The ZCSPM service provides single sign-on (SSO) for user authentication, integrates with cloud service providers to collect configuration metadata, remediate misconfigurations, and integrates with your IT systems.

ZCSPM's workflow is categorized by the following categories:

Administration

Below are ZCSPM Administration's key components:

• Licenses: ZCSPM issues a license to you when you subscribe to the ZCSPM SaaS product. A customer can have multiple licenses to cater for multiple business units.
• Cloud Accounts: Under a single license, you can create one or multiple cloud accounts. Each cloud account is a representation of your cloud deployment in a single cloud service provider: Microsoft Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft 365.
• User Roles: The ZCSPM service offers three user roles at the license and account level:
  • Administrator: Administrators can view and manage alll ZCSPM features and configurations. They can also manage all other user roles.
  • Viewer: Viewers can view all ZCSPM features and configurations but cannot make any changes.
  • Reader: Readers can only view the dashboards and benchmark summaries. Readers cannot view any ZCSPM configuration pages.

Once you have obtained licenses for all your business units, you can onboard all your cloud accounts and set up SSO for your users to access ZCSPM.

Metadata Collection

The ZCSPM service integrates with cloud service providers such as Microsoft Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft 365. ZCSPM leverages cloud service provider APIs to collect configuration metadata every day:

• Microsoft Azure: ZCSPM's Azure subscription interacts with your Microsoft Azure subscription using Azure Functions and PowerShell scripts.
• Amazon Web Services: ZCSPM implements AWS Lambda fucntions running on ZCSPM's AWS account to interact with your AWS deployment.
• Microsoft 365: ZCSPM collects configuration metadata for Microsoft 365 using Azure API calls and a PowerShell agent installed on your Azure subscription.
• Google Cloud Platform: ZCSPM's Azure subscription interacts with your GCP service account using Azure Functions.

Governance and Visibility

ZCSPM will run your cloud deployment configuration metadata against 2900+ security policies and 16+ compliance benchmarks to offer you security, compliance, and risk posture via rich dashboards and an asset inventory. ZCSPM's asset inventory offers complete visibility across your cloud deployment, so you can easily identify and fix issues. The Asset Inventory page provides security posture via an inventory of all the assets deployed on your cloud deployment i.e., assets that are protected by ZCSPM with default security policies and assets not protected by ZCSPM.

Enforcement

ZCSPM offers guided and automated remediation mechanisms for Microsoft Azure and Amazon Web Services. Guided remediation is offered in the form of instructions for you to configure an asset securely. To auto remediate assets, ZCSPM requires you to install remediation agents.

ZCSPM can also perform reporting and send audit log information as data feeds to your storage account or a NoSQL database. ZCSPM integrates with ticketing systems and SIEM tools for you to enforce security posture.