Bucher Municipal Replaces SD-WAN with Zero Trust at 20 Global Sites, Reducing Risk and Slashing SecOps Overhead

Headquartered in Switzerland, Bucher Municipal is a manufacturing company that provides customers in 140 countries with street cleaning and clearing vehicles and equipment—from street sweepers to snowplows to refuse collectors.

A few years ago, Bucher experienced a cybersecurity event that triggered a re-evaluation of its legacy infrastructure by CISO Ádám Kováts. The company’s existing SD-WAN setup with firewalls and VPN tunnels at each location was costly and complex to manage, led to performance bottlenecks, and expanded the attack surface. Additionally, with Bucher’s migration to the cloud, the workforce needed the flexibility to access apps from anywhere. These requirements inspired Kováts to embark on a modernization journey by adopting the Zscaler Zero Trust Exchange platform.

“When we reached out to Zscaler, we had three goals in mind: strengthening our security posture, increasing visibility across our estate, and improving the user experience,” said Kováts. “We chose Zscaler as our partner for its technical excellence, commitment to innovation, and its collaborative engagement.”

At the top of the CISO’s to-do list was replacing poorly performing, insecure remote access solutions with zero trust. Before Zscaler, internet traffic was backhauled through the data center in Switzerland, causing significant latency for remote users and for offices in different locations. According to Kováts, some employees even carried two laptops in order to be able to work online. One of his biggest concerns was the possibility of network outages that could potentially prevent users from accessing internal apps and resources, especially those residing in Microsoft Azure. Users also needed unrestricted access to SaaS apps, such as OneDrive and other core components of Microsoft 365, to maintain business continuity.

Kováts began the transition to zero trust by rolling out Zscaler Internet Access (ZIA) to a small group of users, providing them with identity- and role-based secure zero trust access to SaaS apps and the internet. Once he and his team fine-tuned corporate policies, they rolled out ZIA to the entire user population. Now everyone at Bucher is assured of a smooth and secure experience. SSL/TLS traffic inspection prevents data exfiltration and propagation of hidden malware, and always-on, AI-powered advanced threat protection detects and blocks ransomware, phishing, and malicious web content.

To provide users with secure access to private apps residing in Azure, the Bucher team deployed Zscaler Private Access (ZPA). Outdated VPN systems resulted in latency and lacked fine-grained controls for defining user-specific policies. The VPNs also exposed IP addresses to the internet, expanding the attack surface and making the organization more vulnerable to attackers. 

“By implementing ZPA, we are able to reduce 95% of our site-to-site VPN tunnels in 20 global locations across five continents. ZPA reduced latency and provided a vastly improved user experience while shrinking our attack surface and preventing lateral movement of threats,” said Kováts.

Bucher’s SD-WAN and branch firewall setup proved to be costly, complex to manage, and inherently risky. The organization realized that this infrastructure did not provide adequate protection against today’s sophisticated threats. By connecting everything to everything, the legacy architecture expanded the attack surface and enabled lateral movement, allowing ransomware and other threats to move between branches, the cloud, and the data center. Tool sprawl further limited visibility and drove up operational costs.

Kováts and his team addressed these challenges by deploying Zscaler Zero Trust Branch across 13 global production sites. With Zero Trust Branch, Bucher no longer extends the network to every location. Instead, traffic is forwarded to the Zscaler Zero Trust Exchange over any broadband or 5G connection for inline inspection and policy-based, least-privileged access. Users, workloads and devices at every branch are automatically segmented to stop lateral movement and contain threats.

Now all Bucher employees—at headquarters, at branches, at home, or on the road—enjoy a consistent and secure café-like experience with fast access to all authorized apps from any device over Wi-Fi. The team also benefits, gaining unified visibility and simplifying operations. As part of the transformation, Kováts also retired all remaining branch firewalls.

“While our legacy SD-WAN was a great transitional technology, it is the opposite of zero trust, since it enables lateral movement by design. A major advantage of Zero Trust Branch is that we stop lateral movement of threats across our infrastructure and reduce our attack surface while gaining better visibility, improving performance, and boosting our defenses with comprehensive security capabilities,” he observed.

