
Zscaler Zenith Live Conference 2022

Zscaler unveiled a number of product enhancements during their Zenith Live conference in June, demonstrating why they are still the leader in Security Service Edge. They continue to expand the capabilities of their core Zero Trust platform, extending secure connectivity for enterprise users into application workloads and now IoT devices. They also introduced several AI-enabled features to streamline threat identification and resolution. While I no longer own the stock, I am impressed by the breadth and depth of their offering. For customers seeking a complete and robust solution for a Zero Trust migration today, Zscaler provides an enterprise-ready, hardened platform that checks all the boxes.

In this post, I will review the announcements made during Zenith Live and discuss how these further solidify Zscaler’s position in Zero Trust. I will also draw some comparisons to Cloudflare’s progress and share my investment approach for this space.


Background

Zscaler’s product offering is called the Zero Trust Exchange. It is an integrated platform of services that acts as an intelligent switchboard to secure three types of communications – user-to-app, app-to-app and machine-to-machine. This works globally across any network and from any location. The Zero Trust Exchange operates through 150 data centers, generally co-located in proximity to the cloud providers and SaaS application onramps that enterprise users are accessing, such as Microsoft 365 and AWS.

Zscaler is able to stop threats and prevent data loss by terminating each connection for these communications. They often use the metaphor of a switchboard, controlling every connection between two endpoints (users, apps, machines). By operating inline, Zscaler can conduct deep packet inspection of the content and verify access rights based on identity and context. This inline posture requires enormous scale, high throughput and extreme expectations for uptime. It has the benefit of generating a large amount of data that can feed further threat detection. It also creates a competitive moat, as switching costs are high and other parties can’t access the rich usage data collected.

Requested connections are verified against rules defined in access policies. The Zero Trust Exchange brokers the connection between the authenticated user and the resource they are authorized to reach. This inline, middleware architecture accomplishes two security goals. First, it prevents lateral movement by an attacker, because authorization is granted for each resource on a per-connection basis. This represents an improvement over traditional network security solutions, which gave the user full access to all resources on the network after the initial authorization.

Zscaler Zenith Live Keynote, June 2022

Second, this approach keeps applications invisible to the Internet, effectively eliminating attack surfaces. This is due to the fact that once a private application or enterprise resource is on the Zscaler platform, that entity’s location on the Internet no longer needs to be publicly advertised. As the switchboard, the Zscaler platform knows where all of an enterprise’s resources are located and can connect authorized users directly, eliminating the need for public routing. Of course, this benefit only applies to private enterprise resources (internal to the company). Resources for the general public (like the corporate web site) would still need to be addressable on the Internet.

At the foundation of the Zscaler Zero Trust Exchange are three fundamental principles. These represent Zscaler’s competitive advantage over traditional “castle and moat” security architectures that rely on single control points like firewalls.

  1. Decouple application access from being on the network. Users are only authorized to access enterprise resources like apps on a per-request basis. Previous network security architectures granted application access to anyone who could authenticate onto the corporate network.
  2. Minimize attack surface by hiding public IPs. As mentioned above, once enterprise applications and users are on the Zscaler network, they no longer need a presence on the public Internet. This effectively hides them from attackers, because these entry points can’t be discovered. A common exploit technique is to scan the public IP space for open ports and then try to attack them.
  3. Proxy architecture with full inline inspection including SSL. By terminating every connection, the Zscaler platform can inspect all network traffic. This provides valuable data for threat detection and breach prevention. Firewalls allow or block the connection, but have limited visibility into the data being transmitted.

Initially, Zscaler built the Zero Trust Exchange platform for enterprise employee usage. This involved securing access from users to the Internet and third-party SaaS applications through Zscaler’s Internet Access (ZIA) product. The complementary product to ZIA is Zscaler Private Access (ZPA), which offers secure access to private applications, services and OT devices.

Controlling user access to enterprise resources creates an expectation that Zscaler either causes or has insight into usability issues. If a user can’t access their Zoom meeting, Zscaler would probably be blamed first. To offer IT personnel insight into user access issues, Zscaler offers Zscaler Digital Experience (ZDX). This system monitors connectivity and user experience quality for issues, providing IT helpdesk personnel with insight into service problems.

Zscaler Zenith Live Conference, June 2022

More recently, Zscaler realized that the same secure access controls for users could be applied to cloud workloads. Zscaler for Workloads allows enterprises to build and run secure cloud-based applications. When these applications need to connect securely to another application, Zscaler provides workload-to-workload communication. As part of the Zenith Live announcements, they introduced a new capability called Posture Control to ensure the workloads themselves are free of issues that might lead to a breach. Those could be misconfigurations, unnecessary user entitlements and software vulnerabilities.

Beyond workloads, Zscaler is expanding into other applications of their Zero Trust Exchange technology. Another new development from Zenith Live was in the area of securing IoT communications and providing privileged access to Operational Technology assets, including industrial devices like valves, engines, conveyors and other machines.

Zscaler Zenith Live Keynote, June 2022

As part of their overview at Zenith Live, the Zscaler team shared some metrics to highlight the worsening threat environment. These trends are concerning and are driving demand for Zero Trust services from enterprises.

Organizations are facing a 314 percent increase in cyberattacks on encrypted internet traffic and an 80 percent increase in ransomware with nearly a 120 percent increase in double extortion attacks. Phishing is also on the rise with industries like financial services, government and retail seeing annual increases in attacks of over 100 percent in 2021. To combat advancing threats, organizations need to adapt their defenses to real-time changes in risk. However, lean-running IT and security teams are experiencing security alert fatigue with increasing exposure to real-time threats and often don’t have the resources or skills to effectively investigate and respond to the mounting volume of threats.

Zscaler Press Release, June 2022

Given this substantial increase in the threat landscape, leadership spoke to how Zscaler is uniquely positioned to address these security needs. Beyond the advantage of their architectural design in serving as a switchboard, Zscaler can leverage an enormous amount of data to make the system smarter. They claim to operate the largest in-line security cloud, which inspects over 240B data transactions daily and blocks 150M attacks. Due to this data volume, Zscaler is equipped to train its AI/ML models to automate threat responses and make policy recommendations to security teams.

Several of the big announcements at Zenith Live revolved around the application of AI/ML to streamline operations by making the platform more intelligent. With those data volumes, it would be difficult for human security operators to keep up with all the risk factors. New machine learning and AI capabilities allow Zscaler to generate risk profiles for every user, application and workload. The risk profiles are then applied to access policy decisions about whether to establish a connection. As behavioral data changes, the automated policy decisions adjust in real-time.

This level of automation is necessary to counteract the increasing sophistication of attackers. Hackers are shifting to automation themselves, by writing programs that scan the public IP space for opportunities. Once identified, the attack script very quickly takes advantage of a vulnerability to create a compromise, like permission escalation or data exfiltration. This can happen before a human operator is alerted and certainly before they could take action. Going forward, the “hacker” is less likely to be an individual sitting on a keyboard and more likely a machine running scripts and adjusting behavior to take advantage of security holes even during short intervals of exposure.


This background provides the baseline for what was announced at Zenith Live. Zscaler is leveraging their platform to expand into new use cases relevant for Zero Trust, including workloads and IoT. This represents a smart strategy, as growth in workload and IoT security will likely scale faster at enterprises than the number of employees.

Beyond expanding into adjacent categories of connectivity, Zscaler is making their Zero Trust platform more intelligent. As mentioned, this revolves around harnessing all the data generated by the system to create a closed loop for blocking attacks. Rather than relying on human threat hunting teams exclusively to identify attack vectors, machine learning and automation can surface and react to exploit attempts as fast as they occur. This will allow the system to scale to higher usage without requiring proportional security personnel within the enterprise to manage it.

Let’s dig into what Zscaler announced at the Zenith Live conference.

Product Announcements

Zscaler contends that enterprises are seeking a platform that consolidates the many point products that currently make up a Zero Trust solution. Customers want to avoid operational complexity and high overhead costs. As the cloud continues to mature, they want to extend protections for their users to applications, cloud workloads and even autonomous devices.

Additionally, as use of more sophisticated security platforms increases, enterprises don’t want to be overwhelmed with thousands of single event alerts. They need security systems to intelligently correlate all the signals and activity across the system and prioritize the highest impact threats currently. The system should assess the risk associated with user and application activity, applying more aggressive access policies and mitigation tactics to the higher risk participants. This system intelligence represented a major theme of the conference.

Automation of Threat Detection through AI and ML Processes

In response to the increasing automation and sophistication of cyber attacks, Zscaler is layering AI-powered capabilities on top of threat detection across the platform. These capabilities stand to provide real competitive differentiation, as less mature platforms rely on human operators to review alerts and take action. Additionally, a machine learning approach allows threat detection to quickly evolve to the latest behaviors observed in live traffic streams, rather than the output of threat research teams.

These machine learning driven insights can be harnessed because of the large amount of data collected by the Zscaler platform. Zscaler receives 300T signals a day drawn from over 240B transactions across more than 6,000 customers. They block over 7B threats a day through application of security policies. Their internal ThreatLabz threat hunter team includes 125+ security experts. They update the platform with 250k threat indicators daily.

This data volume represents a big advantage for Zscaler over other out-of-band solutions. Because their Zero Trust Exchange facilitates every connection for every user, application and workload, the system can observe all threat activity in real-time. It can correlate known exploits and compromises to behaviors beforehand. These insights can then be fed back into a scoring algorithm for rating future threat levels.

Scoring of risk can be factored into access policy decisions. This provides a mechanism for automation, as operators don’t need to review every access request. Operators can set thresholds of user risk levels for different categories of applications. For example, an internal application or workload that has access to sensitive data can be set to require a very low risk score to grant user access. Users with higher risk scores can be forced through additional verifications or have limited actions.

At the top level, customers can view their overall Risk Report. This provides a summary view of an enterprise’s risk across four categories: external attack surface, lateral propagation, compromise and data loss. More importantly, the system generates recommendations to improve scores in the critical areas, making the Risk Report actionable for security teams. They take both level of risk and level of effort to fix into account, and prioritize the recommendations for security teams that would result in the most relative benefit.

Zscaler Zenith Live Conference, June 2022

Phishing Prevention

Email-based phishing attacks have become one of the largest sources of stolen user credentials and malware installation. Zscaler alone measured 874M phishing attempts against their users. This is typically accomplished by tricking users into clicking on links or visiting malicious web sites. Zscaler has added real-time analytics, expert research from their ThreatLabz team and browser isolation capabilities to prevent users from being exploited by phishing attacks.

Zscaler Zenith Live Conference, June 2022

Their new phishing prevention capability is focused on examination of the destination web site for the phishing campaign. Most phishing attempts try to manipulate the user into visiting a manufactured web site that resembles a popular SaaS application. Zscaler is introducing an AI-powered phishing detection algorithm that examines a number of metadata points about the phishing destination site. These include the hosting provider, domain name age, certificate information, branding and structure of the page. By examining large amounts of historical data about sites visited and what makes for a legitimate versus malicious experience, Zscaler has been able to train their AI models to distinguish between the two.

Zscaler has been running this data collection analysis in-line for about 6 months, uncovering about 10,000 malicious phishing sites each month. Since user traffic passes through Zscaler’s switchboard in-line, they can block access to any site that has a high risk score. An additional benefit for customers is that these phishing sites are identified in near real-time, versus needing to wait for a data feed refresh from a third party to activate them.

Related to this is the implementation of secure browser isolation. If a user clicks on a link to visit a new site or initiate a file download, the user can be exposed to malware. If the system can detect that the action taken by the user appears risky, it would be safer to pass that user action to secure browser isolation for the remainder of the session. Browser isolation executes the browser activity on a virtual machine in the cloud run by Zscaler, versus the user’s own computer.

In the past, security operators have been challenged by needing to determine when to apply browser isolation. If turned off completely, then users are always exposed. If always on, then the user experience can be disrupted, as browser isolation creates lag and blocks certain actions. To solve for this, Zscaler introduced Smart Protections, which can be activated with a single setting by the security operator.

Zscaler Zenith Live Conference, June 2022

This feature uses AI/ML to determine what browsing activity needs isolation and automatically applies it on demand. This is primarily driven by analysis of web sites by domain and then flagging suspicious ones for isolation. The determination of risk is similar to that for phishing – analysis of the domain, hosting provider, page structure, brand imitation and relationship to other domains. These create a score that determines the action to take based on access policies.
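The scoring described in the phishing prevention and Smart Protections sections above (domain age, certificate details, hosting provider, brand imitation, page structure) can be illustrated with a small rule-based scorer. This is an added example, not Zscaler's code or model: the weights, thresholds, brand list, hosting reputation table and the three sample site records are all constructed for the illustration, and the output maps a score to the three actions the post mentions (allow, isolate in a remote browser, block).

```python
"""Illustrative destination-site risk scorer (added example, not Zscaler code).

Scores a site from the kinds of metadata the post lists and maps the score to
allow / isolate / block. Weights, thresholds and sample records are constructed.
"""
from dataclasses import dataclass

# Constructed allow-list: brand keyword -> the brand's legitimate registrable domain.
KNOWN_BRANDS = {"microsoft": "microsoft.com", "paypal": "paypal.com", "dropbox": "dropbox.com"}
# Constructed hosting reputation table (higher = riskier); unknown providers score 1.
HOSTING_RISK = {"reputable-cloud": 0, "bulk-vps-reseller": 2}


@dataclass
class SiteMetadata:
    domain: str
    domain_age_days: int
    cert_age_days: int
    cert_issuer: str        # e.g. "Automated CA" or "Enterprise CA"
    hosting_provider: str
    has_login_form: bool    # page-structure signal: a credential prompt is present
    page_title: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typo-squatted brand names such as 'paypa1'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label of the domain ('paypa1-secure-login' for 'paypa1-secure-login.example')."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def extract_features(meta: SiteMetadata) -> dict:
    d = meta.domain.lower()
    own_brand = any(d == legit or d.endswith("." + legit) for legit in KNOWN_BRANDS.values())
    lookalike = None
    if not own_brand:
        tokens = registrable_label(d).split("-")
        for brand in KNOWN_BRANDS:
            if any(brand in tok or levenshtein(tok, brand) <= 1 for tok in tokens):
                lookalike = brand
                break
    title_brand = next((b for b in KNOWN_BRANDS if b in meta.page_title.lower()), None)
    return {
        "domain_age_days": meta.domain_age_days,
        "cert_age_days": meta.cert_age_days,
        "automated_cert": meta.cert_issuer.lower().startswith("automated"),
        "hosting_risk": HOSTING_RISK.get(meta.hosting_provider, 1),
        "lookalike_brand": lookalike,
        "brand_in_title": None if own_brand else title_brand,
        "has_login_form": meta.has_login_form,
    }


def risk_score(f: dict):
    """Return (score, reasons). Weights are illustrative, not Zscaler's."""
    score, reasons = 0, []
    if f["domain_age_days"] < 30:
        score, reasons = score + 3, reasons + ["domain registered under 30 days ago"]
    elif f["domain_age_days"] < 180:
        score, reasons = score + 1, reasons + ["domain registered under 180 days ago"]
    if f["cert_age_days"] < 14 and f["automated_cert"]:
        score, reasons = score + 1, reasons + ["fresh automated certificate"]
    if f["hosting_risk"]:
        score, reasons = score + f["hosting_risk"], reasons + ["low-reputation hosting"]
    if f["lookalike_brand"]:
        score, reasons = score + 3, reasons + [f"domain imitates {f['lookalike_brand']}"]
    if f["brand_in_title"] and f["has_login_form"]:
        score, reasons = score + 2, reasons + [f"login form branded as {f['brand_in_title']}"]
    return score, reasons


def decide(score: int) -> str:
    """Policy thresholds (illustrative): block outright, isolate, or allow."""
    return "block" if score >= 7 else "isolate" if score >= 4 else "allow"


def evaluate(meta: SiteMetadata):
    score, reasons = risk_score(extract_features(meta))
    return score, decide(score), reasons


# Constructed sample records.
PHISH = SiteMetadata("paypa1-secure-login.example", 5, 3, "Automated CA", "bulk-vps-reseller", True, "Log in to your PayPal account")
LEGIT = SiteMetadata("www.paypal.com", 9000, 60, "Enterprise CA", "reputable-cloud", True, "Log in to your PayPal account")
NEWSITE = SiteMetadata("fresh-startup-blog.example", 20, 10, "Automated CA", "reputable-cloud", False, "Welcome to our blog")

if __name__ == "__main__":
    for site in (PHISH, LEGIT, NEWSITE):
        print(site.domain, evaluate(site))
```

The newly registered but otherwise unremarkable blog lands in isolation rather than being blocked, which is the trade-off Smart Protections is meant to make automatically: the user still reaches the site, but any download or script runs in the remote browser rather than on the endpoint. The reasons list matters as much as the score, since an operator reviewing a blocked request needs to see why the policy fired.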

Segmentation

User to app connections can be segmented at a more granular level by applying AI-based policy recommendations. These are based on scores trained through millions of customer signals across app telemetry, user context, behavior patterns and location. The platform can quickly identify anomalies and apply policy recommendations to minimize damage in an automated fashion. This reduces the attack surface and prevents lateral movement.

Zscaler Zenith Live Conference, June 2022

This risk data is being incorporated into new features for segmenting user-to-app communications. They are bringing two new features into ZPA to help enhance user segmentation. These are risk-based policies and a new AI-powered segmentation engine. Both of these capabilities tap into rich data stores like the user authentication system and client connector logs to generate risk scores.

The system can also run in a discovery mode that identifies new applications being accessed by users. The data discovery engine can determine how many of these users actually need that level of access, based on their role in the company. The AI engine can generate an alert to security operators that some users don’t need access to an application, thereby reducing the attack surface. Zscaler has already been prototyping the risk-based access policy controls with some early customers.

Zscaler Zenith Live Conference, June 2022

Zscaler’s overall Zero Trust Exchange can combine all the telemetry and user activity data gathered from both ZIA and ZPA to determine which users are engaging in risky behavior and map the private applications available to them. Based on a user’s risk profile, they can either be prevented from accessing an application or forced to go through additional controls to verify their identity and limit the actions they can take.

Zscaler Zenith Live Conference, June 2022

The user’s risk score can be calculated by observing all of their behaviors through ZIA, like whether they click on questionable links or visit newly registered domains frequently. For a user with a high risk score, ZPA can layer on additional protections like application protection for inline inspections as well as integrated deception.

Zscaler Zenith Live Conference, June 2022

Deception is a recent capability gained through an acquisition, in which ZPA provides a user with access to resources that might be valuable for a hacker, but don’t represent real assets. If the user tries to access these “honeypots”, then the system knows they are likely malicious actors. Endpoint protection can be engaged to identify the compromised users and block additional access attempts. In this way, Zscaler Zero Trust can limit lateral movement at a very sophisticated and automated level.

Risk-based policy engine

Supporting segmentation is a new risk-based policy engine that can dynamically adapt security and access policies in real-time. This responds to rapidly-evolving cyber threats, allowing security teams to customize policies based on risk scoring for users, devices, apps and content.

Zscaler Zenith Live Conference, June 2022

Zscaler revamped the Risk Report for ZIA to provide a comprehensive overall view of risk. From the top-level Risk Report, users can drill into risk factors at a very granular level. A user-based risk report provides a good example, where the behavior of a single user is measured and associated with a risk score. This can be determined by a combination of factors – sites visited, files downloaded, compliance category, etc.

Zscaler Zenith Live Conference, June 2022

This allows for the creation of dynamic policies that can be applied to users based on their risk score, representing a major new feature introduced at Zenith Live. These can be applied to both ZIA and ZPA, as risk is becoming a top-level criterion for determining access policy. Based on the risk levels associated with a user and the device they are connecting from, the security operator can set policies to require additional security protections or checks for higher risk levels.
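The risk-based policy engine described here, together with the earlier points about per-application risk thresholds and deriving a user's score from ZIA behaviour (clicking flagged links, visiting newly registered domains), can be sketched as a small policy evaluator. This is an added example and not Zscaler's engine: the event log, the event weights, the device posture checks, the per-sensitivity thresholds and the app catalogue are all constructed for the illustration. It shows the dynamic aspect the post emphasizes: the same user's access decision changes as new behavioural events arrive.

```python
"""Illustrative risk-based access policy engine (added example, not Zscaler code).

user_risk() derives a 0-100 score from constructed ZIA-style events,
device_risk() adds a device-posture penalty, and decide_access() applies
per-app-sensitivity thresholds to return allow / step_up / deny.
"""

NEW_DOMAIN_DAYS = 30  # a visited domain registered more recently than this counts as risky

# Constructed event weights (illustrative).
EVENT_WEIGHTS = {"clicked_flagged_link": 25, "download_blocked": 15, "visited_new_domain": 10}

# Constructed app catalogue: app name -> data sensitivity.
APPS = {"hr-payroll": "high", "expense-tool": "medium", "eng-wiki": "low"}

# Constructed thresholds per sensitivity: (allow below, step-up below; deny at or above).
POLICY = {"high": (20, 50), "medium": (50, 80), "low": (80, 100)}

# Constructed ZIA-style behavioural log.
EVENTS = [
    {"user": "alice", "event": "visited_domain", "domain_age_days": 400},  # established domain, no risk
    {"user": "alice", "event": "visited_domain", "domain_age_days": 12},   # newly registered domain
    {"user": "bob", "event": "visited_domain", "domain_age_days": 3},
    {"user": "bob", "event": "clicked_flagged_link"},
    {"user": "bob", "event": "download_blocked"},
]

# Constructed device posture as reported by a client connector.
DEVICES = {
    "alice": {"managed": True, "disk_encrypted": True, "os_patched": True},
    "bob": {"managed": True, "disk_encrypted": True, "os_patched": False},
}


def user_risk(events, user):
    """Sum weighted risky behaviours for one user, capped at 100."""
    score = 0
    for e in events:
        if e["user"] != user:
            continue
        if e["event"] == "visited_domain":
            if e.get("domain_age_days", 10_000) < NEW_DOMAIN_DAYS:
                score += EVENT_WEIGHTS["visited_new_domain"]
        else:
            score += EVENT_WEIGHTS.get(e["event"], 0)
    return min(score, 100)


def device_risk(device):
    """Posture penalty: unmanaged or unhardened devices raise the combined score."""
    score = 0
    if not device.get("managed"):
        score += 30
    if not device.get("disk_encrypted"):
        score += 15
    if not device.get("os_patched"):
        score += 15
    return score


def decide(total_risk, sensitivity):
    allow_below, step_up_below = POLICY[sensitivity]
    if total_risk < allow_below:
        return "allow"
    if total_risk < step_up_below:
        return "step_up"   # e.g. re-authenticate, or route through inline app protection
    return "deny"


def decide_access(events, user, device, app):
    """Combine user behaviour and device posture, then apply the app's threshold."""
    total = min(user_risk(events, user) + device_risk(device), 100)
    return decide(total, APPS[app])


if __name__ == "__main__":
    for user in DEVICES:
        for app in APPS:
            print(user, app, decide_access(EVENTS, user, DEVICES[user], app))
    # The decision adapts as soon as new behaviour is observed.
    later = EVENTS + [{"user": "alice", "event": "clicked_flagged_link"}]
    print("alice after flagged click:", decide_access(later, "alice", DEVICES["alice"], "hr-payroll"))
```

Keeping the evaluator pure (it takes the event list as input rather than holding state) is deliberate: the same function can be replayed over historical logs to test how a proposed threshold change would have affected real users before it is enforced, which is the kind of policy recommendation the post says the platform generates.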

Data Loss Prevention

Zscaler is introducing a new feature that takes all inputs about data and file access from user behavior and intelligently groups those into segments that make it easier for operators to create access policies. This leverages ML/AI systems to logically categorize the data sources and types.

Zscaler Zenith Live Conference, June 2022

ML-powered discovery can apply to both data at rest and document store access. This view of the sensitive documents by type is embedded into the overall DLP data monitoring dashboard. Document access totals can be traced back to individual users, to see if a particular user is accessing a lot of documents. The activity can be tied to the document collaboration applications, both sanctioned and unsanctioned. If the user is uploading a lot of documents to an unsanctioned document store, that might provide a strong indicator of a compromised user and data exfiltration attempt.

Zscaler Zenith Live Conference, June 2022

The security operator can also take proactive action that will protect many user accounts at once. For example, they can block all unsanctioned applications in a single operation. They could also restrict user access to personal document storage SaaS tools, like Dropbox or OneDrive, in case users are trying to move sensitive documents out of the enterprise store into their personal accounts.

The system offers sophisticated indexing of documents through OCR, ML image recognition and document fingerprinting. This allows the DLP system to scan communications for these documents. DLP can block user activity that involves trying to move any sensitive document off of an enterprise store and into their personal email or personal document storage. As a check to blocking the user, the system provides the user with a notification, in the event that the activity was legitimate.
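Document fingerprinting, one of the indexing techniques named above, is the piece of a DLP pipeline that lets an inline engine recognise a sensitive document (or a pasted fragment of it) inside an outbound email or upload without storing the document's plaintext at the inspection point. The example below is added here and is not Zscaler's implementation: it uses hashed word shingles, and the memo text, the two outbound messages and the thresholds are all constructed.

```python
"""Illustrative document fingerprinting for DLP (added example, not Zscaler code).

A sensitive document is reduced to a set of hashed word k-grams ("shingles").
Outbound content is shingled the same way; enough hash overlap flags a leak.
"""
import hashlib
import re

K = 4  # words per shingle; shorter values catch smaller fragments but match more common phrases


def normalize(text: str):
    """Lowercase, strip punctuation and collapse whitespace so small edits don't defeat matching."""
    return re.sub(r"[^a-z0-9\s]", "", text.lower()).split()


def shingle_hashes(text: str, k: int = K):
    tokens = normalize(text)
    grams = (" ".join(tokens[i:i + k]) for i in range(len(tokens) - k + 1))
    return {hashlib.sha256(g.encode()).hexdigest()[:16] for g in grams}


def fingerprint_document(text: str, k: int = K):
    """The stored fingerprint: only hashes leave the document store, never the text."""
    return shingle_hashes(text, k)


def match_report(fingerprint, outbound_text: str, k: int = K):
    """Return (matched shingles, total outbound shingles, matched fraction)."""
    shingles = shingle_hashes(outbound_text, k)
    matched = len(shingles & fingerprint)
    ratio = matched / len(shingles) if shingles else 0.0
    return matched, len(shingles), ratio


def is_sensitive_leak(fingerprint, outbound_text: str, min_matches: int = 8):
    """Flag when at least min_matches fingerprint shingles appear in the outbound content.

    A count threshold (rather than a fraction) keeps a short sensitive paragraph buried
    in a long benign message detectable, while a handful of incidental matches on stock
    phrases ("before the end of") does not trigger a block.
    """
    matched, _, _ = match_report(fingerprint, outbound_text)
    return matched >= min_matches


# Constructed sensitive document registered with the DLP engine.
SENSITIVE_MEMO = (
    "Project Falcon acquisition memo. The board approved an offer of forty million dollars "
    "for Northwind Robotics, subject to due diligence closing before the end of the third quarter. "
    "Counsel advises that no external party be informed until the definitive agreement is signed."
)

# Constructed outbound messages seen inline.
OUTBOUND_PASTE = (
    "FYI - the board approved an offer of forty million dollars for Northwind Robotics, "
    "subject to due diligence closing before the end of the third quarter. Let's talk."
)
OUTBOUND_BENIGN = (
    "Reminder: the quarterly all-hands is on Thursday at ten. "
    "Please submit your expense reports before the end of the month."
)
OUTBOUND_TINY = "forty million dollars"  # shorter than one shingle: nothing to match

if __name__ == "__main__":
    fp = fingerprint_document(SENSITIVE_MEMO)
    for label, msg in [("paste", OUTBOUND_PASTE), ("benign", OUTBOUND_BENIGN), ("tiny", OUTBOUND_TINY)]:
        print(label, match_report(fp, msg), "BLOCK" if is_sensitive_leak(fp, msg) else "allow")
```

Two caveats a practitioner would keep in mind: with word shingles this short, an attacker who can guess the phrasing could brute-force individual hashes, so the fingerprint store still needs access control, and a fragment shorter than K words is invisible to this matcher by construction, which is why real DLP engines combine fingerprinting with the OCR, image recognition and pattern-based classifiers the post mentions. The benign reminder shares two stock four-word phrases with the memo, which is exactly the false-positive source the count threshold absorbs.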

Root Cause Analysis

Zscaler introduced their Digital Experience Monitoring product to manage the quality of user access to various applications and corporate assets. When issues arise, it helps operators analyze, troubleshoot and fix them. Because of Zscaler’s position in the corporate Zero Trust network, they have a bird’s-eye view of the quality of a user’s experience.

Zscaler Zenith Live Conference, June 2022

The process of investigating issues has been largely manual up to this point. Going forward, Zscaler will be mining the large amounts of telemetry data that they are collecting to identify patterns in user experience issues and make recommendations for resolution. By quickly finding the root cause for a poor user experience, the operator saves time in troubleshooting and can focus on applying the fix, based on where in the connection path the issue exists.

Zscaler Zenith Live Conference, June 2022

Part of these improvements will include a new feature called ISP Insights. This will display a more generalized view of the health of the Internet, through a map of the world. Operators can drill in to identify problem areas where ISP service levels have dropped. This information will be offered on a public web site. It should be noted that this data is based on the perspective of Zscaler users. If Zscaler doesn’t have active users in some part of the globe, that service issue wouldn’t be reported.

Zscaler Zenith Live Conference, June 2022

A nice feature of Zscaler ISP Insights is that the operator at an enterprise can then cross-reference the system to get a list of their corporate users who are being impacted by an ISP issue. This allows the operator to corroborate a poor ZDX user score with an actual ISP event.

Another convenient integration that Zscaler introduced is with ServiceNow’s ITSM service. ITSM is a ticketing system typically used by enterprises to allow their users to report issues with corporate IT resources (network access, apps, devices, etc.). Zscaler’s integration takes the form of an app in the ServiceNow app store. Helpdesk personnel can use the ServiceNow app to launch a deep tracing feature that analyzes a user’s status within ZDX. With that information, they can take the appropriate action in ServiceNow, all without needing direct access to ZDX.

Zscaler Zenith Live Conference, June 2022

Finally, Zscaler introduced very granular monitoring of the activity on a particular user’s device. It can identify the type of machine, operating system, software packages and updates. It also measures utilization of system resources by application for items like CPU, memory, network and disk. These are then reported in a dashboard for the operator to use to identify issues on that user’s device. For example, if the machine is slow, the operator could identify the application that appears to be consuming a lot of resources. This could also signal malware or malicious activity on a compromised device.

Zscaler Insights

In order to better manage their Zero Trust configuration and improve their threat posture, some customers have asked for access to the ThreatLabz team of 125 security experts. These security experts already scrutinize log data from over 6,000 Zscaler customers to identify threats and set up machine learning jobs. To meet this customer request, Zscaler is previewing a new managed security service, called Zscaler Insights. ThreatLabz experts will be available to customers to examine their logs and provide insights into the behavior they observe.

Zscaler Zenith Live Conference, June 2022

Zscaler Insights supplements a customer’s own security team to provide an additional level of expertise, particularly focused on making the most of the Zscaler platform. Customers can take advantage of the advanced intelligence on threats gathered continuously by the ThreatLabz team. They can build resilience of their security controls by having these security experts consult to help refine policies and identify risks. Finally, if a breach does occur, the ThreatLabz team can be engaged to quickly evaluate the situation and coordinate incident response.

Posture Control

Another major highlight of the Zenith Live conference was Zscaler’s announcement of its new Posture Control solution, designed to give organizations unified Cloud-Native Application Protection Platform (CNAPP) functionality tailor-made to secure cloud workloads.

Zscaler’s new Posture Control builds on the security capabilities of their Workload Communications solution, which provides secure Internet access and Zero Trust connectivity between cloud applications. Zscaler views workloads as analogous to users. This allows them to extend the same ZIA and ZPA access policies to secure communications between workloads.

Packaged within the Zscaler for Workloads service, Posture Control and Workload Communications are combined to unify development and runtime security of cloud-native and VM-based applications. Posture Control delivers comprehensive coverage of all cloud environments in a singular view and a unified data model to enable security, IT and DevOps teams to secure cloud apps without disrupting the development processes.

Zscaler Posture Management Diagram, Web Site

Posture Control allows DevOps and security teams to prioritize and remediate risks in cloud-native applications early in the development lifecycle. The solution is agentless, which Zscaler contends is an implementation advantage. Posture Control identifies and prioritizes risks in cloud workloads, which could allow an attacker to gain access to resources or exfiltrate data. Risks include unpatched vulnerabilities in containers or VMs, excessive entitlements and cloud service misconfigurations.

Posture Control revolves around two primary scanning activities:

  1. Configuration scanning. Is a resource exposed to the public Internet? This involves ensuring that Infrastructure as Code (IaC) configuration files are locked down and correctly configured. It also looks for unusually open user entitlements. The effectiveness is enhanced by determining a risk level based on the type of service.
  2. Exposure scanning. This motion tries to identify vulnerabilities and discover sensitive data. It applies to both the workload infrastructure and the application interface itself.

Posture Control is made tangible for security operators through an interactive dashboard that functions as a single pane of glass. This resembles common observability dashboards, which should make it more familiar to DevOps personnel. The operator can examine a workload and visualize vulnerabilities, risky users and access by IP for any indications of malicious activity. The operator can also make changes to access policies or block user access as they respond to potential threats.

Zscaler Zenith Live Conference, June 2022

Posture Control spans several point solutions for securing access to applications and workloads. These include CSPM to identify misconfigurations, threat correlation to flag malicious behavior patterns, CIEM for user entitlements management, vulnerability scanning and data loss prevention (DLP). Posture Control can replace all these point solutions, streamlining security operations by consolidating all these products into a single view.

Zscaler Zenith Live Conference, June 2022

Besides reporting on issues that have occurred, Posture Control also tries to prevent breaches by identifying potential issues as DevOps teams are configuring new systems (“shift left”). This ties into Infrastructure as Code (IaC) and integrates with the tools already used by DevOps teams like GitHub, Jenkins, GitLab, etc. Posture Control can flag weaknesses before deployment to the public cloud. Posture Control extends these risk visibility and prioritization capabilities across the entire cloud application lifecycle. The system accomplishes this through native integrations into the workflows of popular IDEs, source control repositories and DevOps tools. This allows teams to identify policy issues and address them in advance. As an example, it can be applied to Terraform templates through native plug-ins.

Zscaler Zenith Live Conference, June 2022

The system can also extend integration and control to code repositories. For example, a pull request on an updated IaC configuration file can be blocked until it passes the Zscaler scan in GitHub. This allows the team to maintain continuous compliance control. Posture Control is generally available now.
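To make the shift-left idea concrete, here is an added example (my own illustration, not Zscaler's Posture Control or any vendor's code) of the kind of policy gate a CI job can run over a Terraform plan before a pull request is allowed to merge. It assumes the plan has been exported with `terraform show -json` and evaluates a constructed, trimmed-down plan document embedded inline; the rule identifiers and severities are my own choices.

```python
"""Minimal IaC policy gate over a Terraform plan in JSON form.

Illustration only: this is not Zscaler Posture Control, and the plan document
below is a constructed sample trimmed to the fields the checks use.
"""
import json
import sys
from typing import Callable, Dict, List

# Constructed sample in the shape of `terraform show -json tfplan` output.
SAMPLE_PLAN_JSON = json.dumps({
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"],
                    "after": {"bucket": "example-logs", "acl": "public-read"}}},
        {"address": "aws_security_group.admin", "type": "aws_security_group",
         "change": {"actions": ["create"],
                    "after": {"ingress": [
                        {"from_port": 22, "to_port": 22, "protocol": "tcp",
                         "cidr_blocks": ["0.0.0.0/0"]},
                        {"from_port": 443, "to_port": 443, "protocol": "tcp",
                         "cidr_blocks": ["10.0.0.0/8"]}]}}},
        {"address": "aws_db_instance.main", "type": "aws_db_instance",
         "change": {"actions": ["create"],
                    "after": {"storage_encrypted": False, "publicly_accessible": False}}},
        # A resource being destroyed has no "after" state and is skipped.
        {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
         "change": {"actions": ["delete"], "before": {"acl": "public-read"}, "after": None}},
    ]
})


def finding(resource: str, rule: str, severity: str, message: str) -> Dict[str, str]:
    return {"resource": resource, "rule": rule, "severity": severity, "message": message}


def check_s3_bucket(addr: str, after: dict) -> List[dict]:
    # A public canned ACL exposes bucket contents to anyone on the Internet.
    if after.get("acl") in ("public-read", "public-read-write"):
        return [finding(addr, "S3-PUBLIC-ACL", "HIGH", f"bucket ACL is {after['acl']}")]
    return []


def _world_open(rule: dict) -> bool:
    cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
    return bool(cidrs & {"0.0.0.0/0", "::/0"})


def check_security_group(addr: str, after: dict) -> List[dict]:
    findings = []
    for rule in after.get("ingress") or []:
        if not _world_open(rule):
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
        all_ports = rule.get("protocol") == "-1" or (lo == 0 and hi == 0)
        admin_port = any(lo <= p <= hi for p in (22, 3389))
        if all_ports or admin_port:
            findings.append(finding(addr, "SG-OPEN-ADMIN", "HIGH",
                                    f"ingress ports {lo}-{hi} open to the Internet"))
        else:
            findings.append(finding(addr, "SG-OPEN-INGRESS", "MEDIUM",
                                    f"ingress ports {lo}-{hi} open to the Internet"))
    return findings


def check_db_instance(addr: str, after: dict) -> List[dict]:
    findings = []
    if not after.get("storage_encrypted", False):
        findings.append(finding(addr, "RDS-ENCRYPT", "MEDIUM", "storage is not encrypted at rest"))
    if after.get("publicly_accessible", False):
        findings.append(finding(addr, "RDS-PUBLIC", "HIGH", "database is publicly accessible"))
    return findings


CHECKS: Dict[str, Callable[[str, dict], List[dict]]] = {
    "aws_s3_bucket": check_s3_bucket,
    "aws_security_group": check_security_group,
    "aws_db_instance": check_db_instance,
}


def evaluate_plan(plan_json: str) -> List[dict]:
    """Run every applicable check against the planned ("after") state of each resource."""
    plan = json.loads(plan_json)
    findings: List[dict] = []
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if after is None:  # deletions and unknown-after resources deploy nothing to check
            continue
        check = CHECKS.get(rc.get("type", ""))
        if check:
            findings.extend(check(rc.get("address", "?"), after))
    return findings


def gate(plan_json: str, fail_on=("HIGH",)) -> int:
    """Print findings and return the CI exit code: 1 if any finding has a blocking severity."""
    findings = evaluate_plan(plan_json)
    for f in findings:
        print(f"[{f['severity']}] {f['resource']}: {f['rule']} - {f['message']}")
    return 1 if any(f["severity"] in fail_on for f in findings) else 0


if __name__ == "__main__":
    # Usage: python iac_gate.py [plan.json]; falls back to the constructed sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN_JSON
    sys.exit(gate(source))
```

Run as a required status check, a non-zero exit from `gate` is what blocks the pull request; the `fail_on` tuple is the policy knob that decides which severities are merely reported versus blocking, and deletions are skipped because a resource that will no longer exist has nothing to misconfigure.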

Deeper Integration with AWS

Zscaler also announced an extension of its relationship with Amazon Web Services (AWS), their preferred cloud provider. The two companies will deliver customers a unified solution to consolidate and simplify cloud security operations through a modern Zero Trust approach. The two introduced three new integrations:

  1. Delivering Cloud-Native Application Protection Platform (CNAPP) on AWS. Zscaler’s new Posture Control solution is built on AWS. It helps DevOps and security teams accelerate cloud adoption by efficiently implementing their portion of the AWS Shared Responsibility Model. The platform reduces operational complexity and overhead by replacing multiple point security products (CSPM, CIEM, CWPP, IaC scanning, DLP, CMDB) with a single, unified platform that analyzes millions of attributes to prioritize the critical issues that the security team should focus on first. AWS was chosen for its breadth of services and prevalence as a primary cloud provider in a large portion of Zscaler’s customer base.
  2. Extending Zero Trust Security to Workloads on AWS. Zscaler is extending the Zero Trust Exchange platform to protect cloud workloads against malware and data breaches as enterprises continue to migrate and refactor their applications and workloads on AWS. Zscaler delivers customers the benefits of inline inspection for Internet traffic from cloud workloads using deep integration with AWS native technologies like Gateway Load Balancer, AWS Secrets Manager, AWS CloudFormation and AWS Auto Scaling. It also extends the app-to-app segmentation capabilities of the platform, significantly reducing the enterprise attack surface and risk associated with lateral threat movement.
  3. Enabling Zero Trust for Private 5G with AWS Wavelength. The Zscaler Zero Trust Exchange protects workloads running on AWS Wavelength by providing user-based, Zero Trust access directly to the devices connected to the mobile network. The service is delivered using Zscaler Private Access (ZPA), a Zero Trust architecture built on AWS that supports both cloud and hybrid infrastructure control and deployment.

New IoT Focus and Siemens Partnership

Prior to Zenith Live and coinciding with their earnings release, Zscaler announced a partnership with Siemens to deliver an integrated OT (Operational Technology) solution. This combines the Zscaler Zero Trust Exchange cloud security platform with Siemens’ devices to help customers with OT infrastructures accelerate their secure digital transformation initiatives. Offered directly from Siemens, customers will be able to obtain Zscaler Remote Access for OT alongside Siemens’ flexible local processing platform SCALANCE LPE. The new solution enables customers to securely manage, control and analyze production OT infrastructure from any workplace in any location.

Zscaler Zenith Live Conference, June 2022

Building on the Siemens partnership, Zscaler highlighted other opportunities to apply their Zero Trust architecture to 5G. Beyond industrial use cases, these include AR/VR experiences, autonomous vehicles and gaming. The same set of security issues applies across these use cases when applications are deployed to the edge. Traditionally, these have been addressed by firewalls and VPN connections. Zscaler IoT allows enterprises to rethink identity, Zero Trust access policies and how to control device connections for their IoT fleets.

Leadership highlighted three real-world examples of existing partners using Zscaler IoT solutions: Nokia, Sandvik and Klas Government.

Looping Back on Cloudflare

Cloudflare has been making progress in their Zero Trust offering, recently concluding another innovation week that included a number of product announcements. Comparing the two companies’ offerings specific to Zero Trust SSE at this point, Zscaler’s product suite is broader and deeper. Cloudflare is moving aggressively and has their sights set on making up a lot of ground quickly. Cloudflare’s CEO isn’t concerned about the feature gap, referencing other technology categories that they entered in the past (DDoS, WAF, CDN) where they rapidly evolved and are now considered best-of-breed. For more coverage of Cloudflare’s offering, I published a detailed review of Cloudflare’s Zero Trust platform following Cloudflare One Week.

For most expected features of a Security Service Edge platform, Zscaler’s solution has evolved through several versions, while in many cases, Cloudflare is on an early incarnation or beta product. To be fair, Cloudflare has only been working on their Zero Trust platform for two years, compared to over ten years for Zscaler. The velocity of Cloudflare’s progress upmarket will be a key consideration as they try to close the feature gap with Zscaler.

Beyond a feature-by-feature comparison of the two Zero Trust platforms, I’ll step back and discuss two other considerations. The first is a comparison of network architectures. Zscaler delivers services from about 150 data centers, which are generally adjacent to hyperscaler locations (AWS, Azure) and relies on those cloud providers for some network connectivity. Considering Zscaler’s strategy to secure connections to popular SaaS installations, private applications and cloud workloads, this choice makes sense. However, users aren’t distributed in this way.

Zscaler Web Site

If we look at their network map, most data centers are clustered in the northern hemisphere, primarily in the U.S. and Europe. Additionally, Zscaler doesn’t address network routing from the user to the data center servicing that request. Their topology implies that the user’s connection to the Zscaler switchboard largely travels through a secure tunnel routed over standard Internet paths to the closest data center. For some users, that data center may be far away.

Cloudflare Investor Day 2022

Cloudflare, on the other hand, has over 270 data centers, located within 50ms of 95% of the world’s population. Additionally, they have established network peering relationships with over 10,000 partners to ensure they have fast access to most global users. When making a connection, the user is directed to the closest Cloudflare data center and then routed through Cloudflare’s network of data centers to the destination. Each network path is optimized in real-time using Cloudflare’s dynamic path routing, avoiding Internet congestion and chokepoints.

The implication is that the user experience across Cloudflare’s network will be better. Cloudflare is eliminating as much of the path from the user to the Cloudflare transport network as possible. Their Magic WAN and Network Interconnect products seek to onboard corporate traffic at the closest data center onramp and then intelligently route that traffic through Cloudflare’s network to the destination. They have plans to extend this further with Cloudflare for Offices, replacing the local ISP in some areas.

Cloudflare Global Anycast Network Layered over Zero Trust, Web Site

Perhaps this explains why Zscaler is so invested in ZDX. An example used during a ZDX demo at Zenith Live highlighted the impact of a slow ISP connection on a user’s access to their enterprise application (accessing MS Teams over AT&T in this case). If Cloudflare realizes their vision, a ZDX-like product would simply be Cloudflare’s own internal operations dashboard used to manage their network. It would show the intelligent routing decision made to circumvent the slow network connection, rather than just displaying the congestion point as an explanation for the help desk operator to note in the trouble ticket.

A second consideration is the broader reach of Cloudflare’s product suite and whether synergies will arise across multiple categories. As depicted below, Cloudflare’s offering spans services for application delivery, protection, developer tooling and core network services. Additionally, the platform is fully programmable through their expanding Workers runtime and data storage options.

Cloudflare Investor Day, 2022

As Cloudflare’s Zero Trust offering matures, they could entice new customers by offering adjacent products at a discount or for free. DDoS and WAF provide good examples. While Zero Trust SSE platforms seek to hide all private applications and enterprise assets from the public Internet, a subset of enterprise applications, like the corporate web site, must have a public IP address. These applications are still susceptible to security exploits and DDoS attacks.

Further, if customers adopt Cloudflare’s network services like Magic WAN, Network Interconnect, Magic Transit and Smart Routing, then Zero Trust Services are simple to layer on top. Zero Trust takes advantage of Cloudflare’s network performance while ensuring secure connections and exploit protection. It can provide both a fast and secure experience for enterprise users.

Finally, Cloudflare’s product suite can be extended through their Developer Services. Workers provides a programmable runtime with data storage, located in the same data centers as Zero Trust services. This allows customers to customize or supplement aspects of their Zero Trust security implementation. As an example, Cloudflare’s new R2 object storage would allow customers to create their own private repository for sensitive data, circumventing the need to integrate with an external provider.

With that said, Zscaler’s focus and clear delineation of boundaries allows them to go very deep in their offering. This will appeal to customers who want a best-of-breed Zero Trust solution now and aren’t as interested in a broader suite of services. With such high demand for threat mitigation and security protection this year, Zscaler will likely continue scooping up customers.

A distinction between the two companies may start to emerge by customer type, where SMB and digital natives gravitate towards Cloudflare and large enterprises to Zscaler. In these cases, the purchase decision maker may also sway the evaluation criteria. The priorities and bundling interest of a CTO would likely vary from those of a CIO.

Other Players

Cloudflare isn’t the only company trying to compete with Zscaler for Zero Trust business. Palo Alto Networks offers similar capabilities through their Prisma Access product. Also advertised as a purpose-built cloud product, Prisma Access protects all application traffic, while securing both access and data to reduce the risk of a data breach. Like Zscaler, it includes a common policy framework and single-pane-of-glass management.

Similar to Cloudflare, Palo Alto Networks is aggressively targeting Zscaler customers. I received the following Google Ad when searching for information on Zscaler Internet Access. This links to a product comparison page, which delineates the advantages of Palo Alto’s offering.

Google Ad, June 2022

Industry analyst Gartner provides another objective measure of the different offerings. For several years, Zscaler was the only provider listed in the Leaders quadrant for Secure Web Gateway. SWG incorporated many of the features in Zscaler’s ZIA product. Now, Gartner has expanded the category to Security Service Edge (SSE) to more accurately reflect the latest expectations for a network-based Zero Trust solution that spans secure web gateway (SWG), cloud access security broker (CASB) and Zero Trust network access (ZTNA).

With the new definition, published in February 2022, Zscaler now shares the Leaders quadrant with Netskope and McAfee. Palo Alto Networks is also close on the “Ability to Execute” axis, which reflects a company’s go-to-market effort. This new Magic Quadrant reflects a pretty large shift in the competitive landscape. While Gartner did combine some categories, it highlights the encroachment from new competitors. As a sidenote, Cloudflare was included as an Honorable Mention in the latest report. They were missing an API-enabled CASB solution at the cut-off time for consideration (August 2021). This feature is now available in beta.

If anything, the latest Gartner Magic Quadrant reflects the fact that customers have more options to consider for their Zero Trust solution. Zscaler is still winning deals, as evidenced by their quarterly results. But it’s likely that they will have to compete harder for customer wins than in the past.

Investor Take-aways

I am frequently asked why I don’t have a position in Zscaler and Crowdstrike, even though I write favorably about their product offerings. This is part of a larger view I have on the security space. I could certainly be wrong on this, so investors can take it for what it’s worth. So far this year, the view has been mixed and we can point to some pure-play security stocks that are outperforming (CRWD).

My view is that as an IT spending category, security isn’t a growth driver. Rather, it is a risk mitigation allocation. This will always bias enterprise leadership to find ways to limit or shift security spend to other IT investments that drive growth and improve customer experience. Historically, this has been the case, where security companies have not sustained growth as long as generalized software infrastructure or enterprise SaaS.

However, the current threat environment is much more pronounced. This is driving security to a board-level conversation and forcing CXOs to no longer ignore it. They are doubling down on security spend to modernize their defenses. This is shifting an enormous amount of IT budget towards security considerations. That spend is primarily going to many of the pure-play, best-of-breed providers, like Palo Alto Networks, Crowdstrike and Zscaler.

Over the mid to longer term, my concern for investment in the security space is two-fold. First, I do wonder if all the current security demand is a pull-forward or catch-up for most enterprises. It is true that cybersecurity is topping most CIO spend priority lists now, but I wonder what will happen next year or the following once enterprises feel they are “caught up”. After a reasonable defense is mounted, the ROI on proportionally large increases in security spend each year becomes very low. This is in contrast with IT investments that will drive growth, like new customer experience applications, digital transformation, factory automation and operational technology. Those initiatives are easy to continue investing in, as the business ROI is clear. They can be directly tied to revenue growth or cost savings.

Additionally, the demand environment has attracted many companies into the security space. These include new pure-play providers nipping at the heels of the leaders, with examples like SentinelOne, Netskope, Snyk or Securonix. Besides the pure-play security companies, other software providers are quickly adding security features to their existing offerings by extension. These companies may be grounded in adjacent IT categories, like data processing, observability, application hosting or network services. They see the opportunity to leverage their existing customer base and architecture to add on security features.

One example of these is Datadog with their new security suite. They are leveraging the agent they already have on cloud workloads to add application security monitoring, CSPM, SIEM and workload security. This supplements their other offerings in observability, which will continue to ride tailwinds from cloud migration and digital transformation.

Another example is Snowflake, which has gotten into the security space by allowing other companies to build a security company on top of their platform. An example is Securonix, which provides a robust solution for several security categories including SIEM, SOAR and XDR. They have already been named a leader in SIEM by Gartner. Since a major aspect of threat detection is data processing, Snowflake is benefitting by providing the data platform upon which Securonix (and others like Lacework, Panther and Hunters) perform their security analysis. This is in addition to Snowflake’s core businesses around analytics, machine learning, data mining and data applications.

The two companies mentioned above are stocks that I own, in addition to Cloudflare. So, in this regard, I am holding security companies, just ones that offer security protection in addition to other categories of IT spend. If IT budgets return to a lower allocation to security after this catch-up period, these companies can still sell both growth-oriented and security-oriented cloud infrastructure products.

In the near term, though, enterprises will overspend on security, and that may last longer than I expect. In that case, the pure-play security providers will realize high growth for the foreseeable future. Also, if the demand environment pushes CISOs and CIOs towards best-of-breed security solutions exclusively out of an abundance of caution, that would work less favorably for the companies with a blended product offering.

With all that said, if an investor wants to play the thesis that security spend will outpace other IT categories for several more years and that blended offerings won’t generate meaningful market share, then Zscaler, along with Crowdstrike, would make for great investments.

NOTE: This article does not represent investment advice and is solely the author’s opinion for managing his own investment portfolio. Readers are expected to perform their own due diligence before making investment decisions. Please see the Disclaimer for more detail.

Additional Reading

  • Muji at Hhhypergrowth has been going much deeper than I have into the Zero Trust space in general and Zscaler in particular. I recommend checking out his full coverage of the cybersecurity market. He also offers a perspective based on current IT spending categories that is very compelling.

9 Comments

  1. Defo

    Hey Peter, excellent article as always! I have three questions about this article/topic and would appreciate your feedback.

    1) In one of Crowdstrike’s presentations, they quoted a statement from IDC’s Frank Dickson: “An organization should spend between 5% and 10% of its IT budget on security.” According to IDC calculations, the share of cloud security spending in cloud IT spending is only 1%. This would therefore lead to a 5 to 10-fold increase in cloud security spending. Do you think this is unrealistic or an overly high percentage?

    2) Since you see a brighter future for network security rather than endpoint security companies, I’d be interested to know how likely you think it is that endpoint security companies like Crowdstrike will expand their offerings to include network security products?

    3) My last question is about the hyperscalers. In terms of endpoint security, Microsoft is already one of the leaders. If I understand correctly, Google is also going to get more involved in the endpoint security industry with the acquisition of Mandiant. With that said, do you see any tendencies for hyperscalers to be more interested and invest more heavily in the network security industry in the future?

    • Michael Orwin

      I’ve got a question related to Defo’s 1). Suppose an enterprise increases its non-security IT spend by X%, would it generally need to increase its security IT spend by X% to preserve the current level of security, or would it be more or less than X%? I guess it might be hard to answer because it’s very hypothetical and in a real case a lot of variables could matter, but is it possible to answer for the industry as a whole?

      • poffringa

Hi Michael – I guess it depends on the type of security. For cloud workloads, the spend would increase proportionally to the number of workloads in theory. For user security, it would scale to the number of employees.

    • poffringa

      Hi Defo – thanks for the feedback. I will address your questions below:

1) I think IDC makes my point, that cloud security spending currently makes up about 1% of total cloud spend. While I think it will increase, I don’t think that would be a 5-10x increase from here. It’s hard to say where it would land – maybe 2x. The other thing to keep in mind is that individual components of the software stack are making efforts to secure themselves. An example is MongoDB and their recently announced encryption improvements. That wouldn’t be new security spend, but does improve security posture. Another consideration is the move to serverless, for which there really isn’t an endpoint or workload to protect.

      2) A network security solution requires a different architecture, which involves setting up individual data centers around the globe to collect and route user traffic. The endpoint providers are more geared towards an agent deployment that sends all data to a central cloud for analysis. They aren’t architected to actually proxy the traffic inline. It’s possible for Crowdstrike I suppose, but would represent a significant investment.

      3) Hyperscalers do have substantial network capabilities and distributed data centers, so they could expand into network security services if they wanted to. The only challenge would be independence, as they would need to interconnect traffic between each other. For example, AWS would need to route a user’s request to a workload or application on Azure.

  2. Calum

Hey Peter, love the content you provide! I have a couple of questions about Cloudflare vs. Zscaler.

    1. You mentioned Zscaler’s product suite is broader and deeper. I was wondering what you make of this page Cloudflare recently published: https://www.cloudflare.com/products/zero-trust/cloudflare-vs-zscaler/, and Matthew Prince’s tweet: https://twitter.com/eastdakota/status/1540751277713260545. Is this just marketing?

2. Cloudflare mentions in the above page that Zscaler’s services are siloed compared to theirs: “Who would pick siloed services as a first choice? No one. That is why all Cloudflare on-ramps and edge services actually work together” and “Cloudflare uniformly connects and secures end-to-end using one network and control plane to provide a better experience for both your IT practitioners and end users.” What am I missing here? What makes Cloudflare’s services “one-network” while Zscaler’s are not?

    Thanks for any clarification!

    Calum

    • poffringa

      Hi Calum – thanks for the feedback. First, let me clarify that I am bullish on Cloudflare’s prospects in the Zero Trust space. I am trying to present a balanced view, acknowledging that Zscaler is the recognized leader in Zero Trust at this point (by Gartner for example in the latest SSE quadrant). With that said, Cloudflare has demonstrated a rapid pace of innovation and has a broader foundation of network infrastructure and other services, which they should be able to leverage to make significant inroads. The biggest advantage, I think, has to do with Cloudflare’s focus on optimizing traffic routing across their network, which should result in a better experience for users who connect to it for Zero Trust services. While Zscaler advertises 150 data centers, those are mostly in the northern hemisphere and co-located with the hyperscaler regions. They focus less on the routing of a global user to their switchboard.

      Here are some answers:

1) The comparison page is mostly focused on the differences in architecture and advantages of Cloudflare’s integrated network, which I agree with. I also agree that Cloudflare has now caught up with Zscaler in offering a product in each segment of an SSE solution. Cloudflare just needs to keep adding to their feature set in each of those segments. Zscaler generally has more integrations in place and their products are more mature. For example, Cloudflare’s CASB solution is in beta. Their DLP solution was just introduced during Cloudflare One Week and is in a closed beta. It has some basic capabilities for identifying sensitive data, like Regex pattern matching on PII. Zscaler, on the other hand, has those and just announced a few higher level features like OCR and AI-enabled document grouping by type. With that said, I agree with the CEO that Cloudflare’s general pace of innovation will likely result in a very fast trajectory to feature parity. Then, Cloudflare’s advantages in architecture, network coverage and intelligent routing will provide differentiation. That is in addition to Cloudflare’s broader product offering in application services, developer platform and data storage. For enterprises that connect to Cloudflare’s network, they can be offered bundled product packages that include Zero Trust and these other services.

      2) Zscaler relies on network from the hyperscalers for part of the traffic path. They also have much less control over the network routing from the individual user to their central data centers. Their service delivery is split across their 150 different data centers. Cloudflare, on the other hand, runs every service in every one of their 270+ data centers. They also have full control of the network path and can intelligently route traffic from data center to data center, versus relying on different network traffic providers for the full user path. This allows Cloudflare to provide a better user experience for the connection from a user in one distant location to a private workload in another.

  3. Scott

    Great article!

  4. Dan

    Hi Peter,

    Great article as always!

It does look like Cloudflare is trying to become a more complete and better SSE solution, but if Zscaler and other providers can already offer all the features that a customer would need, and if they sign the customers now, how hard would it be to switch to a different provider like Cloudflare? It feels like Zero Trust is pretty complicated to implement, and I don’t think a company is going to want to switch to another provider without a big incentive.

    Thanks

    Dan

    • poffringa

      Thanks for the feedback. I agree that a Zero Trust solution would be fairly sticky once implemented. The opportunity for Cloudflare would be to bundle in more services, like DDOS, network services, data storage, etc. to entice an enterprise to move to their Zero Trust solution. Fortunately, the onboarding for Cloudflare is fairly straightforward and can be handled in segments. You are correct that the next 12-24 months will be a great time to have a Zero Trust solution in market.