Truth in IT
    • Sign In
    • Register
        • Videos
        • Channels
        • Pages
        • Galleries
        • News
        • Events
        • All
Truth in IT Truth in IT
  • Data Management ▼
    • Converged Infrastructure
    • DevOps
    • Networking
    • Storage
    • Virtualization
  • Cybersecurity ▼
    • Application Security
    • Backup & Recovery
    • Data Security
    • Identity & Access Management (IAM)
    • Zero Trust
    • Compliance & GRC
    • Endpoint Security
  • Cloud ▼
    • Hybrid Cloud
    • Private Cloud
    • Public Cloud
  • Webinar Library
  • TiPs
  • DRAW

Application Security in Zscaler Private Access

Zscaler
04/14/2026
0 (0%)
Share
  • Comments
  • Download
  • Transcript
Report Like Favorite
  • Share/Embed
  • Email
Link
Embed

Transcript


In this series of short videos, we're taking a look at the baseline recommendations for the configuration of Zetscaler Private Access. This is Part 7, Securing Your ZPA Applications. First, let's start by talking about App Protection. App Protection is an integral part of ZPA that allows you to identify and stop attacks against your applications. App Protection does this by allowing you to create inspection profiles, either from scratch or using predefined profiles, that will inspect traffic between the user and the application. Inspection can then be enabled on the application segment and an App Protection policy configured that maps an inspection profile to the application segment. These inspection profiles include several critical security controls for your applications. One of these is the OS Top 10 Prevention model. This will allow Zetscaler to identify and prevent attacks against applications that map to the Top 10 application security risk as identified by the Open Worldwide Application Security Project. App Protection also leverages the Zetscaler Threat Labs research to generate Threat Labs control based on signatures from exploits that our security research team is seeing in the wild. Additionally, App Protection is capable of performing virtual patching by applying security controls to block specific attacks that are being leveraged by threat actors and reported as CVEs. It can also be leveraged to provide SMB, Kerberos, and LDAP inspection and protection, providing you with anomaly detection within AD-related traffic, assistance in prevention of enumeration attacks, and protection against common attacks such as Kerberosting, AD schema mapping, and SMB enumeration. Finally, App Protection also provides browser session protection, allowing you to define session fingerprints using a combination of 27 available indicators in browser session protection profiles, which can then be activated as a browser session protection policy based on applications and SAML or SCIM attributes. This also provides a dashboard, identifying users with a high number of unique fingerprints. Finally, understand that you can leverage Zetscaler internet access to inspect ZPA traffic. This works the following way. Traffic that matches an application segment definition is sent to the ZPA service edge as is normal for ZPA. If ZIA inspection is enabled, the ZPA service edge will establish a TLS tunnel to a ZIA enforcement node so that the traffic is sent to ZIA. Security policy configured on the ZIA side will then be enforced. If traffic violates the ZIA security policy, it's blocked. Otherwise, it's allowed and sent back to the ZPA service edge, after which it's sent onto the app connector and forwarded to the destination. Note that this has several prerequisites and limitations. Obviously, this requires a ZIA tenant that is linked to your ZPA tenant. The ZIA inspection feature must be provisioned for ZPA. This can be enabled with a simple support request if it isn't provisioned. A ZIA root certificate must be deployed to your devices as is required for SSL inspection in ZIA. And there's also a minimum version of 4.4 for the client connector required. This does not support browser access or privileged remote access, ICMP, double encryption, multi-session protocols, ZDX, machine tunnels, or partner tenants. As such, it's recommended that you only leverage this inspection feature for business-critical applications. This will allow you to use ZIA's mature policy enforcement and malware detection capabilities, for example, TLS inspection, sandboxing, data loss prevention policy, et cetera, to enforce these on ZPA flows to your business-critical applications, preventing any client-side compromise. Paired with app protection, this will allow you to provide complete client-side and server-side anti-compromise measures in order to fully protect your applications. That's it for this video. Thank you for watching.

TL;DR

  • AppProtection provides server-side security for ZPA applications through inspection profiles that detect OWASP Top 10 attacks, apply threat intelligence signatures, perform virtual patching for CVEs, and protect AD protocols with anomaly detection.
  • Browser session protection creates fingerprints using 27 indicators to identify anomalous user sessions and provides dashboards showing users with high numbers of unique fingerprints for investigation.
  • ZPA traffic can be routed through ZIA enforcement nodes for business-critical applications to leverage mature security controls like TLS inspection, sandboxing, and DLP policies, providing comprehensive client-side protection when paired with AppProtection's server-side defenses.

Summary

This technical tutorial demonstrates how to secure applications accessed through Zscaler Private Access (ZPA) using two complementary approaches: AppProtection and ZIA inspection integration. AppProtection provides server-side security through inspection profiles that detect and prevent attacks mapped to the OWASP Top 10, apply threat intelligence from Zscaler Threat Labs, perform virtual patching for known CVEs, and protect Active Directory protocols including SMB, Kerberos, and LDAP. The session also covers browser session protection capabilities that use 27 indicators to create session fingerprints for anomaly detection. For business-critical applications, organizations can route ZPA traffic through Zscaler Internet Access (ZIA) enforcement nodes to leverage mature security controls including TLS inspection, sandboxing, and data loss prevention policies. This dual-layer approach provides comprehensive client-side and server-side protection against compromise, though ZIA inspection has specific prerequisites including certificate deployment and client connector version 4.4 or higher, with limitations on certain protocol types and access methods.

