Zenith Live '23 Keynote: Streamlining & up-leveling the Zscaler administrative experience | ZSLogin

00:00

foreign

00:04

[Music]

00:13

so last year you heard about our goals

00:15

to unify identity across our products

00:17

today I'm happy to discuss what we've

00:19

released

00:20

Zs login is the identity service for all

00:24

of zscaler it simplifies identity

00:26

management and authentication for

00:27

administrators and soon for end users

00:30

this service unlocks new identity use

00:32

cases for your zero trust architecture

00:34

in the first release we focused on the

00:36

administrator Zs login is the central

00:38

point of entry for administrators to all

00:40

z-scaler products if your administrators

00:43

authenticate who has zscaler hosted

00:45

credentials they only need to maintain a

00:47

single set of credentials

00:49

if your administrator is SSO from a saml

00:51

identity provider you only need to

00:53

maintain a single connection with that

00:54

IDP

00:56

there's a lot more I could get into but

00:57

let me demonstrate a couple of things

00:58

that we've built

01:00

the uh the demo I'm going to give here

01:02

we're going to authenticate as a as a

01:04

administrator with hosted credentials

01:06

and I want to show off the host and

01:07

credential experience so I can show off

01:09

our support for passwordless

01:11

multi-factor Authentication

01:13

what you see here is The One and Only

01:14

One login screen to z-scaler but I want

01:17

to draw your attention to the second

01:18

checkbox

01:19

in this case I'm going to authenticate

01:21

with a Fido security key

01:24

Fido is an industry standard that

01:26

enables a passwordless multi-factor

01:28

authentication that is phishing

01:30

resistant in this case the two factors

01:32

consist of what I have a private key on

01:34

this device and what I am my fingerprint

01:37

biometric so two factors of

01:39

authentication and I won't need to use a

01:41

password now I'm using this USB key but

01:43

you could also use the fingerprint

01:44

reader on your device the difference

01:46

being that this USB key is considered a

01:48

roaming authenticator I can go to other

01:50

devices to authenticate with it

01:52

so I click next on the login screen

01:55

and my browser prompts to me for my

01:57

registered Fido Authenticator

02:01

I insert my USB key

02:05

and put my finger on the fingerprint

02:07

reader

02:09

and with that then I am authenticated to

02:11

Z scaler what you see here are the list

02:13

of services that I'm entitled to

02:15

administer each tile is dynamically

02:17

displayed based on the services your

02:19

organization uses

02:21

and the services that each admin is

02:22

entitled to by clicking on a tile the

02:25

admin is seamlessly brought into that

02:27

admin console

02:28

so I can click the private access tile

02:30

and seamlessly access zpa

02:34

or I can click the internet access tile

02:37

and I'm in Zia

02:39

the last thing I want to mention about

02:41

the administrator use case is that with

02:42

Zs login we can support automatic

02:45

provisioning and de-provisioning of

02:47

Administrators from your identity

02:48

providers by using skim and this also

02:51

applies to the entitlements that the

02:53

that the administrator will receive

02:56

so support for administrators is

02:58

available but we've also made a lot of

03:00

progress in our support for end users

03:02

the core principles for supporting end

03:04

users are the same there's one identity

03:06

record with entitlements to the services

03:07

in which that user should be enrolled

03:09

and just like for administrators you

03:11

only need to maintain a single

03:12

connection with your identity provider

03:15

now whenever multiple services are

03:17

referring to a particular user we will

03:19

know absolutely whether that's the same

03:21

user or a different user

03:24

so now we'll have this guaranteed unique

03:26

identity and that's going to make it

03:27

much easier for us to share all

03:29

contextual data about a user throughout

03:31

the z-scaler ecosystem

03:33

so for example it'll make it very easy

03:35

for us to share things like the user

03:36

risk profile whether deception has

03:39

detected any nefarious activity whether

03:41

Zs login is detected any anomalies to

03:43

the way a user authenticated

03:45

and not only will we be able to share

03:47

these signals across z-scaler services

03:49

but amongst third parties as well

03:51

maybe a third party identity provider

03:53

has detected a risky user based on some

03:56

activity that occurred outside a

03:57

z-scaler and wants to share that

03:58

information with zscaler to help protect

04:00

your organization

04:02

policies at z-scaler could then be

04:04

defined to limit this user's access or

04:07

even send the user back to the identity

04:08

provider to re-authenticate

04:12

what you're looking at here is a user

04:14

record in Zs login and with the work

04:16

that we're doing it's going to make it

04:17

very easy for us to provide a way for

04:19

you to centrally review all contextual

04:21

data about a user in real time

04:23

in this case we're showing examples from

04:25

Zia client connector Zs login and Azure

04:29

active directory

04:31

great so let's say you want to use this

04:33

information to protect your organization

04:35

let's say you want to detect risky users

04:37

and limit their ability to upload

04:39

sensitive data or access sensitive

04:41

resources

04:43

with the work that we're doing it's

04:44

going to make it very easy for you to

04:46

define context criteria for policies

04:49

that taken signals from a bunch of

04:50

different sources such as the user risk

04:53

profile endpoint security any anomalies

04:55

from authentication or activity detected

04:58

by deception

05:00

likewise it'll make it just as easy for

05:02

us to Define access policies using that

05:05

exact same set of criteria

05:07

so this means that any policy on any

05:09

service throughout zscaler will have

05:10

access to the exact same context data

05:12

and ultimately you could Define the

05:14

exact same criteria for those policies

05:17

now we already have well over 100

05:19

different types of contextual data so

05:21

making this easy to use is going to be

05:22

the next trick so we're also looking at

05:24

ways to enable you to centrally Define a

05:27

range of contact signals and their

05:28

thresholds and therefore rather than

05:30

maintaining long list of granular

05:32

criteria in every one of your policies

05:34

throughout z-scaler you can use the

05:36

central definition and refer to it from

05:38

your policies this will make it easier

05:41

to use and ensure that your policies are

05:44

more consistent

05:46

foreign