Want to see Zscaler Workload Segmentation in action? Get a live, personalized demo of ZWS today.
- See The Difference
- What is Zero Trust The strategy on which Zscaler was built
- How Zscaler Delivers Zero Trust A platform that enforces policy based on context
- Zero Trust Resources Learn its principles, benefits, strategies
![Zscaler transformation]( "Zscaler transformation")
See how the Zero Trust Exchange can help you leverage cloud, mobility, AI, IoT, and OT technologies to become more agile and reduce risk
- Customer Success Stories Hear first-hand transformation stories
- Analyst Recognition Industry experts weigh in on Zscaler
- See the Zscaler Cloud in Action Traffic processed, malware blocked, and more
- Experience the Difference Get started with zero trust
![Zscaler transformation]( "Zscaler transformation")
See how the Zero Trust Exchange can help you leverage cloud, mobility, AI, IoT, and OT technologies to become more agile and reduce risk
- Products & Solutions
- Secure Your Users Provide users with seamless, secure, reliable access to applications and data. Secure Your Workloads Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud. Secure Your OT and IoT Provide zero trust connectivity for OT and IoT devices and secure remote access to OT systems.
- Products Transform your organization with 100% cloud-native services
- Solutions Propel your business with zero trust solutions that secure and connect your resources
![Zscaler workplace enablement]( "Zscaler workplace enablement")
Make hybrid work possibleGet StartedSecure work from anywhere, protect data, and deliver the best experience possible for users
- Industries Our ecosystem of zero trust partners
- Partner Integrations Simplified deployment and management
![Zscaler industry partners]( "Zscaler industry partners")
Secure your ServiceNow DeploymentGet StartedIt’s time to protect your ServiceNow data better and respond to security incidents quicker
- Platform
- Platform Overview Unified platform for transformation
- Capabilities Integrated services, infinitely scalable
![Zscaler transformation]( "Zscaler transformation")
Accelerate your transformationLearn MoreProtect and empower your business by leveraging the platform, process and people skills to accelerate your zero trust initiatives
![Gartner Report]( "Gartner Report")
Gartner Magic Quadrant LeaderRead ReportZscaler: A Leader in the Gartner® Magic Quadrant™ for Security Service Edge (SSE) New Positioned Highest in the Ability to Execute
- Resources
- Content Library Explore topics that will inform your journey
- Blog Perspectives from technology and transformation leaders
- Security Assessment Toolkit Analyze your environment to see where you could be exposed
- Webinars and Demos A first-hand look into important topics
- Executive Insights App Security insights at your fingertips
- Ransomware ROI Calculator Assess the ROI of ransomware risk reduction
- Training and Certifications Engaging learning experiences, live training, and certifications
- Customer Success Center Quickly connect to resources to accelerate your transformation
- Customer Success Stories Hear first-hand transformation stories
![Customer success center]( "Customer success center")
- Security & Threat Analytics Threat dashboards, cloud activity, IoT, and more
- Security Advisories News about security events and protections
- Vulnerability Disclosure Program Webinars, training, demos, and more
- Trust Portal Zscaler cloud status and advisories
![Zscaler resources]( "Zscaler resources")
- Company
- About Zscaler How it began, where it’s going
- Leadership Meet our management team
- Investor Relations News, stock information, and quarterly reports
- Compliance Our adherence to rigorous standards
- ESG Our Environmental, Social, and Governance approach
- Events Upcoming opportunities to meet with Zscaler
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler CareersApply NowJoin a recognized leader in Zero trust to help organization transform securely
- Media Center News, blogs, events, photos, logos, and other brand assets
- News and Press Zscaler in the news
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler CareersApply NowJoin a recognized leader in Zero trust to help organization transform securely
- Partner Portal Tools and resources for Zscaler partners
- Summit Partner Program Collaborating to ensure customer success
- System Integrators Helping joint customers become cloud-first companies
- Service Providers Delivering an integrated platform of services
- Technology Deep integrations simplify cloud migration
- Partner Inquiry Become a Zscaler partner
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler CareersApply NowJoin a recognized leader in Zero trust to help organization transform securely
-
What Is Cloud Workload Segmentation? Cloud workload segmentation is a cloud security process that applies identity-based protection to workloads without any architectural changes to the networks. It allows these workloads to securely move across different cloud environments without increasing security risk or needing additional access controls or security controls to be applied.
