Zscaler Inc.

11/11/2024 | News release | Distributed by Public on 11/11/2024 17:31

Zero Trust Inside: Device Segmentation for Branch, Factory, and Campus

1. Unsegmented Devices Inside the Branch and Factory: Despite years of adding point security solutions, traditional network segmentation methods still allow lateral movement. Attackers can compromise one device and then spread laterally, exposing sensitive data or disrupting operations. This "east-west" threat movement is particularly problematic in industries where uptime is crucial, like healthcare, manufacturing, and critical infrastructure, and networks are often relatively "flat".

2. Shortcomings of Legacy Segmentation Solutions: Many existing segmentation solutions rely on access control lists (ACLs) or network access control (NAC) policies, which require ongoing manual management and do not scale well for modern networks. Additionally, many solutions rely on deploying agents across devices, which can be unfeasible in environments with legacy systems, IoT devices, and operational technology (OT) assets that cannot support agent-based security.

3. Lack of Enterprise-wide Device Isolation: The principle of zero trust asserts that no device, user, or network segment should be trusted by default. However, conventional enterprise networks often lack true device isolation, leaving gaps where threats can spread. This is particularly true of the coarse segmentation achieved by deploying east-west firewalls and legacy perimeter security. Zscaler's approach, by segmenting each device individually into its own "network of one", minimizes this risk by ensuring devices can communicate only where explicitly allowed.
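To make the "network of one" idea concrete, the following is an added illustration (not Zscaler's code and not a description of how its product is implemented). It models a small branch/factory inventory with constructed, hypothetical device names, and compares the transitive reach of a compromised device under a flat network against the reach under a default-deny, per-device allow list. It also shows the defensive side of the same rule set: observed flows that the allow list would reject are exactly the candidates a detection team would want to review as possible east-west movement.

```python
from collections import deque

# Constructed inventory of devices on one site (hypothetical names, not from the page).
DEVICES = ["hmi-01", "plc-01", "plc-02", "badge-reader",
           "printer", "finance-laptop", "erp-server"]

# Explicit allow list for the segmented model: (source, destination, tcp_port).
# Anything not listed is denied, which is the zero trust default.
ALLOW = {
    ("hmi-01", "plc-01", 502),            # HMI polls PLC over Modbus/TCP
    ("hmi-01", "plc-02", 502),
    ("finance-laptop", "erp-server", 443),
    ("finance-laptop", "printer", 9100),
}


def flat_policy(src, dst):
    """Traditional flat VLAN: every device can reach every other device."""
    return src != dst


def segmented_policy(src, dst):
    """Per-device 'network of one': reachable only if some explicit rule allows it."""
    return any(s == src and d == dst for s, d, _ in ALLOW)


def reachable_from(start, policy, devices=DEVICES):
    """Breadth-first search over the policy graph: every device an attacker who
    controls `start` could pivot to, directly or through intermediate hops."""
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for device in devices:
            if device not in seen and policy(current, device):
                seen.add(device)
                queue.append(device)
    seen.discard(start)
    return seen


def blast_radius(start, policy):
    """Number of other devices exposed if `start` is compromised."""
    return len(reachable_from(start, policy))


# Constructed sample of observed flows, as a flow collector might report them.
SAMPLE_FLOWS = [
    ("hmi-01", "plc-01", 502),
    ("badge-reader", "erp-server", 445),   # IoT device touching SMB on a server
    ("finance-laptop", "erp-server", 443),
    ("printer", "plc-01", 502),            # printer talking Modbus to a PLC
]


def denied_flows(flows):
    """Flows the allow list would block; under a flat network these would have
    succeeded silently, so they are the ones worth alerting on."""
    return [flow for flow in flows if flow not in ALLOW]


if __name__ == "__main__":
    for device in DEVICES:
        print(f"{device:15} flat={blast_radius(device, flat_policy)} "
              f"segmented={blast_radius(device, segmented_policy)}")
    print("would be denied:", denied_flows(SAMPLE_FLOWS))
```

Running the script shows the difference the press release describes: on the flat network every device, including the badge reader, can reach all six others, while under the per-device policy the badge reader and printer reach nothing and the HMI reaches only the two PLCs it is meant to poll. The rule set that enforces this is the same data a SOC can use to flag unexpected flows, which is why a default-deny allow list pays off for detection as well as containment.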