There is no world in which their product replaces firewalls, “next gen” or otherwise,
AJM, can you expand on this? This is the investment thesis for a lot of us.
ZScaler clearly states on their website that that is their objective, that that’s what they are advertising they do: https://www.zscaler.com/products/next-generation-firewall?ut…
And some of their customers already have.
I do not do this, because I don’t care at all if you listen to me.
I mean, you care a little. Enough to respond at least. Otherwise, why waste your time?
Do you track the Global 2000 penetration metric on any of your other investments? Is it something you care about outside of Zscaler?
Many of us are non-techies, so we simply follow the money. That’s why it’s important that these Global 2000 enterprises are spending money with them, as it is with any company I own. That doesn’t happen unless there’s a “there” there. I don’t think we disagree here. You seem to agree that Zscaler is offering something of value – I think you and others just disagree about whether it’s “revolutionary.”
There are some people here without technical backgrounds try to use rhetorical techniques and grandstanding to make it appear otherwise. It may even work on people that are non-practioners.
I don’t think anyone here tries to deceive with “rhetorical techniques.” Perhaps sometimes some of us can buy into the “revolutionary-ness” of a product or company, but personally I remain skeptical regarding Zscaler. The only disagreement I can detect between you and me is that I don’t think the investment is as risky as you said. You actually said, It might be the single riskiest stock I’ve ever heard of. (That may have been hyperbole, but you sounded serious.) My point is, no company that is growing like they are that you describe as “a fine company” that “should have a lot of customers” could possibly be the riskiest stock you’ve ever heard of, or you need to hear of more stocks. Maybe some dot bombs. So unless you correct me, I’ll assume what you meant is that you like Zscaler but not its valuation, even now. (Clearly there was plenty of risk at $80+.)
That said, maybe it is harder for ZS to keep a 50%+ growth rate than companies which have higher NER’s and shorter sales cycles. They’ll beat their 42% guidance, though, so I don’t see a ton of risk at the current valuation. Just maybe not as much upside as some think. I think we should be careful not to anchor to the former $80+/share price tag.
Bear
@Tinker - you made similar posts you made about Pivotal, Nutanix, and Nvidia. Credit to you for changing your mind after the numbers changed, but you seem to be very defensive about your investments and have trouble viewing things outside of an all-or-nothing dichotomy. You have some factual inaccuracies in your post about security products and services.
@Tinker - you made similar posts you made about Pivotal, Nutanix, and Nvidia. Credit to you for changing your mind after the numbers changed, but you seem to be very defensive about your investments and have trouble viewing things outside of an all-or-nothing dichotomy. You have some factual inaccuracies in your post about security products and services.
ajm, personal attacks when debating a stock are not acceptable on this board. Further posts like this will not be accepted.
Saul
“AJM, can you expand on this? This is the investment thesis for a lot of us.”
You can use a firewall and proxy for similar purposes. Firewalls, like the name suggests, keep things out. “Next generation” is a marketing term, or at least not a technical term. You can have firewalls that analyze patterns of requests and do static or dynamic analysis of payloads and enforce policy on that basis. Proxies take your traffic, manage access to what you can/can’t view, and sometimes relay traffic in ways that are otherwise like a firewall. Proxies can do the same thing as NG firewalls (analyze requests/patterns of request), like ZS claims they do (and I see no reason not to believe them). Proxies don’t have to TLS terminating.
A company can run its own proxies, and it can run its own firewalls. It can also consume either as a service. It can run both.
For very secure areas of your network, you want to keep people out. Firewalls will have a place in these. For some things, you will have people who are not in your network whose access you want to manage. Secure gateways/proxies will have a place here. They have overlap and you see PANW and ZS fighting for that area of overlap.
First, you should introspect why you think “400+ Global 2000” is meaningful. Do you track the Global 2000 penetration metric on any of your other investments? Is it something you care about outside of Zscaler? Are you tracking ZS to any forecasts on that metric?
In terms of the “S” curve this is an interesting datum. It sort of defines their TAM while a 20% market penetration is an indication that they are well on their way. If, as some claim, no one else does what they do, it also means that they have 100% market share of their niche. These are all indications that it is a good time to make an investment.
Denny Schlesinger
ajm, cannot respond to the issues attack the author. This gets tiring.
First, I sold Nvidia and Pivotal at their tops and moved on from them.
The mistake I made around Aug/September time frame was to
buy them back to play earnings for a day or two. Nvidia’s business just could not be as bad as the Street was saying. Turned out to be worse.
Pivotal, there was some good news associated w VMWARE that we thought (more than just me) was positive for Pivotal. So played earnings there for a bounce. That did not work either.
