Zero Trust Device Segmentation

What Is Zero Trust Device Segmentation?

Zscaler's Zero Trust Device Segmentation is an agentless device-segmentation technology that extends zero trust to secure traffic between devices inside your company's branch, factory, and campus network. The Zscaler solution eliminates lateral movement without the cost and complexity associated with legacy segmentation approaches such as east-west firewalls and network access control (NAC).

Traditional approaches to device segmentation often require significant infrastructure changes and bring management and maintenance overhead with little automation. As a result, segmentation projects frequently end up as a patchwork of zero trust measures that may still leave gaps. The proliferation of Internet of Things (IoT), Operational Technology (OT), Internet of Medical Things (IoMT), headless devices, and legacy systems makes a unified protection-and-containment strategy harder to formulate. Combined with an ever-evolving threat landscape, this puts considerable pressure on security teams and their organizations, since a single compromised endpoint can disrupt an entire operation.

Key Features and Benefits

Software as a Service (SaaS)-based Device Segmentation provides visibility and control over east-west traffic (intra- and inter-VLAN) as well as autonomous grouping and adaptive policy constructs for automated incident response.

With Device Segmentation, you have the following features and benefits:

  • No agent installation, API integration, or significant hardware changes are needed, enabling easy deployment.
  • Gateway appliances are managed by the Device Segmentation Admin Portal, a SaaS solution that offers multi-tenancy and role-based access control.
  • Devices can be ring-fenced by changing the subnet mask they receive (via DHCP, or via automation for devices with static IP addresses) so that every other address, even one on the same VLAN, is off-link, with the Device Segmentation gateway assuming the role of default gateway.
  • All traffic between devices, even within the same VLAN, therefore passes through the Device Segmentation gateway, where policy is enforced.
  • It can be deployed incrementally, allowing you to test the proof of concept on part of the network before adding more devices.

How It Works

In Zscaler Device Segmentation, every device is ring-fenced within its own isolated network, limiting the potential impact of threats and eliminating lateral spread. Gateways can be deployed between the existing L2/L3 switch and the firewall in a high-availability cluster, where they can act as DHCP relays or DHCP servers for the endpoint devices.

When configured, Device Segmentation:

  • Assumes the role of default gateway for VLANs.
  • Auto-provisions every endpoint with a /32 subnet mask through the intelligent DHCP proxy.
  • Automatically classifies every device into related VLAN groups (e.g., IoT, servers, and OT).
  • Enforces group-based policies; for example, a policy could deny Remote Desktop Protocol (RDP) access to cameras for everyone except admins.
  • Provides a Ransomware Kill Switch that enforces policies based on threat level to allow faster incident response.
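To make the /32 ring-fencing and the group-based policy concrete, here is an added illustration; it is not Zscaler's code, the group labels, sample VLAN and rule table are constructed, and the policy format is hypothetical. It models the host-side routing decision that a /32 mask forces and the gateway-side rule lookup, contrasting a legacy /24 lease, where a same-VLAN peer is reached directly and the gateway never sees the flow, with a /32 lease, where every flow is handed to the gateway and checked, including the RDP-to-cameras rule from the list above and a tighter rule set swapped in at an elevated threat level:

```python
"""Model of /32 ring-fencing plus group-based gateway policy.

Added illustration with constructed data and a hypothetical policy format;
not Zscaler's implementation or schema.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    name: str
    group: str       # classification the gateway assigns (constructed labels)
    ip: str
    prefixlen: int   # 24 = flat legacy VLAN, 32 = ring-fenced lease from the DHCP proxy
    gateway: str     # default gateway handed out by DHCP (the segmentation gateway)

    def next_hop(self, dst_ip: str) -> str:
        """Host routing decision: 'direct' if dst is on-link (ARP, no gateway),
        otherwise the default gateway's IP.

        With a /32 mask the on-link network is the host itself, so every other
        address, including a same-VLAN neighbour, is off-link.  (How the stack
        reaches the gateway, e.g. via an on-link host route, is outside this model.)
        """
        net = ipaddress.ip_interface(f"{self.ip}/{self.prefixlen}").network
        return "direct" if ipaddress.ip_address(dst_ip) in net else self.gateway


# Group-based rules, first match wins.
# Tuple: (src_group, dst_group, proto, port, action); "any" and 0 are wildcards.
NORMAL_POLICY = [
    ("admin", "camera", "tcp", 3389, "allow"),   # admins may RDP to cameras
    ("any",   "camera", "tcp", 3389, "deny"),    # nobody else may
    ("any",   "any",    "any", 0,    "allow"),   # constructed default for the demo
]
# Tighter rule set a kill switch could swap in when the threat level is raised:
# only admin SSH survives, everything else is dropped.
ELEVATED_POLICY = [
    ("admin", "any", "tcp", 22, "allow"),
    ("any",   "any", "any", 0,  "deny"),
]


def evaluate(policy, src_group, dst_group, proto, port):
    """Return the first matching rule's action, or 'deny' if nothing matches."""
    for sg, dg, pr, pt, action in policy:
        if (sg in ("any", src_group) and dg in ("any", dst_group)
                and pr in ("any", proto) and pt in (0, port)):
            return action
    return "deny"  # implicit default deny


def forward(src: Endpoint, dst: Endpoint, proto: str, port: int,
            threat_level: str = "normal") -> str:
    """What happens to a flow from src to dst.

    Returns 'bypass' when the host delivers the frame on-link and the gateway
    never sees it (legacy /24), otherwise the gateway's allow/deny verdict.
    """
    if src.next_hop(dst.ip) == "direct":
        return "bypass"
    policy = ELEVATED_POLICY if threat_level == "elevated" else NORMAL_POLICY
    return evaluate(policy, src.group, dst.group, proto, port)


# Constructed sample VLAN 10.0.1.0/24 with the segmentation gateway at 10.0.1.1.
GW = "10.0.1.1"
legacy_pc = Endpoint("pc-legacy", "workstation", "10.0.1.50", 24, GW)
pc        = Endpoint("pc",        "workstation", "10.0.1.50", 32, GW)
admin     = Endpoint("admin-pc",  "admin",       "10.0.1.51", 32, GW)
camera    = Endpoint("cam-lobby", "camera",      "10.0.1.60", 32, GW)

if __name__ == "__main__":
    print(forward(legacy_pc, camera, "tcp", 3389))          # bypass
    print(forward(pc, camera, "tcp", 3389))                 # deny
    print(forward(admin, camera, "tcp", 3389))              # allow
    print(forward(admin, camera, "tcp", 3389, "elevated"))  # deny
    print(forward(admin, camera, "tcp", 22, "elevated"))    # allow
```

The first case is the one to check after a rollout: a host that still holds a /24 lease reaches its neighbours on-link and the gateway never sees the flow, so confirming that every endpoint actually received the /32 mask (and a route to the gateway) is the first post-deployment verification, ahead of any policy review.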

How Zero Trust Device Segmentation works.