Chapters

0:00 - Introduction to Application Security
0:12 - AppProtection Overview
0:45 - OWASP Top 10 Prevention
1:21 - AD Protocol Protection
1:37 - Browser Session Protection
1:58 - ZIA Inspection Integration
2:34 - Prerequisites and Limitations

Key Quotes

0:17 "App Protection is an integral part of ZPA that allows you to identify and stop attacks against your applications."
1:04 "App Protection also leverages the Zetscaler Threat Labs research to generate Threat Labs control based on signatures from exploits that our security research team is seeing in the wild."
3:33 "Paired with app protection, this will allow you to provide complete client-side and server-side anti-compromise measures in order to fully protect your applications."

Categories:
  • » Webinar Library » Zscaler
  • » Cybersecurity » Data Security
  • » Cybersecurity » Application Security
  • » Cybersecurity » Zero Trust
  • » Data Protection
Channels:
News:
Events:
Tags:
  • Zero Trust
  • Application Security
  • Threat Intelligence
  • Technical Deep Dive
  • How-To
  • Zero Trust Network Access
  • OWASP Top 10
  • Virtual Patching
  • Active Directory Security
  • Browser Fingerprinting
  • TLS Inspection
  • Data Loss Prevention
Show more Show less

Browse videos

  • Related
  • Featured
  • By date
  • Most viewed
  • Top rated
  •  

              Video's comments: Application Security in Zscaler Private Access

              Upcoming Webinar Calendar

              • 07/14/2026
                01:00 PM
                07/14/2026
                Crafting a Championship-Caliber Security Team for Lasting Defense
                https://www.truthinit.com/index.php/channel/2025/crafting-a-championship-caliber-security-team-for-lasting-defense/
              • 07/14/2026
                02:00 PM
                07/14/2026
                Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data
                https://www.truthinit.com/index.php/channel/2037/understanding-the-crucial-role-of-context-in-safeguarding-ai-accessible-data/
              • 07/21/2026
                04:00 AM
                07/21/2026
                Strategies for Managing AI Governance and Securing App-to-LLM API Traffic
                https://www.truthinit.com/index.php/channel/1967/strategies-for-managing-ai-governance-and-securing-app-to-llm-api-traffic/
              • 07/22/2026
                06:30 AM
                07/22/2026
                Insights and Strategies in Data Protection and Privacy Management
                https://www.truthinit.com/index.php/channel/2000/insights-and-strategies-in-data-protection-and-privacy-management/
              • 07/22/2026
                01:00 PM
                07/22/2026
                Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue
                https://www.truthinit.com/index.php/channel/2029/insights-from-attackers-during-the-fifa-world-cup-a-human-dialogue/
              • 07/28/2026
                01:00 PM
                07/28/2026
                Illumio + Netskope: Zero Trust in the Age of AI Autonomy
                https://www.truthinit.com/index.php/channel/2031/illumio-netskope-zero-trust-in-the-age-of-ai-autonomy/
              • 07/29/2026
                04:00 AM
                07/29/2026
                Real-Time Strategies for Safeguarding Against Prompt Injections
                https://www.truthinit.com/index.php/channel/1968/real-time-strategies-for-safeguarding-against-prompt-injections/
              • 07/29/2026
                01:00 PM
                07/29/2026
                Ask Your Cloud Anything: Unlocking Governance Silos in your Environments
                https://www.truthinit.com/index.php/channel/2048/ask-your-cloud-anything-unlocking-governance-silos-in-your-environments/
              • 08/19/2026
                12:00 PM
                08/19/2026
                Becoming Agent Ready: Insights from Cyera's Expertise
                https://www.truthinit.com/index.php/channel/2036/becoming-agent-ready-insights-from-cyeras-expertise/
              • 09/02/2026
                12:00 PM
                09/02/2026
                Unified Data Security in Action: Uncover, Analyze, and Resolve Challenges
                https://www.truthinit.com/index.php/channel/2045/unified-data-security-in-action-uncover-analyze-and-resolve-challenges/
              • 09/30/2026
                04:00 AM
                09/30/2026
                AI Command Center: Optimizing Visibility and Control in Your Operations
                https://www.truthinit.com/index.php/channel/2024/ai-command-center-optimizing-visibility-and-control-in-your-operations/

              Upcoming Events

              • Jul
                14

                Crafting a Championship-Caliber Security Team for Lasting Defense

                07/14/202601:00 PM ET
                • Jul
                  14

                  Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data

                  07/14/202602:00 PM ET
                  • Jul
                    21

                    Strategies for Managing AI Governance and Securing App-to-LLM API Traffic

                    07/21/202604:00 AM ET
                    • Jul
                      22

                      Insights and Strategies in Data Protection and Privacy Management

                      07/22/202606:30 AM ET
                      • Jul
                        22

                        Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue

                        07/22/202601:00 PM ET
                        More events
                        Truth in IT
                        • Sponsor
                        • About Us
                        • Terms of Service
                        • Privacy Policy
                        • Contact Us
                        • Preference Management
                        Desktop version
                        Standard version