This guide takes you through the configuration steps you need to complete to begin using Zscaler Cloud Security Posture Management (ZCSPM) to secure your organization.

Before you begin configuring ZCSPM, Zscaler recommends reading the following articles:

• What is Zscaler Cloud Security Posture Management?
• How does ZCSPM work?
• Accepting the EUSA
• About Customer Data Security

Configuring ZCSPM

To configure ZCSPM, complete the following steps

• Step 1: Activate Your ZCSPM License

  After your organization is provisioned for ZCSPM, you can access the ZCSPM Admin Portal and log in with the provided credentials. Click Activate License to activate your ZCSPM license. To view information about your ZCSPM license, see About Features and Quotas.

  Close
• Step 2: Configure Single-Sign-On Authentication

  ZCSPM supports single-sign-on (SSO) via SAML 2.0 so that your users can access ZCSPM without having to log in separately to ZCSPM. To configure SSO for ZCSPM, see the following articles:

  • Accessing ZCSPM
  • Configuring SAML for SSO

  Close
• Step 3: Onboard Your Cloud Accounts

  You can onboard multiple cloud accounts into ZCSPM. When onboarded, ZCSPM n provide you with your cloud deployment's security posture. You can onboard multiple cloud accounts from any cloud service provider into your ZCSPM license. To learn how to onboard cloud accounts, see:

  • Onboarding a Microsoft Azure Account
  • Onboarding an AWS Account
  • Onboarding a Google Cloud Platform Project Account
  • Onboarding a Google Cloud Platform Organization Account
  • Onboarding a Microsoft 365 Account

  ZCSPM also offers agents which you can run on your cloud deployment to collect additional configuration metadata:

  • ZCSPM can collect Kubernetes cluster configuration metadata and compare them with security policies related to CIS Kubernetes benchmarks. To learn more, see:
    • Configuring the ZCSPM Agent for Azure Kubernetes Service
    • Configuring the ZCSPM Agent for the Amazon Elastic Kubernetes Service
    • Configuring the ZCSPM Agent for Google Kubernetes Engine
  • ZCSPM can collect advanced security configuration metadata for Microsoft Azure and Microsoft 365 using agents:
    • Advanced Security Configuration for Microsoft Azure
    • Microsoft 365 Advanced Security Configuration Agent

  Close
• Step 4: Fix Quick Wins and Harden Operating Systems

  ZCSPM offers ready-to-run scripts you can run on your AWS and Microsoft Azure cloud deployments to quickly remediate high-risk misconfigurations that can be easily fixed. To learn more, see the following articles:

  • AWS Quick Wins
  • Azure Quick Wins

  ZCSPM offers baseline configuration hardening for the following Operating Systems (OS):

  • CentOS Linux 7
  • Red Hat Enterprise Linux 7
  • Ubuntu 18.04
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012

  Configuration hardening establishes a baseline, maintaining only functions that are required and that can be configured securely.

  Close
• Step 5: Configure ZCSPM for Your Cloud Deployment

  Configure ZCSPM

  ZCSPM can be tailored to meet your organization's governance needs:

  • If you are certain about the security policies that do not impact your organization's assets and are aware of the associated risk, you can choose to override those security policies. To learn more, see Overriding Security Policies.
  • You can create new custom security policies for asset types that currently do not have default security policies. To learn more, see About Creating Custom Security Policies.
  • Your organization might have internal or testing assets which don't need to be evaluated by ZCSPM. You can exclude such assets. To learn more see, Managing Assets.
  • You can create a private benchmark to include all the security policies relevant for your organization and set a custom compliance standard for your cloud deployment. To learn more, see Private Benchmarks.

  Configure ZCSPM Remediation

  ZCSPM offers multiple ways for you to remediate misconfigured Microsoft Azure and AWS assets:

  • Guided Remediation: ZCSPM offers a guided remediation procedure to remediate assets that are non-compliant to a security policy.
  • Manually-triggered Remediation: ZCSPM offers a remediation framework which Admins can use to manually trigger remediation on the ZCSPM portal. ZCSPM leverages the cloud service provider APIs to remediate exisitng non compliant assets.
  • Auto Remediation: ZCSPM's remediation framework can be set to remediate assets as soon as they are deployed.

  To learn more, see About Remediation.

  Configure ZCSPM Integrations

  ZCSPM integrates natively with your Azure subscription and sends audit logs and benchmark summary information. To learn more, see Data Feed Integrations.

  ZCSPM integrates with your security information and event management (SIEM) system, such as Splunk. To learn more, see Integrating with Splunk.

  ZCSPM also offers incident management by integrating with ticketing system such as ServiceNow and Zendesk. To learn more, see:

  • Integrating with ServiceNow
  • Integrating with Zendesk

  Close