Zscaler TSA separation is the work of standing up a Newco tenant, rebuilding the internet access and private access policy, cutting endpoint traffic forwarding to the Newco cloud, and integrating Newco identity before the seller's tenant sees or controls Newco traffic. The work sits inside the broader carve-out advisory program and is a Day One item, because secure access is the path every user and application depends on from the first minute.
Zscaler separation starts with an inventory of the seller tenant. The buyer needs the subscription scope across Zscaler Internet Access, Zscaler Private Access, and any digital experience or posture modules, the policy structure, the App Connector and Service Edge footprint for private access, the traffic forwarding method whether client connector, GRE, or IPsec tunnels, and the identity integration. It needs the application segment inventory for ZPA: which private applications Newco users reach through Zscaler.
Zscaler is the secure access path for the workforce, so the clean end state is a dedicated Newco tenant with its own ZIA and ZPA policy, its own App Connectors, and its own identity integration. A shared seller tenant keeps Newco traffic under seller policy and seller visibility, which is unacceptable beyond a short bridge. Unlike a reporting platform, this is not a tool Newco can leave on the seller's environment quietly, because the seller can see and cut the traffic.
Target strategy treats Zscaler as a Day One readiness item. The Newco tenant and a baseline policy stand up before close so that on Day One, Newco devices forward to the Newco cloud rather than the seller's. Refinement continues afterward, but the forwarding boundary is established at Day One. The decision is settled early in step with the endpoint and identity separation.
A clean inventory and a settled tenant decision drive the downstream sequence: the ZIA policy rebuild, the ZPA application segment rebuild, the forwarding cutover, and identity integration. The pattern aligns with the broader Day One cybersecurity framework and the carve-out IT plan.
Zscaler is sold as per user subscriptions across bundle editions for ZIA and ZPA. The seller agreement does not transfer in a carve-out. Newco signs a direct subscription sized to its real user count and the editions it needs. The buyer counts Newco users rather than the seller's licensed total, because the seller's bundle was sized for the combined organization and Newco should not inherit that scale or its discount assumptions.
Zscaler reads a carve-out as a buyer with a Day One deadline, which is real leverage for the vendor. The buyer offsets that by starting the commercial conversation early, before the deadline removes optionality, and by being clear about which modules Newco actually needs rather than accepting the seller's full bundle. Where Newco is reconsidering its secure access architecture, a credible alternative strengthens the position, though the Day One timing usually argues for continuity first and architecture decisions later.
Where the seller provides secure access through a TSA period, the pricing is cost-plus or fixed-fee with a defined exit ramp, and the TSA defines how Newco user counts are metered. The seller cannot mark up subscription costs it does not separately incur. Given the Day One nature of secure access, the TSA tail here is usually short.
Where a partner is engaged for the rebuild, the contract is fixed fee for defined deliverables with disciplined change control. The audit discipline runs through the broader TSA license consolidation work so Newco rationalizes its security spend at exit.
The Internet Access policy is rebuilt rather than copied wholesale. URL filtering rules, cloud application control, SSL inspection policy, data loss prevention rules, firewall policy, and bandwidth control are reconstructed in the Newco tenant to match Newco's risk posture. The seller policy is a useful reference, but it carries seller specific exceptions and allowlists that Newco should review rather than inherit blindly.
SSL inspection deserves dedicated attention because it depends on the Zscaler root certificate being trusted on every endpoint. The Newco certificate is deployed through endpoint management so that inspection works without breaking applications on Day One. The buyer coordinates this with the endpoint management separation so the certificate lands before the forwarding cutover.
Data loss prevention and the dictionaries behind it are rebuilt for Newco's data classification. Where the seller's DLP referenced seller specific data patterns, those are replaced with Newco's. Logging and the SIEM feed are repointed so Newco's security operations see the traffic rather than the seller's, which closes a visibility gap that otherwise persists after cutover.
Allowlists for business applications are validated against Newco's actual application estate so that legitimate traffic is not blocked when users move to the Newco tenant. The discipline mirrors the broader endpoint security separation sequence.
Zscaler Private Access is the more involved workstream. ZPA provides users access to private applications without exposing them to the internet, through App Connectors that sit near the applications. The application segments, the server groups, the App Connector groups, and the access policy are rebuilt in the Newco tenant. New App Connectors are deployed in Newco's network adjacent to the private applications Newco retains, because the seller's connectors sit in the seller's network and will not serve Newco after the boundary is set.
The application segment inventory drives this. Each private application Newco users reach is identified, and where the application itself is migrating to Newco infrastructure, the ZPA segment is rebuilt against the new location. Where an application stays with the seller under a separate TSA, the access path is handled deliberately rather than left pointing at a connector that will disappear.