As a long holding I openly and in real time sold Nvidia and Pivotal at their highs and moved on at great profit. I’ve stated my stupidity and lesson learned playing the earnings bounce game. DONT DO IT!
So you can stop trying to destroy my credibility.
Second, you did not even respond to my question. You said no way Zscaler replaces firewalls. And I stated REAL WORLD UNDISPUTED FACT: GE and Siemens and many other large enterprises got rid of their appliances.
So if they can, and did, and have done so for years with Zscaler, why is it that Zscaler cannot supplant firewalls?
You say you understand the tech. Is there a technical reason? Or, as more likely, industry obstinance in the race of a disruptive change to all you use to know?
I am finding it more and more ridiculous how many times I am personally attacked simply by putting out facts and hard questions to help our investing.
LETS JUST KNOCK IT OFF - please.
The question I posed is very germane. If there is an answer it would be very important for all of us to know.
Thank you.
Tinker
I am mostly a lurker at this point. This scratched an intellectual/technical itch for me. I don’t have PANW positions an I don’t have ZS positions in any way.
I really didn’t go into the, “single riskiest stock I’ve ever heard of” bit, you’re right and I should explain it a little. If someone compromised Zscaler and Zscaler had some sort of flaw in their approach to multi-tenancy, then an attacker could in theory get unencrypted access to all of ZS’s customers unencrypted data. If you read CRWD, FEYE, or other reports on APT techniques, then you are going to see that a nation state can devote a lot of resources and be very patient. Things that are not always the case at a public software company. A company only has to screw up once. Even if that’s not the case you have a finite number of public ZENs, per my understanding. You could potentially be very disruptive to a large number of companies by targeting them in some way. ZS’s architecture centralizes a lot of risk that is currently distributed.
That I agree with. ZS removes almost all attack vectors except to itself.
How much of a concern this is I don’t know. GE was an early adopter and they have as many high priority data as any company on Earth. I have never heard GE discuss this point.
I have never heard ZS discuss this point.
I have never heard a customer or non-customer raise this question.
I am positive it had to be raised and satisfactorily answered or how does an organization like GE or Siemens make such a dramatic change?
One thing often spoken of and demonstrated is how much cleaner the network is from viruses and the like than before Zscaler. GE’s CTO passionately discussed last year that he simply could not defend his network. If you cannot defend it, you don’t have a network. That is why they switched whole sale to Zscaler. Their network is now the internet and he controls this network that is applicable to GE.
In the 2019 investor slides there is a testimonial from a customer showing daily attacks before and after Zscaler. With Zscaler you are seeing 1 or 2 or 3 sneaking through and caught. Before Zscaler you are seeing 30, 40, 50 or more per day.
The network is safer. The attack vectors are removed.
This is a point I brought up multiple times and now you have and that is Zscaler is now the attack vector of interest.
How this is addressed I don’t know. I do know GE is quite satisfied with whatever the solution is.
Tinker
Appreciate the video. It helps me understand a bit more. What I took away from the video is that ZS is appropriate if I don’t have my own network. Companies that still rely on their old way of doing things - an internal network - will not gain anything by employing ZS.
What I understood the GE CTO say is that they no longer have internal networks and that everything resides on the cloud and secured by ZS. If I understood this correctly, as a business, all I have to provide is an internet connection and my employees are connected to everything corporate via the cloud. No more servers or security people checking on the latest update.
I can see how this has to be a top down sell and that it takes longer. If everything above is correct, CTOs will find themselves with a much smaller team to manage and lots of IT professionals will be hitting the street. No bureaucrat would willingly make his or her fiefdom smaller. CEOs will probably have to have the flash of insight into how to make this work.
I know I am slow to the game, but this helped me understand that the power was not in the security, but in the ability to get rid of your own network.
Me Likee.
Gordon
This is not all or nothing.
You can absolutely have an internal network and networkong onprem on the edge and also have zscaler utilized.
Those larger global 400 customers all likely have a hybrid model of onprem and cloud…some of their apps are in cloud and some are not.
Dreamer
One of the most powerful things I’ve seen for ZScaler is from that analyst day slides.
https://ir.zscaler.com/static-files/bcbf2456-f86a-43e9-adf2-…
Look at number 43. It is from a guest speaker from a major oil and gas company that ZScaler borrowed for their presentation.
The company highlights their infected computers per month. Pre ZScaler on left, post ZScaler on right. 60, , 80, two hundred or more per month. Post ZScaler = basically 0.
From an investor standpoint I don’t need too need much more about deep tech than what that slide shows.
