Cloud & Branch Connector
What Is Zscaler Zero Trust SD-WAN?
Zscaler Zero Trust SD-WAN (software-defined wide area network) provides branches, on-premises data centers, and public clouds with fast and reliable access to the internet and private applications with a direct-to-cloud architecture that features strong security and operational simplicity. The solution eliminates lateral threat movement by connecting users and IoT/OT devices to applications through the Zscaler Zero Trust Exchange (ZTE).
Cloud and branch traffic is securely forwarded directly to the ZTE, where Zscaler Internet Access (ZIA) or Zscaler Private Access (ZPA) policies are applied depending on the traffic destination, providing full security inspection and identity-based access control for cloud, branch, and data center communications.
By combining lightweight virtual machines or plug-and-play devices with the ZTE, Zero Trust SD-WAN provides secure inbound and outbound Zero Trust networking for sites and clouds, without overlay routing, additional firewall appliances, or policy inconsistencies. Fully integrated with the ZTE, Zero Trust SD-WAN enables robust security and simplifies branch network management.
To learn more, see What Is Zscaler Branch Connector?, What Is Zscaler Cloud Connector?, What Is Zscaler Private Access?, Understanding the ZIA Cloud Architecture, and Understanding Zero Trust Branch Devices.
Key Features and Benefits
The following are some key Zero Trust SD-WAN features and benefits:
- Enables Zero Trust everywhere for all users, devices, servers, and IoT/OT, regardless of location or cloud.
- Improves application performance and increases productivity by replacing complex site-to-site VPNs with a simple direct-to-cloud architecture.
- Minimizes the internet attack surface by placing private applications behind the ZTE, where they can’t be discovered or attacked from the internet.
- Prevents lateral threat movement by connecting directly to applications, not the network.
- Enables organizations to discover and classify shadow IoT devices with automatic device classification based on traffic profiles.
- Simplifies secure access to OT resources with clientless browser-based access to SSH/RDP/VNC ports on OT assets.
- Enforces fine-grained forwarding policies for internet and non-internet traffic using ZIA or ZPA.
- Introduces plug-and-play deployment with zero touch provisioning (ZTP), which simplifies deployment and reduces time to integration.
Zero Trust SD-WAN Use Cases
The following are some key Zero Trust SD-WAN use cases:
- Site-to-site VPN replacement: Connect branches directly to private applications in data centers or public clouds without extending your WAN or relying on VPNs, both of which increase a network’s attack surface. Applications are hidden from discovery behind the branches, and access is restricted via the ZTE to a set of named entities. Identity, context, and policy adherence of the specified participants are all verified before access is allowed, prohibiting lateral movement elsewhere in the network.
- Mergers and acquisitions: Merging multiple networks can be challenging and time consuming. Problems range from overlapping IP addresses and routing issues to increased security risk from an enlarged network attack surface. With Zero Trust SD-WAN, networks can remain separate, and branch locations or clouds in one environment can quickly connect to private applications in another, without disruption.
- Direct internet access enablement for branches: On-premises networking and security models become less effective as organizations migrate their apps to the public cloud and build cloud-native apps. Zero Trust SD-WAN is a purpose-built solution for branch transformation, ushering in a new model that enables branches to communicate with any destination securely and independently from the underlying network.
- Zero Trust for server, IoT/OT connectivity: Employees and third-party vendors need to regularly access IoT/OT assets to maximize production uptime and avoid disruptions from equipment and process failures. Zero Trust SD-WAN for IoT/OT and Privileged Remote Access (PRA) provide fully isolated, clientless remote desktop access to Remote Desktop Protocol (RDP) and Secure Shell (SSH) Protocol target systems—without installing a client on devices or relying on jump hosts and legacy VPNs.
- Shadow IoT/OT discovery and visibility: IT teams face blind spots when unsanctioned, undiscoverable devices connect to branch office networks, increasing device vulnerability and creating a broader attack surface. Zscaler identifies and classifies these devices to give IT teams deeper visibility into their behavior, enabling better access control policies.