Cloud Application Control is a specific Zscaler feature designed to provide granular control over SaaS applications. It allows administrators to create policies that can differentiate between corporate and personal instances of the same application. This is often achieved through tenant restriction, where Zscaler inserts specific headers into the user's web request, signaling to the SaaS provider which tenant (i.e., the corporate instance) the user is authorized to access. This directly addresses the need to ensure users can only use the sanctioned corporate instance while blocking access to personal or other unauthorized instances.

A. Out-of-band CASB: This solution connects to SaaS applications via APIs to scan data at rest and enforce policies within the app, but it does not control real-time user access to specific instances.

C. URL filtering with SSL inspection: URL filtering operates at the domain level. It is generally insufficient for distinguishing between corporate and personal tenants that often share the same login URL.

D. Endpoint DLP: This technology focuses on preventing sensitive data from leaving the endpoint device; it does not manage or control user login access to different SaaS application instances.

---

1. Zscaler Help Portal

"About Cloud App Control": "The Zscaler service provides Cloud App Control policies that allow you to control the cloud applications that users in your organization can access... Additionally

you can enforce tenant restrictions for certain cloud applications to ensure users can only log in with their corporate accounts."

2. Zscaler Help Portal

"Configuring Tenant Profiles": "You can create tenant profiles for specific cloud applications and then use them in your Cloud App Control policy to enforce tenant restrictions. When you enforce tenant restrictions

you can allow users to access only your organization's corporate accounts for a specific cloud application and block access to their personal accounts."

3. Zscaler Help Portal

"Adding a Cloud App Control Policy Rule": The documentation on creating policy rules explicitly shows the option to apply "Tenant Profiles" as an action for selected cloud applications

which is the mechanism used to enforce access to a specific corporate instance.