Want to see how Zscaler Workload Segmentation works firsthand? Visit our product page to request a custom demo.
- See The Difference
- What is Zero Trust The strategy on which Zscaler was built
- How Zscaler Delivers Zero Trust A platform that enforces policy based on context
- Zero Trust Resources Learn its principles, benefits, strategies
![Zscaler transformation]( "Zscaler transformation")
See how the Zero Trust Exchange can help you leverage cloud, mobility, AI, IoT, and OT technologies to become more agile and reduce risk
- Customer Success Stories Hear first-hand transformation stories
- Analyst Recognition Industry experts weigh in on Zscaler
- See the Zscaler Cloud in Action Traffic processed, malware blocked, and more
- Experience the Difference Get started with zero trust
![Zscaler transformation]( "Zscaler transformation")
See how the Zero Trust Exchange can help you leverage cloud, mobility, AI, IoT, and OT technologies to become more agile and reduce risk
- Products & Solutions
- Secure Your Users Provide users with seamless, secure, reliable access to applications and data. Secure Your Workloads Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud. Secure Your OT and IoT Provide zero trust connectivity for OT and IoT devices and secure remote access to OT systems.
- Products Transform your organization with 100% cloud-native services
- Solutions Propel your business with zero trust solutions that secure and connect your resources
![Zscaler workplace enablement]( "Zscaler workplace enablement")
Make hybrid work possibleGet StartedSecure work from anywhere, protect data, and deliver the best experience possible for users
- Industries Our ecosystem of zero trust partners
- Partner Integrations Simplified deployment and management
![Zscaler industry partners]( "Zscaler industry partners")
Secure your ServiceNow DeploymentGet StartedIt’s time to protect your ServiceNow data better and respond to security incidents quicker
- Platform
- Platform Overview Unified platform for transformation
- Capabilities Integrated services, infinitely scalable
![Zscaler transformation]( "Zscaler transformation")
Accelerate your transformationLearn MoreProtect and empower your business by leveraging the platform, process and people skills to accelerate your zero trust initiatives
![Gartner Report]( "Gartner Report")
Gartner Magic Quadrant LeaderRead ReportZscaler: A Leader in the Gartner® Magic Quadrant™ for Security Service Edge (SSE) New Positioned Highest in the Ability to Execute
- Resources
- Content Library Explore topics that will inform your journey
- Blog Perspectives from technology and transformation leaders
- Security Assessment Toolkit Analyze your environment to see where you could be exposed
- Webinars and Demos A first-hand look into important topics
- Executive Insights App Security insights at your fingertips
- Ransomware ROI Calculator Assess the ROI of ransomware risk reduction
- Training and Certifications Engaging learning experiences, live training, and certifications
- Customer Success Center Quickly connect to resources to accelerate your transformation
- Customer Success Stories Hear first-hand transformation stories
![Customer success center]( "Customer success center")
- Security & Threat Analytics Threat dashboards, cloud activity, IoT, and more
- Security Advisories News about security events and protections
- Vulnerability Disclosure Program Webinars, training, demos, and more
- Trust Portal Zscaler cloud status and advisories
![Zscaler resources]( "Zscaler resources")
- Company
- About Zscaler How it began, where it’s going
- Leadership Meet our management team
- Investor Relations News, stock information, and quarterly reports
- Compliance Our adherence to rigorous standards
- ESG Our Environmental, Social, and Governance approach
- Events Upcoming opportunities to meet with Zscaler
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler CareersApply NowJoin a recognized leader in Zero trust to help organization transform securely
- Media Center News, blogs, events, photos, logos, and other brand assets
- News and Press Zscaler in the news
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler CareersApply NowJoin a recognized leader in Zero trust to help organization transform securely
- Partner Portal Tools and resources for Zscaler partners
- Summit Partner Program Collaborating to ensure customer success
- System Integrators Helping joint customers become cloud-first companies
- Service Providers Delivering an integrated platform of services
- Technology Deep integrations simplify cloud migration
- Partner Inquiry Become a Zscaler partner
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler CareersApply NowJoin a recognized leader in Zero trust to help organization transform securely
-
What Is Microsegmentation? Microsegmentation is a cybersecurity technique that allows organizations to better govern network access between resources (e.g., server-to-server/east-west traffic). By uniquely identifying each resource (e.g., server, application, host, user), your organization can configure permissions that provide fine-grained control of data traffic. When implemented using zero trust principles, microsegmentation enables you to prevent lateral movement of threats, workload compromise, and data breaches.
Read "Microsegmentation 101"Microsegmentation vs. Network Segmentation
Although network segmentation and microsegmentation are often used interchangeably, they’re completely different concepts.
Network segmentation is best used for north-south traffic (i.e., the traffic that moves into and out of the network). With network segmentation, an entity, such as a user, is trusted once inside a designated zone of the network.
Microsegmentation, on the other hand, is best used for east-west traffic, or traffic that moves across the data center or cloud network—server-to-server, application-to-server, and so on. Simply put, network segmentation is like a castle’s outer walls and moat, whereas microsegmentation is like the guards standing at each of the castle’s interior doors.
How Microsegmentation Works
Microsegmentation solutions create secure zones that allow companies to isolate workloads from one another and secure them individually. They’re designed to enable granular (hence, “micro”) partitioning of network traffic to provide greater resistance to cyberattacks.
