Truth in IT
    • Sign In
    • Register
        • Videos
        • Channels
        • Pages
        • Galleries
        • News
        • Events
        • All
Truth in IT Truth in IT
  • Data Management ▼
    • Converged Infrastructure
    • DevOps
    • Networking
    • Storage
    • Virtualization
  • Cybersecurity ▼
    • Application Security
    • Backup & Recovery
    • Data Security
    • Identity & Access Management (IAM)
    • Zero Trust
    • Compliance & GRC
    • Endpoint Security
  • Cloud ▼
    • Hybrid Cloud
    • Private Cloud
    • Public Cloud
  • Webinar Library
  • TiPs
  • DRAW

Zscaler: Zero Trust Architecture for WAN Environments Explained

Zscaler
07/10/2026
0 (0%)
Share
  • Comments
  • Download
  • Transcript
Report Like Favorite
  • Share/Embed
  • Email
Link
Embed

Transcript


what Zero Trust can mean in a WAN environment. First of all, if we look at traditional WAN environments, you will see several environments that will be connected to each other with an SD-WAN solution, an MPLS or a combination of them. And these connections ensure that everything can finally talk to each other. There are a few fundamental problems with this approach. First of all, it quickly becomes very complex. If I want to control all those traffic flows, it means that I have to place firewalls locally. These firewalls are very good at protecting their own little thing, but in general, there is very little idea about what happens in the rest of the network. An IP address is an IP address, you don't know exactly what that means. You can start doing things as a NAC to push users specifically into certain groups, but in the end, the problem remains the same. Especially in an environment where an IP address can be one application today and something very different tomorrow. If I start an AWS, there is no guarantee that the IP address will do the same tomorrow. Finally, it also means that all these environments must be routable. This means that I have dependencies based on IP. The IP address here may not exist there, but it has to get there. This means that if I have a new environment with existing addresses, it will be very difficult to connect them. And again, with cloud, this is actually the usual work. What does it look like in a real Zero Trust environment? First of all, we have the Zero Trust Exchange here. It is a central component where all these environments make a connection. For users, this is quite simple. I just have a client, and that client automatically makes a connection with the node closest to it. But I also have solutions for my other environment. First of all, I can build tunnels. Nowadays, we can also use branch connectors in these environments. Or cloud connectors, like AWS, Azure or Google Cloud. They work in the same way as a client. They look for the node closest to it and automatically make a connection. While this is happening, they get their policies. They get to hear what they have to do and what they are allowed to do. And in this way, they can exchange data and talk to the Zero Trust Exchange, so that they can actually make those connections. On the internet, this is fairly straightforward. I just make a connection to the outside world. The internet doesn't really matter what the original IP addresses were here. But of course, I can also make a connection with the applications that are used internally. We have a component there called an App Connector. The App Connector actually functions as a client and is therefore responsible for the connection to the internal application. In most cases, there may not be much need for an office environment to connect internally. But I think that in the case of a factory or a warehouse, if you want to talk to an existing OT, that happens regularly. The advantage is that the branch connector, which we have in a hardware form factor, can also connect the outgoing branch connector at the same time. But it can also host the App Connector. So together, it actually provides bidirectional traffic. The beauty of this solution is first of all that all these connections are actually independent of each other. This means that if I have a certain IP range here, it is not a problem if I use it elsewhere. Instead, we look at DNS and make the connections based on that. This also means that if I build up very flexible environments in the cloud, I can simply connect with them. This also means that if I notice that an application is initially in a data center and then moves to a cloud, I don't actually have to make any adjustments. I just have to make it known on the App Connector and then I can make automatic connections to all my users, as well as all my other environments. In other words, I can make those connections very flexibly and dynamically. I can do that based on performance. I can just see which environment works best for me. I'm going to use that. For offices and other environments where users are located, I will still let those users go to the right. That's easy. Then I just have an identity. I have authentication. I can follow much better. This also means that if those users move to it, I will still keep the context, the history of those users, so that I know very well what the risk profile is and that I also know very well what has been done in the past and whether I might have to take that into account. At the same time, I have an IoT environment here, for example. I'm going to let it run through the branch connector. If it is still necessary that I want to separate those environments further, for example, I have a payment system at the office and I also have a door access system. I have to put that on the network, but I don't necessarily want people to be able to communicate locally with it or even communicate with each other. We have seen in the past that access points were used to take over an environment. To make that possible, we can continue to segment here. And we can actually do that without having an impact on the devices or the network itself. So I don't have to make any further adjustments to my VLAN. I don't have to make any adjustments to my devices. I don't have to install an agent. I just have a solution that looks at the traffic flows, that can position itself in between and can check all those connections. And I can do that both in control environments and in the factories or warehouse environments, where there is more traditional OST. The advantage of the latter is that many of those OT systems are often certified. I don't have to make any adjustments to that. We even have certain fixed settings for things like IP addresses. We can handle that neatly. If you are interested, go to our website www.zscaler.com or contact one of our sales people who would certainly like to discuss this further. Thank you.

