Erleben Sie, wie Zero Trust Ihre Organisation transformieren kann.
Zum Report
Was ist Zero Trust?
Was ist Security Service Edge (SSE)?
Was versteht man unter Secure Access Service Edge (SASE)?
Was ist Zero Trust Network Access (ZTNA)?
Was versteht man unter Secure Web Gateways (SWG)?
Was ist ein Cloud Access Security Broker (CASB)?
Was ist eine Cloud Native App Protection Platform (CNAPP)?
Ressourcen zu Zero Trust
Ihre User erhalten nahtlosen, sicheren und zuverlässigen Zugriff auf Anwendungen und Daten.
Zscaler unterstützt die Entwicklung und Ausführung sicherer Cloud-Anwendungen, gewährleistet Cloud-Konnektivität nach dem Zero-Trust-Prinzip und schützt Ihre Workloads im Rechenzentrum genauso zuverlässig wie in der Cloud.
Zscaler bietet Zero-Trust-Konnektivität für IoT- und OT-Geräte sowie sicheren Remotezugriff auf OT-Systeme.
Komplett Cloud-native Services gewährleisten den Erfolg Ihrer digitalen Transformation
Zero-Trust-Lösungen schützen und vernetzen Ihre Ressourcen – für ein ungehindertes Wachstum Ihres Unternehmen
Zuverlässiger Schutz vor Cyberangriffen
Sicherheit für Ihre Daten
Anwendungszugriff mit Zero Trust
Alternative zu VPN
Schnellere Integration bei Fusionen und Übernahmen
Hervorragende digitale Anwendererfahrungen
Zero Trust SD-WAN
Sichere Entwicklungs- und Laufzeitumgebungen
Cloud-Konnektivität mit Zero Trust
Zero Trust für IoT/OT
Zero Trust für privates 5G
Produkte und Lösungen finden
Produkte und Lösungen finden
Erfahren Sie, wie Zscaler mit seiner Cloud-nativen Plattform Zero-Trust-Sicherheit ermöglicht, basierend auf der weltweit größten Security Cloud.
Neuer Schub für Ihren Weg zur Transformation
Erfolgreiche Geschäfts- und IT-Initiativen
Lernen Sie die Tools und Ressourcen kennen, die Sie dabei unterstützen, Ihre Transformation zu beschleunigen und Ihr Unternehmen zu schützen
Jetzt besuchen
Immer die aktuellen Best Practices
Programme, Zertifizierungen und Events
Studien und Erkenntnisse einfach abrufbar
Speziell entwickelte Tools
Austausch und Support
Lösungen für Ihre Branche und Ihr Land
Cloud enclaving is a method of segmenting workloads in a cloud environment to control access as well as secure cloud infrastructure, apps, and sensitive data against self-propagating malware, data breaches, and other attacks. Cloud enclaves use a software-defined perimeter (SDP) to create protected infrastructure in which to deploy access control, trust assessment, certificate management, and more. Cloud enclaving is also called cloud workload segmentation or cloud microsegmentation.
Cloud enclaving is built to meet the needs of modern digital business in a way legacy security solutions aren’t. Let’s put this into historical context to understand why.
Years ago, when applications and data resided in an organization’s on-premises data center—and employees largely worked from those same premises—traditional perimeter-based network security offered a reasonable level of security. Today, globalization and hybrid work have pushed cloud computing to the fore, rendering older models ineffective.
In the cloud, a single organization’s different critical workloads can sit with multiple cloud service providers (e.g., Amazon Web Service [AWS], Microsoft Azure), and users access them over the internet. In practical terms, this means there’s no longer a “network perimeter,” which opens up many more avenues for possible attacks. Cloud enclaving counters this by making room for tailored security policies that limit traffic to and from specific workloads to only what’s explicitly permitted.
An enclave is a portion of a network that’s separated from the rest of the network and governed by granular security policies. The purpose of a secure enclave is to enforce least-privileged access to critical resources as part of a defense-in-depth security strategy.
Network segmentation is best used for north-south traffic (between your environment and locations outside it), while cloud enclaving adds a layer of protection for east-west traffic (server-to-server, app-to-server, web-to-server, and so on inside your environment). Let’s look at both in a little more detail.
Network Segmentation
Compared to a perimeter-based model that only secures a network from the outside, network segmentation is a more nuanced approach. Namely, it divides a network into “subnets” and applies security and compliance protocols to each. Traffic between segments is typically separated using a VLAN before passing through a firewall.