“Look what we do for our customers”
Darth
https://www.zscaler.com/solutions/cloud-security
Why cloud security?
Security for everyone on the network
Traditional network security made sense when all your applications were hosted in the data center and users were all on the network. But with apps moving to the cloud, and users increasingly mobile, the stacks of appliances sitting in the data center are increasingly irrelevant. This model forces all traffic through the centralized data center for security and access controls—a complex configuration that results in a terrible user experience.
Cloud applications like Office 365 were designed to be accessed directly through local internet breakouts. Zscaler cloud security enables local breakouts with full security controls.
Zscaler delivers the DMZ as a service, with AV inspection, Next-Gen Firewall, Sandbox, Advanced Threat Protection, URL Filters, SSL Inspection, and more —all in a unified platform service. It’s airtight security without the cost and complexity of stacks of appliances, and it delivers a fast, secure user experience, whether users connect from an office, coffee shop, or airport, at home or abroad.
Gartner on public cloud spending in 2020
How does cloud security differ from “traditional” network security?
Digital transformation has changed the way people work
The corporate network that once sat behind a security perimeter is now the internet, and the only way to provide comprehensive protection for users, no matter where they connect, is by moving security and access controls to the cloud.
The Zscaler cloud is always current with the latest security updates to keep you protected from rapidly evolving malware. With tens of thousands of new phishing sites arriving every day, appliances can’t keep up. And Zscaler minimizes costs and eliminates the complexity of patching, updating, and maintaining hardware and software.
Zscaler security controls are built into a unified platform, so they communicate with each other to give you a cohesive picture of all the traffic that’s moving across your network. Through a single interface, you can gain insight into every request — by user, location, and device around the world — in seconds.
UBIQUITOUS
The cloud is always reachable from anywhere, any time, from any device.
SCALABLE
You can add new features and thousands of users without breaking a sweat.
INTEGRATED
Security and other services talk to each other so you get full visibility.
COMPREHENSIVE
The cloud scans every byte coming and going, including SSL and
CDN traffic.
INTELLIGENT
The cloud learns from every user and connection; any new threat is blocked for all.
Aren’t my cloud apps and data already secure?
Yes and no. Cloud services — like Amazon Web Services or Microsoft Office 365 — are responsible for safeguarding your data within their cloud environments, but not all cloud providers offer the same protections. You need full security and access controls to protect your users from risky applications and prevent data exfiltration. A Cloud Application Security Broker (CASB) provides risk scoring for many cloud applications, which can be used to create access policies. And, CASB can augment a cloud security platform by extending data leakage prevention. But CASB on its own does not provide protection against security breaches, ransomware, or other internet threats.
Cloud apps and data security
What about “hybrid” solutions?
As organizations increase their use of cloud-based apps, like Salesforce, Box, and Office 365, and move to infrastructures services like Microsoft Azure and Amazon Web Services (AWS), it makes sense to have traffic secured in the cloud as well. For legacy vendors who have been — and largely still are — selling on-premises hardware appliances, this reality poses a problem, because their bottom lines, and their duty to shareholders, involves moving boxes. This is why they’ve begun promoting so-called “hybrid solutions,” with data center security being handled by appliances, and mobile or branch security being handled by similar security stacks housed in cloud environments.
The problem with such a strategy is that it complicates, rather than simplifies, enterprise security, and cloud users and administrators get none of the benefits of a true cloud service — speed, scale, global visibility, and threat intelligence — benefits that can only be provided through a multi-tenant global architecture.
Companies that still rely on their old way of doing things - an internal network - will not gain anything by employing ZS.
Very, very few companies can do business these days with only an internal network.
CTOs will find themselves with a much smaller team to manage and lots of IT professionals will be hitting the street.
The only ones impacted would be those charged with maintaining the physical firewalls, not a high maintenance job so that one person can manage a large number of firewalls. I wouldn’t worry about impacting the unemployment numbers.
I think I am finally getting it. But, I wonder why companies would even maintain their own network, when they can use the internet. The cost of maintaining and/or growing a network is tremendous. To me, that seems to be the real power of ZS. So if you want to maintain a network, PNW will be just fine, but if you want to do away with the network and associated costs, headaches, etc, ZS is the solution.
I am old enough to remember the first networks. Security was always the first concern. If I don’t have to worry about security, I don’t care what network I use. Brilliant.
Grodon
I am not worried about impacting employees. I was only pointing out that reliance on the internet and cloud security could remove a lot of employees. Not to mention the equipment costs of maintaining the network.
It just seems to me that if I can encrypt my data and ensure its security, that I don’t care about networks or hiring people to monitor them. Why not do everything on the cloud? Seems to me it must be cheaper.
