ZScaler For Dummies (ZPA vs VPN)




Hmm, I liked ZScaler as an investment, but this video is simply not compelling. If anything, the first 2/3 of it actually makes me question my investment in the company.

The first and third examples - of Outlook and Jira access - are simply not true today. My own company, not the most modern being founded in the mid 20th century and not using ZScaler, has enabled access to Outlook email, Sharepoint, and Jira without requiring that a VPN be stood up. So the comparisons there in the ZScaler video are just wrong. And I’d be surprised if my company was state of the art. I’ve posted here previously what Microsoft documents on how to set up Outlook 365 to enable secure access without VPNs (and without using ZScaler). ZScaler simply isn’t required for allowing access to Microsoft SaaS services without a VPN.

The second example was “won” by VPN, but, OK, it’s silly.

The fourth example, of having to re-establish a VPN session when you switch Wi-Fi networks, is again dependent on needing VPN. With things like Outlook and Sharepoint not requiring it, only legacy corporate storage “drives” need that. I’ll grant that if the connection drops you have to re-establish it, but again, at my company I almost never use VPN. For doing work on a plane, I haven’t had the need ever.

Where ZScaler does have an advantage comes about 2/3 of the way into the video - and that’s for spying on users. Since every time a user attempts to access something, that access is or isn’t granted by ZScaler, it makes sense that ZScaler knows who’s doing what. Of course, without ZScaler you just look at the logins to the specific services (Outlook, Jira, etc.) to get the same information. And even with ZScaler if you want to know what the user actually did there you have to go to the specific services anyway. I get that it takes a little longer since it’s not centralized like ZScaler, but that doesn’t seem to be a big deal to me.

Finally, I’ll grant the network performance debugging advantages of ZScaler. But compared to today’s non-VPN required access, putting ZScaler in the middle can only slow things down.

Maybe some ZScaler expert can show me where I’m wrong?


I’ve had to use VPNs on many occasions and I’ve hated it every single time.


Here is a good blog as to what Zscaler does. I am sure there are other alternatives, but almost all of them involve appliances and virtual appliances/gateways. Direct to internet is only done via a pure cloud solution. There is a reason why Microsoft sends two people to speak at Zscaler events, the CEO and the COO of Azure (or whatever his title is).

Zscaler in this blog introduces blockchain as well as another aspect of the future internet that Zscaler believes you will need Zscaler (or something similar) to enable just as GE specified that they needed Zscaler to enable their use of the internet as the network.

Zscaler does not have 100% of the market (more than 55% in web gateways, #4 ranked as of now in end point security, which seems incredible to me given how nascent Zscaler is and how competitive the end point security market is), but they are clearly doing something no one else is able to do. In the end it may just be a matter of degree, a matter of efficiency, or something that becomes more and more valuable the more and more the network morphs into really just the internet.

The trend is really hybrid in data centers. And in the hybrid data centers the existing appliance and end point products will still be relevant with Zscaler just part of the equation. That is why Zscaler is emphasizing its “greenfield” sales as predominant and that only collaterally are they supplanting the existing appliance gateways. Zscaler is really trying to avoid getting into a battle with the incumbents because they seem to believe that they enable something new that does not currently exist and that this alone will be sufficient to guide their growth for a long time to come, much less disrupting incumbents.

I just follow the numbers here, and Gartner, which has had Zscaler as the clear leader for 8 years, with only one other company even making the leader quadrant with them in that time period (and that company sells perhaps the most expensive of hardware appliances as the core of its business model - according to Gartner and other sources). It demonstrates that what Zscaler does is not something anyone else was or is doing, and this gives Zscaler an enormous first mover advantage into what is now becoming the decentralized internet that it is morphing to in growing numbers. Obviously still a minority technology choice.

SDNs are growing like mad as well, and AT&T thinks enough of Zscaler to have Zscaler as their go-to security apparatus for their SDN solutions, as an example.

So following the numbers, following the partners, following even what GE did, and until I see differently I don’t know what else to say.




We also expose web applications to the outside (as your company did with Outlook, Sharepoint, and Jira). We do it with our HCM ERP, our eTime software (for, you guessed it, recording our time), and Outlook 365. Two of our employees were hacked (via social engineering) and as a result the thieves made off with a good amount of money. We now have two-factor authentication to these apps. So, now we all have to carry a stupid dongle. This would not happen with ZPA.



So, now we all have to carry a stupid dongle. This would not happen with ZPA.

OK, but that wasn’t in the video. Why didn’t ZScaler think that was important enough to make the top 5 reasons for using ZPA?

Note that ZPA can be considered as incorporating two-factor authentication implicitly, which is dependent on users’ machines (including phones) having ZPA installed and configured.

A few months ago I was in China. The only way to connect to a number of US websites, or for that matter even read my email (@gmail), was via a VPN.

