
Impossibly Simple Workload Segmentation

Stop lateral movement of threats and prevent application compromise and data breaches.

Flat networks increase risk in cloud and data centers

Flat networks permit excessive access via unprotected pathways, letting attackers move laterally and compromise workloads in cloud and data center environments. Experts agree that shrinking segments and eliminating unnecessary pathways is a core protection strategy for workloads. However, the cost, complexity, and time involved in network segmentation using legacy virtual firewalls outweigh the security benefit.

Legacy network security is complex and time-consuming to deploy and manage



Legacy virtual firewalls

Address-based, perimeter controls were not designed to protect internal workload communications. As a result, attackers can “piggyback” on approved firewall rules.

Complex, manual policies

Application interactions have complex interdependencies. Existing solutions translate “application speak” to “network speak,” resulting in thousands of policies that are almost impossible to validate.

Unclear security benefits

Stakeholders need to be convinced that risk will be reduced. Can security risk be reduced without breaking the application? Practitioners struggle to accurately measure the operational risk of deploying complex policies.

Workload Segmentation

Zero trust security that’s impossibly simple

Workload Segmentation is a new way to segment application workloads. With one click, you can enhance security by allowing workload segmentation to reveal risk and apply identity-based protection to your workloads—without any changes to the network. The workload segmentation identity-based technology provides gap-free protection with policies that automatically adapt to environmental changes. Eliminating your network attack surface has never been simpler.


What Workload Segmentation can do for you

Strengthen security through identity

Identity-based workload protection prevents lateral movement of malware and ransomware across servers, cloud workloads, and desktops. Stop threats with zero trust security.

Simplify operations with policy automation

For uniquely simple microsegmentation, driven by machine learning, the service automates policy creation and ongoing management.

Improve visibility and exposure analysis

Get unified visibility into communicating applications on-premises and in public clouds. Map app topology in real time, and measure overexposure with attack path analysis.

What makes Workload Segmentation unique?

Software identity-based protection

Workload segmentation looks beyond network addresses to verify the secure identity of the communicating application software and workloads, in public or private clouds, hybrid clouds, on-premises data centers, or container environments. Read the blog post on why identity is foundational for cloud workload protection.

Policy automation engine

Workload segmentation uses machine learning to automate the entire policy lifecycle for microsegmentation and workload protection. There’s no need to build policy manually during deployment or ongoing operations. Workload segmentation recommends new or updated policies when apps change or are added.

Attack surface visibility and measurement

Workload segmentation automatically builds a real-time application topology and dependency map down to the process level. It then highlights the required application paths and compares them to the total available network paths, recommending policies to minimize attack surface and protect what’s needed. Read the blog post on how microsegmentation differs from network segmentation.

Suggested Resources


Identity-based Microsegmentation


Fairfax County: Expanding Zero Trust Approach with Zscaler Workload Segmentation


Implementing Segmentation in Phases


Goulston & Storrs Elevates Security of Client Data


Aligning Zscaler Workload Segmentation with the NIST CSF


Mitre ATT&CK Framework – Stopping Unauthorized Lateral Movement
