First things first, I finished my Master’s degree in Cybersecurity and Information Assurance earlier this year! I had fully intended to make a blog post about that degree, but I also started a new Network Security Team Lead/management role at the beginning of March. I got very busy very quickly, but right now I’m sitting on the rear porch of a villa near Milan, Italy – I guess I could spare a few minutes of vacation for a catch-up!
In my previous post, I had alluded to continuing on at WGU for my master’s degree. I did decide to do that, and it worked much the same as my bachelor’s through them – definitely some speed bumps in learning for the certifications (PenTest+ was a lot of info), but much more of applying skills I’d learned in my previous role as an INFOSEC specialist in the government! The MSCSIA program had a lot more practical assessments (papers) than the Cloud Computing degree. However, given how much of my previous work experience was interpreting policy into actions and projects, it felt like a perfect fit. Writing imaginary policy without any real life business use cases to get in the way or office politics to work around was a nice change of pace.
I received a couple of competing job offers in early February (after months and months of nothing, of course). The one I ultimately chose also had a long lead-in time, allowing me a few more weeks to dedicate myself entirely to completing my master’s degree. I was a little worried that if I tried to work on the master’s while starting a new role (as a manager, no less), the degree might fall by the wayside. Thankfully, I completed it with a week to spare, and just a little bit of time to read up on the hot new thing in my upcoming role.

Zscaler
Not to give away too much of my personal life here (as if 98% of readers weren’t direct LinkedIn referrals), but my job is contracting for the same organization I used to be a direct employee of. When I last worked in the environment, I was assisting with the process of ripping out the old VPN plumbing and replacing it with Zscaler. While my new role is officially “network security team lead”, it’s really manager for the tech team (with a lot of tech knowledge needed and applied day to day) that handles some central security operations and projects. Today, use of Zscaler in our environment is widespread, but not fully “mature.” A large part of my new role is managing the maturation process and helping to build the most secure (and zero trust-ified) environment possible.
As I’m sure could be said for any pre-existing environment, there have been a ton of very interesting challenges in provisioning access to internal systems using Zscaler. Unfortunately, blogging about the specifics of my employer’s network internals would be unwise, so I wanted to focus on a few tools I built using the legacy API (OneAPI isn’t available for our tenant yet). I’m on vacation so I’m not about to go send an email to get clearance to write code snippets here, but I may go back and update this later with actual code.
To set the stage, our environment is locked down pretty tight with administrative controls. If anyone wants to gain access to the admin dashboard, even for read-only access, they have to collect a lot of signatures, to say nothing of justifications. Some of the information in Zscaler’s configurations is super interesting for other teams though, so why not build a tool for our internal tools site? Thus, the app segment lister was built. Not overly complex, it’s a couple of Python scripts being tied together with Perl. When a user enters the “App Segment” page on our internal site, the Python script lists all app segments by name and number, with each name linking to another page (and script) that lists the addresses and ports used for that segment. This solution has proved especially useful when teams add an IP or FQDN to their own applications and wonder why their users have intermittent issues – send them the link and ask them if the new address is included! It’s also useful for some of the larger, more unwieldy app segments; it’s much easier to view dozens and dozens of addresses on this page than in the ZPA admin console.
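The "is the new address included?" question can also be answered mechanically. The following is an added example, not code from the tool described in this post: it checks a list of endpoints against one app segment record. The record is constructed, and its field names, the flat from/to port list and the wildcard semantics (subdomains only) are assumptions.

```python
import ipaddress

# Constructed sample of one app segment record. The field names and the
# flat from/to port list are assumptions about the response shape.
SEGMENT = {
    "id": "1001",
    "name": "hr-portal",
    "domainNames": ["hr.corp.example", "*.hr.corp.example", "10.20.30.0/28"],
    "tcpPortRanges": ["443", "443", "8000", "8010"],
}

def host_matches(entry, host):
    """True if one segment entry (FQDN, wildcard or IP/CIDR) covers host."""
    entry, host = entry.lower().rstrip("."), host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        try:
            return addr in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False              # entry is a name, host is an IP
    if entry.startswith("*."):
        return host.endswith(entry[1:])   # subdomains only, not the parent
    return host == entry

def port_matches(flat_ranges, port):
    """flat_ranges is [from, to, from, to, ...] as strings."""
    pairs = zip(flat_ranges[0::2], flat_ranges[1::2])
    return any(int(lo) <= port <= int(hi) for lo, hi in pairs)

def covered(segment, host, port):
    return (any(host_matches(e, host) for e in segment["domainNames"])
            and port_matches(segment["tcpPortRanges"], port))

def audit(segment, endpoints):
    """Return the (host, port) pairs the segment does NOT cover."""
    return [(h, p) for h, p in endpoints if not covered(segment, h, p)]

# Constructed list of endpoints an application team says its users need.
NEEDED = [("hr.corp.example", 443), ("api.hr.corp.example", 8005),
          ("payroll.corp.example", 443), ("10.20.30.16", 443)]

if __name__ == "__main__":
    for host, port in audit(SEGMENT, NEEDED):
        print(f"not in {SEGMENT['name']}: {host}:{port}")
```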
The second script was also to ~~get around policy~~ find a more efficient way to provision access to specific information. In this case, we wanted to provision access to Zscaler Client Connector One-Time Passwords (OTPs) for help desk agents. Unfortunately, to get to OTPs, you have to set an administrator up with ZPA/ZIA/ZDX so they can access the ZCC portal, as well as create a tightly scoped administrative role to make sure they can only see enrolled devices and their OTPs. This has gotten easier with the introduction of ZIdentity, but it’s still a bit of a pain. Using the same winning combination of Python + Perl, we created a tool that allows help desk agents to enter an end user’s ID and receive their OTPs. We keep a log of requests sent to the server, and Zscaler itself logs use of the OTPs. Creating this type of quick workaround helped a lot, as it greatly reduced the number of clicks and time spent for each help desk request.
My current project is a workflow for SSL Inspection Bypass requests. As anyone who has worked on implementing SSL Inspection will tell you, implementing inspection is the easy part – defining the exceptions is never-ending. I am working on building a Power Automate/Forms workflow to easily allow for end users to request an exception, have the request sent to the proper teams for approval, and, assuming approval, automatically get added to the proper custom category in ZIA. The actual Python script is simple, but authenticating to the legacy ZIA endpoints via Power Automate is a super interesting problem to solve. There’s the brute-force method with an API key, but that involves storing admin credentials somewhere for Power Automate to use (not the end of the world with Azure Key Vault but still not ideal) and encoding them in the Python script itself. Instead, we’re opting to use OAuth2 with our regular IdP. I hope to get that done soon after my vacation ends!
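A workflow that writes user-submitted hosts into an inspection-bypass category needs a gate in front of the API call. The following is an added example, not the script from this post: it normalizes each submission to a single host entry and rejects ones that are malformed or too broad. The function names, the small suffix set and the leading-dot wildcard form are assumptions.

```python
import re
from urllib.parse import urlsplit

# Illustrative subset only (constructed); a production gate would load the
# full Public Suffix List so shared hosting suffixes are never bypassed whole.
BROAD_SUFFIXES = {"com", "net", "org", "co.uk", "cloudfront.net",
                  "amazonaws.com", "azurewebsites.net"}
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize_bypass_entry(raw):
    """Return one category entry for a submitted URL/host, or raise ValueError."""
    text = raw.strip().lower()
    if "://" not in text:
        text = "//" + text                  # let urlsplit see a netloc
    parts = urlsplit(text)
    if parts.username or parts.password:
        raise ValueError("credentials in URL")
    host = parts.hostname or ""
    wildcard = host.startswith(("*.", "."))
    host = host.lstrip("*.").rstrip(".")
    labels = host.split(".")
    if len(host) > 253 or len(labels) < 2:
        raise ValueError("not a fully qualified host name")
    if not all(LABEL.match(label) for label in labels) or labels[-1].isdigit():
        raise ValueError("invalid host name or IP literal")
    if host in BROAD_SUFFIXES:
        raise ValueError("entry would cover an entire shared suffix")
    # Assumption: a leading "." marks "this domain and all subdomains".
    return "." + host if wildcard else host

def triage(requests):
    """Split raw submissions into entries to approve and rejections with reasons."""
    accepted, rejected = set(), []
    for raw in requests:
        try:
            accepted.add(normalize_bypass_entry(raw))
        except ValueError as exc:
            rejected.append((raw, str(exc)))
    return sorted(accepted), rejected

# Constructed sample submissions, as they might arrive from the request form.
SAMPLE = [
    "https://updates.vendor.example/agent/v2?x=1",
    "*.vendor.example",
    "Updates.Vendor.Example:443",
    "*.cloudfront.net",
    "https://admin:pw@portal.vendor.example/",
    "203.0.113.10",
    "*",
]
```

Only the first list returned by `triage(SAMPLE)` should go on to the approvers; the second gives each rejected submission with a reason that can be sent back to the requester.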
What’s Next?
Well, first I have a couple more crazy cycling climbs to do up and fontanelle to find here in Como.

After that though, I’ll get back to work getting used to balancing being a manager with my love for the actual technical side. I’m sure there’s a happy balance in here somewhere. My next academic venture, however, is passing the JLPT N2! My listening skills are there, so I’ve been cramming as much reading immersion as possible to get those kanji in. We’ll see where I land in December. Hopefully I’ll make another post before then.
