Enterprise Zero Trust Rollout with Zscaler
Deployed Zscaler ZIA and ZPA across 15,000 users and 200+ internal applications, replacing legacy VPN and proxy infrastructure.
Problem
The client relied on a hub-and-spoke VPN architecture that backhauled all remote user traffic through two data center proxy appliances. Users experienced latency spikes during peak hours, the security team had limited visibility into encrypted traffic, and the VPN concentrators were at capacity. Application access was network-based rather than identity-based, meaning any authenticated VPN user could reach any internal subnet.
Approach
We designed a phased zero-trust architecture using Zscaler ZIA for internet and SaaS traffic inspection and ZPA for private application access. Phase 1 focused on ZIA deployment: we configured SSL inspection policies, built URL filtering rules aligned to the client's acceptable use policy, and integrated with their existing Azure AD for identity context. Phase 2 deployed ZPA application segments for the top 50 internal applications, mapped access policies to AD security groups, and decommissioned the corresponding VPN split-tunnel rules. We built automated testing to validate user connectivity after each phase and created operational dashboards showing policy hit counts and blocked threat categories.
Results
- 15,000 users migrated to Zscaler in 10 weeks
- VPN infrastructure decommissioned, saving $280K/year in licensing
- Application access latency reduced by 60% for remote users
- 100% of internal application access now identity-based
- Security team gained visibility into previously encrypted traffic
Technology Stack
Artifacts Delivered
- Zero-trust architecture diagrams
- ZIA/ZPA policy configuration packages
- User migration playbooks
- Operational dashboards
- VPN decommission plan and validation reports