ZScaler Technology Exploration

Maybe it’s my inner Peter Lynch, or perhaps just intellectual curiosity, but I like to understand what a company in which I’m thinking of investing does, and the why and how. If there are any ZScaler experts out there, I’d like corrections, reinforcement, or constructive feedback of any kind to this:

I think the elevator pitch for ZScaler is something like: “Since many enterprise applications are now hosted in the cloud, use of those applications by-passes much of traditional security practices. ZScaler will look at all your internet traffic to be sure it’s legit and clean, without installation of any hardware.”

Perhaps one example is people using GMail. When an employee connects to GMail, an https, or SSL, connection is established. That means the traffic between that employee and GMail is encrypted. The employee could mistakenly download viruses, supply credentials to bad actors, etc., without the enterprise knowing, much less being able to prevent. In the past, some companies blocked access to sites like Facebook or YouTube or GMail, but as soon as the employee took that laptop home, he could access them since he wasn’t on the corporate network. ZScaler addresses this.

One of the way in which ZScaler operates is by becoming a Man in the Middle (aka, MiTM). The employee’s computer (owned and setup by the company) sends data not to GMail or Salesforce or Facebook or Concur, but to ZScaler. ZScaler looks at the data, then sends it on to the proper destination if it’s clean. When that application responds, ZScaler gets the response, then sends it to the employee’s computer if it’s clean. Military people in sensitive locations who have had their paper correspondence examined and censored know the principle.

The internet literate among you may now be wondering how ZScaler can do this. After, we’re trained to believe that when our browser shows the lock symbol, our traffic is encrypted and private. The answer is that the employee’s computer is owned and setup by the company, and part of that setup is installing what’s know as a PAC file (Proxy Access Configuration) into the employee’s browsers. This is what redirects browser traffic to ZScaler. The ZScaler site certificate is also installed as trusted on the computer, so browsers won’t complain to the user about the redirection. You can read the gory details here: https://help.zscaler.com/zia/what-pac-file and here: https://help.zscaler.com/zia/how-do-i-deploy-ssl-inspection

In essence, the employee’s browser is establishing a secure connection to ZScaler’s servers and then ZScaler is establishing a second secure connection to the actual site the employee wanted. So while your broswer URL line might say: “https:www.facebook.com,” it’s not actually going directly there. The green lock icon is shown because where it is going (ZScaler) supplies a certificate that the browser trusts. I don’t know for sure, but I suspect that if your computer is configured to use ZScaler, you could click on the lock icon to look at the actual certificate being trusted, and it would be a ZScaler cert, not a Facebook cert. If someone is using ZScaler I’d appreciate it if they’d try this out and report back.

The same thing can be done on employee smartphones, but ZScaler also has an app (https://help.zscaler.com/z-app/what-zscaler-app ). Installing the app also installs the ZScaler cert. The end result is that all traffic, even non-broswer traffic, goes to ZScaler. Yes, even Angry Birds.

Note that traffic goes to ZScaler even if the computer/phone is not on the corporate network. To me, this raises privacy concerns. Say your corporate email is Outlook 365 and you use use, say, GMail for your private correspondence. On a ZScaler configured device even that GMail traffic would go to ZScaler for vetting even when you’re not doing company business. Now, I think that’s OK for a company-supplied computer (at least if the company tells you), but if the company is requiring you to use ZScaler on your personal phone in order to gain corporate data access, then even your private conversations on your private device are going to some third party.

In addition to user privacy concerns, there is also the potential that ZScaler itself gets hacked, in which case all corporate and personal data going through it might be exposed to bad actors, despite use of SSL. A data breach at ZScaler might have a larger impact as recent breaches at Equifax since it’s not just ID info, but actual corporate (or private) data. There have been some security issues with ZScaler in the past (for instance see https://securityaffairs.co/wordpress/56776/hacking/zscaler-c… ), but I haven’t seen anything too serious yet. There is also a potential for ZScaler to suffer from DoS (Denial of Service) or similar attacks, as well as the ZScaler service itself going down, in which all all corporate traffic is log jammed. Finally, there has to be a performance hit, since all traffic is encrypted and decrypted twice, plus whatever time it takes ZScaler to perform its filtering.

