Zscaler Blog

Introducing Zero Trust SASE

January 22, 2024 - 5 min read

The evolution of work and IT

Workplaces are rapidly evolving and hybrid work has become the new normal. Legacy network architectures were designed around a static model of work where users were in fixed locations. Today’s branches look very different — with hoteling desks, co-working spaces, a mobile workforce, and internet-centric connectivity. As branches evolve, so too must the networking infrastructure used to connect them — one size no longer fits all.

Legacy networks introduce risk & complexity

The traditional model of connectivity is very network-centric — users, devices and servers connect to a network, and the network assures access to every other device on the same network. This model has too much implicit trust — any device can talk to any other device or server by default, enabling the lateral movement of threats and attacks such as ransomware. 

Network-centric connectivity also requires extending the network into public clouds and third parties using VPN tunnels, which can expand your attack surface into infrastructure that you do not directly control. Along with the proliferation of IoT devices in organizations, attack surface management becomes increasingly complex. Relying on routed overlays and traditional routing protocols also introduces additional complexity into networks.

Traditional SD-WAN is not zero trust

SD-WANs also take a network-centric approach and build routed overlays using site-to-site VPN tunnels and routing protocols. While they allow organizations to move away from expensive MPLS networks and solve many operational challenges, they introduce security risks by facilitating lateral movement. Controlling these risks requires network-based segmentation, which often necessitates additional firewall appliances at the branch and complex network-based security policies.

Zero trust is a cybersecurity strategy that assumes every entity is untrusted by default — and only allows access to certain resources based on identity, context, and posture. This is fundamentally opposed to the way traditional networks work. We could limit the trust inherent in traditional networks through techniques like segmentation and admission control, but these approaches can dramatically increase complexity.

It’s time for a new approach — built on zero trust principles.

Introducing Zero Trust SD-WAN

I previously announced our Branch Connector appliances for connecting branches through the Zero Trust Exchange. Today I am excited to announce Zero Trust SD-WAN — an industry-first zero trust solution for securely connecting branches, factories, hospitals, retail locations, and data centers — that eliminates the security risks of traditional SD-WANs. Using lightweight virtual machines or plug & play appliances coupled with the Zscaler Zero Trust Exchange, Zero Trust SD-WAN provides secure inbound and outbound zero trust networking for locations, without overlay routing, additional firewall appliances or policy inconsistencies. Fully integrated with our industry-leading SSE platform, Zero Trust SD-WAN enables robust security and simplifies branch network management.


We are also pleased to announce general availability of our Z-Connector plug & play appliances — ZT 400, ZT 600 and ZT 800. Along with a lightweight virtual machine form factor, these appliances can support a wide range of customer requirements, ranging from 200 Mbps to multi-gigabit. With pre-provisioned config templates and zero touch provisioning, deploying a new branch can be as simple as plugging in an internet connection.



New gateway capabilities

The Zero Trust SD-WAN solution can be deployed in two modes: as a Forwarder, or as a Gateway. The Forwarder mode enables customers with existing WAN solutions to implement a zero trust overlay by deploying Z-Connector appliances next to their existing routers and switches. Relevant traffic can be directed to the Z-Connector appliances through conditional DNS resolution or policy-based routing.

The Gateway mode terminates the ISP connection directly on the Z-Connector appliance, eliminating the need for additional routers or firewalls. The Z-Connector acts as the default gateway for the site, forwarding all traffic to the Zscaler Zero Trust Exchange, which provides secure connectivity to internet, SaaS, and private applications.


Gateway mode supports rich WAN and LAN management capabilities, including dual ISP termination, app-aware path selection with ISP monitoring, high availability (active-active, active-passive), multiple LAN subnets, local firewall, integrated DHCP server, and DNS gateway.

Zero Trust SD-WAN gateway capabilities will be available starting February 2024.

Zero Trust SD-WAN reduces complexity and risk

Zero Trust SD-WAN solves many critical challenges for our customers. Here are a few key use cases:

  1. Replace site-to-site VPNs: Avoid complex VPN configurations and route table management and eliminate the risk of lateral threat movement.
  2. Accelerate M&A integrations: Connect users to apps across organizations without merging routing domains or deploying NAT gateways. Reduce integration time from months to days.
  3. Secure OT connectivity: Eliminate VPNs and exposed ports for vendor remote access to OT resources.
  4. IoT discovery & classification: Discover and secure IoT devices on the network with AI-powered classification engines.



To learn more about these use cases, read our blog on bringing zero trust to branches.

Industry-first SASE platform built on zero trust

Secure Access Service Edge (SASE) is a term coined by Gartner to describe the convergence of networking and security to align with modern IT infrastructure and working patterns. While SASE embraces zero trust principles, many SASE solutions in the market simply bolt on traditional SD-WAN to an SSE service, with zero trust principles limited to user-to-app access. This still leaves sites exposed with too much implicit trust.

With the introduction of Zero Trust SD-WAN, Zscaler is proud to deliver the industry’s first single vendor SASE platform built on zero trust and AI. Zero Trust SASE enables organizations to extend zero trust beyond just users, to branches, factories and data centers. Building on the strengths of our SSE platform — the Zero Trust Exchange — Zero Trust SASE reduces cost and complexity by eliminating traditional security and networking solutions.


Transform your branch networks

Legacy WAN architectures no longer work. The industry-wide disruptions around hybrid work and zero trust security present a unique opportunity to rethink and transform your network architecture. Zero Trust SD-WAN and SASE take a radically different approach to connecting users, devices, and apps without the risk of lateral threat movement.

Visit our SASE resources page for additional product information, white papers and videos and read more about our Zero Trust SD-WAN capabilities here.
