Why Look Beyond Zscaler?
Zscaler is built for cloud-first environments. It routes traffic through its global cloud to inspect and secure connections between users and SaaS applications. That model works for office workers accessing cloud apps. It does not work for:
- Industrial control systems that cannot tolerate routing traffic off-site
- On-premise infrastructure where data sovereignty is non-negotiable
- OT networks with legacy devices that have no endpoint agent support
If your security perimeter includes PLCs, SCADA systems, or air-gapped segments, you need a solution designed for that reality.
Comparison at a Glance
| Criteria | Zscaler | Trout Access Gate | Palo Alto Prisma/NGFW | Fortinet Security Fabric |
|---|---|---|---|---|
| Deployment | Cloud-only | On-premise appliance | Hybrid (cloud + on-prem) | On-premise + cloud |
| Agent required | Yes (Zscaler Client Connector) | No (network-based enforcement) | Yes (GlobalProtect) | Optional (FortiClient) |
| Zero Trust model | Identity + cloud proxy | Network-based, Layer 3 micro-segmentation | Identity + NGFW policies | NAC + firewall rules |
| OT/ICS support | Limited; no native OT protocol handling | Purpose-built for OT/IT convergence | Available via IoT Security add-on | FortiGate Rugged for OT |
| Legacy device support | Requires agent; excludes most legacy devices | Agentless; works with any IP-connected device | Partial; depends on agent compatibility | FortiNAC handles unmanaged devices |
| CMMC / NIS2 compliance | Partial coverage | Built-in compliance mapping | Available with additional configuration | Available with FortiAnalyzer |
| Latency impact | Traffic routed through cloud PoPs | Local enforcement, no cloud round-trip | Varies by deployment model | Local with on-prem appliances |
| Typical use case | Remote workforce accessing SaaS | Factories, defense, critical infrastructure | Large enterprise hybrid environments | Campus and branch networks |
Key takeaway: If your environment includes devices that cannot run an endpoint agent (PLCs, HMIs, sensors, legacy servers), cloud-proxy solutions like Zscaler leave significant blind spots. Network-based zero trust closes that gap.
Where Zscaler Falls Short in Industrial Settings
No Coverage Without an Agent
Zscaler's policy model assumes the Zscaler Client Connector agent on every endpoint it identifies. In an industrial environment this is a fundamental problem: PLCs, RTUs, HMIs, and many embedded systems cannot run third-party software. Traffic from such devices can at best be forwarded to Zscaler from a site edge over a GRE or IPsec tunnel, which carries no per-device identity, so the devices themselves stay outside the identity-based policy Zscaler applies to agent-equipped endpoints.
Technical detail: Most OT devices run proprietary or stripped-down RTOS firmware. They expose no standard OS API for agent installation. Even where agents are technically possible (e.g., Windows-based HMIs), installing additional software may void equipment warranties or violate change management policies.
Cloud Round-Trip Adds Latency
Zscaler forwards user traffic through its Security Cloud. For a sales team using Salesforce, the detour is harmless. For a SCADA server polling field devices at sub-second intervals, any path forced through a cloud PoP (for example, an operator reaching a remote site over ZPA) adds a round-trip of roughly 20-80 ms depending on PoP distance, enough to cause timeouts, missed polls, or control instability. A poll loop also needs a deterministic path; one that depends on an internet link and a remote PoP is neither deterministic nor available during a WAN outage.
Data Sovereignty and Air-Gap Requirements
Defense contractors subject to CMMC, energy operators under NIS2, and manufacturers handling CUI often require that network traffic never leave the facility perimeter. Because Zscaler performs inspection in its own cloud, traffic must leave the site by design; no configuration keeps it inside the perimeter.
Alternatives in Detail
Trout Access Gate
The Trout Access Gate is a physical on-premise appliance that enforces zero trust at the network level. No agent installation. No cloud dependency. Security policies are applied based on network identity, device posture, and traffic patterns rather than endpoint software.
How it works:
- Sits inline or as a gateway between network segments
- Enforces micro-segmentation at Layer 3, creating isolated zones for OT, IT, and DMZ traffic
- Authenticates and authorizes every connection attempt between segments
- Logs all cross-segment communication for audit and compliance
Technical detail: Because enforcement happens at the network layer, the Access Gate protects devices regardless of their OS, firmware, or age. A 20-year-old PLC gets the same zero-trust protection as a modern workstation. There is no software to deploy, no compatibility matrix to check, and no maintenance window required on the endpoint side. The unit of protection is the segment, though: traffic between two devices inside the same zone never reaches the gate, so zones must be drawn small enough that a compromised host cannot reach critical devices without crossing a boundary.
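The following is an added illustration of the enforcement model described above, not code from Trout or from this page: a default-deny allowlist evaluated between segments using only network identity (source address and zone), with every cross-segment attempt written to an audit log. The zone layout, the two rules, and the connection attempts are constructed for the example.

```python
# Added example (not Trout's product code): a minimal model of network-layer
# zero-trust enforcement between segments. Zones, rules and the connection
# attempts below are constructed for illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One explicit allow for connections initiated from src_zone into dst_zone."""
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int
    src_hosts: Optional[frozenset] = None   # if set, only these source IPs may use the rule


# Hypothetical segment layout for a small plant.
ZONES = {
    "OT":  ip_network("10.10.0.0/16"),   # PLCs, RTUs, HMIs
    "DMZ": ip_network("10.30.0.0/24"),   # SCADA server / historian
    "IT":  ip_network("10.20.0.0/16"),   # office workstations
}

# Explicit allowlist. Any cross-segment connection not listed here is denied.
RULES = [
    # Only the SCADA server may open Modbus/TCP sessions into the OT zone.
    Rule("DMZ", "OT", "tcp", 502, src_hosts=frozenset({"10.30.0.10"})),
    # Office users may read dashboards served from the DMZ over HTTPS.
    Rule("IT", "DMZ", "tcp", 443),
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its segment, or None if it belongs to no known zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> tuple:
    """Return (decision, reason) for a connection attempt seen by the gate.

    The gate only mediates traffic that crosses a segment boundary. The identity
    it uses is the device's network identity (address and zone), so the decision
    never depends on software running on the endpoint.
    """
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return "deny", "address outside every known segment"
    if src_zone == dst_zone:
        return "allow", "intra-segment traffic is not mediated by the gate"
    for r in RULES:
        if (r.src_zone, r.dst_zone, r.proto, r.dst_port) != (src_zone, dst_zone, proto, dst_port):
            continue
        if r.src_hosts is not None and src_ip not in r.src_hosts:
            continue
        return "allow", f"rule {src_zone}->{dst_zone} {proto}/{dst_port}"
    return "deny", f"no rule permits {src_zone}->{dst_zone} {proto}/{dst_port}"


@dataclass
class AccessGate:
    """Inline enforcement point that records every cross-segment attempt."""
    audit_log: list = field(default_factory=list)

    def connect(self, src_ip: str, dst_ip: str, proto: str, dst_port: int) -> str:
        decision, reason = evaluate(src_ip, dst_ip, proto, dst_port)
        if zone_of(src_ip) != zone_of(dst_ip):     # cross-segment: always logged
            self.audit_log.append({
                "src": src_ip, "src_zone": zone_of(src_ip),
                "dst": dst_ip, "dst_zone": zone_of(dst_ip),
                "proto": proto, "dst_port": dst_port,
                "decision": decision, "reason": reason,
            })
        return decision


def demo() -> list:
    """Run constructed connection attempts through the gate; return the audit log."""
    gate = AccessGate()
    attempts = [
        ("10.30.0.10", "10.10.1.5", "tcp", 502),    # SCADA server polls a PLC: allowed
        ("10.30.0.11", "10.10.1.5", "tcp", 502),    # other DMZ host tries Modbus: denied
        ("10.20.0.7", "10.10.1.5", "tcp", 502),     # IT workstation straight to a PLC: denied
        ("10.10.1.5", "10.30.0.10", "tcp", 502),    # PLC initiating toward the DMZ: denied
        ("10.20.0.7", "10.30.0.10", "tcp", 443),    # IT user to dashboard: allowed
        ("192.168.1.9", "10.10.1.5", "tcp", 502),   # unknown address: denied
    ]
    for a in attempts:
        gate.connect(*a)
    return gate.audit_log


if __name__ == "__main__":
    for e in demo():
        print(f"{e['decision']:5} {e['src']:>12} -> {e['dst']:<12} {e['proto']}/{e['dst_port']}  {e['reason']}")
```

Two points the model makes explicit: rules are directional (the PLC initiating toward the DMZ is denied even though the reverse is allowed), and an address that belongs to no defined zone is denied rather than treated as "internal". Both are properties an auditor will ask about when reviewing segmentation evidence.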
Compliance alignment:
- Maps directly to CMMC Level 2 practices for access control (AC), audit (AU), and system/communications protection (SC)
- Supports NIS2 requirements for network segmentation and incident detection
- Generates audit-ready logs without additional SIEM configuration
Palo Alto Networks
Palo Alto offers both cloud (Prisma Access) and on-premise (PA-Series NGFW) options. Their approach combines identity-based policies with next-generation firewall inspection.
Strengths:
- Prisma Access supports hybrid deployment, bridging cloud and on-prem
- Cortex XSOAR provides orchestration across IT and OT security tools
- IoT Security module can discover and classify unmanaged devices
Limitations for industrial use:
- Full zero trust relies on GlobalProtect agent deployment
- IoT Security is an add-on module with separate licensing
- OT protocol inspection requires specific Threat Prevention subscriptions
- Complex multi-product stack increases operational overhead
Fortinet Security Fabric
Fortinet covers on-premise security with a broad product portfolio. FortiGate firewalls handle segmentation; FortiNAC manages device access control.
Strengths:
- FortiGate Rugged series is designed for harsh industrial environments (temperature, vibration, DIN rail mounting)
- FortiNAC provides agentless device profiling and access control
- Single-vendor stack simplifies procurement
Limitations for industrial use:
- Zero trust requires assembling multiple Fortinet products (FortiGate + FortiNAC + FortiAnalyzer + FortiManager)
- Compliance reporting requires FortiAnalyzer with custom report configuration
- OT-specific features are spread across different product lines
What to Evaluate When Choosing
Not all "zero trust" solutions deliver the same thing. Here is what matters for on-premise and industrial environments:
1. Can it protect devices that cannot run agents? This is the single most important question for OT environments. If the answer is "no" or "partially," you will have coverage gaps on your most critical assets.
2. Does enforcement happen locally? Cloud-routed security adds latency and creates a dependency on internet connectivity. For industrial systems, local enforcement is not optional.
3. How does it handle compliance evidence? CMMC and NIS2 auditors need logs, access records, and segmentation proof. Look for solutions that generate this evidence natively rather than requiring a separate logging infrastructure.
Technical detail: CMMC Level 2 requires 110 practices across 14 domains, the control families of NIST SP 800-171. Network segmentation and access control alone cover practices in AC (Access Control), SC (System and Communications Protection), and AU (Audit and Accountability). A solution that addresses these at the network layer reduces the number of point products needed for compliance.
4. What is the deployment footprint? A single appliance that handles segmentation, access control, and logging is operationally simpler than a four-product stack that requires integration, cross-licensing, and separate management consoles.
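As an added worked example of question 1 (and of the "map your unmanaged devices" step in the conclusion), not code from the page or any vendor: given a constructed asset inventory that records which devices can run an agent, and constructed flow records of the kind a span-port capture would yield, the script counts the flows an endpoint-agent model cannot see, counts the flows a segment gateway would mediate, flags flows that neither model covers, and aggregates the cross-segment flows into candidate allow rules to review before switching on default-deny. Addresses, zones and flows are hypothetical.

```python
# Added example (not from the original page or any vendor): score an agent-based
# model against a network-based one using a constructed asset inventory and
# constructed flow records. Addresses, zones and flows are hypothetical.
from collections import Counter
from typing import Dict, List, Tuple

# Inventory: address -> (zone, can this device run an endpoint agent?)
INVENTORY: Dict[str, Tuple[str, bool]] = {
    "10.10.1.5":  ("OT", False),   # PLC, proprietary RTOS
    "10.10.1.6":  ("OT", False),   # RTU
    "10.10.2.20": ("OT", True),    # Windows HMI (agent possible in principle)
    "10.30.0.10": ("DMZ", True),   # SCADA server
    "10.20.0.7":  ("IT", True),    # engineering workstation
    "10.20.0.8":  ("IT", True),    # office laptop
}

# Observed flows as (src, dst, proto, dst_port), constructed for the example.
FLOWS: List[Tuple[str, str, str, int]] = [
    ("10.30.0.10", "10.10.1.5", "tcp", 502),
    ("10.30.0.10", "10.10.1.6", "tcp", 502),
    ("10.10.2.20", "10.10.1.5", "tcp", 502),
    ("10.20.0.7", "10.10.2.20", "tcp", 3389),
    ("10.20.0.8", "10.30.0.10", "tcp", 443),
    ("10.20.0.7", "10.30.0.10", "tcp", 443),
]


def agentless_devices(inventory: dict) -> list:
    """Devices that can never carry an endpoint agent."""
    return sorted(ip for ip, (_, agent_ok) in inventory.items() if not agent_ok)


def agent_blind_flows(flows: list, inventory: dict) -> list:
    """Flows with at least one endpoint that cannot run an agent; an endpoint-agent
    model has no per-device identity or policy on that side of the connection."""
    return [f for f in flows if not inventory[f[0]][1] or not inventory[f[1]][1]]


def cross_segment_flows(flows: list, inventory: dict) -> list:
    """Flows a segment gateway would mediate (endpoints in different zones)."""
    return [f for f in flows if inventory[f[0]][0] != inventory[f[1]][0]]


def uncovered_by_both(flows: list, inventory: dict) -> list:
    """Agent-blind flows that also stay inside one zone: neither model sees them
    until the zone is split further."""
    cross = set(cross_segment_flows(flows, inventory))
    return [f for f in agent_blind_flows(flows, inventory) if f not in cross]


def proposed_rules(flows: list, inventory: dict) -> Counter:
    """Aggregate cross-segment flows into candidate allow rules
    (src_zone, dst_zone, proto, port) with the number of observed flows each covers."""
    c: Counter = Counter()
    for src, dst, proto, port in cross_segment_flows(flows, inventory):
        c[(inventory[src][0], inventory[dst][0], proto, port)] += 1
    return c


def coverage_report(flows: list = FLOWS, inventory: dict = INVENTORY) -> dict:
    """Summarise how much of the observed traffic each model can govern."""
    blind = agent_blind_flows(flows, inventory)
    cross = cross_segment_flows(flows, inventory)
    return {
        "agentless_devices": agentless_devices(inventory),
        "agent_blind_flows": len(blind),
        "agent_blind_share": round(len(blind) / len(flows), 2),
        "network_mediated_flows": len(cross),
        "network_mediated_share": round(len(cross) / len(flows), 2),
        "needs_finer_segmentation": uncovered_by_both(flows, inventory),
        "proposed_rules": dict(proposed_rules(flows, inventory)),
    }


if __name__ == "__main__":
    for key, value in coverage_report().items():
        print(f"{key}: {value}")
```

On this constructed data half the flows touch a device that cannot run an agent, and the HMI-to-PLC Modbus session inside the OT zone is governed by neither an agent nor a zone boundary; that single line in `needs_finer_segmentation` is the argument for splitting the OT zone before declaring coverage complete. The `proposed_rules` output is deliberately an input to review, not a policy to load: every observed flow, including an unwanted RDP session from IT into OT, shows up there until someone removes it.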
Conclusion
Zscaler solves a real problem for cloud-first organizations. But industrial and on-premise environments have different constraints: legacy devices, real-time requirements, data sovereignty, and compliance mandates that cloud-proxy architectures cannot address.
If your network includes equipment that cannot run an agent, the Trout Access Gate provides network-based zero trust without endpoint dependencies. If you need a hybrid approach, Palo Alto and Fortinet offer capable alternatives with trade-offs in complexity and cost.
Start by mapping your unmanaged devices and compliance requirements. That will tell you which architecture fits.

