45M+

policy violations prevented in three months

2.5B

transactions processed in one quarter

14K+

security threats blocked in 90 days

Challenges

Legacy security lacked the performance and the insights needed for a transforming business and a hybrid workforce

Traditional internet proxy and firewalls backhauled traffic, increasing latency 

Legacy VPN appliances did not support role-based, least-privilege application access, increasing the risk of a breach through lateral threat movement

Approach

  1. Provided direct access to the internet, SaaS, and private apps, eliminated traffic backhauling, and delivered zero trust connectivity 
  2. Leveraged end-to-end visibility and deeper, real-time insights to quickly identify and resolve user experience issues
  3. Replaced VPNs with zero trust network access to enable faster and safer connectivity to private apps and resources

Outcomes

Achieved a stronger security posture while simplifying the security architecture on the multitenant Zscaler platform

A seamless transition to zero trust security avoided disruption to the daily workflow of a digitally focused hybrid workforce of 4,500

Material improvement in user experience, in both performance and stability

Hastings Direct at a glance

A leading general insurance provider focused exclusively on the UK market

Industry:

Financial Services and Insurance

Headquarters:

East Sussex, United Kingdom

Size:

More than 3.9 million customers insured

Video: Hastings Direct Strengthens Security Posture While Simplifying Architecture with Zscaler


Case study

Zero trust security helps Hastings Direct become the UK's largest digital insurer

Since selling its first insurance policy in 1997, Hastings Direct has been committed to leveraging new technologies to provide the most straightforward insurance buying experience. In recent years, the company has prioritized total digital transformation. Migrating operations fully to the cloud enabled comprehensive digitization of all Hastings products and services, ultimately giving its customers more options for purchasing and managing insurance policies. 

Embracing cloud-first operations also inspired the company to modernize its security with a zero trust architecture. “Hastings is determined to be the largest digital insurance provider in the UK,” said Simon Legg, Chief Information Security Officer (CISO) at Hastings Direct. “We can’t reach that goal using legacy approaches for data protection and information security. Zero trust is the way forward.”

The Zscaler Zero Trust Exchange helps stop bad actors and amplify productivity at Hastings Direct

A traditional castle-and-moat security architecture could not adequately support the company’s digital-first evolution. The scalability issues and rigidity inherent to this type of legacy security approach created barriers to safe and efficient cloud operations.

Hastings Direct wanted a cloud native, comprehensive zero trust platform that could help retire legacy security infrastructure, simplify security management, and improve security posture.

Seamless integration with Microsoft was another important consideration. The company exclusively uses Microsoft for its cloud-first business operations—Microsoft Azure for infrastructure as a service and Microsoft 365 to support user productivity and collaboration. Microsoft Entra ID, Azure Sentinel, and Microsoft Defender for Endpoint are also part of the Hastings security ecosystem. 

Hastings Direct chose the Zscaler Zero Trust Exchange as the foundation for its new zero trust security architecture. A phased deployment of the Zscaler platform allowed the team to balance changing processes with managing user experiences, resulting in a seamless transition to zero trust across the organization.

“Introducing a new security solution inherently introduces a certain level of friction,” Legg shared. “In security, there is a constant balancing act between bad friction and good friction. Bad friction stops organizational productivity. Good friction stops the bad actors. Zscaler helps us eliminate the bad and amplify the good.”


Phase 1: Direct-to-internet access reduces latency and enables work-from-anywhere flexibility

Together nearly 4,500 employees and outsource partners provide support for 3.9 million policyholders across the UK. Enabling secure, work-from-anywhere connectivity for this hybrid workforce was crucial to the company’s larger digital goals. “Providing an outstanding digital experience for our colleagues empowers them to ensure an equally outstanding digital experience for our customers,” said Legg.

Hastings Direct retired a legacy internet proxy that was no longer fit for purpose and deployed Zscaler Internet Access (ZIA) as its first solution on the Zero Trust Exchange. As Legg explained, securing outbound connectivity as a starting point for its zero trust journey allowed the company to “get the basics right in terms of internet access protection.”

ZIA brokers fast, direct connections to the internet and SaaS applications from anywhere. Because Zscaler delivers zero trust connectivity as close to the end user as possible, from more than 150 edge locations around the world, Hastings no longer needs to backhaul internet traffic to central data centers. The result is fewer choke points, reduced latency, and a better user experience when connecting to web-based resources. 

The Zero Trust Exchange also includes functionality for cloud firewall protection, URL filtering, TLS/SSL inspection, and advanced threat protection. As a result, important security measures that would have previously required multiple point products are now deployed as parts of Zscaler’s comprehensive platform. 

“Confining work to a central office represents an outdated way of thinking about productivity. People want to work from wherever they choose,” shared Legg. “Zscaler allows us to operate with freedom and flexibility at Hastings. No matter when or where our colleagues choose to work, everyone is protected by the same zero trust processes when connecting to the internet.”

Phase 2: AI-powered end-to-end visibility proactively prevents user issues

After simplifying and securing outbound connectivity, Legg decided to focus on “building trust” among colleagues by ensuring a positive user experience for the Hastings Direct workforce.

To accomplish this, Hastings Direct deployed Zscaler Digital Experience (ZDX). ZDX provides end-to-end visibility from user to application, meaning the Hastings IT team has a complete view into digital experiences across devices, networks, and applications. 

With deeper, AI-powered root cause analysis for all performance challenges, it takes less time for the team to identify and resolve problems. In fact, user issues are often resolved before they can noticeably impact workflow. 

Legg believes that this positive administrative experience positions the whole technology community to be better zero trust advocates. “My team witnesses firsthand how Zscaler protects the business without interrupting business activities,” said Legg. “They really understand the power of the Zscaler platform, and they are empowered to help the rest of our Hastings colleagues embrace zero trust.”

The first steps on their zero trust journey—deploying ZIA and then ZDX—were so smooth and seamless, Legg suspects the transition went largely unnoticed. “The fact that I had to tell most colleagues that we’d implemented a whole new security architecture and digital experience monitoring solution and they’d already been working under zero trust protection with the ZIA and ZDX solutions was one of our greatest success markers,” Legg recalled.


Phase 3: Replacing legacy VPNs to safeguard private resources and customer data with zero trust access

Hastings Direct embraces a data-driven approach to offer highly personalized and competitive insurance products, responsibly using advanced customer analytics to better inform decisions. 

Protecting essential private applications (and the customer data within them) from cyberattacks is one of the most critical mandates for Legg, but the company’s legacy security architecture made this challenging. A legacy VPN solution with blanket access policies left him unable to properly segment role-based application access, putting the whole network at risk of lateral threat movement. “With our migration to the cloud, the attack surface became more complex and more challenging to defend with legacy solutions,” Legg confirmed.

Hastings Direct replaced its legacy VPN appliances with Zscaler Private Access (ZPA), completing a powerful trifecta of solutions from the Zscaler platform (alongside the previously deployed ZIA and ZDX). 

ZPA eliminates the need for VPNs by brokering zero trust access directly to individual private applications rather than to the network. These applications sit behind the Zero Trust Exchange and are never exposed to the internet, so they are not discoverable by attackers and the attack surface shrinks. User identity and device posture are verified, and traffic is inspected inline, before any connection to an application is established. Because each Hastings user is connected only to the specific resources they need and are authorized to use, never to the network as a whole, application-level segmentation prevents lateral threat movement. 
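The access model described above (identity plus device posture checked per application, with no network-level connection and default deny for anything not explicitly published) can be made concrete with a small policy evaluator. The following is an added illustration, not Zscaler's code or policy format; the application names, directory groups, posture thresholds and user records are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    managed: bool            # enrolled in the endpoint management tool (assumed signal)
    disk_encrypted: bool     # full-disk encryption reported by the agent (assumed signal)
    os_patch_age_days: int   # days since the OS was last patched (assumed signal)


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset        # directory groups asserted by the identity provider
    mfa: bool                # the session completed multi-factor authentication


@dataclass(frozen=True)
class AppRule:
    app: str
    allowed_groups: frozenset
    max_patch_age_days: int = 30
    require_managed: bool = True


# Constructed policy: one rule per published private application. An application
# with no rule is simply not reachable through the broker (default deny), which is
# the property a blanket VPN cannot offer.
POLICY = {
    "claims-portal": AppRule("claims-portal", frozenset({"claims-handlers"})),
    "analytics-warehouse": AppRule(
        "analytics-warehouse", frozenset({"data-science"}), max_patch_age_days=14
    ),
    "hr-system": AppRule("hr-system", frozenset({"hr"})),
}


def posture_failures(device, rule):
    """Return every posture check this device fails against the rule."""
    failures = []
    if rule.require_managed and not device.managed:
        failures.append("device not managed")
    if not device.disk_encrypted:
        failures.append("disk not encrypted")
    if device.os_patch_age_days > rule.max_patch_age_days:
        failures.append(
            f"OS patch age {device.os_patch_age_days}d > {rule.max_patch_age_days}d"
        )
    return failures


def decide(user, device, app):
    """Per-application decision as (allowed, reason).

    Every check runs before a connection to the named application would be
    brokered; the user is never placed on a network segment.
    """
    rule = POLICY.get(app)
    if rule is None:
        return False, f"no policy for {app}: application is not exposed"
    if not user.mfa:
        return False, "session has not completed MFA"
    if not (user.groups & rule.allowed_groups):
        return False, f"{user.name} is not in an authorized group for {app}"
    failures = posture_failures(device, rule)
    if failures:
        return False, "device posture: " + "; ".join(failures)
    return True, f"{user.name} -> {app} (application-level connection only)"


def reachable_via_ztna(user, device):
    """Applications the broker would actually connect this user and device to."""
    return {app for app in POLICY if decide(user, device, app)[0]}


def reachable_via_blanket_vpn(user):
    """Contrast: a blanket VPN grants the network, so every application on it is
    reachable once the tunnel is up, regardless of role or device posture."""
    return set(POLICY)


if __name__ == "__main__":
    laptop = Device(managed=True, disk_encrypted=True, os_patch_age_days=5)
    alice = User("alice", frozenset({"claims-handlers"}), mfa=True)
    for app in ("claims-portal", "hr-system", "payroll-db"):
        print(decide(alice, laptop, app))
    print("ZTNA:", sorted(reachable_via_ztna(alice, laptop)))
    print("VPN: ", sorted(reachable_via_blanket_vpn(alice)))
```

The reason string on a denial is what an operator would log: a posture failure and a group mismatch look the same to the user (no connection) but need different remediation, and the "not exposed" branch is the one that removes an application from an attacker's reach even when credentials have been phished.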

“Adding the use of ZPA to our Zscaler deployment brought this CISO great joy because I no longer have to worry about VPN clients spread across colleague devices or our network,” said Legg. “With powerful capabilities from the Zero Trust Exchange, Hastings has solidified a more holistic approach to zero trust security.” 

Zscaler platform eliminates complexity while enhancing security posture

Hastings Direct has leveraged the multitenant Zscaler platform as part of a deliberate catalogue of work to aggressively streamline its technology estate. 

Even with this much lighter tech stack, the company has achieved a more robust security posture. In a recent quarter, Zscaler processed 2.5 billion transactions and 186 TB of traffic for Hastings Direct, preventing 45 million policy violations and blocking more than 14,000 security threats. Nearly 4,500 of those threats were hidden in encrypted traffic, where legacy solutions that cannot inspect TLS at scale typically fail to detect them.

Since mitigations are automated on the Zero Trust Exchange, increased security doesn’t equate to increased administrative overhead. With less need for heavy-touch human intervention, IT employees at Hastings no longer feel like they are constantly reacting to small issues and can instead focus on other strategic priorities. 


Next up: bolstering risk awareness and enhancing DLP efforts

Because maintaining holistic zero trust security is a dynamic, evolutionary process, Legg is already considering next steps for Hastings Direct. He’ll expand use of the Zscaler platform and embrace additional solutions in the coming months. “Zero trust security is a lifetime commitment, not a one-time upgrade,” said Legg. “We are more confident in our security posture today, but we will always be preparing for tomorrow’s risks.”

Zscaler Risk360™ is under consideration as a way to materially improve risk awareness. This quantification and visualization framework provides a holistic, data-driven assessment of the top risk drivers, so security teams can anticipate issues and address their causes before the effects are felt. A range of reporting options also helps teams communicate about cyber risk in less technical terms.

Safeguarding customer analytics data is a critical responsibility for Legg and his team. Zscaler Data Protection is also being evaluated as a way to strengthen data loss prevention (DLP): identifying sensitive information wherever it travels and giving clear visibility into data exposure across company systems.

Zscaler partnership allows Hastings to chart a new course in the digital insurance market

Relationships and collaboration are central to everything at Hastings Direct. The company’s culture is built around what it calls “the 4Cs: colleagues, customers, company, and community” and the symbiotic cycle they represent. Colleagues who feel supported and empowered help delight loyal customers; loyal customers drive company success; successful companies can invest more in their surrounding communities. “Our colleagues help drive growth, so we aim to give them the support and resources they need to do that,” Legg explained.

“The partnership with Zscaler has been critical in helping Hastings Direct realize its goal to be the most groundbreaking digital insurer in the UK,” Legg reflected. “Protected by the Zero Trust Exchange, our colleagues can operate with greater agility and security as they continue to chart a new course in the digital insurance markets.”

Solutions

Zero Trust App Access
Optimize Digital Experiences