ZS Analyst Day

I am speaking about the technology.

So is me…

What Palo Alto is doing is creating a cloud offering to enable them to maintain and sell more appliances. Their offering cannot stand alone and compete. It only works with an appliance infrastructure.

That’s why on the one hand Palo Alto has a larger TAM than ZS but on the other hand faces a tougher dilemma - to compete head on with ZS it effectively would have to not just cannibalise itself but abandon much of its pre-existing business.

Palo Alto is a stunningly successful company and no doubt will continue to survive and thrive, (just as CheckPoint has which was the firewall predecessor to Palo Alto and caught in the cross hairs when Palo Alto came up with the Next Gen firewall).

However just as Palo Alto was the new up and coming faster growth opportunity vs CheckPoint, so ZS is to Palo Alto. I switched out of my entire Palo Alto holdings and re-invested in Crowdstrike and ZS.

Ant

12 Likes

Without wanting to speak for Denny but I believe he was talking about 85% market penetration of the technology adoption as opposed to 85% market share for ZS.
A

That is correct. The terminology is important.

If there are 1000 people on an island, the market for soap is 1000 times the price of soap, $2.00 on average, or $2,000.

85% market penetration is 0.85 * 2,000 = $1700

If three providers are competing, their market share might be


A 60% = .06 * 1700 = $1,020
B 30% = .03 * 1700 =    510
C 10% = .01 * 1700 =    170
Total              = $1,700

Soap users will continue to buy soap but it no longer is a growth market, the reason marketers invent gimmicks like perfumes, oils, colors, fancy wrappers, celebrity endorsements, and the Annual Soap Day Festival. LOL

Denny Schlesinger

6 Likes

Tinker,

How can an appliance help when your system is in a cloud?

Imagine that me and you are both running virtual data centers in AWS cloud, and that both are actually hosted at the new awesome data center in downtown Timbuktu.

The way VMWare wants to work is: never pass data out an Ethernet port and never put a server on one box when it can be spread among many. This means that your server and my server are actually virtually running on some of the same hardware. When my server decides to talk to your server it can go out an Ethernet port, through a router, and back in an Ethernet port. However, there is a strong possibility that the goes inna and goes outta are the exact same physical port.

VMware addressed this years ago, and Cisco too probably, by making virtual routers in the cloud, so the data never goes out of a port, it moves virtually within the cloud in the server center.

There is no box.

How can an appliance even hope to protect data?

Cheers
Qazulight

2 Likes

That is the point, appliances cannot. Appliances, however, are charged with doing so. The entire industry, absent the small SWG market is appliances, is firewalls, and is the disruption to initial firewalls, NGFW (Next Generation Fire Walls).

The NGFWs continue to exist because the data centers continue to exist that are not in the cloud and there are few options to remove the appliances for a DC except for Zscaler. iBoss is not up to snuff to do so as Zscaler does.

The virtual machines being spun out that are called “cloud” security or extensions of the appliances and have many limitations. Better, yes, limited, yes. The bandwidth extension example is but one such example.

Kingran is correct in that we don’t know the pace at which this innovation will diffuse into the marketplace. 85% in 5 years? In 10 years? In 3 years? 3 years seems unlikely to hit 85% diffusion into large corporate data centers. Beyond that I don’t know.

I do know that Zscaler has the only offering that provides this innovation on any real scale. How fast, how far…

Kingran’s comment on competition catching up however is pure speculation and there is no one anyone can point to presently in the market that qualifies as someone with a competitive offering or an offering that looks like it could be competitive within this new security innovation. I need to look at Cisco’s offering in more detail, and Blue Coat (who was #1 with its only real competition Zscaler - is now a broken company being spun out and sold and is completely appliance focused and expensive despite having excellent performance otherwise the sources say). Palo Alto is completely addicted and existentially dependent on its appliance strategy after one looks at their Prisma Access product.

But done a lot of digging and talking on the issue, much discussion here and elsewhere, and the gist comes down to (1) how fast the diffusion into the marketplace will happen, and (2) if any real competition arises to Zscaler. Of the two (1) we don’t know, (2) is unlikely given all we presently know. Prisma Access from Palo Alto is not real competition in regard to SWG technology.

Tinker

20 Likes

Qazulight,

The data has to flow in and out, however, to and from a user who can be anywhere in the world. Thus it then goes through an appliance or a virtual machine or Zscaler at that point.

Tinker

Tinker,
Thank you for continuing to add depth to this discussion. I have listened now several times to good portions of the Analyst Day YouTube. Here are some points on the new ZB2B product. This starts at 1:20:00 and goes to 2:14:31. The following points come from that segment.

UBS Analyst asked the question "why ZB2B has been carved out as a separate SKU, because in theory, nothing would stop me as a customer to deploy ZPA for the use case?"

