Our unique cloud proxy architecture is at the core of Zscaler Internet Access and a fundamental element of the Zero Trust Exchange, a comprehensive cloud native security platform.
A cloud proxy functions like a reverse proxy in many ways—client requests flow through the cloud proxy on the way to an internet address, and replies (e.g., permission to access a webpage) return through the proxy on their way to clients—but because the cloud proxy resides in the cloud, it isn’t confined to data center hardware like a conventional appliance-based proxy.
Traditional reverse proxy servers and HTTP proxies are still commonplace in today’s network security stacks, but IT leaders increasingly cite issues with:
Proxies are still the right solution for enterprises looking to prevent stealthy threats without compromising the user experience. In the era of the cloud and mobility, hardware-based offerings can’t reliably deliver on that promise. An effective cloud-based proxy architecture offers:
The most effective cloud-based proxy architecture is part of a comprehensive security architecture, able to address the entire range of compliance and security benchmarks without leaving gaps for another function or a third party (e.g., a cloud provider) to resolve.
Gartner, The Future of Network Security Is in the Cloud
Sitting in the flow of traffic, a cloud proxy integrates with an organization’s authentication service (e.g., single sign-on), after which it can operate inline without an agent. This offers a straightforward user experience, with incoming traffic to managed cloud apps and the like redirected to the cloud proxy automatically.
Let’s take a closer look at this process.
A cloud proxy can protect sensitive data (e.g., PCI data, PII) by acting as a middleman or stand-in for the server on which that data resides. Client requests are routed first to the cloud proxy, then through a specified port in any applicable firewall, and then to the content server—and finally, back again. The client and the server never communicate directly, but the client interprets responses as if they had. Here are the basic steps:
Backed by the elasticity of the cloud, this all happens in near-real time regardless of traffic volume.
To provide clean, safe, and compliant internet access and a great user experience to all users, on any device or operating system, over any network—no matter where they are—the solution is a cloud-based proxy architecture.
Our proven cloud proxy-based architecture forms the foundation of Zscaler Internet Access™, a cloud native security service edge (SSE) solution that builds on a decade of secure web gateway leadership. Offered as a scalable SaaS platform from the world’s largest security cloud, it replaces legacy network security solutions to stop advanced attacks and prevent data loss with a comprehensive zero trust approach.
Zscaler Internet Access is part of the Zscaler Zero Trust Exchange™, a comprehensive cloud native security platform.
The Zscaler cloud proxy architecture provides reverse proxy coverage for all traffic, a core element of cloud access security broker (CASB) within the security service edge (SSE) model.
As part of an SSE framework, our cloud proxy architecture supports your organization in:
Many of your employees may use multiple devices for work, including personal ones. Beyond that, plenty of suppliers, partners, and customers may need access to your internal applications on their own unmanaged devices, presenting a risk to your security.
You can install agents to manage devices your organization owns, but unmanaged endpoints are a different story. Third parties won’t let you install agents on their endpoints, and many employees don’t want agents on their personal devices, either. Instead, our proxy architecture offers agentless protection against data leakage and malware from any unmanaged device accessing your cloud applications and resources.
The Zscaler proxy architecture can enforce data loss prevention policies to prevent accidental or intentional uploads or downloads of sensitive information to or from sanctioned cloud apps. Because it operates inline and inspects all traffic, even encrypted traffic, it can ensure uploaded or downloaded data falls in line with your policies.
An infected file in a cloud service can spread to connected apps and devices—especially unmanaged devices. By agentlessly preventing uploads or downloads of infected files to or from cloud resources, our proxy architecture provides advanced threat protection against malware and ransomware.
By nature, our architecture also hides servers and their IP addresses from clients, which protects your web resources from threats such as distributed denial of service (DDoS) attacks.
The Zscaler proxy can be used to handle client requests that could otherwise overwhelm a single server with high demand, promoting high availability and optimizing load times by distributing requests to your servers evenly.