In the past, this has been a bit of an added expense, but pretty reliable. Not this time. The connection was always hard to make, I would have to try to connect to a number of different servers before I succeeded, sometimes not at all. The connection was constantly interrupted after being connected for a short while.

The Chinese even used the VPN as a pathway to change settings on my PC and phone. I had to reinitiate my PC wireless settings on more than one occasion (among other disruptions, this causes your PC to forget every memorized website).

Lesson - VPNs are unreliable in situations where some entity really wants to interfere with the connection and can even be used to gain access to your device.


Lesson - VPNs are unreliable in situations where some entity really wants to interfere with the connection and can even be used to gain access to your device.

I feel there are a number of misconceptions here.

  1. One reason to use VPNs in China is to get access to sites that the Chinese government blocks (known as the “Great Firewall of China”; see https://en.wikipedia.org/wiki/Great_Firewall ). Note that using VPNs is currently illegal in China!

  2. The Great Firewall has become more and more sophisticated over time. Just a short time ago, most VPNs worked, but now those VPN servers have been blocked as well. Only VPNs that are able to mask their connection will work today. Speeds can be affected and the best VPN products are actually adaptive in their connections.

  3. It’s EXTREMELY unlikely that you were attacked through the VPN, unless you were using some VPN service that has been compromised by the Chinese government. See this https://www.vpnmentor.com/blog/can-vpns-hacked-take-deeper-l… for more information. What VPN provider were you using? More likely is that your devices were hacked just connecting to the internet access point before you connected to the VPN.

  4. Even ZScaler apparently has some performance issues in China. ZScaler community thread here: https://community.zscaler.com/t/looking-for-experiences-with…

  5. Since with ZScaler you’re still connecting to a local access point, there’s nothing to stop hacks to your device. ZScaler protects the traffic to and from the ZScaler configured company sites you’re accessing, but any other traffic is outside of ZScaler and so you are completely unprotected. The corporation stays protected, since any attacks driving from your computer to the company are examined by ZScaler’s services, but your end device is most certainly not.

VPN will better protect your device than ZScaler since any non-business traffic you engage in with the VPN is encrypted and hidden from hackers. Of course, if you’re a high value target, the government could be attempting to crack the VPN encryption (and if the source prime number keys are less than 1024 it’s actually pretty easy), but then hopefully you know more about this than I.


The corporation stays protected, since any attacks driving from your computer to the company are examined by ZScaler’s services, but your end device is most certainly not.

Perfect from the perspective of the investor.
Enterprises pay the bills.



My VPN was ExpressVPN, a popular VPN which claimed to provide the “best service in China.”

I don’t believe my PC and phone were both hacked by some random intruder. No data was destroyed or taken to the best of my knowledge. The only thing that appeared to be the objective of the intrusion was to interfere with my ability to access blocked websites such as Facebook, Google, etc.

The reason I say that is the nature of the hack, particularly the phone hack. The ExpressVPN software was disabled and a response to trying to start the VPN was a screen with the ExpressVPN logo that informed me that the software was under revision and my service would be restored when complete. After about a day’s worth of this message I contacted ExpressVPN service desk and the message I received was complete news to them. They advised I download and reinstall the VPN. Fortunately, they provided a link that I could access.

The service desk freely admitted to the numerous problems with PC access in China. They went through several s/w revisions while I was there. They claimed to be working frantically, day and night to restore normal service (in the three months I was in China, this goal was never achieved). I spent several hours in chat sessions with the service desk during the three months I was in China. This is really not my most favorite way to spend my time.

I did not mean to imply that Zscaler would have been a solution. Sorry if you got that from my message. I should have indicated it was OT. My only point was that the VPN was worse than just unreliable. In that my device internals were messed with, I have no doubt that serious damage may have been inflicted, but restraint was shown. The only thing that came from the intrusion (so far as I know anyway) was impairment of my ability to tunnel through the Chinese firewall.

As recently as 2017 I had no problem accessing “blocked” sites from China with a VPN. 2018 was a completely different story.

BTW, I complained about my service several times while in China and again when I got back to the US. ExpressVPN refunded my full subscription fee with no question or argument.


I still harken back to this article from last summer. To date, nothing Zscaler’s numbers have shown has given any indication the author may not be right.

How Zscaler may finally be the one to eradicate VPNs. This author has seen other technologies for security promise this and that, but it is only with Zscaler that he sees one that finally might just be capable of doing so, and not only capable, but also give you reason to want to do so.

Always a good read, to of course be tested with real world numbers and results and actions as we move prospectively forward.

It is why so many analysts and industry experts consider Zscaler to be such a disruptive technology. Whether or not it lives up to potential is something we will only see as time allows us.



Here are the succinct instructions on how to deal with the ZEN problem in China:


For those who want the low level technical solution.