Weaving Zero Trust Into Your Connectivity Fabric

Enterprise networks have evolved beyond just enabling the client-server apps of yesteryear. Your apps are no longer in your data centers, and your users are no longer in the office. Many infrastructure managers are wondering what that expensive WAN is really doing for them. It’s a fair question to ask in the era of cloud-centric hybrid workplaces. At the same time, as users have left the building, IoT and OT devices have proliferated. An enterprise WAN today is carrying less business application traffic and more device traffic than ever before. With this come new connectivity and security challenges. The WAN hasn’t lost relevance so much as it has evolved into something different, and the way we design and build it needs to evolve too.


One of the biggest threats keeping IT leaders up at night is ransomware. According to a recent Threatlabz report, ransomware attacks increased almost 40% between 2022 and 2023, with the average demand being $5.3M. There’s a fundamental reason why attacks like these are successful. We built our enterprise WANs as castles, with a security perimeter “moat” around them. Once you enter the castle, the wildly efficient networks we designed & built make it relatively easy to move around. A successful breach then becomes all about finding the weakest link in an organization to serve as an entry point. Good cybersecurity cannot depend upon 100% perfection.

Challenges With Traditional WANs

Legacy WANs were built using MPLS, which offered stringent SLAs and good security by virtue of being isolated from the Internet. However, this meant that you needed to backhaul traffic to your Internet exit locations, which added latency and degraded performance for SaaS apps. SD-WAN offered an alternative: site-to-site VPNs built over the Internet, with simplified local breakouts for SaaS apps. While this automated some of the complexity of provisioning hub-and-spoke VPN networks, it failed to fully solve security. Many SD-WAN deployments ended up requiring multiple boxes at the branch: one for connectivity, and a separate firewall for layering on security.

This gets to the heart of the issue. We have built IP networks using routing protocols that are really good at allowing devices anywhere to talk to each other. We’re now living in a world where that’s not necessarily a good thing.

What About Segmentation?

Network segmentation and micro-segmentation are touted as one of the solutions to the security problems plaguing corporate networks today. Yet we have 40% growth in ransomware attacks, which rely on lateral movement. So what gives? Segmentation is hard to manage and inefficient. It’s like building a swanky new freeway network and then adding dividers all over the place. It casts security as the bad guy that slows everything down, and it invites calls for exceptions for critical apps and demanding users.

Instead, what if segmentation were inherent to the connectivity fabric itself?

Zero Trust Branch Connectivity

Most of our readers are likely aware of the Zero Trust model of security — everyone is inherently untrusted. Trust is a privilege earned ephemerally based on identity and context. This model has been applied very successfully for users and apps with Zero Trust Network Access (ZTNA). So why not extend it to all the other traffic on the WAN as well? That’s the fundamental idea behind Zero Trust Branch Connectivity. It securely connects your branches, head offices, factories and data centers using the Zero Trust Exchange, without the complexity of VPNs or overlay routing.

Instead of allowing every site unrestricted access to every other site, you can start from a fully untrusted posture and enable only the connectivity you need. For example, a printer in the Chicago office may need to talk to a private print server in the New York office, while also having Internet access for automatic software updates. This printer does not need to talk to any other device on the network. By eliminating the routed overlay, we avoid the problem of accidentally allowing lateral threat movement. Zero trust becomes a part of the connectivity fabric itself, and there is no need to layer on additional segmentation.
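As an added illustration (example code, not Zscaler's product or API), here is a small policy-as-code model of the printer scenario: every identity starts with no reachability, and only explicitly listed flows pass. The device identities, port numbers and update host are assumptions made for the example.

```python
# Illustrative default-deny connectivity policy. Hypothetical model, not a Zscaler API.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str            # source device identity, e.g. "chicago/printer-01"
    dst: str            # destination identity, or "internet"
    dport: int
    dst_host: str = ""  # FQDN for internet-bound flows

@dataclass(frozen=True)
class Rule:
    name: str
    src_tag: str          # matched against the source identity's tags
    dst: str
    ports: frozenset
    dst_hosts: frozenset = frozenset()  # empty means any host

# Constructed inventory mapping each identity to its tags (assumed data).
INVENTORY = {
    "chicago/printer-01": frozenset({"printer"}),
    "newyork/print-server": frozenset({"print-server"}),
    "chicago/hr-laptop": frozenset({"user"}),
    "newyork/finance-db": frozenset({"database"}),
}

# Explicit allow list. Ports and the update host are assumptions for the example.
RULES = (
    Rule("printer-to-print-server", "printer", "newyork/print-server", frozenset({631, 9100})),
    Rule("printer-updates", "printer", "internet", frozenset({443}),
         frozenset({"updates.example-vendor.invalid"})),
)

def evaluate(flow, rules=RULES, inventory=INVENTORY):
    """Return (decision, reason). Unknown sources and unmatched flows fail closed."""
    tags = inventory.get(flow.src)
    if tags is None:
        return ("deny", "unknown-source")
    for r in rules:
        if r.src_tag in tags and r.dst == flow.dst and flow.dport in r.ports \
                and (not r.dst_hosts or flow.dst_host in r.dst_hosts):
            return ("allow", r.name)
    return ("deny", "default")

def reachable(src, rules=RULES, inventory=INVENTORY):
    """Private destinations a source could ever reach: its lateral-movement surface."""
    return {r.dst for r in rules if r.dst in inventory and r.src_tag in inventory.get(src, ())}
```

Because there is no routed overlay granting implicit reachability, `reachable()` for any device is exactly the set of destinations someone chose to allow, and nothing else.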

See It Live

Come stop by the Zscaler booth at ONUG Fall 2023 and join us on October 24th at 3:45pm to see a live demo of Zero Trust Branch Connectivity in action. Or you can schedule a meeting with one of our experts at your convenience.


Author's Bio

Ameet Naik

Director, Product Marketing, Zscaler