Zscaler Blog

Products & Solutions
Zero Trust Branch: Say Goodbye to Lateral Threat Movement

AMEET NAIK
November 11, 2024 - 5 min. read

The growing network & security sprawl

Legacy network architectures were designed for a world where your employees were all in offices, and your applications were in data centers. We built and optimized private networks to connect branches and data centers using technologies like MPLS and site-to-site VPNs, and more recently SD-WAN, and secured the perimeter with firewalls — everything inside the network was trusted and everything outside was untrusted.

As applications moved into the cloud and organizations became more distributed, we simply extended this network to remote locations, partners and the cloud. These networks continued to carry too much implicit trust. Attempts to segment them using firewalls have only contributed to endless firewall sprawl, never-ending segmentation projects and an explosion in cost and complexity, leaving infrastructure teams strained for resources.

Traditional SD-WAN facilitates ransomware attacks

While these legacy network architectures have made it easier for users, devices and workloads to communicate with each other, they are also facilitating the lateral movement of threats. A single infected device in a branch can reach and infect your crown jewel apps in the data center or cloud. This is one of the primary ways in which ransomware attacks spread. According to the 2024 ThreatLabz Ransomware Report, we saw a 58% increase in the number of extorted companies in the past year alone, with record payouts reaching $75M. Ransomware attacks continue to proliferate for one simple reason — legacy SD-WANs expand your attack surface and enable lateral movement.

Continuing to use legacy architectures in a modern world not only spikes cost and complexity, but also leaves you vulnerable.

Zero Trust Branch — no lateral movement, no firewalls

With a Zero Trust Branch architecture, you don’t need to extend your network everywhere — your branches become like cafés. Users, devices and apps communicate through the Zero Trust Exchange over any broadband or cellular connection. There are no open ports listening for VPN connections that attackers can exploit. A device in one location cannot scan the network to find devices and apps in other locations. With no flat routable network, you don’t need firewalls at each branch.

Zero Trust Branch is made possible by three key Zscaler innovations. Firstly, Zscaler Zero Trust SD-WAN replaces your traditional SD-WAN, MPLS or site-to-site VPNs and facilitates secure inbound and outbound communications from your branch. Using a Zscaler Edge appliance that directly terminates and manages your ISP connections, Zero Trust SD-WAN optimizes app performance and provides full cyber threat and data protection for all user, device and server traffic from the branch. With three physical appliances (ZT 400, ZT 600 and ZT 800) and a virtual appliance (ZT VM), organizations can connect a variety of branches, campuses, factories and data centers to the Zero Trust Exchange.

We are pleased to announce new Zscaler Edge appliances with 5G cellular support, as a primary or backup ISP connection, to secure additional locations such as ATMs, field offices and retail stores. We are also announcing higher-throughput appliances that will support up to 5 Gbps of encrypted throughput, enabling multiple gigabit fiber connections operating in active-active mode.

Zero Trust SD-WAN ensures threats cannot move laterally between sites. Within the sites, Zscaler innovations in Zero Trust Device Segmentation help you further segment each device down to a network of one — eliminating the need for east-west firewalls, NAC and expensive proprietary switches. Deployable in hours, this innovative solution discovers, identifies and segments every device — even legacy OT systems — and eliminates all lateral movement within the site.

Another significant risk factor for lateral threat movement is third-party vendors and contractors accessing OT systems and servers. Traditionally this has required a network connection or a VPN, which brings unmanaged or unknown devices onto your network with direct access to your critical assets. Zscaler Privileged Remote Access provides a safer approach that does not require a network connection between third parties and your infrastructure. Using clientless, browser-based access and pixel-streaming technology with keyboard and mouse control, you can let remote technicians safely access your OT systems, with full supervision, session recording and file sandboxing controls, to help minimize risk to your factories and ensure personnel safety.

Slash costs, improve security

A café-like branch architecture has many benefits for infrastructure teams and end users.

  • Lower cost: Since you don’t extend your network everywhere, your infrastructure footprint and cost are reduced significantly. You don’t need to secure each branch with firewalls, just as you don’t secure every employee’s home network. You eliminate routing complexity and firewall policy management.

  • Better security: Ransomware cannot move laterally between sites or even between devices in the same site. Also, your attack surface shrinks — branch offices are no longer effective targets. The Zero Trust Exchange provides complete cyber threat and data protection, ensuring devices do not talk to known command and control sites or exfiltrate data over channels like DNS.

  • Better user experience: Since you no longer need to backhaul traffic through your data center for security inspection, applications run faster and users get a better, more consistent experience in the office and at home. You also eliminate the tradeoff between performance and security: all traffic, including TLS-encrypted traffic, can be inspected at the Zero Trust Exchange without performance penalties.

Zscaler Zero Trust Branch not only simplifies your branch architecture — slashing infrastructure costs by up to 50% — but also improves performance and delivers an exceptional user experience. And best of all, with a zero trust architecture, it eliminates lateral threat movement and stops ransomware attacks in their tracks.

Learn more about Zero Trust Branch innovations on our launch resources page.
