Zscaler goes east-west with the acquisition of Airgap Networks

This syndicated post originally appeared at Zeus Kerravala – SiliconANGLE.

With Zscaler Inc.’s announced acquisition today of startup Airgap Networks Inc., a network access and segmentation tech provider, the cybersecurity provider is looking to address gaps in operational technology.

No financial terms for the purchase were provided, but Airgap has raised a little over $13 million since it was founded in 2019, so the deal is likely under $100 million. Recently, I spoke with Naresh Kumar, vice president and general manager of product management at Zscaler, to review the acquisition details. He put the deal in perspective.

Bringing zero trust to the LAN

“It’s all about addressing the gaps, and there is a big gap with OT networks,” he told me. “We brought zero trust to the WAN in January. Zscaler is a solid north-south solution to protect all applications accessing the internet, SaaS, cloud and private applications. But what about the traffic that stays east-west? That is more of a challenge on campus, in large data centers, and very often in a factory and client scenario where all the IT networks coexist and have a specific critical infrastructure.”

For Kumar, Zscaler’s challenge was bringing zero trust to the LAN and eliminating the east-west firewalls. “On the LAN side, you predominantly don’t have a zero-trust approach because you’re able to do MAC-based controls at the ACLs on the switches,” he told me. “And sometimes, you do it at the firewall layer if it is at a subnet level. These are the only two enforcement points, and neither has any notion of zero trust.”

Segmentation using firewalls and NAC has been the de facto standard for years, but this approach has many problems. First, firewalls are extremely expensive, and using them to protect east-west traffic is overkill. Second, this approach can be adequate only if you have an environment that doesn’t change much. As soon as you start making changes, it can be next to impossible to keep up with, and almost every business I talk to today has a highly dynamic network. Mobile, OT, IoT, cloud and other trends require constant network changes, which can make legacy segmentation useless.

Kumar said those are the traditional challenges with any segmentation product. But he saw a secondary challenge apart from zero trust. “These segmentation solutions could not work on critical infrastructure and other campus environments because there is a need for an agent,” he said. “They always needed to go deep into a micro level at the process. For that, you need to analyze traffic, and dynamic environments pose a significant challenge.”

Acquiring Airgap’s unique approach

But is there a way to do that without changing the network state? That’s where Airgap comes in. “You still keep your switches doing what they’re doing at a VLAN level, yet provide an overlay level on top, which is what Airgap is very good at,” he told me. “They create an overlay of a segment-of-one approach to enforce that east-west access and act as a gateway, which is the modern way of doing the same access.”

Kumar told me that this overlay capability was the critical one Zscaler was interested in with the Airgap acquisition. The company says that the way static ACLs work within NAC and network-based firewalls to control east-west traffic needs to be reimagined to avoid the lateral movement of sophisticated threats within a LAN.

Airgap uses a unique method — an intelligent DHCP proxy architecture that can isolate devices and control access based on identity and context. The company says this reduces risk for enterprises with critical infrastructure.

Zscaler outlined several ways in which the acquisition will benefit customers, including:

  • Zero trust in the LAN: Airgap’s zero-trust principles applied across east-west traffic can reduce the internal attack surface, which should eliminate lateral movement of threats across campus and OT networks.
  • Securing IoT and OT: The company says that Airgap’s real-time device discovery and inline enforcement act as a ransomware kill switch, neutralizing advanced threats like ransomware on IoT devices, OT systems and agent-incapable devices.
  • Simplicity: The solution eliminates the need for east-west firewalls and outmoded tech like NACs.

The term “OT” was once considered something only a handful of industries, such as oil and gas, warehousing and manufacturing, needed to be concerned with. With the rise of smart buildings and more connected “things,” OT is everywhere. Most LED lighting systems are now PoE-connected and often serve as hubs for other facilities systems, such as badge readers, AC systems and environmental controls.

The main challenge: integration

This is an interesting acquisition by Zscaler, and it extends its argument as the leader in zero trust for networks. Integrating acquisitions is always challenging, but it should be a relatively easy lift because Zscaler has identified the niches it expects Airgap to fill.

I’m intrigued to see this acquisition play out and look forward to seeing how well the integration proceeds. The harsh reality is that implementing zero trust for north-south and east-west independently can lead to inconsistent policies that create blind spots. This, of course, results in breaches. By bringing these together, Zscaler creates a single approach to zero trust, which significantly simplifies the job of security operations.

Author: Zeus Kerravala

Zeus Kerravala is the founder and principal analyst with ZK Research. Kerravala provides a mix of tactical advice to help his clients in the current business climate and long-term strategic advice.