A discussion I am finding myself in more and more lately is a debate over whether or not the zScaler IP space is trust worthy. To outline a particular discussion, we have a vendor who is requiring that we give them the IP space we are coming from so they can firewall off the service. Since this is a web site it is something we would access through the zScaler cloud ZIA. However neither the vendor nor some of my counterparts like the idea of using the zScaler IP space, which in my case would be North America. The reason being is that any zScaler customer could be coming from that IP space. This is of course true but I don’t personally feel this a big risk considering that the service would also require a login as well, and the zScaler service itself requires a static IP or authentication. I just wanted to see how others were approaching this topic? Am I the fool for thinking this is not a big deal and that I can use the zScaler IP space as a layer of trust although not the only layer of course.
In my experience it is not the fact that Zscaler “owns” this IP-adresses but rather the sheer size of this IP-ranges whats irritating most people. Most “security/firewall”-admins tend to to drill the smallest possible holes in their defences. They are used to configure e.g. a /30 subnet and in general I think it is a good idea/approach to keep the attack surface as small as possible.
We also had discussions/tickets with tech-staff of a quite popular translation service and for the time being we ended up by using paid and named user accounts which are not ip-restricted.
Also Zscaler does provide Source IP Anchoring which seems could solve your issues quite easily (About Source IP Anchoring | Zscaler).
IMHO source ip-restrictions as the only/main reason are quite often a slightly outdated security measure founded at a time when a large part of the attacks came from the outside against the perimeter defenses. So IP addresses are or should be only a limited indicator for trust. Better one should focus on building a strong and reliable authentication and authorisation mechanism, solid website architecture and defenses against all too well known attacks like brutes, xss, etc. Would not be the first one trying to bolster their frontdoors while keeping backdoors wide open…