Anyway, since all data goes through ZScaler’s servers, ZScaler can do any kind of threat detection or filtering it wants, and can add/subtract those features without changing anything on corporate devices (once initial setup is complete). So, ZScaler has a good business model for creating new value-added services for which they can charge additional fees, and of course, ZScaler can charge based on actual usage, and lock-in would appear to be really high since to change away a company would have to reconfigure literally every employee’s computer and phone. Seems like a good business model to me. The main risk I see right now is that ZScaler gets hacked or does an internal update that causes it to have problems providing its service.

If anything above is wrong or mis-characterized, I’d sure like to hear about it. TIA.

Smorg,
Thanks for that post. Clarified a few things in my mind about which I had dimly formed questions.

As for performance hits, from what I have been able to glean so far, Zscaler performs better than running all the traffic through a collection of appliances. So, I think it’s a non-issue. In fact, Zscaler is more responsive than the alternative.

But you raise a couple of very valid concerns: 1) Zscaler getting hacked, and 2) Having the Zscaler PAC file on every device accessing the corporate network.

As for Zscaler getting hacked - well that’s a real issue and I’m not all that sure what they can do about establishing 100% confidence that they are impenetrable. I had not previously considered this in my maybe too glowing reviews of their technology. To date, no security measure has been able to assert that it’s hack proof. Even if they were to magically attain this status, any demonstration of how they were able to do so would reveal the means to penetrate the shield. So that’s a conundrum. In the final analysis, software is an intellectual construct, it’s a language, it has a vocabulary, syntax and grammar. Nothing can be asserted in software (at least nothing of a highly complex nature that deals with a multitude of intertwingled variables) that cannot be manipulated. There is no such thing as a mathematical certainty with complex software - we’re in the realm of probabilities. Even five 9s confidence is less than 100%.

The PAC issue is another factor that warrants consideration. Where I worked every employee and contractor was issued a company PC. For those who could demonstrate a need a cell phone was also issued (8 years ago when I retired cell phone access to data networks was not all that pervasive). It was impossible to access the corporate network on a privately owned device. That has all changed. But even before cloud computing and internet access was mundane, there was still an issue with supplier and customer access as well as a public facing, anonymous access website. The security strategy at the time was to “wall off” the portions of the network these outside parties were able to access. But keeping that wall secure was literally a daily battle. To be honest, I haven’t a clue how or if Zscaler addresses this issue.

You’ve raised a couple of serious concerns. I will have to learn more. My confidence in ZS has taken somewhat of a hit.

Like with autonomous driving not being perfect but much better than human driving, Zscaler security is much better than existed.

I suggest you listen to the keynote speech of GE’s CIO who specifies that in the end they had to conclude they had no network because ether could not trust their network. That is why they moved to making the internet their network. GE was ahead of the curve. They actually had to create their own software because Zs did not have sufficient financial security to be a GE vendor.

Once Ge obtained said they moved to Zs because with Zs they had a network again, because they could trust it.

Tinker

Yeah Tinker,
As i’ve been thinking on it, there are a couple of important issues, but they are relative to the alternatives. No matter what your security blanket, there are vulnerabilities. Can ZS be hacked, of course, all s/w locks can be picked. But that doesn’t mean it’s easy, it just means it’s possible.

As for the PAC, same deal really. Without or without ZS there are still customers and vendors and the general public who will access some parts of the corporate network. Any company will take all the necessary security precautions they have to in order to protect the production environment. They have to do that whether or not they use ZS.

So are there potential points of failure? Yes. Do those points of failure exist in any case? Also yes. ZS is still, by far the best answer for the majority of security requirements related to network protections. I just had to spend a day or so thinking on it.

I still appreciate Smorg bringing it up because I hadn’t really considered it before. I like to be reminded that I never have complete information. Keeps me humble. Keeps me thinking.

I suggest you listen to the keynote speech of GE’s CIO … GE was ahead of the curve.