What Is a Workload?
A workload can refer to everything and anything sitting on top of a machine. For example, in the case of a piece of physical hardware, an operating system (OS) or the applications and data running on top of it would be considered the workloads. When speaking about cloud computing, a workload refers to an app or data that’s being transferred to or from the cloud, users, endpoints, data centers, and so on.
Why Is Cloud Workload Segmentation Important?
The cloud offers enormous opportunities, but it’s also increased vulnerability to cyberattacks such as malware. Cybercrime in general has surged as workloads have increasingly moved onto the cloud. Data has become more mobile, empowering businesses to work in a more agile way, but that puts information and business systems at risk.
Security strategies have evolved to focus on endpoint protection in a response to the growing enthusiasm for mobile and remote working. However, these technologies tend to miss what’s happening in the cloud. Any business using multiple public or private clouds need to protect themselves at the workload level, not just the endpoints.
How Does Cloud Workload Segmentation Work?
Workload segmentation automatically builds a real-time application topology and dependency map down to the process level. It then highlights the required application paths and compares them to the total available network paths, recommending policies to minimize the attack surface.
This can be a core protection strategy for workloads because it eliminates the excessive access allowed by flat networks. Such networks allow attackers to move laterally and compromise workloads in cloud and data center environments. Segmenting, or isolating, applications and eliminating unnecessary pathways will contain any potential compromises to the affected asset, essentially reducing the “blast radius.”
Segmenting applications and workloads—also known as microsegmentation—allows you to create intelligent groups of workloads based on characteristics of the workloads communicating with each other. As such, microsegmentation is not reliant on dynamically changing networks or the business or technical requirements placed on them, which means it enables both stronger and more reliable security.
Benefits of Cloud Workload Segmentation
Cloud workload segmentation allows you to apply quantifiable metrics to your cloud infrastructure and cloud network security by implementing:
Software Identity-Based Protection
Workload segmentation looks beyond network IP addresses to verify the secure identity of the communicating application software and workloads in public or private clouds, hybrid clouds, multicloud deployments, on-premises data centers, or container environments. Learn why identity is foundational for cloud workload protection.
Policy Automation
Workload segmentation uses machine learning to automate the entire policy life cycle for microsegmentation and workload protection. There’s no need to build policy manually during deployment or ongoing operations. Modern workload segmentation platforms can even recommend new or updated policies when apps change or are added.
Adaptability for Updates and Changes
Cloud workload segments are based on the identity of communicating software, not the network itself. This means segments can adjust as new applications and hosts are added, verified, and permitted to communicate. The result: hardened security minus operational burden and complexity.
Cloud Workload Segmentation Challenges
Plenty of complications can stand in the way of gaining greater protection for your cloud workloads. Let’s briefly go over some of those.
- Inadequate legacy security: This tends to be the biggest barrier to improving not only cloud workload protection, but also cloud security in general. Legacy technologies such as VPNs or on-premises firewalls can greatly hamper your organization’s ability to provide consistent security for applications and data moving in and out of the cloud.
- Remote/Hybrid work: With the hybrid workforce in full swing, companies are allowing their employees to work from anywhere, access corporate resources on any device, and most importantly, use a variety of applications, often from a bevy of software as a service providers. This practice, while providing and promoting flexibility, poses a particular risk to sensitive data.
- Agile application development: DevOps and Agile methodologies have become the MO in the AppDev world, but they’ve moved security further and further down the list of priorities for software teams. This is great for the potential applications of the future, but it also poses a huge risk to the data of companies willing to use these apps through the cloud.
Is Workload Segmentation Difficult?
