Impossibly Simple Workload Segmentation

Stop lateral movement of threats and prevent application compromise and data breaches.

Flat networks increase risk in cloud and data centers

Flat networks permit excessive access via unprotected pathways, letting attackers move laterally and compromise workloads in cloud and data center environments. Experts agree that shrinking segments and eliminating unnecessary pathways is a core protection strategy for workloads. However, the cost, complexity, and time involved in network segmentation using legacy virtual firewalls outweigh the security benefit.

Legacy network security is complex and time-consuming to deploy and manage

Legacy network controls are complex and time-consuming

Legacy virtual firewalls

Address-based perimeter controls were not designed to protect internal workload communications. As a result, attackers can “piggyback” on approved firewall rules.

Complex, manual policies

Application interactions have complex interdependencies. Existing solutions translate “application speak” to “network speak,” resulting in thousands of policies that are almost impossible to validate.

Unclear security benefits

Stakeholders need to be convinced that risk will be reduced. Can security risk be reduced without breaking the application? Practitioners struggle to accurately measure the operational risk of deploying complex policies.

Zscaler Workload Segmentation

Zero trust security that’s impossibly simple

Zscaler Workload Segmentation (ZWS) is a new way to segment application workloads. With one click, you can enhance security by allowing ZWS to reveal risk and apply identity-based protection to your workloads—without any changes to the network. ZWS’s software identity-based technology provides gap-free protection with policies that automatically adapt to environmental changes. Eliminating your network attack surface has never been simpler.

What Zscaler Workload Segmentation can do for you

Strengthen security through identity

Identity-based workload protection prevents lateral movement of malware and ransomware across servers, cloud workloads, and desktops. Stop threats with zero trust security.

Simplify operations with policy automation

The service uses machine learning to automate policy creation and ongoing management, making microsegmentation uniquely simple.

Improve visibility and exposure analysis

Get unified visibility into communicating applications on-premises and in public clouds. Map app topology in real time, and measure overexposure with attack path analysis.

What makes Zscaler Workload Segmentation unique?

Software identity-based protection

ZWS looks beyond network addresses to verify the secure identity of the communicating application software and workloads, in public or private clouds, hybrid clouds, on-premises data centers, or container environments.

Policy automation engine

ZWS uses machine learning to automate the entire policy lifecycle for microsegmentation and workload protection. There’s no need to build policy manually during deployment or ongoing operations. ZWS recommends new or updated policies when apps change or are added.

Attack surface visibility and measurement

ZWP automatically builds a real-time application topology and dependency map down to the process level. It then highlights the required application paths and compares them to the total available network paths, recommending policies to minimize attack surface and protect what’s needed.

Use cases


  • Microsegment applications using software-identity verification instead of legacy network controls.
  • Dramatically simplify policies during deployment and operations with machine learning automation.

Cloud Workload Protection

  • Decouple workload segmentation from the network and improve security by verifying the identity of communicating applications and services.
  • Continuously test the authenticity of workloads before least-privilege access can be granted.

App/Data Flow Mapping & Exposure Visibility

  • Gain insight into every communicating application and process in your cloud and data center.
  • Measure the over-exposure of applications by identifying unnecessary network paths.
