Impossibly Simple Workload Segmentation
Stop lateral movement of threats and prevent application compromise and data breaches.
Flat networks increase risk in cloud and data centers
Flat networks allow excessive access via unprotected pathways that allow attackers to move laterally and compromise workloads in cloud and data center environments. Experts agree that shrinking segments and eliminating unnecessary pathways is a core protection strategy for workloads. However, the cost, complexity, and time involved in network segmentation using legacy virtual firewalls outweighs the security benefit.
Legacy network security is complex and time-consuming to deploy and manage
Legacy network controls are complex and time consuming

Legacy virtual firewalls
Address-based, perimeter controls were not designed to protect internal workload communications. As a result, attackers can “piggyback” on approved firewall rules.

Complex, manual policies
Application interactions have complex interdependencies. Existing solutions translate “application speak” to “network speak,” resulting in thousands of policies that are almost impossible to validate.

Unclear security benefits
Stakeholders need to be convinced that risk will be reduced. Can security risk be reduced without breaking the application? Practitioners struggle to accurately measure the operational risk of deploying complex policies.
Zscaler Workload Segmentation
Zero trust security that’s impossibly simple
Zscaler Workload Segmentation (ZWS) is a new way to segment application workloads. With one click, you can enhance security by allowing ZWS to reveal risk and apply identity-based protection to your workloads—without any changes to the network. ZWS’s software identity-based technology provides gap-free protection with policies that automatically adapt to environmental changes. Eliminating your network attack surface has never been simpler.

What Zscaler Workload Segmentation can do for you

Strengthen
security through identity
Identity-based workload protection prevents lateral movement of malware and ransomware across servers, cloud workloads, and desktops. Stop threats with zero trust security.

Simplify
operations with policy automation
For uniquely simple microsegmentation, driven by machine learning, the service automates policy creation and ongoing management.

Improve
visibility and exposure analysis
Get unified visibility into communicating applications on-premises and public clouds. Map app topology in real time, and measure overexposure with attack path analysis.
What makes Zscaler Workload Segmentation unique?
Software identity-based protection
ZWS looks beyond network addresses to verify the secure identity of the communicating application software and workloads, in public or private clouds, hybrid clouds, on-premises data centers, or container environments.
Policy automation engine
ZWS uses machine learning to automate the entire policy lifecycle for microsegmentation and workload protection. There’s no need to build policy manually during deployment or ongoing operations. ZWS recommends new or updated policies when apps change or are added.
Attack surface visibility and measurement
ZWP automatically builds a real-time application topology and dependency map down to the process level. It then highlights the required application paths and compares them to the total available network paths, recommending policies to minimize attack surface and protect what’s needed.
Use cases
Microsegmentation
Microsegment applications using software-identity verification instead of legacy network controls.
Dramatically simplify policies during deployment and operations with machine learning automation.
Cloud Workload Protection
Decouple workload segmentation from the network and improve security by verifying the identity of communicating applications and services.
Continuously test the authenticity of workloads before least-privilege access can be granted.
App/Data Flow Mapping & Exposure Visibility
Gain insight into every communicating application and process in your cloud and data center.
Measure the over-exposure of applications by identifying unnecessary network paths