I think you mean GE’s CTO. I found this: https://www.youtube.com/watch?v=gs6tPBXr2rA, which I’ll watch when I get a chance.

But for now, it would appear that GE underwent a major restructuring effort, including hardware changes, to be able to adopt this new paradigm. Surely you’re not saying potential customers also need to take on that level of restructuring to need/want ZScaler. And, in terms of effort and willingness, it is perhaps telling that GE’s former CTO, Larry Biaginim left GE to work at ZScaler inn 2016. As Tinker says, GE is ahead of the adoption curve. We need to assess how ready companies further behind GE are in terms of buying ZScaler’s offerings.

But to be clear, I wasn’t pointing out potential privacy and security concerns with ZScaler to say that ZScaler wasn’t a good investment or even a good solution, but rather just issues that arise out of my exploration into ZScaler’s technology.

https://discussion.fool.com/refresh-on-zscaler-34022538.aspx

Here is comment and quite telling argument regarding Zscaler and SD-WAN. SDWAN expected to grow at 65% compounded growth. It makes the internet the network for each location. You can either plug in another appliance or Zscaler it. That is why ATT was at Zenith as a keynote.

This is all greenfield stuff w out replacing a single existing appliance. From these greenfield opportunities companies try it out and end up expanding to other areas of the company as they like the simplicity and performance.

Tinker

SDWAN expected to grow at 65% compounded growth. It makes the internet the network for each location. You can either plug in another appliance or Zscaler it. That is why ATT was at Zenith as a keynote.

This is all greenfield stuff w out replacing a single existing appliance.

1. SD-WAN will indeed appear to have high compounded growth rates, because it’s starting from such small base. In Q1 of this year the TOTAL market was only $162Millon according to IHS (https://www.lightreading.com/carrier-sdn/sd-wan/sd-wan-reven… ).

2. When Tinker talks about not replacing appliances and “greenfield stuff,” what I believe he’s referring to (I’m sure he’ll correct me if I’m wrong) is network extensions to support remote employees, which is different than the GE solution he touts so frequently.

So, where does this leave us?

Even if you wanted to take a long term view and believe that SD-WAN is the future one impediment is that the hardware it replaces has a long operating life. So, it’s likely to take time to really take off. Even worse for us, it doesn’t appear there’s a good public SD-WAN company in which to invest (https://searchsdn.techtarget.com/opinion/Vendors-vie-for-a-p… ). Aryaka and Silver Peak are private companies, and the other two in the top four are Cisco and VMWare (both after purchasing other companies).

Going to a complete networking re-architecture as GE is doing (still not complete) is a big decision for many companies and entrenched networking professionals will push back hard. There are many issues to consider. Aryaka’s big selling point is that its own global network is faster than the public internet, but are companies ready to outsource their network? (Yes, ZScaler works on Aryaka’s network).

What I don’t yet understand is how SD-WAN is competition for VPN, but if I take that as truth, then it finally puts ZScaler’s VPN trash talk into perspective. ZScaler itself isn’t a VPN replacement, but if you have VPN you won’t be running ZScaler, whereas if you’re running an SD-WAN you should consider ZScaler. So, at least that much makes sense.

Just an elaboration, $162 million in SD-WAN revenues were only for Q1, one quarter. Each subsequent quarter should show sequential growth. Lets just call it $750 million for the year.

That grows to $1.237 billion next year, $2 billion the following year, $3.369 billion the next year, and so on. If you want to not use appliances and you want the #1 security system for SD-WAN you are going with Zscaler. Of course there are many that will buy incumbent solutions.

For all of the last 4qs, Zscaler only had revenues of $190 million and they own much more than 50% of the SWG market. At&T is a partner, Cisco is a partner? don’t know about this (Cisco likes to sell its own security products), VMWARE is a partner, that puts the #1 SD-WAN vendor, AT&T a strong Zscaler partner, VMWare is everywhere, but do not know their ranking…

Either way, the definition of SD-WAN is making the internet the corporate net. Meaning the remote office hooks to the internet, and then you can run it through the VPN at the central data center, or you can free things up, with GE being the most extreme example. Of the two VPN is more expensive, less protective, gives poorer performance, and much higher maintenance.