Patrick Foxhoven CIO Zscaler, comments edited
But at the end of the day, there are fundamentally different buying centers and different customers that you’re trying to address.

If I’m in an organization, I have my IT organization, providing access to internal applications for my workforce

And then I had a whole partner ecosystem there are new economic buyers, like the Chief Digital Officer now and their job is to transform the business. So you have, you know, ZPA is more targeted towards the workforce. ZB2B is more targeted towards your partner ecosystem,

And the economic buyers are different. The sales motions are different. From a technology perspective, it’s very important for us to develop multiple identity providers support,

If you’re just dealing with one organization, you’re good to go.

If you are a bigger organization, you’re dealing with a partner ecosystem, you could have 300 different partners with 300 different identity sources, so there are some fundamental technology differences. At the end of the day, they are zero trust base, but different economic buyer, different sort of end users. One is a workforce, one is a partner ecosystem, And therefore we feel it’s building to get it into buckets.

Another B2B comment came earlier

But b2b is all about the same thing that you’re trying to do for rethinking users to applications, eliminating the attack surface, doing the zero trust network access style connectivity approach, that is very relevant. I would argue, sometimes it could even more relevant when it is a company and I’m giving a supplier access to my extranet to my ERP portal, or what I showed on stage was a web development tool that we use internally that we have third parties come in and collaborate with its core to how we develop our products, very sensitive applications that you’re giving to third parties. Think about what the attack surfaces, if you could bring those behind a ZPA style access, you obsolete the need for all the kinds of technologies that usually sit in front of those applications. And you’re dramatically improving your security posture with b2b. And the pillars of b2b are similar to what I just showed with ZPA. But there’s some new ones. So browser access is key, because third parties, you’re not going to often be able to dictate install my app to access my business app. But you also we also had to build in the ability to do multiple identities, which is a kind of a new concept where it’s not just a company or a tenant in a cloud that’s consuming identity from there as your ad or they’re paying or author, whoever they have. We want customers to be able to federate identity to the third parties, because if I’m a company, I’m allowing another company into my network, I don’t want to create accounts for that other company in my directory, it would be way better if you can just federate identity to them directly. And so we built the ability and ZPA to consume identity from it’s not limited from, you know, however many third party suppliers, customers that they have will federate that identity. And then the other piece that we had to build as a part of b2b is browser isolation.
So you really need to be careful about the data when you’re especially in the b2b context, the data that reaches the endpoint, because that’s a, pretend it’s a third party, you’re not necessarily responsible for securing that endpoint. And so we browser isolation gives us the ability, and this was in the demo as well to allow the access to occur, But restrain or restrict what data can actually leave. And we’re doing that by just, it looks like it’s a web application, but it’s actually just sending pixels to the device. There’s nothing that’s in the cache, the demo that you would have seen, there’s, if you try to copy and paste content, you can’t because it’s just pixels, You can even download files, and you can put policies around manipulating that. And to Jay’s earlier point, The only way you can do that style of controller security is to be in line to the traffic flows. No identity provider that’s in line just during authorization and then out of line, when they’re going to the application identity provider is going to be able to do that You have to be in line all the time, which is obviously core to what we do very well.

The above was transcribed via software and acronyms were not always accurate etc. Tinker, I suspect you could summarize this in the context of how this differentiates ZS from others. These presentations were before peers and critics and I believe shows why I and some of you are invested in ZS

Commway

4 Likes

Thanks Commway. The ZB2B product is something that does not presently exist from any other vendor as part of the stack (you can probably find it as a stand alone app). Zscaler does not even know how to price this service yet but it resolves one of the larger security holes out there and improves a large pain point.

How large it gets? TBD. Zscaler does not know, I don’t know, nobody knows. Manufacturing is probably the first vertical. But this has great aspirational potential. Whether it succeeds or not is for the future but there are no contributions from this or other future products in guidance nor in perception.

Tinker

6 Likes

Kingran’s comment on competition catching up however is pure speculation and there is no one anyone can point to presently in the market that qualifies as someone with a competitive offering or an offering that looks like it could be competitive within this new security innovation

What ZS is doing is not difficult to reproduce. In the technology world, whenever an incumbent core is threatened, they react by copying the product and use any means available to compete, (yeah you can cry FUD all you want that’s not going to make any difference).

The best defense against this is, exploiting the first mover advantage and rapidly expanding and blanketing the market, taking a very high market share that makes the competition economically unviable.

Now, the challenge for ZS is they are not growing as fast as they should, the penetration at the big enterprises, the long-sales cycle and lastly enterprises should move a significant portion of their applications to cloud. They are significant challenges.

At the end of the day, assuming competition won’t catch up to ZS is also “speculation”, perhaps bit dirty and not pure like mine. :slight_smile:

2 Likes