Given the prevalence of the above challenges, cloud workload segmentation can seem difficult. However, with the right platform and a quality security partner, you can ensure the apps and data traveling to and from your clouds are kept secure by closing off their exposure to the internet. In the next section, we’ll discuss key traits you should be on the lookout for when shopping for a workload segmentation solution.
Key Requirements of a Cloud Workload Segmentation Platform
A cloud- and mobile-ready workload segmentation platform:
Is Identity-Centric
An effective cloud workload segmentation platform should build policies based on the identity of applications, hosts, and services communicating in your cloud, not the network environment. This lets you avoid the operational complexity of trying to determine application dependencies, learn where each host is located, or monitor thousands of data points.
Leverages Encryption
Cloud architectures aren’t fit for traditional security tools that use IP addresses, ports, and protocols as the control plane. Proper cloud workload segmentation should cryptographically fingerprint software based on immutable properties that attackers can’t exploit for consistent workload protection across all networking environments.
Continually Assesses Risk
A modern cloud workload segmentation solution can automatically measure your visible network attack surface to understand how many possible application communication pathways are in use, quantify risk exposure based on the criticality of communicating software, and use machine learning to recommend the fewest possible security policies.
Types of Cloud Workload Segmentation
There are various segmentation methods that can help your workloads stay secure as they enter and leave the cloud.
Network Segmentation
Network segmentation is the division of a network into multiple subnetworks—each with subnet-specific security policies and protocols—to attempt to prevent lateral movement. It’s one of the most widely used means of reducing a network's attack surface to combat cyberattacks, however, with the increase in mobility offered by the cloud, traditional network segmentation has been rendered ineffective at preventing lateral threat movement.
Microsegmentation
Microsegmentation uniquely identifies each resource (e.g., server, application, host, user), which allows organizations to configure permissions that provide fine-grained control of data traffic, enabling them to prevent lateral movement of threats, workload compromise, and data breaches.
Zero Trust Workload Segmentation
In a zero trust cybersecurity model, a company could set up a policy, for example, that states a particular application running on a host can only talk to other application software running on other hosts. For instance, all PCI-related software can be microsegmented to tightly control access to the PCI environment and reduce the number of systems in scope.
Why Zero Trust?
Using a cloud-based, zero trust approach to secure connections between users and applications based on business policies, without connecting them to the corporate network—an approach known as zero trust network access (ZTNA)—delivers stronger security in public clouds and data centers.
ZTNA connects users directly to applications on a one-to-one basis, never to the network, eliminating lateral movement. This lets you achieve segmentation in a fundamentally different and more effective way that’s impossible with legacy VPNs and firewalls.
Plus, if a device or workload moves, the security policies and attributes move with it. By applying zero trust segmentation rules down to the workload or application, IT can reduce the risk of an attacker moving from one compromised workload or application to another.
When it comes to zero trust segmentation, only one cloud-based security vendor builds and innovates its platform with zero trust principles at the core—that vendor is Zscaler.
Implementing Cloud Workload Segmentation with Zscaler
Zscaler Workload Segmentation (ZWS) simplifies microsegmentation by automating policy creation and management while protecting your applications and workloads in data centers and cloud environments. With one click, our cloud native platform reveals risk across your organization and applies identity-based protection to workloads—without any changes to your network.
Its software identity-based technology provides gap-free protection with policies that automatically adapt to environmental changes. In short, ZWS optimizes attack surface elimination.
ZWS begins by mapping the application communication topology using machine learning, a process that takes about 72 hours (vs. months to do so manually).
Once complete, Zscaler can measure the total network paths available and the application paths your business applications require. Typically, only a fraction of the existing pathways is required. All unnecessary communications paths can be eliminated to reduce your attack surface.
ZWS supports a variety of use cases, including:
- Cloud workload protection
- App/Data flow mapping and exposure visibility
- Container security
- Security monitoring and event correlation
Suggested Resources
-
What Is Microsegmentation?
Read the article -
Cloud Workload Segmentation
Visit our page -
Zscaler Workload Segmentation
Read the data sheet -
What Is Cloud Workload Security?
Read the article