ZCSPM Platform Architecture

The Zscaler Cloud Security Posture Management (ZCSPM) service is a multi-tenant software-as-a-service (SaaS) product hosted on Microsoft Azure. ZCSPM is designed using a scalable three-tier architecture: web tier, serverless microservices tier, and data and analytics tier.

ZCSPM collects configuration metadata from Amazon Web Services (AWS) using serverless Lambda functions running on ZCSPM's AWS account and from Microsoft Azure as a part of the microservices tier which runs on ZCSPM's Azure account.

View the ZCSPM Platform Architecture

The ZCSPM service offers data protection, high availability, and resiliency for all imported, stored, and exported data types. All traffic to and from ZCSPM is encrypted and access controlled. ZCSPM uses TLS 1.2 for data in transit encryption and AES 256-bit encryption for data at rest.

ZCSPM Data Flow

The data flow diagram outlines the data exchange between the ZCSPM service and external systems.

View the ZCSPM Data Flow diagram

ZCSPM Access Permissions

ZCSPM follows cloud service provider guidelines for third-party SaaS application integrations.

AWS: The ZCSPM service uses an AWS external ID to access the configuration metadata in a specific AWS account. The AWS external ID is assigned a Security Audit role with specific role-based access control (RBAC) permissions for accessing the management plane. The cloud connector located in ZCSPM AWS account communicates with the management plane using AWS-trusted credentials.
Microsoft Azure: The ZCSPM service uses App Registration in Microsoft Active Directory (AD) to access the configuration metadata within a specific Azure subscription. The App Registration is granted specific RBAC permissions for accessing the management plane. The cloud connector located in ZCSPM's Azure subscription communicates with the management plane using App Registration credentials.
Microsoft 365: The ZCSPM application uses App Registration within Microsoft 365 AD tenant to access the configuration metadata. The App Registration is granted specific RBAC permissions for accessing the management plane. The Microsoft 365 agent collects the metadata using your admin credentials. ZCSPM connects to the agent using separate secure credentials.

View the ZCSPM Access Permissions diagram

Configuration Metadata

The ZCSPM service collects cloud asset configuration metadata and compares them with security policies. The ZCSPM service does not collect any application or user data from cloud service providers. The following table offers a high-level view on what configuration metadata is collected:

	Amazon Web Services	Microsoft Azure	Microsoft Office 365
Cloud Accounts	AWS Billing ID AWS ID / AWS External ID roles	Azure subscription ID Azure AD Tenant (ID, domain name) Azure App Registration (encrypted)	Azure AD Tenant (ID, domain name) Azure App Registration (encrypted)
Cloud Resource Configurations (metadata)	Resource name, ID, tags Location AWS Resource and Property Types AWS Resource attributes	Resource name, ID Resource groups Location Azure Resource Providers and Types Azure Resource Manager (ARM) Resources meta-data	Azure AD Users (summary count)

Data Encryption

The ZCSPM service encrypts all data stored in ZCSPM:

Data encryption at rest: ZCSPM uses multiple cloud service components and encryption schemes such as key vaults, AES symmetric key algorithms and higher-level cipher suites to encrypt customer data. ZCSPM encrypts all backed up data and applies specific RBAC permissions for recovery.
Data encryption in transit: ZCSPM uses TLS 1.2 encryption or higher to encrypt data in transit.

Data Access

You own all the cloud account data present in ZCSPM. The ZCSPM support team requires encryption keys with explicit permission from you to view your data. The following access control mechanisms are implemented:

Customer lockbox: Lockbox ensures that the ZCSPM support team cannot access customer data to perform a service without your explicit approval.
Data classification: ZCSPM applies a restricted data classification to the configuration metadata in the data-store.
Data access: The ZCSPM support team can access the management plane at the data store level. However, they will not have access to decrypt the configuration metadata unless a support request makes it necessary. You have to explicitly grant access to the support team to retrieve data for a time-boxed period which is required to resolve the request.
Access control: All access requests are managed through Privileged Identity Management (PIM).
Access logging: All access transactions to application and metadata in the data store are logged and monitored.

Data Privacy

The ZCSPM service does not store any cloud user information. It only collects user count and IAM configurations. The only personal identifiable information (PII) stored in ZCSPM is the name and email address of the ZCSPM service users.

	Amazon Web Services	Microsoft Azure	Microsoft Office 365
Cloud Users	IAM user counts and configurations	Count (Configuration information processed but not stored)	Count (Configuration information processed but not stored)
ZCSPM Application Users	Name Email	Name Email	Name Email

ZCSPM requires you to provide an explicit consent for storing your personal data in the ZCSPM data-store. You can view the consent request when you sign in to the ZCSPM service for the first time.

SOC 2 Type 1 Attestation

ZCSPM's data protection and operational processes are SOC 2 Type 1 attested by a third-party auditor. ZCSPM can provide the report on request.

ZCSPM

Customer Data Security