Emergency Offboarding

Hi Everyone

We’re currently POC’ing a number of VPN alternatives (Zscaler is on the list) and one of the user stories we’re seeing poor results for with some solutions is emergency/urgent offboarding of staff.

Our intent is to integrate with Google Workspace using SAML/SCIM, and we need to be sure that if a user is disabled, their access, or ZPA in this case, is revoked in a timely manner.

Does anyone have any information about whether ZPA handles this type of change quickly, or is there an arbitrary ‘re-authentication window’ that means a user could stay connected for hours/days/weeks beyond their account being disabled?

Thanks VM in advance…

Hi Mike,
When using SCIM, the changes to the identity provider are sent to Zscaler in near real-time and will not require a re-authentication event to occur to revoke access. The time to live for the account will depend on the SCIM sync interval. I have seen this interval very low (1 minute) with some IdPs, but I am not aware of what the interval is with Google Workspace IdP.
Access can always be revoked from the Zscaler mobile admin (Zscaler Client Connector) portal by going to enrolled devices and revoking a device from there.

Warm Regards,
Chris


Hi Mike,

For apps that support SCIM, being able to kill access rather quickly is a huge benefit. As another option in Zscaler, you can also go to the mobile portal, select their device(s) and click “require reauthentication”, which will lock them out of the system as well.

Personally, SCIM is my favorite option, but it’s not your only option in a situation where you need to remove access.

-Trace

Thank you both for the informative replies - much appreciated. We’ve found that some (unnamed) solutions have a re-auth period of up to six months, even with SCIM, which renders their solutions pretty useless from an off-boarding / BYOD / security point of view.

A cheeky follow-up question - in terms of the ZS appliance that runs in cloud platforms like AWS, is there any white paper or other documentation that outlines its security posture? One of the concerns raised about ZPA-like solutions internally has been the potential for vulnerability of those black boxes sitting alongside our production systems, so if there’s any information available I’d love a nudge in the right direction, as a search hasn’t yielded anything solid so far. Thank you. :pray:

@techfirth I just sent you a PM. I think this is something we can work out, I’m just having a hard time following the question. For some reason I never got a message that you had replied.

v/r
Trace