So all these discussions about ZS versus fw etc, comes down to an argument about whether companies are going to continue maintain and installing their own equipment and people to configure and maintain them.
The end result seems to me that unless a company is really leaning forward, we are going to have to wait for companies to slowly migrate their operations to the cloud and ZS. I can imagine this is the land and expand for ZS. As equipment and networks age, CTOs will want to replace that equipment with ZS instead of buying replacement equipment. So the growth might be more gradual.
If I were at the investor seminar, I would like to have asked the question, “typically, how much of a company’s traffic is handled by ZS initially, and what is the typical time for the entire operation to change over”
Gordon
I think I am finally getting it. But, I wonder why companies would even maintain their own network, when they can use the internet. The cost of maintaining and/or growing a network is tremendous. To me, that seems to be the real power of ZS. So if you want to maintain a network, PNW will be just fine, but if you want to do away with the network and associated costs, headaches, etc, ZS is the solution.
I am old enough to remember the first networks. Security was always the first concern. If I don’t have to worry about security, I don’t care what network I use. Brilliant.
Grodon,
It is way more than that.
I have 3 devices that the company provides for me to access the network. I have multiple ways, including Starbucks wi-fi to access the network from. Additionally, from inside the network, it matters not if I am VPN’d in or connected to secured router, the applications I use have to grab data from outside the network.
Finally, I tend to access the network on the fly, literally at 80
miles per hour. (I am not looking at the screens but the equipment is syncing in the background.) Moreover, most of the highly paid technicians are expected to work in the manner.
So there is no edge.
Cheers
Qazulight
Gordon,
The ZPA product protects your internal data center. So Zscaler does exactly as you say, allows you to make the internet your network and also allows you to maintain your own internal cloud network and keep your applications and data in your own internal data center.
The ZPA product is presently much smaller than the ZIA core product. At present 14% of NEW sales are ZPA. Not 14% of total sales. So probably around 8, 9, 10% of total revenues, but growing faster than ZIA, perhaps in the 100%+ range but the number is not given.
One of the latest products is zB2B that enables you to offer your applications (whether internal or external) to your partners/suppliers/third party users while maintaining your Zscaler security (as third parties are a real security risk point) and does this without having to add the third party to your directories.
Thus extending more the utility of what is possible for both internal and external applications. Remains to be seen if there is rapid uptake of this product or not.
Tinker
https://m.youtube.com/watch?v=ZDZovcEvW1Y
I saw that and saw the ebook piece on ZS’s site, but was hoping for something more technical and couldn’t find it elsewhere. I’m not sure that the CTO said that zScaler completely displaced firewalls, but that it displaced firewalls in a large use case. I feel like I’ll be at risk of repeating myself, but Zscaler is a fine company. I think there are use cases for ZS and use cases for firewalls. If competitive RFPs and egos weren’t evolved I wonder if ZS or PANW would concede that the are converging on similar looking of product (pZENs? Prisma?). It’s not a perfect description, but the firewall vs proxy distinction is somewhat dependent on what side of the connection you are on. The risk of dismissing a PANW or Fortinet or whomever as a FUD spreading legacy vendor vs ZS as a transformative agent of change is that you frame it in a way that minimizes the advantages of other approaches, the threat of those vendors adapting and competing, and the growth and margin risk from more competitive sales landscapes.
I suspect that what most CIOs wants is for a single vendor to consolidate a bunch of the current vendors. I want a proxy for my mobile/byod fleet. Hell, maybe for branch offices/stores. I want my employee and confidential/classified data in a secured private network that is firewalled. I want endpoints on every device with device level enforcement with IoC/STIX telemetry from the best intelligence network. I want both proxy and firewall policy response upon endpoint alerts (and block infested hosts). I want endpoints quarantine on IoA recognition at network level, and I want that to be the same set of IoAs for proxy and firewalls. I want the best possible IoC/STIX/IoA available. I don’t think any single vendor has an inside track on this, and I don’t think you can rely on any single one of these approaches in isolation.
As a brief postscript (not at you Tinker, but to comments made as I was writing this post), as I have little time to respond more here today: I have said this here a lot of times. Please, for goodness’ sake, be skeptical of 1) CEO statements 2) Company provided case studies 3) Company provided white papers 4) IR presentations at analyst days. These are marketing tools. Seriously, has only ever read one where the conclusion was, “you should go with our competitor” or “this customer switched to our competitor, and it really was a better case for them” or “this customer adopted our software and has had mediocre results but hasn’t found it worthwhile to switch vendors”.