Experience the transformative power of zero trust.
Get the full report
What is Zero Trust?
What is Security Service Edge (SSE)?
What is Secure Access Service Edge (SASE)?
What is Zero Trust Network Access (ZTNA)?
What is Secure Web Gateway (SWG)?
What is Cloud Access Security Broker (CASB)?
What is a Cloud Native Application Protection Platform (CNAPP)?
Zero Trust Resources
Provide users with seamless, secure, reliable access to applications and data.
Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud.
Provide zero trust connectivity for IoT and OT devices and secure remote access to OT systems.
Transform your organization with 100% cloud native services
Propel your business with zero trust solutions that secure and connect your resources
Stop Cyberattacks
Protect Data
Zero Trust App Access
VPN Alternative
Accelerate M&A Integration
Optimize Digital Experiences
Zero Trust SD-WAN
Build and Run Secure Cloud Apps
Zero Trust Cloud Connectivity
Zero Trust for IoT/OT
Zero Trust for Private 5G
Find a product or solution
Find a product or solution
Learn how Zscaler delivers zero trust with a cloud native platform built on the world’s largest security cloud.
Propel your transformation journey
Achieve your business and IT initiatives
Explore tools and resources to accelerate your transformation and secure your world
Visit now
Stay up to date on best practices
Find programs, certifications, and events
Get research and insights at your fingertips
Tools designed for you
Connect and find support
See solutions for your industry and country
Cloud enclaving is a method of segmenting workloads in a cloud environment to control access as well as secure cloud infrastructure, apps, and sensitive data against self-propagating malware, data breaches, and other attacks. Cloud enclaves use a software-defined perimeter (SDP) to create protected infrastructure in which to deploy access control, trust assessment, certificate management, and more. Cloud enclaving is also called cloud workload segmentation or cloud microsegmentation.
Cloud enclaving is built to meet the needs of modern digital business in a way legacy security solutions aren’t. Let’s put this into historical context to understand why.
Years ago, when applications and data resided in an organization’s on-premises data center—and employees largely worked from those same premises—traditional perimeter-based network security offered a reasonable level of security. Today, globalization and hybrid work have pushed cloud computing to the fore, rendering older models ineffective.
In the cloud, a single organization’s different critical workloads can sit with multiple cloud service providers (e.g., Amazon Web Service [AWS], Microsoft Azure), and users access them over the internet. In practical terms, this means there’s no longer a “network perimeter,” which opens up many more avenues for possible attacks. Cloud enclaving counters this by making room for tailored security policies that limit traffic to and from specific workloads to only what’s explicitly permitted.
An enclave is a portion of a network that’s separated from the rest of the network and governed by granular security policies. The purpose of a secure enclave is to enforce least-privileged access to critical resources as part of a defense-in-depth security strategy.
Network segmentation is best used for north-south traffic (between your environment and locations outside it), while cloud enclaving adds a layer of protection for east-west traffic (server-to-server, app-to-server, web-to-server, and so on inside your environment). Let’s look at both in a little more detail.
Network Segmentation
Compared to a perimeter-based model that only secures a network from the outside, network segmentation is a more nuanced approach. Namely, it divides a network into “subnets” and applies security and compliance protocols to each. Traffic between segments is typically separated using a VLAN before passing through a firewall.
Unfortunately, because this approach is based on IP addresses, it can only identify how a request arrived (i.e., its originating IP address, port, or protocol), not the context or identity of the entity making the request. Communications deemed safe are allowed, even if IT doesn’t know exactly what they are. Then, the entity is trusted once it’s inside a segment—even if they’re a malicious actor looking to move laterally inside the environment.
Network segmentation creates a “flat” network, leaving unprotected pathways that allow attackers to move laterally and compromise workloads in cloud and data center environments. Beyond that, the cost, complexity, and time required to manage network segmentation using legacy firewalls or virtual machines (VMs) tend to outweigh the security benefits.
Cloud Enclaving
Cloud enclaving—that is, cloud-based microsegmentation—enables more granular traffic control while minimizing an organization’s attack surface, achieving segmentation in a way that’s operationally simpler and more secure than network segmentation. It does this by looking beyond IP addresses, ports, and protocols to authenticate requests by identity and context. Furthermore, it delivers granular protection at the level of individual workloads to more effectively control communications between them.
Cloud enclaving not only minimizes insider threats by providing protection much closer to the workloads themselves, but also prevents the spread of outside threats after the perimeter has been breached.
Like network segmentation, cloud enclaving exists to strengthen network and data security in the face of a growing, evolving cyberthreat landscape. Organizations are under threat across regions and industries as cybercriminals develop ever-more sophisticated techniques to evade security measures. To keep up, organizations and their security need to adapt.
An effective cloud-based microsegmentation approach offers:
Cloud enclaving addresses numerous cloud security use cases that traditional approaches simply weren’t built to support. Where network segmentation relies on coarse, management-intensive controls, microsegmentation applies controls to individual workloads, which then follow the workloads throughout your cloud environment. In our world of global hybrid workforces, distributed data, and increasingly clever attacks, cloud enclaving is an essential means of achieving:
Visibility Across Your Environment
Cloud enclaves offer greater context around which your security team can build policies based on application, environment, compliance, and more by focusing on identity instead of only point of origin. This enables your team to create more granular policies, in turn bolstering your security posture.
Protection Across Providers and Deployments
An effective microsegmentation approach secures your workloads consistently across cloud providers, freeing you up to create hybrid and multicloud environments that best suit your budget and deployment needs. Increased flexibility lets you more easily adopt containers, serverless computing, and more.
Reduced Capex and Opex Costs
Cloud enclaving will save both labor and resources in the long run. Rolling out, managing, and maintaining cloud-based microsegmentation is far less expensive, work-intensive, and time-consuming than doing so for firewalls and other hardware.
Zscaler Workload Segmentation™ (ZWS™) is a new way to create secure enclaves in the cloud. With one click, you can enhance security by allowing ZWS to reveal risk and apply identity-based protection to your workloads—without any changes to the network.
ZWS provides gap-free protection with policies that automatically adapt to environmental changes, eliminating your network attack surface. What’s more, Zscaler Workload Segmentation is API-driven, meaning it can integrate with existing security tools and DevOps processes, enabling one-click auto-segmentation.
Built on zero trust, Zscaler allows only verified workloads to communicate in your public, private, or hybrid cloud environment, mitigating risk and offering the highest level of data breach protection.
Zscaler Workload Segmentation includes:
Software Identity-Based Protection
ZWS looks beyond network addresses to verify the secure identity of the communicating application software and workloads in public or private clouds, hybrid clouds, on-premises data centers, or container environments.
Policy Automation Engine
ZWS uses machine learning to automate the entire policy life cycle for microsegmentation and workload protection. There’s no need to build policy manually during deployment or ongoing operations, and ZWS will recommend new or updated policies when apps are added or changed.
Attack Surface Visibility and Measurement
ZWS automatically builds a real-time application topology and dependency map down to the process level. It then highlights the required application paths and compares them to the total available network paths, recommending policies to minimize the attack surface and protect what’s needed.
Request a demo to see for yourself how Zscaler Workload Segmentation enables you to create cloud enclaves to enhance your security.
How Microsegmentation Differs From Network Segmentation
Read the blogOne-Click Zero Trust
Read the data sheetGartner Market Guide for Zero Trust Network Access 2020
Read the guideThe Network Architect’s Guide to Zero Trust Network Access
Read the white paperImplementing Segmentation in Phases
Read the paper