With an approach that includes microsegmentation policies, IT and security teams can tailor settings to different types of traffic, creating controls that limit network and application flows between workloads to those that are explicitly permitted.
Applying segmentation rules down to the workload level or application allows IT to reduce the attack surface, lowering the risk of an attacker moving from one compromised workload or application to another.
Why Legacy Segmentation Approaches Don’t Work
Legacy network segmentation solutions rely on firewalls that use network addresses to enforce rules. But because networks are constantly changing, policies must be continually updated as applications and devices move, which poses a challenge for on-premises data centers, in multicloud environments, and where IP addresses are ephemeral.
Additionally, network address-based approaches to segmentation can’t identify what’s communicating—for example, they can’t pinpoint the identity of the software. They can only tell you how it’s communicating, such as with the IP address, port, or protocol from which the “request” originated. This means that, as long as they are deemed “safe,” communications are allowed, even though IT and security teams don’t know exactly what’s trying to communicate.
Furthermore, once an entity is inside a "secure zone" on the network, the entity is trusted, which can lead to breaches and, on a flat network, lateral movement.
Why Microsegmentation Is Important
Microsegmentation is unique in that it allows IT to base policies and permissions on resource identity, making it the ideal method for creating intelligent groupings of workloads based on the characteristics of individual workloads communicating inside the data center.
What’s more, microsegmentation doesn’t rely on dynamically changing networks or the business or technical requirements placed on them, so it’s both stronger and more reliable for network security. In fact, it’s a fundamental part of a zero trust network access (ZTNA) framework, which is proven to simplify access control.
It’s also easier to manage—you can protect a segment with just a few identity-based policies instead of hundreds of address-based firewall policies.
Microsegmentation Features
Some of the technical benefits of microsegmentation include:
- Centralized security controls and management across networks: Because microsegmentation manages east-west traffic rather than north-south traffic, your policies stand up to any traffic that moves through the segments they govern. And, because policy is more defined, you get much greater visibility into network activity than with network segmentation.
- Segmentation policies that adapt automatically: Policies are applied to workloads rather than hardware, so they remain intact regardless of infrastructure changes. This means that IT security teams can extend one set of controls anywhere, no downtime required.
- Gap-free protection: Security policies span cloud, container, on-premises data centers, and hybrid cloud environments. This is because policy is specific to the workload, not the segment of the network, which closes any and all potential vulnerabilities in security coverage.
Some vendors focus exclusively on microsegmentation. In all cases, the solution should support the growing requirement for identity-based “microsegmentation” (more granular, software-defined segmentation also referred to as zero-trust network segmentation) of east/west traffic in data centers.
Neil MacDonald and Tom Croll, Gartner Market Guide to Cloud Workload Protection, April 2020
Business Benefits of Microsegmentation
Proactive Network and IT Security
Microsegmentation removes security roadblocks common with traditional segmentation by creating application-aware policies that travel with all apps and services. As a result, potential data breaches are contained to affected assets, not the entire network. Some microsegmentation services even offer functionality that leverages automation to identify all communicating software, recommend zero trust policies, and let you apply them with one click.
Reduced Vulnerability
Instead of static controls that rely on IP addresses, ports, and protocols, teams can cryptographically fingerprint each workload to provide consistent protection to workloads operating in an internal data center or the cloud. Fingerprinting decouples your workload security from IP address constructs to avoid issues with IP-based controls.
Continuous Risk Assessment
Microsegmentation lets you quantify risk exposure by automatically measuring the visible network attack surface to understand how many possible application communication pathways are in use. Some services even verify the identities of communicating software each time software requests a communication, which mitigates risk, supports regulatory compliance mandates, and provides visualized risk reports.
Zero Trust Segmentation
As mentioned earlier, a zero trust security model is based on principles of microsegmentation. Policy is applied to workloads, not network segments, allowing you to granularly control access to any resource in any location if sufficient context can't be established for any connection.
For example, with a zero trust model—particularly one that’s cloud-based—a company could set up a policy that states medical devices can only talk to other medical devices. If an endpoint device or workload were to move, the security policies and attributes would move with it in real time.
Many cloud security vendors make a promise of cloud-based zero trust that they can’t keep. Only one vendor delivers comprehensive zero trust security from the cloud that can protect your network, applications, and sensitive data from today’s sophisticated cyberthreats.
How Zscaler Can Help
Zscaler Workload Segmentation (ZWS) was built from the ground up to automate and simplify the process of microsegmentation in any cloud or data center environment. Built on easy-to-understand, identity-based policies, with a single click, you can enhance security by allowing ZWS to reveal risk and apply protection to your workloads—without any changes to your network or applications.
Zscaler Workload Segmentation uses software-identity-based technology to provide gap-free protection with policies that automatically adapt to environmental changes. Eliminating your network attack surface while adopting effective zero trust protection has never been simpler.
Suggested Resources
-
Zero Trust Microsegmentation for Hybrid Cloud
Visit the webpage -
Zscaler Workload Segmentation
Read the data sheet -
Zero Trust Microsegmentation: It’s All About the Data
Read the blog -
Zscaler Private Access
Visit our webpage