Zero Trust Inside: Device Segmentation for Branch, Factory, and Campus

Legacy Network and Security Architectures

In today’s complex digital landscape, lateral threat movement inside the branch, factory, and campus —where malware or attackers pivot across a network—remains a major cybersecurity challenge. Traditional solutions, relying on expensive firewalls or complex network access controls (NAC), often fall short, as they either depend on severely outdated methods or require endpoint agents that aren’t always feasible to deploy. Zscaler’s Zero Trust Device Segmentation offers a streamlined, scalable answer to these security obstacles without the complexity of traditional networks segmentation. With a zero trust architecture inspired by telco networks, it provides an effective strategy to isolate and protect every device inside enterprise networks.

The Big Problem:  Lateral Threat Movement

1. Unsegmented Devices Inside the Branch and Factory: Despite years of adding point security solutions, traditional network segmentation methods still allow lateral movement. Attackers can compromise one device and then spread laterally, exposing sensitive data or disrupting operations. This “east-west” threat movement is particularly problematic in industries where uptime is crucial, like healthcare, manufacturing, and critical infrastructure, and networks are often relatively “flat”.

2. Shortcomings of Legacy Segmentation Solutions Many existing segmentation solutions rely on access control lists (ACLs) or NAC policies, which require ongoing manual management and do not scale well for modern networks. Additionally, many solutions rely on deploying agents across devices, which can be unfeasible in environments with legacy systems, IoT devices, and operational technology (OT) assets that cannot support agent-based security.

3. Lack of Enterprise-wide Device Isolation The principle of zero trust asserts that no device, user, or network segment should be trusted by default. However, conventional enterprise networks often lack true device isolation, leaving gaps where threats can spread. This is particularly true of coarse segmentation achieved by deploying east-west firewalls and legacy perimeter security. Zscaler’s approach, by segmenting each device individually into its own network of one, minimizes this risk by ensuring devices can communicate only where explicitly allowed.

A Telco-Inspired Approach 

Despite millions of users, telco subscriber networks never pass malware from one phone to another.  How?  In these systems, each subscriber device operates in isolation, preventing lateral movement. For example, a compromised mobile device on one subscription doesn’t impact other devices. Zscaler has adopted a similar strategy with its Zero Trust Device Segmentation: each device is effectively placed in its own isolated “network,” restricting its ability to connect laterally.

How Device Segmentation Works

Zscaler’s Zero Trust Device Segmentation aims to simplify segmentation by embedding zero trust security directly within the network infrastructure. Here’s a breakdown of the core deployment and operational mechanics:

1. Simple Deployment

• Placement: The Zscaler Edge appliance is deployed next to the core switch on a trunk port, creating a seamless gateway to intercept and manage device connections.
• High Availability Configuration: Typically, two appliances are installed as an active and standby pair, ensuring uninterrupted service and resilience against single points of failure.

2. Automatic Device Segmentation

• SVI Deactivation: Once deployed, the switch’s Switch Virtual Interface (SVI) for the VLAN is deactivated, and the Zscaler Edge appliance assumes the role of the default gateway.
• Netmask Adjustment for Isolation: As devices renew their IP leases, the appliance modifies their netmask to a /32, effectively isolating each device with a unique subnet mask.
• Handling Static IP Devices: For static devices, Zscaler offers automated scripts that update their netmask configurations without requiring downtime or session drops, allowing seamless integration in high-availability environments like hospitals and corporate campuses.

Inventory Everything, Enforce Everywhere

Once Zscaler’s Zero Trust Device Segmentation is deployed, it enables granular control and visibility across the network:

1. Device Classification and Dynamic Grouping

• Zscaler’s platform autonomously discovers, classifies, and groups devices by type (e.g., printers, IoT devices, Android devices). As new devices are added or removed, group memberships dynamically update, providing continuous, real-time visibility.
• Grouping Flexibility: Device groupings can be configured based on type, OS, or custom attributes, allowing for targeted policy enforcement and simplified management.

