Rodgers Builders Lowers Its Risk Score by 72% in 4 Months by Adopting a Café-Like Branch Model

Mid-size construction firm makes a bold move to shift from perimeter-based security to zero trust

In business for more than 60 years, Rodgers Builders is a mid-size general contractor that sets itself to a high standard and successfully competes against much larger firms. With a laser-focus on excellence, client care, and its “building with purpose” philosophy, Rodgers creates complex campus-style developments for multiple sectors and has been named among the top 20 healthcare construction firms in the U.S. 

In his role, CIO Markus Hill has always been committed to following security best practices and to building a solid infrastructure to support the business in every way possible. But when the pandemic required Rodgers employees to work remotely, he quickly discovered that the company’s traditional castle-and-moat security model proved insufficient. Needing a way to better protect mobile and remote workers, Hill learned about Zscaler and deployed the Zscaler Zero Trust Exchange platform to secure user access to the internet and corporate resources from anywhere. Since then, the company has been on a journey of discovery that has led to greater utilization and expansion of its zero trust platform. 

“As we evolve our zero trust architecture, I see Zscaler as an enabler of value. It keeps our people focused on clients’ needs rather than worrying about how to connect with our technology, and that is precisely in line with how we do business,” said Hill. 

Phase 1: A convincing POC underscores the value of zero trust for secure connectivity to the web and apps from anywhere

At Rodgers, most of the employees work remotely across multiple sites and several regional offices, with anywhere from a handful to a few dozen people at a location at any given time. Each of the locations had SD-WAN appliances, firewalls, switches, and routers to connect from branch offices to the corporate network. With a small team under his supervision, Hill often had to hire consultants to assist with configurations and other tasks necessary to support this increasingly complex infrastructure. 

To enable secure work-from-home during the pandemic, he considered installing site-to-site VPN hardware at the same time he initiated the proof of concept (POC) for the cloud native Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA). Only a few months into the POC, Hill saw that Zscaler eliminated the need for VPNs and other costly, high-maintenance hardware and provided a more secure solution and a great user experience. He immediately changed his plans and adopted the zero trust approach to remote access.

With ZIA, users were able to seamlessly and securely access the internet and SaaS apps used daily at Rodgers—no matter where they worked. Even in the dynamic construction industry, where the workforce is constantly on the move, ZIA enforces consistent security policy based on context and user identity. It performs 100% SSL/TLS inspection, detecting and preventing malicious activity and files hidden in encrypted traffic to curb data exfiltration and block threats. In addition, ZIA provides Rodgers with advanced protections, such as URL filtering to keep users from visiting malicious websites and AI-powered phishing and zero-day threat detection. To further defend against unknown threats, Hill implemented Zscaler Sandbox to block, quarantine, and analyze suspicious files before they do harm.

Soon after, Hill rolled out ZPA to provide direct zero trust access to private apps hosted in the data center and the cloud (Azure and AWS). Users now have a more seamless and secure experience. There is no need to log into VPN every time they connect to apps. Latency and unreliable performance no longer hamper productivity. 

“Zscaler requires a complete rethinking of how you connect. It’s a fallacy that a traditional security stack can adequately protect remote employees who are using laptops—you simply don’t have the control over or visibility into the endpoints. Zscaler was the answer, giving us the ability to run our operation without the infrastructure that we used to have—and now we have significantly minimized our attack surface and are more secure than ever,” said Hill.

Phase 2: Zenith Live sparks expanded platform utilization: a café-like branch model, app segmentation, and faster issue resolution

A few years later, Hill attended the annual Zscaler Zenith Live conference. The experience was game-changing, prompting Hill to take the company’s Zscaler deployment to a new level. Interacting with Zscaler executives and customers raised his awareness about the power of the platform and led to expanded utilization. 

In this phase of the zero trust journey, Hill was inspired to create a café-like branch architecture based on Zscaler. He started by retiring redundant and unnecessary hardware because of Zscaler over a two-year period. By eliminating firewalls, switches, and routers at project sites with zero trust, Rodgers saved 85 percent of the networking cost (hardware, support, maintenance, and consulting) at project sites.

Next on the platform expansion agenda was ZPA’s App Segmentation, which he learned about at Zenith Live. This capability completely changed his mindset around networking. App Segmentation gives Hill control over which users or groups have access to specific apps. Automated application discovery helps him refine policies based on app usage data from user traffic logs. 

“We have the ability to be more granular as to which of our users are allowed access to the data center. Zscaler app segmentation reduces our attack surface and limits the blast radius of potential attacks,” explained Hill. 

After attending Zenith Live, Hill implemented Zscaler Digital Experience (ZDX) to address common video conferencing challenges, such as latency, disconnections, and degraded audio  video quality. ZDX offers comprehensive end-to-end visibility, correlating issues across networks, devices, and the application. This empowers the helpdesk team to swiftly and accurately pinpoint the root cause of performance problems, whether stemming from network bottlenecks, device health, or application performance and availability.

