Zscaler today extended its zero-trust security to public cloud workloads and applications.
The new Workload Communications capability, which is built into Zscaler’s existing Zero Trust Exchange security platform, helps customers tackle the next challenge they face in rolling out zero-trust security across their organization, said Rich Campagna, Zscaler SVP of cloud protection.
Adopting a zero-trust framework, as the name suggests, requires companies to trust no one and assume breach. So instead of trusting users, devices, or networks by default, a zero-trust approach uses identity and behavior to continually verify users and devices, and it restricts data and access on a least-privilege basis.
“The pandemic pushed discussion — and certainly adoption — around zero trust,” Campagna said. “What’s happened in the last almost two-year time period is that people have started to recognize the security and operational benefits of adopting this kind of model.”
Zscaler built its security platform on top of a distributed, secure access service edge (SASE) architecture. Early in the COVID-19 pandemic, customers used this platform to connect their newly remote employees to corporate resources from home networks and devices, Campagna added.
“But the pandemic has also dramatically accelerated cloud transformation for a lot of organizations,” he said. “When they look at their cloud connectivity requirements, they see the same challenges that they saw a few years ago on the user side now manifesting themselves in the specific communication needs of their public cloud workloads.”
Zero Trust for Public Cloud Workloads

That’s where Workload Communications, which is generally available, comes into play. It’s a piece of Zscaler’s larger Cloud Protection feature, which automates protection for workloads on and between any cloud platform.
The new cloud-delivered service extends Zscaler’s secure internet and web gateway — called Zscaler Internet Access or ZIA — and its private app segmentation service — called Zscaler Private Access or ZPA — to public cloud workloads. It secures workload communications over any network, including the internet and SD-WAN, and supports Amazon Web Services, Microsoft Azure, and Google Cloud Platform.
Workload Communications has three primary use cases. First, it secures application-to-internet communications via ZIA policies that include data loss prevention and threat prevention. Second, it secures application-to-application communications across multicloud environments using ZPA policies, so that one workload reaches another through a brokered, policy-checked connection rather than over a routed network path. Third, it secures workload-to-workload communications inside a single cloud, virtual private cloud, or data center using a combination of macro- and microsegmentation: policy is tied to the verified identity of the software, not to its IP address, so that only explicitly permitted applications can talk to one another and any other connection attempt is blocked.
The new service simplifies multicloud security and connectivity, Campagna said.
“It’s very easy to do: Just port traffic via a simple Zscaler component that they install in their cloud environment,” he explained. “And what we’re able to do is eliminate dozens, in many cases, of firewalls, VPN appliances, homegrown proxy appliances, and complexity around things like routing and peering across cloud environments.”
It also helps customers move closer toward zero-trust security across their entire IT landscape by shrinking their exposed attack surface, Campagna added. “Because we’re not extending network connectivity into these various different cloud environments for workloads, we’re cutting down on the risk of lateral threat movement as well,” he said. “So instead of extending full network access, we’re allowing a workload only to access those other workload components that are absolutely required for it to get its job done.”