TL;DR

  • Traditional WAN architectures using SD-WAN and MPLS create complexity through IP-based dependencies and isolated firewall management that lacks holistic network visibility.
  • The Zero Trust Exchange eliminates IP address conflicts by using DNS-based connections, allowing overlapping address ranges across different environments without routing conflicts.
  • Branch connectors and cloud connectors establish outbound connections to the nearest Zscaler node, receiving policies dynamically while enabling bidirectional traffic when combined with App Connectors.
  • IoT and OT environments can be segmented without network changes, VLAN modifications, or agent installation—critical for certified OT systems with fixed IP configurations.

Traditional WAN Challenges and Complexity

This presentation examines the fundamental limitations of traditional WAN architectures that rely on SD-WAN, MPLS, or hybrid connectivity approaches. The speaker explains how these legacy designs create inherent complexity when attempting to control traffic flows, requiring local firewalls at each location that operate in isolation without broader network visibility. A critical issue highlighted is the dynamic nature of IP addresses in modern cloud environments—an IP address that represents one application today may serve an entirely different purpose tomorrow, particularly in AWS and similar platforms. This IP-based dependency creates significant challenges when connecting new environments with overlapping address spaces, a scenario that has become commonplace in cloud-native operations.

Zero Trust Exchange Architecture

The Zero Trust Exchange serves as a central connectivity hub where all environments establish outbound connections rather than requiring inbound network access. Users connect via lightweight clients that automatically find the nearest node, while branch locations can leverage branch connectors or cloud connectors for AWS, Azure, and Google Cloud. These connectors function similarly to user clients—they discover the closest node, establish connections, and receive their policies dynamically. The App Connector component enables secure access to internal applications without exposing them to the network, functioning as a client responsible for application-side connectivity. This architecture eliminates IP address dependencies by using DNS-based connections, enabling flexible scenarios where applications can migrate from data centers to cloud environments without requiring connectivity changes.

Chapters

0:00 - Introduction
0:16 - Traditional WAN Problems
1:55 - Zero Trust Exchange Overview
3:12 - App Connector Functionality
4:01 - IP Independence Benefits
5:21 - IoT and OT Segmentation
6:50 - Call to Action

Key Quotes

0:52 "These firewalls are very good at protecting their own little thing, but in general, there is very little idea about what happens in the rest of the network."
1:23 "If I start an AWS, there is no guarantee that the IP address will do the same tomorrow."
4:33 "If I notice that an application is initially in a data center and then moves to a cloud, I don't actually have to make any adjustments."
6:06 "So I don't have to make any further adjustments to my VLAN. I don't have to make any adjustments to my devices. I don't have to install an agent."

FAQ

How does Zscaler handle environments with overlapping IP address ranges?

The Zero Trust Exchange makes connections independent of IP addresses by using DNS-based resolution instead. This means the same IP range can exist in multiple environments without conflict, as the system doesn't rely on traditional IP routing between locations.

Can OT systems with fixed IP configurations be protected without modifications?

Yes, the segmentation solution inspects traffic flows and positions itself inline without requiring changes to devices, VLANs, or agent installation. This is particularly valuable for certified OT systems where configuration changes are prohibited or impractical.


