Connectors – Lightweight, ephemeral binary, and currently deployed as a virtual machine, ZEN Connectors establish a connection between the apps and ZPA integrates seamlessly into a company’s Single SignOn infrastructure.
Accessibility testing No interface testing has been done with assistive technology
Customisation available No


Independence of resources Each ZscalerNode is monitored in real-time with over 200 metrics to ensure it is available and SLA’s are being met. It is a horizontally scaling solution and Zscaler policy to over provide capacity for all of its customers. Our architecture has been specifically designed to scale in a data centre and across data centres. We have built a cloud architecture that allows our devices to be placed in a redundant, load balanced configuration which allows up to 32 devices to be clustered. This allows our data centres to be able to scale to millions of users


Service usage metrics No


Supplier type Reseller providing extra features and support
Organisation whose services are being resold Zscaler Internet Access, SkyHigh, Okta, Alert Logic

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process No
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Zscaler Private Access does not hold any user data
Data export formats Other
Data import formats Other

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Availability and resilience
Guaranteed availability The latest information on SLA for uptime (and their Penalties in case of breach) can be found on:
Approach to resilience Zscaler supports redundancy between data centres where traffic is rerouted to the next nearest location, if and whenever necessary. More information on the redundancy design of the Zscaler Platform can be made available upon request.
Outage reporting Zscaler provides customer access to Service Availability details on in conjunction with email alerts

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
Access restrictions in management interfaces and support channels Zscaler’s role based administration allows organisations to create custom administrator roles that only have access to the reporting functionality of Zscaler. This can be further restricted to only allow reporting access to administrators for the particular department or locations for which they are responsible. In this way, non-IT administrators such as HR staff can be given “reporting only” administrator roles as required. By the same logic, IT administrators may be given configuration access only and have no visibility of user activity and reporting. Further to this, usernames can be obfuscated for certain administrators where there are concerns over user privacy.
Access restriction testing frequency At least every 6 months
Management access authentication Username or password

Audit information for users

Audit information for users
Access to user activity audit information No audit information available
Access to supplier activity audit information No audit information available
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Brightline
ISO/IEC 27001 accreditation date 7th july 2016
What the ISO/IEC 27001 doesn’t cover All of the Zscaler Platform is covered by ISO/IEC 27001
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Zscaler's Information Security Management System has been ISO 27001 Certified. An Independent Practioner's Report examining these controls can be made available upon request.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Change Control windows are determined based on probability and impact. Change control windows are developed and documented and any changes that fall outside of normal change control windows are considered emergency changes. All changes are discussed at weekly operations meetings.The change request can include the following information: A summary of the change Risk probablility Risk Impact Justification for the change Systems that will be changed and impact Communication requirements Necessary technical requirements Roles and responsibilities Test plan Validation plan
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Zscaler uses automated and manual 3rd-party test methods to pro-actively find vulnerabilities and incidents. Zscaler leverages malware feeds from threat-sharing partners like Microsoft, Adobe, and Google on top of its own threat intelligence research to protect against the latest threats. These feeds are continuously updated in real time. Zscaler also conducts threat intelligence research with every download made by a Zscaler customer being sandboxed to detect zero day threats. Vulnerabilities in our Service and Security Incidents go to the Zscaler CISO Office. They are the 'owner' and Spokesperson. They will coordinate with the relevant internal departments, like Development and/or Threathlabz.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Zscaler Connectors have their own health monitoring in terms of latency & availability. We don’t monitor the hardware that the connector runs on, because this infrastructure is part of the customer’s deployment.
Sample Incident Response Times: Category Response time Priority 1 15 minutes in extended business hours Priority 2 30 minutes in business hours Priority 3 2 Hours in business hours Priority 4 4 Hours in business hours User support enquiry via email Reply deadline of 4 hours
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Support services are available through Zscaler’s helpdesk, which is operational 24 X 7 X 365. Upon reporting the incident (via phone, email or web), the incident will be assigned a unique Support ID number and such number must be used in all future correspondence until the incident is resolved. Standard Support is included in the fees for the Services; Premium Support and Premium Plus Support may be purchased by Customer for an additional fee. Incident reports are available via the customer dashboard.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks Yes
Connected networks New NHS Network (N3)


Price £63.32 per user per year
Discount for educational organisations Yes
Free trial available Yes
Description of free trial There is a facility to provide an evaluation of the Zscaler platform involving live user traffic. Details of how many users and numbers of sites are dependant on client requirements.


Pricing document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