What are the high-level steps for deploying Zscaler TLS inspection in an organization?

A brief walk-through of the recommended phases for rolling out TLS inspection.

💡 This is part of an ongoing series on cybersecurity foundations. Check the cyber 101 article tag index from time to time for more content.

💡 While this article focuses on Zscaler, the underlying principles also apply to other technologies and vendors.

Wouldn't it be great if we could all just snap our fingers and instantly deploy robust security features/functionality in an organization? Unfortunately, technology just doesn't work that way. Successful execution of a security tool/feature requires careful planning. In today's article, I want to walk through the high-level phases/steps for rolling out SSL (TLS) inspection on Zscaler.

  • Step 1: Do the pre-work
    • Decrypting TLS traffic can be a sticky subject with privacy and regulatory implications. Before actually implementing the security controls, it's best to get the necessary approvals from leadership/governance.
    • This part also includes defining acceptable use policies and making it clear to users what is subject to security inspection.
  • Step 2: Implement/define/configure the Certificate Authority
    • Depending on the final solution architecture, customers can either bring their own CA or leverage the vendor's.
    • Either way, all endpoints must trust the root CA that is being used for TLS inspection.
    • Distributing the root certificate might require some additional work (especially on mobile devices or hardened appliances, where the OS or application may keep its own trust store).
  • Step 3: Perform an initial roll-out with selective inspection
    • Start slow. Implement this feature for a subset of users (pilot group).
    • Only perform inspection on a subset of websites and services (like risky URL categories).
    • Collect feedback from end users to understand their experience and determine if workflows have been impacted.
  • Step 4: Extend the rollout to a broader group
    • Upon transitioning out of Step 3, additional scenarios will emerge (e.g. certificate pinning, more complex use cases, etc.).
    • Expand coverage to include more use cases and groups.
  • Step 5: Collect relevant data and reports
    • As the deployment of the feature begins to reach maturity, data is going to be critical.
    • At this phase in the rollout, it's very important to leverage reporting capabilities to document inspection coverage and environment support.
    • This includes data points that help quantify value, like:
      • % of traffic being inspected
      • Threats captured in encrypted traffic
      • The most common TLS versions and negotiated ciphers
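As an added illustration of the Step 5 data points (example code written for this article, not code from the original post or from Zscaler), the snippet below computes inspection coverage, bypass reasons, threats seen inside decrypted traffic and the TLS version/cipher mix from a constructed set of transaction records. The record layout, hosts and values are assumptions for the demo, not Zscaler's log schema.

```python
from collections import Counter

# Constructed sample of HTTPS transaction records (an illustrative format,
# NOT Zscaler's own log schema). One record per line, fields:
# user,host,inspected,bypass_reason,tls_version,cipher,threat
SAMPLE_LOG = """\
alice,example.com,yes,,TLSv1.3,TLS_AES_256_GCM_SHA384,none
bob,bank.example,no,finance-exempt,TLSv1.2,,none
carol,cdn.example.net,yes,,TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,none
alice,malware.test,yes,,TLSv1.2,ECDHE-RSA-AES128-GCM-SHA256,Trojan.Generic
dave,legacy.example.org,yes,,TLSv1.0,AES128-SHA,none
erin,pinned-app.example,no,cert-pinning,TLSv1.3,,none
"""

FIELDS = ("user", "host", "inspected", "bypass_reason", "tls_version", "cipher", "threat")
LEGACY_TLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}


def parse_records(text):
    """Turn the CSV-style lines into dicts, rejecting malformed records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split(",")
        if len(values) != len(FIELDS):
            raise ValueError(f"malformed record: {line!r}")
        records.append(dict(zip(FIELDS, values)))
    return records


def coverage_report(records):
    """Compute the Step 5 data points: coverage, bypass reasons, threats found
    in decrypted traffic, TLS version/cipher mix and hosts on legacy TLS."""
    total = len(records)
    inspected = [r for r in records if r["inspected"] == "yes"]
    return {
        "total": total,
        "inspected_pct": round(100.0 * len(inspected) / total, 1) if total else 0.0,
        # Why traffic was NOT decrypted: exemptions and pinning cases to track over time.
        "bypass_reasons": Counter(r["bypass_reason"] for r in records if r["inspected"] != "yes"),
        # Threat verdicts are only possible on payloads that were actually decrypted.
        "threats_in_inspected": [(r["host"], r["threat"]) for r in inspected if r["threat"] != "none"],
        "tls_versions": Counter(r["tls_version"] for r in records if r["tls_version"]),
        "ciphers": Counter(r["cipher"] for r in records if r["cipher"]),
        # Hosts still negotiating deprecated protocol versions deserve follow-up.
        "legacy_tls_hosts": sorted(r["host"] for r in records if r["tls_version"] in LEGACY_TLS),
    }


if __name__ == "__main__":
    for key, value in coverage_report(parse_records(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```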

For more information on this topic, check out the following resources:

https://help.zscaler.com/zia/deploying-ssl-inspection

https://help.zscaler.com/zia/choosing-ca-certificate-ssl-inspection

https://help.zscaler.com/zia/adding-custom-certificate-application-specific-trust-store

https://help.zscaler.com/zia/configuring-ssl-inspection-policy