Zscaler Blog
The 'Easy Button' for Zero Trust B2B Connectivity: Introducing ZPA B2B Federation
Introduction
Successful organizations rely on strong business partners and robust supply chain ecosystems. Traditionally, enabling secure connectivity across this ecosystem has involved site-to-site VPNs. These network-based B2B connections act as a "digital doorway" for partners, suppliers, and distributors to access internal resources. However, once a partner is "on the network," they often have broad access, creating massive attack vectors. This approach lacks Zero Trust enforcement—offering no user identity and device posture checks, no continuous verification, and no risk-based policies for external users. Furthermore, a traditional network-based approach leaves an organization’s security posture dependent on that of its partners.

"Organizations can no longer protect themselves by simply securing their own infrastructures since their electronic perimeter is no longer meaningful; threat actors intentionally target the suppliers of more cyber-mature organizations to take advantage of the weakest link." – NIST IR 8276
To address the security risk of the "weakest link," organizations need a model that decouples application access from network access. Zscaler shifts the focus from "network access" to "application access," ensuring that users are granularly connected only to the specific resources they need—and only after their identity and context have been verified.
Last year, we extended our Zero Trust Architecture to B2B connectivity with the introduction of ZPA B2B Extranet. This capability represented a paradigm shift in bringing Zero Trust philosophy to business partner connectivity. Since then, many customers have enabled ZPA B2B Extranet to connect with their partners and suppliers, and many organizations also use this capability to accelerate mergers and acquisitions.
This approach offers four immediate benefits:
1) Elimination of the Attack Surface: Your internal applications remain invisible to the public internet and the partner’s network. There are no listening ports and no discoverable IP addresses.
2) Simplified Onboarding: Gone are the days of coordinating complex firewall rules, NAT rules or shipping hardware to a partner's data center. Onboarding now happens at the speed of your business needs.
3) Secure bi-directional connectivity: By leveraging Zscaler Zero Trust Exchange as the broker, secure connectivity extends both ways for workload-to-workload communications.
4) Reduced Operational Costs: By eliminating expensive site-to-site VPNs and the overhead of managing disparate IPsec tunnels, organizations can slash connectivity spending while significantly improving their security posture.
Today, we are taking the next leap to further simplify B2B connectivity for environments where both entities are Zscaler customers with the brand-new ZPA B2B Federation.
Introducing ZPA B2B Federation
ZPA B2B Federation enables organizations to share application access with external "guest" users from partners or subsidiaries, or those navigating mergers, acquisitions, and divestitures. Simply put, it provides seamless zero trust application access between organizations via ZPA tenant federation.

How ZPA B2B Federation Works
ZPA tenant federation involves two roles:
- Host: The organization that owns the application.
- Guest: The partner organization whose users require access.
Organizations can enable ZPA tenant federation in three simple steps:
Step 1: Establish federation between ZPA tenants using a secure token exchange.
Generate an access token to initiate federation with a partner, or verify an access token generated by the partner.

Control the partner federation status: Active, Pause or Terminate.

Step 2: Publish private application segments with your partner tenant.
The host defines application segments with specific applications that guest users need access to.

Step 3: Enforce Zero Trust access by configuring access policies for each B2B app group.
The guest configures the access policy.

The host can view the policies defined by partners.

Use Cases for ZPA B2B Federation
Our design partners intend to utilize ZPA B2B Federation for several critical scenarios such as:
- Third-party partner and vendor access: This includes suppliers, contractors, distributors, and agencies—users who do not work for you but need access to specific applications to drive business. Today, connecting these users is often a painful process.
- Mergers, Acquisitions, and Divestitures: The day a deal closes, the business expects "Day-1" access. However, IT is often left scrambling to merge networks, Identity Providers (IdPs), and security stacks—a process that typically takes months.
- Multi-tenant and MSSP scenarios: Whether you are a service provider managing multiple customer tenants or a large enterprise with segmented business units running their own ZPA tenants, you need a way to share applications securely without collapsing into a single tenant.
- Federal and cross-cloud collaboration: Government agencies, defense contractors, and regulated industries often need to share applications across Fed-High, Fed-Mod, and Commercial environments without compromising compliance boundaries.
Real-World Impact: Greater Business Agility, Zero Trust Security, and Lower Costs
The combination of Extranet and Federation is a force multiplier for business agility, particularly in the world of Mergers, Acquisitions and Divestitures (M&A&D).
- ZPA B2B Extranet is ideal for general B2B connectivity with partners that do not currently use Zscaler.
- ZPA B2B Federation is the "Easy Button" for B2B connectivity within Zscaler-to-Zscaler environments.
Traditionally, it takes months to integrate the IT environments of two companies. With Zero Trust B2B Connectivity, the "parent" company can provide a "subsidiary" with secure access to ERP or HR systems on day one, without ever merging the underlying networks.
The core advantages are clear:
1) Security: True Zero Trust for partner connectivity. There is no network access and no lateral movement; applications remain invisible to the internet.
2) Speed and Agility: Partner onboarding moves from months to minutes. M&A Day-1 access becomes a reality, and offboarding is as simple as a policy change.
3) Cost Savings: Reduce upfront infrastructure costs and the ongoing operational costs of deploying and maintaining VPN concentrators and firewalls.
4) User Experience: Users get direct-to-app access with consistent global performance and no clunky VPN clients.
5) Operational Simplicity: No more managing complex IP-based rules, routing tables or NAT tables. Set up secure partner access in just a few clicks.
Conclusion: Transform your Business Partner Connectivity and Eliminate Legacy Complexity and Cyber Risk
The announcement of ZPA B2B Federation, coupled with the general availability of ZPA B2B Extranet, marks a new era for the Zscaler Zero Trust Exchange. We are moving beyond just securing employees; we are securing the entire ecosystem of business relationships.
By removing the friction of legacy hardware, the danger of lateral movement, and the operational burden of managing network infrastructure, Zscaler enables organizations to collaborate faster and more securely than ever before. Your partner ecosystem should be a competitive advantage, not a security liability. With Zero Trust B2B Connectivity, it finally is.
Ready to get started? Take the [self-guided product tour] to experience firsthand how easily you can deploy ZPA and set up extranet connectivity for your business partners.
Ready to chat? [Sign up now] and our product experts will connect with you to discuss how Zero Trust B2B Connectivity and ZPA B2B Federation can transform your organization’s connectivity.