Identity integration is the binding piece. Zscaler authenticates users through SAML and provisions through SCIM against the identity provider. Both ZIA and ZPA are integrated with Newco's identity provider so that user authentication, group membership, and policy assignment all resolve against Newco identity. The Zscaler cutover is therefore gated on the identity boundary being live.
Policy assignment by group is validated so the right users get the right access from the first login, in step with the identity and endpoint separations.
Cutover moves endpoint traffic forwarding from the seller tenant to the Newco tenant. For client connector deployments, the Newco client connector profile is pushed through endpoint management so devices register with the Newco cloud. For tunnel based forwarding, the GRE or IPsec tunnels are repointed. The runbook covers the certificate deployment, the connector profile push, the policy go live, and the validation gate. The cutover is staged by user group where the device population allows it.
Validation confirms continuity. Internet access is tested against business applications, private application access is tested against each retained application segment, and SSL inspection is confirmed not to break critical sites. Because this is a Day One control, the validation is rehearsed on a pilot group before the broad cutover so that the first day of standalone operation does not become the first test.
Stabilization runs thirty to sixty days. Blocked applications, certificate issues, and connector reachability problems are triaged within agreed service-level commitments. Policy is refined as real Newco traffic patterns emerge. Only after stable operation does the buyer certify secure access for TSA exit.
Decommissioning is explicit. Once Newco is operating on its own tenant, the seller removes Newco users and disables forwarding from Newco devices so Newco traffic no longer traverses the seller's tenant or appears in the seller's logs.
Zscaler separation cost is driven by user count, the editions Newco subscribes to, and the rebuild effort across ZIA and ZPA policy. The discipline is to right size the user count and to subscribe to the modules Newco needs rather than copying the seller's full bundle. A bundle sized for the combined organization is a recurring cost that the separation should correct, not carry forward.
The common failure mode is treating Zscaler as a later exit rather than a Day One control. If Newco devices still forward through the seller tenant after close, the seller has visibility into Newco traffic and the ability to cut access. Buyers that establish the Newco tenant and baseline policy before Day One avoid both the security exposure and the operational risk of a sudden access loss.
The second failure mode is the SSL inspection certificate and ZPA connector dependency. A forwarding cutover without the Newco root certificate deployed breaks inspected applications, and a ZPA cutover without Newco connectors near the applications breaks private access. The fix is to sequence the certificate and connector deployment ahead of forwarding. A PMO maintains the dependency map across Zscaler, endpoint management, and identity, escalating blocks inside forty eight hours.
A clean Zscaler separation produces a Newco that owns its own secure access tenant, its own policy, and its own traffic visibility, with the optionality to evolve its security architecture on its own timeline. The discipline runs through the TSA exit acceleration program under a Fixed Fee plus Portfolio Retainer engagement model.
Yes. Zscaler is the secure access path for users and applications, so the clean end state is a dedicated Newco tenant with its own ZIA and ZPA policy, App Connectors, and identity integration. A shared seller tenant keeps Newco traffic under seller policy and seller visibility, which is unacceptable beyond a short bridge.
Zscaler controls internet access and private application access for the workforce. If Newco devices still forward traffic through the seller tenant on Day One, the seller sees Newco traffic and can cut access. The forwarding and policy must be on a Newco tenant by Day One even if refinement continues afterward.
Tenant provisioning, ZIA policy rebuild, ZPA App Connector and application segment rebuild, traffic forwarding cutover on endpoints through the client connector, and identity integration. Each is rebuilt for Newco rather than copied wholesale from the seller.
The Newco tenant and baseline policy can stand up in weeks for Day One, but full ZPA application segment rebuild and policy refinement usually run two to four months as private applications are inventoried and migrated.
Endpoint security tenant split, sensor migration, and the Day One detection boundary.
Read the article →The Day One security control set and how to stand it up before close.
Read the article →The carve-out security workstream and how secure access fits the plan.
Read the article →The 90-day governance, IT, finance, HR and procurement separation plan we run on live carve-outs. Get the playbook plus the bi-weekly Day One Letter — short, signal-heavy, buyer-side.
No spam. Unsubscribe in one click. · Read the overview first →

Fixed-fee proposal in 48 hours. Senior team on day one. The first conversation is always free.
Seven buyer-side moves to exit a Transition Services Agreement on time and below budget. The mark-up, the extension-fee curve, exit sequencing, and the 11-month calendar.
Exit the seller's security stack first. Every week of shared security is a week of shared blast radius on a business they no longer own.
One tactic, one benchmark, or one pattern from a recent buyer-side engagement. Short. Signal heavy. Free.
Subscribe to The Day One Letter →