With the Acquisition of Airgap Networks, Zscaler Goes from East to West

With Zscaler Inc.’s announcement today that it has acquired the startup Airgap Networks Inc., a provider of network access and segmentation technology, the cybersecurity provider aims to address gaps in operational technology.

No financial terms were disclosed for the purchase, but Airgap has raised just over $13 million since its founding in 2019, so the deal is likely under $100 million. I recently spoke with Naresh Kumar, vice president and general manager of product management at Zscaler, to discuss the details of the acquisition. He put the deal into perspective.

Bring Zero Trust to the LAN

“It’s about bridging the gaps, and there is a big gap in OT networks,” he told me. “We brought Zero Trust to the WAN in January. Zscaler is a solid north-south solution for protecting all applications accessing the Internet, SaaS, cloud and private applications. But what about the traffic that stays east-west? This is more challenging on campus, in large data centers and very often in a factory and customer scenario where all IT networks coexist and have specific critical infrastructure.”

For Kumar, Zscaler’s challenge was to bring zero trust to the LAN and eliminate the east-west firewalls. “On the LAN side, there is mostly no zero trust approach because you can do MAC-based controls on the ACLs of the switches,” he told me. “And sometimes you do this at the firewall level if it’s a subnet level. These are the only two points of enforcement, and there is no notion of zero trust on either of them.”

Segmentation using firewalls and NAC has been the de facto standard for years, but this approach has many problems. First, firewalls are extremely expensive, and using them to protect east-west traffic is overkill. The approach may be adequate in an environment where not much changes. But once you start making changes, it can be almost impossible to keep up, and almost every company I talk to today has a highly dynamic network. Mobile, OT, IoT, cloud and other trends require constant network changes that can render legacy segmentation useless.

Kumar said these are the traditional challenges in any segmentation product. But he saw a second challenge besides zero trust. “These segmentation solutions may not work in critical infrastructure and other campus environments because they require an agent,” he said. “You always had to go deep into the process on a micro level. This requires analyzing traffic, and dynamic environments present a major challenge.”

Adopting Airgap’s unique approach

But is there a way to do this without changing the network state? This is where Airgap comes into play. “You keep your switches doing what they do at the VLAN level, but provide an overlay layer on top of that, and that’s what Airgap is very good at,” he told me. “They create an overlay of a segment of an approach to enforce east-west access and act as a gateway, which is the modern way of providing the same access.”

Kumar told me that this was the critical feature he was interested in when acquiring Airgap. The company says the way static ACLs work within NAC and network-based firewalls to control east-west traffic needs to be reconsidered to prevent sophisticated threats from moving laterally within a LAN.

Airgap uses a unique method – an intelligent DHCP proxy architecture that can isolate devices and control access based on identity and context. The company says this reduces risk for critical infrastructure companies.

Zscaler explained several ways the acquisition will benefit customers, including:

  • Zero Trust on the LAN: Airgap’s Zero Trust principles applied to east-west traffic can reduce the internal attack surface, which should prevent lateral spread of threats across campus and OT networks.
  • Securing IoT and OT: The company says Airgap’s real-time device detection and inline enforcement act as a ransomware kill switch, neutralizing advanced threats such as ransomware on IoT devices, OT systems and devices that cannot run an agent.
  • Simplicity: The solution eliminates the need for east-west firewalls and legacy technologies like NACs.

The term “OT” was once considered something that only a handful of industries such as oil and gas, warehousing and manufacturing had to deal with. With the advent of smart buildings and more connected “things,” OT is ubiquitous. Most LED lighting systems are now connected to PoE and often act as hubs for other facilities such as ID card readers, air conditioning and environmental controls.

The biggest challenge: integration

This is an exciting acquisition for Zscaler and strengthens its position as a leader in Zero Trust for networks. Integrating acquisitions is always a challenge, but this one should be relatively easy since Zscaler has identified the niches that Airgap is expected to fill.

I am excited to see how this acquisition progresses and look forward to seeing how well the integration progresses. The harsh reality is that implementing Zero Trust independently for north-south and east-west traffic can result in inconsistent policies that lead to blind spots. That, in turn, leads to breaches. By bringing these elements together, Zscaler has created a unified zero trust approach that significantly simplifies security work.

Zeus Kerravala is a Principal Analyst at ZK Research, a division of Kerravala Consulting. He wrote this article for SiliconANGLE.
