Edgewise was a pioneer in securing application-to-application communications for public clouds and data centers. Founded in 2016, the company’s innovative approach to microsegmentation improved the security of east-west communication by verifying the identity of software, services, and processes to reduce the attack surface, lower the risk of application compromise and data breaches, and achieve a zero trust environment. Zscaler acquired Edgewise Networks in May 2020.
Edgewise sought to eliminate data breaches and the compromise of critical business applications. Unsegmented networks were allowing attackers to move through unprotected network paths to reach vulnerable targets. Microsegmentation was a common way to combat this, but performing segmentation with legacy controls such as virtual LANs, firewalls, and access control lists (ACLs) was resource-intensive and complicated to implement and manage, costing too much for too little protection.
Edgewise set out to do microsegmentation differently, using software identity instead of the complex address-based controls of legacy approaches. Identity-based policies built with machine learning could protect any application, in any cloud or container environment, without any changes to the network. With this approach, both the machine identity and the software identity of a workload are verified before it is allowed to communicate.
This innovative approach led Gartner to recognize the startup as a 2018 Cool Vendor.
A New Approach to Microsegmentation
Microsegmentation originated as a way to control traffic between servers within the same network segment, where coarse network segmentation (VLANs, zone firewalls) offers no control at all. It has evolved to cover any intra-segment flow (Server A ⇄ Server B, Application A ⇄ Host B, etc.), which is permitted only if the identity of the requesting server, application, host, or user matches the permission configured for that resource.
Microsegmentation permissions can be based on resource identity, independent of the underlying infrastructure, whereas network segmentation relies on network addresses. This makes microsegmentation well suited to grouping workloads logically by their characteristics and communication patterns inside the data center rather than by where they sit on the network. Microsegmentation also enables organizations to isolate workloads from one another and secure them individually for more granular, stronger security.
As a key part of the zero trust framework, microsegmentation doesn’t rely on specific network structures or their business or technical requirements. It’s also far simpler to manage—you can protect a segment with just a few identity-based policies instead of hundreds of address-based rules.
With microsegmentation, IT teams can tailor security settings to different types of traffic, creating policies that limit network and application flows between workloads to those that are explicitly permitted. In this zero trust security model, a company could set up a policy, for example, that only allows medical devices to communicate with other medical devices. And if a device or workload moves, the security policies and attributes move with it.
By applying segmentation rules down to the workload or application, IT can reduce the risk of an attacker moving from one compromised workload or application to another.
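As an added illustration (not Edgewise or Zscaler code), the following Python sketch contrasts an address-based ACL with an identity-based policy for the medical-device case above. The workload names, addresses, role labels and binary fingerprints are constructed for the demo; the point it makes is that an address-based rule stops matching when the workload moves and keeps matching whatever lands on the old address, while the identity policy does the opposite.

```python
"""Identity-based vs address-based segmentation policy, illustrated.

Added example (not Edgewise or Zscaler code). The workload attributes,
policy shapes and binary fingerprints are constructed for this demo.
"""
from dataclasses import dataclass, replace
import hashlib


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    binary_sha256: str  # software identity: fingerprint of the running executable
    role: str           # label derived from the verified identity, e.g. "medical-device"


@dataclass(frozen=True)
class AclRule:
    """Legacy address-based rule: allow src_ip -> dst_ip on port."""
    src_ip: str
    dst_ip: str
    port: int


@dataclass(frozen=True)
class IdentityPolicy:
    """Identity-based rule: allow workloads with src_role -> dst_role on port."""
    src_role: str
    dst_role: str
    port: int


def fingerprint(executable: bytes) -> str:
    return hashlib.sha256(executable).hexdigest()


# Constructed stand-ins for the real executables that are allowed to run.
TRUSTED_BINARIES = {
    fingerprint(b"infusion-pump-agent v3.1"),
    fingerprint(b"patient-monitor-service v7"),
}


def acl_allows(rules, src: Workload, dst: Workload, port: int) -> bool:
    return any(r.src_ip == src.ip and r.dst_ip == dst.ip and r.port == port
               for r in rules)


def identity_allows(policies, src: Workload, dst: Workload, port: int,
                    trusted=TRUSTED_BINARIES) -> bool:
    # Both ends must present a verified software identity before any policy is consulted.
    if src.binary_sha256 not in trusted or dst.binary_sha256 not in trusted:
        return False
    return any(p.src_role == src.role and p.dst_role == dst.role and p.port == port
               for p in policies)


def scenario() -> dict:
    pump = Workload("infusion-pump-01", "10.0.1.5",
                    fingerprint(b"infusion-pump-agent v3.1"), "medical-device")
    monitor = Workload("patient-monitor-01", "10.0.1.9",
                       fingerprint(b"patient-monitor-service v7"), "medical-device")

    acl = [AclRule("10.0.1.5", "10.0.1.9", 443)]
    policy = [IdentityPolicy("medical-device", "medical-device", 443)]

    results = {}
    results["acl_before_move"] = acl_allows(acl, pump, monitor, 443)
    results["identity_before_move"] = identity_allows(policy, pump, monitor, 443)

    # The pump is re-addressed into another subnet: same software, new IP.
    moved_pump = replace(pump, ip="10.0.2.7")
    results["acl_after_move"] = acl_allows(acl, moved_pump, monitor, 443)
    results["identity_after_move"] = identity_allows(policy, moved_pump, monitor, 443)

    # An attacker's tool now sits on the pump's old address. Even if it could claim the
    # same role label, its unknown fingerprint fails identity verification.
    impostor = Workload("unknown", "10.0.1.5", fingerprint(b"c2-implant"), "medical-device")
    results["acl_impostor"] = acl_allows(acl, impostor, monitor, 443)
    results["identity_impostor"] = identity_allows(policy, impostor, monitor, 443)
    return results


if __name__ == "__main__":
    for check, permitted in scenario().items():
        print(f"{check:22s} {'ALLOW' if permitted else 'DENY'}")
```

The ACL fails in both directions: it blocks the legitimate pump after the move (operations pain) and admits the implant that inherited the old address (security failure). The identity policy follows the workload because it keys on what is running, not where it is.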
Microsegmentation is the future of modern data center and cloud security, but choosing the wrong supporting technology is like laying the wrong foundation for a building and trying to adapt it afterward.
Perimeter-based network security, once the de facto model, is far less effective in the era of the cloud, mobility, and IoT. Organizations facing sophisticated threats with this legacy security technology are vulnerable to modern stealthy attacks that can freely move laterally through a network as east-west traffic. A single compromised server allows an attacker to harm multiple servers and applications on that network.
Edgewise microsegmentation technology discovers individual applications and their legitimate communication patterns and, using AI and machine learning algorithms, automatically creates and enforces policies that permit only that authorized communication, providing segmentation at the application level. Legacy network segmentation simply falls short here, unable to provide the granular, flexible policies organizations need to protect today’s dynamic, ephemeral workloads.
In the modern threat landscape, cybersecurity should focus on protecting users, applications, and data, not the network. Zscaler secures connections between users and applications based on business policies, without connecting them to the corporate network—an approach known as zero trust network access (ZTNA). That’s why it made perfect sense to extend our zero trust approach with secure app-to-app communication. The acquisition of Edgewise broadened the Zscaler Zero Trust Exchange™ to deliver stronger security for public clouds and data centers as part of Zscaler Workload Segmentation (ZWS).
Zscaler Workload Segmentation
Zscaler Workload Segmentation (ZWS) simplifies microsegmentation by automating policy creation and management while protecting your applications and workloads in data centers and cloud environments. With one click, our cloud native security platform reveals risk across your organization and applies identity-based protection to workloads—without any changes to your network.
Its software identity-based technology provides gap-free protection with policies that automatically adapt to environmental changes. In short, ZWS reduces the attack surface to the communication paths your applications actually need.
ZWS begins by mapping the application communication topology using machine learning, a process that takes about 72 hours (vs. months to do so manually).
Once the map is complete, Zscaler can compare the total number of network paths available with the application paths your business applications actually require. Typically, only a fraction of the existing paths is needed. All unnecessary communication paths can then be eliminated to reduce your attack surface.
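To make the "available paths versus required paths" comparison concrete, here is an added Python example (not Edgewise or Zscaler code) that takes a small constructed workload inventory and a constructed set of observed flow records, learns role-level identity policies from the flows, and measures how many of the paths reachable on a flat network remain after enforcement. Role labels, port numbers and flow records are all assumptions for the demo.

```python
"""Learn an application allow-list from observed flows and measure the attack surface reduction.

Added example (not Edgewise or Zscaler code): the workload inventory, role labels and
flow records below are constructed for this demo, standing in for what a learning
phase would collect.
"""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Workload:
    name: str
    role: str                    # identity-derived label, e.g. "web", "api", "db"
    listening_ports: frozenset   # ports the workload accepts connections on


WORKLOADS = [
    Workload("web-01", "web", frozenset({443})),
    Workload("web-02", "web", frozenset({443})),
    Workload("api-01", "api", frozenset({8080, 22})),
    Workload("api-02", "api", frozenset({8080, 22})),
    Workload("db-01", "db", frozenset({5432, 22})),
    Workload("bastion-01", "bastion", frozenset({22})),
]

# Constructed flow records (src, dst, dst_port) as observed during the learning period.
OBSERVED_FLOWS = [
    ("web-01", "api-01", 8080), ("web-01", "api-02", 8080),
    ("web-02", "api-01", 8080), ("web-02", "api-02", 8080),
    ("api-01", "db-01", 5432), ("api-02", "db-01", 5432),
    ("bastion-01", "api-01", 22), ("bastion-01", "db-01", 22),
    ("web-01", "api-01", 8080),  # duplicates are normal in flow logs
]


def role_map(workloads):
    return {w.name: w.role for w in workloads}


def available_paths(workloads):
    """Every (src, dst, port) reachable on a flat network: any workload can hit any listener."""
    return {(s.name, d.name, p)
            for s, d in permutations(workloads, 2)
            for p in d.listening_ports}


def required_paths(flows):
    """Distinct paths the applications were actually seen to use."""
    return set(flows)


def learn_policies(workloads, flows):
    """Generalize each observed flow to an identity policy (src_role, dst_role, port)."""
    roles = role_map(workloads)
    return {(roles[s], roles[d], p) for s, d, p in flows}


def is_allowed(workloads, policies, src, dst, port):
    """Policy decision for one flow, keyed on the identities of both ends."""
    roles = role_map(workloads)
    return (roles[src], roles[dst], port) in policies


def allowed_paths(workloads, policies):
    """Concrete paths the identity policies permit once enforced."""
    return {path for path in available_paths(workloads)
            if is_allowed(workloads, policies, *path)}


def attack_surface_report(workloads, flows):
    avail = available_paths(workloads)
    req = required_paths(flows)
    policies = learn_policies(workloads, flows)
    allowed = allowed_paths(workloads, policies)
    return {
        "available": len(avail),
        "required": len(req),
        "policies": len(policies),
        "allowed_by_policy": len(allowed),
        "eliminated": len(avail - allowed),
        "reduction_pct": round(100 * (1 - len(allowed) / len(avail)), 1),
    }


if __name__ == "__main__":
    for key, value in attack_surface_report(WORKLOADS, OBSERVED_FLOWS).items():
        print(f"{key:18s} {value}")
    policies = learn_policies(WORKLOADS, OBSERVED_FLOWS)
    # Lateral movement from a compromised web tier straight to the database is denied.
    print("web-01 -> db-01:5432", is_allowed(WORKLOADS, policies, "web-01", "db-01", 5432))
```

On this inventory 45 paths are reachable on a flat network, 8 were observed, and 4 role-level policies leave 9 paths open (an 80% reduction). Two caveats a practitioner should keep in mind: the policies allow one more path than was observed (bastion-01 to api-02 on 22) because generalizing from instances to identities permits every member of a role, so learned policies deserve review before enforcement; and anything an attacker already does during the learning window is baselined as legitimate, so the learning period should start from a known-clean state.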