Unfortunately, because this approach is based on IP addresses, it can only identify how a request arrived (i.e., its originating IP address, port, or protocol), not the context or identity of the entity making the request. Communications deemed safe are allowed, even if IT doesn’t know exactly what they are. Then, the entity is trusted once it’s inside a segment—even if they’re a malicious actor looking to move laterally inside the environment.
Network segmentation creates a “flat” network, leaving unprotected pathways that allow attackers to move laterally and compromise workloads in cloud and data center environments. Beyond that, the cost, complexity, and time required to manage network segmentation using legacy firewalls or virtual machines (VMs) tend to outweigh the security benefits.
Cloud Enclaving
Cloud enclaving—that is, cloud-based microsegmentation—enables more granular traffic control while minimizing an organization’s attack surface, achieving segmentation in a way that’s operationally simpler and more secure than network segmentation. It does this by looking beyond IP addresses, ports, and protocols to authenticate requests by identity and context. Furthermore, it delivers granular protection at the level of individual workloads to more effectively control communications between them.
Cloud enclaving not only minimizes insider threats by providing protection much closer to the workloads themselves, but also prevents the spread of outside threats after the perimeter has been breached.
Like network segmentation, cloud enclaving exists to strengthen network and data security in the face of a growing, evolving cyberthreat landscape. Organizations are under threat across regions and industries as cybercriminals develop ever-more sophisticated techniques to evade security measures. To keep up, organizations and their security need to adapt.
An effective cloud-based microsegmentation approach offers:
Cloud enclaving addresses numerous cloud security use cases that traditional approaches simply weren’t built to support. Where network segmentation relies on coarse, management-intensive controls, microsegmentation applies controls to individual workloads, which then follow the workloads throughout your cloud environment. In our world of global hybrid workforces, distributed data, and increasingly clever attacks, cloud enclaving is an essential means of achieving:
Visibility Across Your Environment
Cloud enclaves offer greater context around which your security team can build policies based on application, environment, compliance, and more by focusing on identity instead of only point of origin. This enables your team to create more granular policies, in turn bolstering your security posture.
Protection Across Providers and Deployments
An effective microsegmentation approach secures your workloads consistently across cloud providers, freeing you up to create hybrid and multicloud environments that best suit your budget and deployment needs. Increased flexibility lets you more easily adopt containers, serverless computing, and more.
Reduced Capex and Opex Costs
Cloud enclaving will save both labor and resources in the long run. Rolling out, managing, and maintaining cloud-based microsegmentation is far less expensive, work-intensive, and time-consuming than doing so for firewalls and other hardware.
Zscaler Workload Segmentation™ (ZWS™) is a new way to create secure enclaves in the cloud. With one click, you can enhance security by allowing ZWS to reveal risk and apply identity-based protection to your workloads—without any changes to the network.
ZWS provides gap-free protection with policies that automatically adapt to environmental changes, eliminating your network attack surface. What’s more, Zscaler Workload Segmentation is API-driven, meaning it can integrate with existing security tools and DevOps processes, enabling one-click auto-segmentation.
Built on zero trust, Zscaler allows only verified workloads to communicate in your public, private, or hybrid cloud environment, mitigating risk and offering the highest level of data breach protection.
Zscaler Workload Segmentation includes:
Software Identity-Based Protection
ZWS looks beyond network addresses to verify the secure identity of the communicating application software and workloads in public or private clouds, hybrid clouds, on-premises data centers, or container environments.
Policy Automation Engine
ZWS uses machine learning to automate the entire policy life cycle for microsegmentation and workload protection. There’s no need to build policy manually during deployment or ongoing operations, and ZWS will recommend new or updated policies when apps are added or changed.
Attack Surface Visibility and Measurement
ZWS automatically builds a real-time application topology and dependency map down to the process level. It then highlights the required application paths and compares them to the total available network paths, recommending policies to minimize the attack surface and protect what’s needed.
Request a demo to see for yourself how Zscaler Workload Segmentation enables you to create cloud enclaves to enhance your security.
How Microsegmentation Differs From Network Segmentation
Read the blogOne-Click Zero Trust
Read the data sheetGartner Market Guide for Zero Trust Network Access 2020
Read the guideThe Network Architect’s Guide to Zero Trust Network Access
Read the white paperImplementing Segmentation in Phases
Read the paper
