Compare Trout & Zscaler
Zscaler routes your traffic through the cloud. Access Gate keeps everything on-premise. Works in air-gapped and classified environments where cloud routing is not an option.
Cloud zero trust doesn't work for OT
Cloud-routed security models add latency to time-sensitive OT communications, require a persistent internet connection, and break sovereign data control. In classified, air-gapped, or regulated environments, routing traffic through external data centers is simply not permitted. For OT, zero trust has to work entirely on-site.
Access Gate: Fully on-premise
Access Gate deploys as a local appliance or VM inside your network perimeter. All authentication, policy enforcement, and traffic inspection happen on-site. No internet connection required. Works in fully air-gapped environments with complete data sovereignty.
Zscaler: Cloud-native architecture
Zscaler routes user traffic through its global network of cloud Points of Presence (PoPs) for inspection and policy enforcement. This approach works well for IT and remote workforce scenarios but requires internet connectivity and sends traffic outside your perimeter.
| Feature | Access Gate | Zscaler |
|---|---|---|
| Zero-trust access | | |
| On-premise deployment | | Cloud-only |
| Air-gap support | | Requires internet |
| OT protocol awareness | | |
| Cloud dependency | Fully self-contained | Core architecture |
| Network segmentation | | App-level only |
| Asset discovery | | |
| Data sovereignty | All data stays on-site | Regional PoPs available |
| Latency impact | Minimal -- local processing | Variable -- depends on PoP distance |
| Agent required | | Zscaler Client Connector |
Sovereign control by design
All traffic, policy decisions, and logs stay on your infrastructure. Nothing leaves the site. No external dependency can disrupt operations.
OT-native zero trust
Access Gate understands industrial protocols like Modbus, S7, and EtherNet/IP natively. Security policies map to OT operations, not just IP addresses and ports. In OT, systems run for years without restart. Security has to work the same way.
No agents, no client software
OT devices cannot run endpoint agents. Access Gate enforces zero trust at the network level without requiring software on endpoints. Legacy PLCs, HMIs, and RTUs are protected without modification.
Access Gate vs Zscaler FAQ
Cloud zero trust like Zscaler excels for distributed IT workforces accessing SaaS applications. If your primary use case is securing remote employees browsing the web or using cloud apps, a cloud-routed approach is efficient. However, for OT environments with strict latency requirements, air-gap mandates, or data sovereignty regulations, on-premise zero trust is the only viable path.
Yes. Access Gate operates entirely on-premise with no internet dependency. It can be deployed in fully air-gapped networks and still enforce zero-trust access policies, segment the network, and discover assets. Updates and policy changes are managed locally.
Access Gate natively understands Modbus TCP, S7comm, EtherNet/IP, OPC UA, DNP3, BACnet, and other common industrial protocols. This allows security policies to be defined at the operation level -- for example, allowing read commands but blocking write commands to a specific PLC.
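An added illustration of the operation-level policy described above (not Trout's code or Access Gate configuration): a Python example that parses a Modbus TCP frame, classifies its function code, and permits reads while denying writes to one PLC. The IP addresses, the `POLICY` table and the function names are assumptions made for the example; the sample frames are constructed.

```python
import struct

# Function codes from the public Modbus application protocol specification.
READ_CODES = {0x01, 0x02, 0x03, 0x04}
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}  # 0x17 reads and writes

# Hypothetical policy: PLC address -> operation classes permitted toward it.
POLICY = {"10.0.5.20": {"read"}, "10.0.5.21": {"read", "write"}}


def classify(frame: bytes) -> str:
    """Return 'read', 'write', 'other' or 'malformed' for one Modbus TCP ADU."""
    if len(frame) < 8:  # 7-byte MBAP header plus at least the function code
        return "malformed"
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    # Protocol id must be 0; the length field counts the unit id plus the PDU.
    if proto != 0 or length != len(frame) - 6:
        return "malformed"
    code = frame[7]
    if code in READ_CODES:
        return "read"
    if code in WRITE_CODES:
        return "write"
    return "other"


def decide(dst_ip: str, frame: bytes) -> str:
    """Fail closed: allow only operation classes listed for this PLC."""
    op = classify(frame)
    return "allow" if op in POLICY.get(dst_ip, set()) else "deny"


def adu(code: int, data: bytes, tid: int = 1, unit: int = 1) -> bytes:
    """Build a constructed sample request frame for the demo below."""
    return struct.pack(">HHHBB", tid, 0, len(data) + 2, unit, code) + data


if __name__ == "__main__":
    read_regs = adu(0x03, struct.pack(">HH", 0, 10))    # read 10 holding registers
    write_reg = adu(0x06, struct.pack(">HH", 0, 1234))  # write a single register
    for ip, f in [("10.0.5.20", read_regs), ("10.0.5.20", write_reg),
                  ("10.0.5.21", write_reg), ("10.0.5.20", read_regs[:-1])]:
        print(ip, classify(f), decide(ip, f))
```

Unknown destinations, unrecognized function codes and frames whose length field does not match the bytes received are all denied, so the policy fails closed.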
No. Access Gate enforces security at the network level and does not require any software to be installed on endpoints. This is critical for OT environments where devices run proprietary firmware, cannot be modified, or must maintain certification.