2. Policy Enforcement with Role-Based Control

• Policies can be crafted to limit communication between specific device types, regions, or organizational units. For instance, administrators might restrict cameras from communicating with printers or block internal Remote Desktop Protocol (RDP) access organization-wide to greatly reduce attack surface.
• Scope Customization: Policies can be applied globally, regionally, or locally, providing flexibility for organizations with complex, distributed networks.
• Centralized Management Portal: Zscaler’s platform includes a management portal with role-based access control, enabling administrators to set policies, view network activity, and make adjustments in real-time.

3. Full East-West Visibility

• The platform provides a visual map of network activity, capturing all traffic flows across the network. This visibility includes both north-south (external) and east-west (internal) traffic patterns, allowing for quick diagnosis of network issues.
• Color-coded Flow Indicators: Network events are represented with intuitive color codes: red for blocked traffic, green for allowed connections, and black for default policies. Administrators can simply input a device’s MAC address, hostname, or IP to view its interactions in real time, enabling faster troubleshooting.

Why Zscaler?

The unique architecture of Zscaler’s Zero Trust Device Segmentation offers substantial advantages over traditional methods:

1. Reduction of Complexity and Cost

• By eliminating the need for east-west firewalls and intricate access control mechanisms, Zscaler significantly reduces network complexity and refresh costs. Administrators no longer need to manage sprawling ACLs or rely on firewall rule updates to maintain segmentation.

2. Agentless Segmentation for Legacy and IoT Devices

• Many legacy and IoT devices cannot support agents, making them difficult to secure with conventional solutions. Zscaler’s approach, which does not require agents, makes it an ideal solution for industrial environments, smart facilities, and other settings with diverse device types.

3. Enhanced Compliance and Detection

• Zscaler’s automatic device discovery and classification streamline compliance with industry regulations by ensuring all devices are accounted for and protected. Additionally, the centralized view of network flows helps quickly identify potential security incidents or policy violations.

4. Rapid Deployment and Flexibility

• Zscaler’s solution can be deployed quickly—often within a day—enabling rapid time-to-value. Its configuration options offer flexibility, allowing organizations to tailor segmentation to their operational needs without requiring downtime or lengthy project timelines.

Common Device Segmentation Use Cases

Automatic Device Discovery and Classification

• Ideal for environments with a mix of known and unknown devices, such as healthcare or manufacturing. By automating the discovery process, Zscaler allows administrators to keep track of both managed and rogue devices, ensuring network integrity.

Agentless Segmentation for Legacy, IoT, and OT Devices

• Industries with operational technology assets, like energy and manufacturing, benefit from Zscaler’s agentless segmentation, which provides robust security without disrupting production or requiring retrofitting of any IP endpoint.

Eliminating East-West Firewalls

• By removing the need for traditional internal firewalls, Zscaler minimizes the attack surface and reduces infrastructure costs. This is especially useful for organizations with a need to isolate IT from OT or separate major production lines that would otherwise require extensive firewall management.

The End of Lateral Threat Inside the Branch, Factory, and Campus

Zscaler Zero Trust Device Segmentation introduces a modern, efficient approach to zero trust segmentation for devices inside the branch, factory, and campus. With the ability to isolate every device individually, eliminate traditional firewalls, and manage policy centrally, Zscaler simplifies the complex task of segmentation. Inspired by the inherently isolated telco model, it brings zero trust to all devices, supporting both security and operational continuity.

For organizations grappling with segmentation challenges, Zscaler’s solution offers the opportunity to achieve true device-level security and resilience—within a day. With Zscaler, segmentation is no longer a lengthy, resource-intensive project but a streamlined, manageable solution that aligns with today’s zero trust principles.  And as part of Zscaler Zero Trust for Branch and Cloud, you can now extend zero trust principles everywhere in your enterprise.

To learn more about innovations in zero trust for branch and cloud, please visit zscaler.com/ztsegmentation