“ZDX enables us to quickly identify and address issues, allowing us to provide users with clear explanations and actionable solutions. By doing so, we not only enhance their trust in our ability to resolve problems but also deliver a significantly improved user experience. Additionally, ZDX operates seamlessly in the background, ensuring no disruption to our users while driving faster resolutions and greater productivity,” remarked Hill. 

As part of the company’s defense-in-depth program, Hill also implemented Zscaler Identity Threat Detection and Response (ITDR). It detects identity-based attacks like credential theft that target identity access and management solutions and take advantage of risky configurations and overly permissive privileges. Through integrations with the company’s identity solutions, ITDR provides greater visibility into the identity attack surface and accelerates investigation and response.

Next Up: Zero Trust Branch to replace legacy appliances at branch offices

Continuing with the transition to the café model, Hill and his team are actively deploying Zscaler Zero Trust Branch at all five regional offices to replace existing traditional SD-WAN appliances that extend the network to branches and the cloud. This legacy architecture expands the attack surface and enables threats to move laterally across the network. Moreover, backhauling traffic to data centers slows down app performance and results in a poor user experience.

In contrast, Zero Trust Branch is a simpler, more secure solution for connecting branch offices to apps in data centers, Microsoft Azure and Amazon Web Services. Traffic is routed directly to the Zero Trust Exchange cloud for policy enforcement, full inspection, and identity-based access control.

“Zero Trust Branch minimizes the attack surface by not extending the network to every branch. It also will reduce management complexity and result in significant savings for us because we can phase out legacy hardware at all our offices,” said Hill. “And it’s another important step in providing our mobile workforce with high-performance, zero trust access to apps from anywhere.”

Zscaler Business Insights is another tool Hill is currently exploring to surface potential cost savings by gaining full visibility into SaaS app and physical office usage. Business Insights allows Hill and his team to take a complete inventory of SaaS apps and licenses to help them eliminate redundancies and unnecessary licenses. Business Insights also gives them a better understanding of facilities utilization.

Fine-tuning configurations and fully leveraging platform capabilities dramatically lower the risk score

During zero trust deployment, Hill found Zscaler Risk360 to be an invaluable tool for enabling proper configuration and greater platform utilization. The risk quantification and visualization framework ingests data from the Rodgers environment, external sources, and Zscaler ThreatLabz to provide detailed insights into risk associated with the external attack surface, potential compromise, lateral threat movement, and data loss. Hill and his team use Risk360 to identify areas that need improvement. By following the tool’s recommended actions, which are presented in an interactive dashboard, Hill and his team were able to fine-tune Zscaler configurations on their own, without relying on expensive consultants. 

He also regularly tracks the company’s risk scores. Making adjustments and expanding utilization of Zscaler led to a 72% improvement in the risk score in just four months. Hill has also begun using Risk360 for reporting to the executive staff and hopes to expand this use case to bring greater visibility into the business and operational benefits of zero trust.

“Risk360 has enabled us to close some loopholes. At Rodgers, our charter is to make the most of our technology investments. Risk360 has helped us in that regard by showing us how to leverage advanced features to proactively improve security. All of its recommendations make so much sense to me,” noted Hill. “Risk360’s gamified interface with badges, flags, and scores led us through the fine-tuning process step by step and really opened our eyes to how powerful Zscaler is.”

The positive impact of zero trust: stronger protection, lower costs, and a better user experience

Over the course of the Zscaler deployment, Rodgers has seen measurable benefits from a security and financial perspective. Zscaler prevented 4.7 million policy violations and blocked 44,909 threats (6,590 hidden in encrypted traffic) over a 90-day span—key metrics that contributed to a vastly improved risk score.

Replacing VPN, firewalls, and other security and network appliances with Zscaler has already resulted in approximately 70% savings on networking, with more expected once Zero Trust Branch is fully implemented. 

“There’s no doubt in my mind that Zscaler is a sound investment for Rodgers. It has really simplified our security infrastructure and positively impacted our security posture while providing a consistent experience for our users, no matter where they work,” said Hill. “We no longer have to replace hardware, pay monthly support fees, or engage consultants. The case for deploying Zscaler at a medium-size business is huge: it’s flexible, adaptable, and provides enterprise-grade protection at a significant cost savings over traditional perimeter-based security.”

Promoting zero trust with confidence

As the zero trust journey at Rodgers continues to unfold, Hill and his team are actively exploring other capabilities of the Zscaler platform. 

“One of the things that has been so impressive to me is how approachable and humble the senior leaders are at Zscaler—and that’s so refreshing. They are sincerely committed to delivering a platform that helps their customers, and they are constantly improving the technology. I’m really looking forward to seeing what’s new at the next Zenith Live event,” concluded Hill.