Plus, each appliance needs to be upgraded, maintained, etc. Not so easy to go to remote offices and update things together and all the same systems, etc. Zscaler on the other hand does it for you since it is a SaaS.

Either way, the SD-WAN market is an enormous opportunity for Zs from their current market size and given the market growth rate and just how well Zs is renowned in the market by vendors and how it clearly offers the simplest and most elegant solution, with best performance, lowest maintenance and it appears best security. But each vendor to their own.

I am not sure how large the security portion of this market is, obviously much less than the total market, but you can still see how large and fast growing this opportunity is for Zs, particularly given their present smallish size relative to the market.

Tinker

"SD-WAN is currently a maturing market, expected to reach $861M worldwide in 2018, as early adopters of SD-WAN are expanding existing deployments, having proved the SD-WAN business case.

looks like I underestimate 2018 revenues. This article specifies it is $861 million. It also lists VMWare as the #1 vendor. VMWare and Zs are tied at the hip in these installations…

Tinker

https://www.zscaler.com/solutions/vpn-retirement

Btw this is Zscaler’s VPN replacement pitch. Is quite compelling and it isolates each user from the network, and making you invisible from the internet. Thus you can use the Starbucks WiFi for convenience w o any security issues. Literally you can access a public WiFi and no one can hack what you are doing despite the open network.

The high level is about Nitty gritty is for someone else. I find the high level view plus real world business performance to be enough.

The only near competitor I can find is iBoss if someone wants to look. They do offer appliances but I am not certain they are required. Seems more optional, but hard to tell. They use a proprietary node technology that Gartner says works very well. Then again Gartner said Symantec had great stuff too, albeit expensive. And very appliance dependent.

Tinker

Tinker,

Do you mind listing your current holdings? I know you are very concentrated, usually only invested in maybe 2-3 holdings, so obviously very high conviction from your standpoint.

I think a while ago, you held ANET and NVDA? But sold those and now it’s maybe ZS and NTNX? And PVTL before the last report.

Just curious if you care to share/confirm.

That’s interesting.

what if the employee uses a different web browser that may not have been configured? or would the configuration apply to any web browser that runs on your laptop or phone?

tj

The employee will not be on the corporate network nor will Zscaler allow access to a non Zscaler equipped browser. Thereby the employee cannot by pass security as they can and often do out of convenience using traditional systems. It is yet another security improvement that Zscaler provides.

Tinker

thejusticier: what if the employee uses a different web browser that may not have been configured? or would the configuration apply to any web browser that runs on your laptop or phone?

XMFBreakerTinker: The employee will not be on the corporate network nor will Zscaler allow access to a non Zscaler equipped browser. Thereby the employee cannot by pass security as they can and often do out of convenience using traditional systems. It is yet another security improvement that Zscaler provides.

Let me attempt some clarifications. First, the ZScaler mobile app does indeed cover all access from that phone/tablet, like a VPN would. Not for laptop/desktop, though. But, more importantly, the application itself is configured to only connect to ZScaler directly. This is necessary to reject any external hacker requests. Remember, ZScaler acts as a middle-man between request and requestor. ZScaler will reject any non-authorized user and the app will reject any request that doesn’t come from ZScaler. Exceptions can be made, such as allowing an inside the corporate network application to respond directly to an inside the corporate network user, but that hinders some of the security that ZScaler can provide so I suspect most companies don’t do that.

I don’t know what Tinker means by “by pass security as they can and often do out of convenience using traditional systems.” Typically, internal applications are on the corporate network and literally not accessible except from the corporate network. Remote employees must use VPN to get on the corporate network, which requires them to log in. That’s secure and not bypassable, albeit inconvenient.

What ZScaler adds is protection from hackers getting viruses and such onto employee computers and having those viruses, once the employee is on the network, from doing damage to ZScaler protected applications. The virus would go through ZScaler’s server software, which scans it and only sends it to the app if it’s clean. Of course, ZScaler itself may have a bug or may not recognize certain viruses and let something through that it shouldn’t, but that’s not much different than any other security solution today.