Categories:
  • » Webinar Library » Zscaler
  • » Cybersecurity » Network Security
  • » Cybersecurity » Zero Trust
  • » Data Protection
Channels:
News:
Events:
Tags:
  • Zero Trust
  • SASE
  • SSE
  • Network Security
  • OT
  • IoT Security
  • Technical Deep Dive
  • Zero Trust Architecture
  • WAN Transformation
  • SD-WAN Limitations
  • Cloud Connectivity
  • Branch Connectors
  • App Connectors
  • IoT Segmentation
  • OT Security
  • DNS-Based Networking
Show more Show less

Browse videos

  • Related
  • Featured
  • By date
  • Most viewed
  • Top rated
  •  

              Video's comments: Zscaler: Zero Trust Architecture for WAN Environments Explained

              Upcoming Webinar Calendar

              • 07/14/2026
                01:00 PM
                07/14/2026
                Crafting a Championship-Worthy Security Team for Unmatched Defense
                https://www.truthinit.com/index.php/channel/2025/crafting-a-championship-worthy-security-team-for-unmatched-defense/
              • 07/14/2026
                02:00 PM
                07/14/2026
                Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data
                https://www.truthinit.com/index.php/channel/2037/understanding-the-crucial-role-of-context-in-safeguarding-ai-accessible-data/
              • 07/21/2026
                04:00 AM
                07/21/2026
                Strategies for Managing AI Governance and Securing App-to-LLM API Traffic
                https://www.truthinit.com/index.php/channel/1967/strategies-for-managing-ai-governance-and-securing-app-to-llm-api-traffic/
              • 07/22/2026
                06:30 AM
                07/22/2026
                Insights and Strategies for Effective Data Privacy and Protection
                https://www.truthinit.com/index.php/channel/2000/insights-and-strategies-for-effective-data-privacy-and-protection/
              • 07/22/2026
                01:00 PM
                07/22/2026
                Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue
                https://www.truthinit.com/index.php/channel/2029/insights-from-attackers-during-the-fifa-world-cup-a-human-dialogue/
              • 07/28/2026
                01:00 PM
                07/28/2026
                Illumio + Netskope: Zero Trust in the Age of AI Autonomy
                https://www.truthinit.com/index.php/channel/2031/illumio-netskope-zero-trust-in-the-age-of-ai-autonomy/
              • 07/29/2026
                04:00 AM
                07/29/2026
                Real-Time Strategies for Safeguarding Against Prompt Injections
                https://www.truthinit.com/index.php/channel/1968/real-time-strategies-for-safeguarding-against-prompt-injections/
              • 07/29/2026
                12:00 PM
                07/29/2026
                Unified Data Security in Action: Uncover, Analyze, and Resolve Threats
                https://www.truthinit.com/index.php/channel/2045/unified-data-security-in-action-uncover-analyze-and-resolve-threats/
              • 07/29/2026
                01:00 PM
                07/29/2026
                Ask Your Cloud Anything: Unlocking Governance Silos in your Environments
                https://www.truthinit.com/index.php/channel/2048/ask-your-cloud-anything-unlocking-governance-silos-in-your-environments/
              • 08/19/2026
                12:00 PM
                08/19/2026
                Becoming Agent Ready: Insights from Cyera's Expertise
                https://www.truthinit.com/index.php/channel/2036/becoming-agent-ready-insights-from-cyeras-expertise/
              • 09/30/2026
                04:00 AM
                09/30/2026
                AI Command Center: Optimizing Visibility and Control in Your Operations
                https://www.truthinit.com/index.php/channel/2024/ai-command-center-optimizing-visibility-and-control-in-your-operations/

              Upcoming Events

              • Jul
                14

                Crafting a Championship-Worthy Security Team for Unmatched Defense

                07/14/202601:00 PM ET
                • Jul
                  14

                  Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data

                  07/14/202602:00 PM ET
                  • Jul
                    21

                    Strategies for Managing AI Governance and Securing App-to-LLM API Traffic

                    07/21/202604:00 AM ET
                    • Jul
                      22

                      Insights and Strategies for Effective Data Privacy and Protection

                      07/22/202606:30 AM ET
                      • Jul
                        22

                        Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue

                        07/22/202601:00 PM ET
                        More events
                        Truth in IT
                        • Sponsor
                        • About Us
                        • Terms of Service
                        • Privacy Policy
                        • Contact Us
                        • Preference Management
                        Desktop version
                        Standard version