Zscaler vs. Tailscale
Some people say that “zero trust networking” is a misleading term, since zero trust is less about protecting networks as about protecting each individual node on a network. To do this, we need to authenticate every user and authorize every access.
Zero trust principles are at the core of both Tailscale and Zscaler. Although we take different approaches, Tailscale being a modern remote access VPN and Zscaler being a cloud security proxy, we share the same end goal of protecting critical resources and securing communications between users and services.
Here, we’ll compare and contrast Zscaler with Tailscale, outlining their distinct features and use cases.
Zscaler is a cloud-based information security company, based in California. They have two main offerings: Zscaler Private Access (ZPA), which offers secure access to a company’s internal apps, and Zscaler Internet Access, which allows users to securely access the Internet through company-controlled servers.
Zscaler Private Access lets organizations give access to their internal applications and services, while ensuring the security and integrity of their network. It offers security policies, limiting access to authorized users only. With ZPA, application access does not require granting access to the network itself. And since ZPA is integrated with users’ existing authentication infrastructure, the process is seamless.
|Open source?||Yes (except coordination server)||No||Integrates with identity providers for single sign-on?||Yes
(Google, Office 365/Azure AD, Okta, etc.)
|Connection type||Mesh VPN||Cloud service proxies|
|End-to-end encryption?||Yes||SaaS proxy forwards between users and apps.|
|Connection latency||Minimal (point-to-point mesh)||Depends on nearest proxy location|
|ACLs and security policies?||Yes (central ACL policy)||Yes|
|Forward all traffic through gateway?||Optional (exit nodes)||Separate product (ZIA)|
|Auditing and logging?||Yes||Yes|
|Pricing||Free for individuals. Paid plans for teams and enterprise||Professional, business, and other plans|
Users accessing applications or services never actually get access to the network where these resources are held, preventing lateral movement across a network.
Instead, Zscaler Private Access uses “inside-out” connectivity: both users and services connect from inside their network, out to SaaS proxies operated by Zscaler. This avoids the need to open firewall ports in order to expose a service for private use.
IP addresses of private applications are never exposed; rather, a session IP address is generated (not the true IP address). With this kind of least-privileged access and Zscaler’s ability to shield applications from unauthorized users’ view, attack surface area is reduced.
Zscaler offers visibility into who is using what, and where things are running. They’ve been know to help uncover unknown internal applications running in data centers and clouds.
Application segmentation determined by user groups creates a relatively simple, more flexible structure than traditional network segmentation. Every service can have its own access controls, rather than coarse-grained firewall settings for each network segment.
Tailscale’s nodes talk directly to each other, usually without any middlebox needed to forward traffic. That is, Tailscale users and services have direct peer-to-peer connections on a mesh network. All communications are end-to-end encrypted. Private encryption keys never leave their nodes and are not visible to Tailscale, improving data security and privacy.
Like Zscaler, Tailscale offers a zero trust security model. Tailscale’s architecture provides a single virtual network for the whole organization, but lets users and administrators define strict security policies that determine which nodes can access which others. Each node in the Tailscale network has its own firewall, centrally configured.
Tailscale users can also define which nodes can access which services and groups of users. Tailscale uses central role-based access control (RBAC), minimizing the number of rules needed to enforce a given security policy.
Like Zscaler, Tailscale works with popular identity providers to support single sign-on. Since each Tailscale node logs its connections to a central audit system, every connection is logged twice (at both source and destination), making log tampering straightforward to detect, even without funneling traffic through a concentrator.
Zscaler and Tailscale both offer highly secure zero trust network architectures, although they differ in their approach.
Zscaler uses a worldwide network of proxy servers to forward and log traffic between users and services. It offers access only to services, not to the underlying network itself, preventing lateral movement.
Tailscale creates end-to-end encrypted mesh connections directly between users and services, avoiding the need for central concentrators. It offers direct IP-based connectivity, but prevents lateral movement through centrally-controlled packet filters running on each node.