The next phase of Bucher’s zero trust journey will focus on further improving the user experience and system performance. To gain unified visibility across devices, networks, and apps, Kováts plans to roll out Zscaler Digital Experience (ZDX) in the near term. With ZDX, Bucher’s network operations and help -desk can monitor performance in real time, identify the source of user issues, and resolve them more quickly. This helps users remain productive and reduces the workload for support staff. 

Another top priority is implementing Zscaler Zero Trust Device Segmentation. This agentless solution isolates each device into a network of one. By confining threats, it prevents them from spreading laterally across the network. Moreover, Zero Trust Device Segmentation automatically discovers and classifies devices, enforcing policies for device-to-device communication based on device type, identity, health, and context. This solution will enable Kováts to phase out costly, high-maintenance firewalls and unscalable manual segmentation processes.

To support Bucher’s continued migration to the cloud, he is looking forward to exploring Zscaler Zero Trust Cloud to provide secure connectivity and communication between workloads, the internet, and SaaS apps. With many of the organization’s mission-critical apps residing in Azure, securing cloud workload traffic is business-critical. Through microsegmentation, Zero Trust Workload isolates and protects high-risk apps. Kováts is especially interested in the Zscaler Zero Trust Gateway, a service managed entirely by Zscaler that will eliminate the need for additional cloud resources and further simplify operations.

Building a more robust data defense is another key initiative for Bucher. Kováts will be evaluating Zscaler Data Security to safeguard sensitive data of all types (from customer data to intellectual property) in motion, in use, and at rest. Additionally, the organization is looking to Zscaler to help prevent data leakage and oversharing in GenAI apps like ChatGPT, which they are leveraging to accelerate innovation. 

Finally, implementing Zscaler Deception is also on the horizon to detect and block both human and AI-orchestrated attacks and prevent them from gaining access into the environment. Deception uses realistic decoys to lure and trap attackers and will help the team proactively contain breaches in real time.

Adopting a zero trust model has empowered Kováts and his team to limit the likelihood and the impact of a potential breach. Even if a system is compromised, attackers cannot move to other systems and or other areas of the infrastructure, ensuring that the organization can do business without interruption. The zero trust architecture also minimizes the attack surface by making internal apps invisible to the internet, “which means bad actors can never find you,” as Kováts pointed out. 

Since deploying Zscaler, Bucher has seen major improvements in its overall security posture. In a 12-month period, it has prevented 707.01 million policy violations and blocked 260,160 threats. 

“Another big advantage of Zscaler is the flexibility it offers our users to work securely from anywhere, anytime. On the IT side, we can fine-tune the platform for our particular use cases and now have vastly improved visibility. Zscaler enables us to monitor what our users are doing and determine how to better secure our infrastructure while providing them with access to the resources they need to do their jobs,” said Kováts.

The transition to Zscaler has not only lowered costs by reducing or eliminating dependence on legacy solutions like SD-WAN, VPN, and firewalls, it has also simplified Bucher’s security operations. Previously, team members managed separate security solutions and were burdened with manually updating and enforcing policies across disjointed tools, each with their own dashboard. Zscaler’s unified single-view platform and automated processes have significantly boosted efficiency, freeing up staff for more strategic projects while providing consistent policies for all users, devices, and locations.

For Kováts, replacing Bucher’s legacy architecture with a zero trust approach has been more than a technology transformation—it represents a fundamental shift in mindset for his team and for the company as a whole. He noted that a highly focused and measured rollout strategy, along with close collaboration with the Zscaler team, contributed to the success of this initial deployment and to winning company-wide buy-in.

“It was really amazing to see how quickly our team was able to adapt to Zscaler, especially since we were under a strict deadline to transition from SD-WAN to Zero Trust Branch. The rollout to our global locations was seamless, and we are really proud of what we achieved,” he said. “Our users have enthusiastically embraced the change as well and have become more productive and happier.”

As Bucher continues on its cloud-first modernization journey, Zscaler will be an integral partner in that effort.