Customer Case Study

How Fairfax County Simplified and Amplified its SecurityStrategy with Zscaler Workload Segmentation

Zero Trust App Access Stop Cyberattacks Protect Data Zero Trust Cloud Connectivity


  • Company: Fairfax County
  • Industry: Federal & Government
  • HQ: Virginia, USA
  • Size: 1.1 million citizens served by 12,000 government employees


Located in Northern Virginia, Fairfax County serves more than 1.1 million citizens and employs more than 12,000 government employees. It is responsible for overseeing elections, tax collection, public education, social services, law enforcement, fire and rescue, transportation, and parks and recreation.


Stop lateral movement of threats, while reducing firewall-induced complexity, to expand existing zero trust approach


  • Reduces risk of breaches by protecting east-west traffic

  • Protects all 2,000 production systems on premises and in the cloud

  • Dramatically simplifies policy creation, monitoring, and enforcement

  • Reduces burdens on lean IT staff

  • Embraces a zero trust approach

  • Gains visibility into application communications

See More Information

Customer Video

Fairfax County implements Zscaler Workload Segmentation


Reinventing security strategy to minimize complexity

With cyberattacks on the rise, especially those targeting the government sector, Fairfax County recognized the need to reimagine its cybersecurity strategy. County departments rely on hundreds of applications residing in the data center and the Azure cloud which needed to be protected.

The most populous county in Virginia wanted to decrease the risk of breaches by reducing its network attack surface and protecting east-west traffic inside the data center. Its next generation firewalls (NGFWs) were becoming suboptimal, in part because the hundreds of applications required creation and management of thousands of policies. With a small, centralized IT team, Fairfax County needed to minimize complexity with a zero trust solution that was easy and seamless to deploy, monitor, and manage.

Securing east-west traffic through microsegmentation

“Our main issue was the east-west traffic,” explained Gulzar Khan, IT Program Manager for Fairfax County. “We had deployed over 150 VLANs, but still close to 80 percent of our traffic was east-west traffic. So, we wanted to find a solution to protect that east-west traffic and minimize the impact if there’s an instance of compromise.”

Microsegmentation, when done correctly, prevents the lateral movement of threats across flat networks inside cloud and data center environments. It originated as a way to moderate traffic between servers in the same network segment. It has since evolved to include intra-segment traffic so that server A can talk to server B or application A can communicate with host B, and so on, as long as the identity of the requesting resource (server/application/host/user) matches the permission configured for that resource.

But historically, microsegmentation has been a cumbersome and complex process because firewalls have been used to create the microsegments. As segments get smaller, the firewall rules become impossibly complex. Furthermore, every application is different and organizations have to learn the nuances of every application and build custom policy sets, which can take months. Fairfax County started looking for a solution that could help address its security concerns and reduce complexity while also being deployed quickly and easily.

The Zscaler team assisted us with understanding the policy creation process, mapping between servers, and troubleshooting any issues. They were very knowledgeable and helpful.

Gulzar Khan, IT Program Manager, Fairfax County

AI-powered policy lifecycle automation

Fairfax County found the solution in Zscaler Workload Segmentation, which runs independently or seamlessly as part of the Zscaler Zero Trust Exchange platform.

The County favored Workload Segmentation because it’s not an evolution of a firewall. Rather, it’s a purpose-built solution engineered to dramatically simplify microsegmentation by using the identity of software and machines and machine learning to automate the entire policy lifecycle. Additionally, Workload Segmentation would protect applications in both the County’s Azure public cloud and on-premises physical servers, increase visibility into application communications, and deploy easily.

Although Fairfax County had previously established a zero trust approach with Zscaler Internet Access (ZIA), Zscaler Private Access (ZPA) and Cloud Data Loss Prevention (DLP), Fairfax County conducted a comprehensive market evaluation. Ultimately, expanding its Zscaler Zero Trust Exchange platform proved the right solution.

“We looked at multiple products and eventually decided to go with Zscaler Workload Segmentation,” Khan said. “We selected the solution because it had superior machine learning capabilities, much better than other products that we tested.”

“Once the agent was installed, machine learning helped us discover all the processes running on our systems, and when we deployed the whole segment, it identified communication between systems within, coming into, and going out of the segment,” recalled Khan. “It was very helpful for us to learn more about our applications.”

The Zscaler Workload Segmentation policy creation process is super simple. It’s basically a few clicks.

Gulzar Khan, IT Program Manager, Fairfax County

Simplified policy creation, monitoring, and management

Workload Segmentation eliminates risk by building policy recommendations using patented machine learning technology. Identity-based microsegmentation, based on the cryptographic identities of all software and machines communicating on the County’s networks, significantly reduces the number of policies required to protect a segment. What previously took hundreds of policies to protect can now be protected with as few as seven policies. And all software updates are captured instantly, eliminating the need for manual policy creation and management.

“We liked the machine learning aspect of Workload Segmentation, but we also liked the policy creation process for its simplicity,” Khan noted. “It’s basically a few clicks—once a segment is created, you just click on auto-segmentation and that will begin a policy creation process. Once you create a policy, the next step is to troubleshoot any blocks. Overall, it was a pretty simple process.”

We can deploy these [Zscaler] agents to all these workloads for easy management. That was a big plus for us.

Gulzar Khan, IT Program Manager, Fairfax County

Streamlined, flexible deployment

Although Khan said he is very selective about agent-based solutions because they can be complicated and take extra time and effort to deploy, Workload Segmentation’s agent-based deployment allowed for more flexibility and easier management. Fairfax County’s workloads are distributed between the cloud and physical servers, and Workload Segmentation was able to streamline deployment regardless of workload location.

“Once the agent was deployed, our next process was to start setting up host segments,” Khan continued. “Zscaler Workload Segmentation automatically creates host segments, but we opted to use our knowledge of the environment to create our own host segments. Once we were done with the host segments, we let the system run for a couple weeks to discover all the traffic—ingoing, outgoing, and traffic within the segment.”

After that, the IT team conducted working sessions with the Zscaler Workload Segmentation team. Khan explained that these working sessions helped the team understand the policy creation process, mapping between servers, and how to troubleshoot any potential issues with the policies they had created.

Charting a path for the future

Fairfax County is in the final stages of setting up host segments, though there is still much to learn and accomplish to finalize the Workload Segmentation implementation.

“We are still in the process of troubleshooting and going over all our host segments,” Khan said. “We are working to understand all those host segments and get policies in place. Eventually, once we are comfortable with all those learnings and processes, then we’ll engage the application teams so we can start enforcing, testing, and verifying those policies. We’ve made pretty good progress and we’re close to completion.”

Ultimately, Fairfax County wants to get rid of legacy technology and ensure that its data and systems are secure. “Our goal is starting to sunset those firewalls,” Khan said. “Firewall rules have caused multiple problems and we’ve had to spend a lot of time troubleshooting them.”

Achieving goals securely and broadening horizons

Fairfax County, Virginia, has a mission to protect and enrich quality of life for people, neighborhoods, and diverse communities, but it needed the right security solution to protect these initiatives. Zscaler Workload Segmentation allowed the county to protect its sensitive data, both in the data center and in the cloud, while lessening the burden on the IT team, increasing visibility, and reducing complexity.