|Industry||Network Security, Computer security, Internet security|
|Headquarters||San Jose, California, USA|
|Key people||Jay Chaudhry, CEO; William Welch, CRO; Daniel Druker, CMO; Sydney Carey, CFO; Amit Sinha, CTO|
|Products||Internet security products|
|Number of employees||more than 500|
|Slogan||Making the Internet safe for business|
Zscaler is a global cloud-based information security company that provides Internet security, web security, next generation firewalls, sandboxing, SSL inspection, antivirus, vulnerability management and granular control of user activity in cloud computing, mobile and Internet of things - centric environments. As of 2015, Zscaler provides automated threat forensics and dynamic malware protection against advanced cyber threats, such as advanced persistent threats and spear phishing for more than 6,000 corporate, government and military organizations with more than 15 million paying users.
The company provides a cloud-based integrated-platform approach to Internet security, in contrast to many individual on-premises security appliances offered by vendors such as Palo Alto Networks, FireEye, Blue Coat Systems, Cisco, Check Point and Websense. The company often refers to itself as "the salesforce.com of information security," drawing a parallel to how Salesforce's cloud-based CRM platform massively disrupted the formerly dominant on-premises CRM software vendors such as Siebel, SAP, Vantive and Scopus.
History, Fundraising, and Valuation
The company was founded in 2008 by Jay Chaudhry, a serial security entrepreneur who previously founded and later sold AirDefense, CipherTrust, CoreHarbor and SecureIT, and Kailash, the former chief architect of NetScaler. The company is unique among the private technology company "unicorns" in that it is almost entirely self-funded, has significant recurring revenue, is cash-flow positive, and is more than doubling its business year over year. In 2012, Zscaler raised $5 million in venture capital from Lightspeed Venture Partners and received a strategic investment from EMC Corporation as part of a $38 million expansion round. Zscaler has a reported company valuation of "well north of $1 billion." On August 3, Zscaler announced a $100 million pre-IPO fundraising led by TPG Capital Growth. On September 23, 2015, Zscaler announced that the $100MM round had been oversubscribed and had been raised to $110 million, including a $25 million investment from Google Capital.
Deployments
Zscaler is unusual for a Software as a Service company in that it started out serving the very high end of the market and is now growing downward - most SaaS companies start with the mid-market and grow upward. As of 2015, more than 50 of the Fortune 500 are standardized on Zscaler for their Internet security. The company's largest deployment is the National Health Services of the UK, with 1.6 million employees protected by Zscaler. This is reported to be the largest SaaS deployment of any kind in the world. Other large organizations that have deployed Zscaler include General Electric, United Airlines, Air France, Barclays, Procter and Gamble, Nestle, Huawei, VMware, NBC, Newscorp, the State of North Carolina, the United States Marines and NATO.
Technology
Zscaler is a cloud-based information security platform delivered through what is reportedly the world’s largest security cloud of more than 100 global data centers and more than 1,000 points of presence. To use Zscaler, Internet traffic from fixed locations such as branch offices or factories, roaming laptops, tablets and mobile phones and Internet of things devices is routed through Zscaler points of presence before going on to the public Internet. Localized data centers store security policies that can be pushed worldwide in seconds, following users as they travel around the globe to enforce these policies without latency. Zscaler serves as a cloud-based proxy and firewall, routing all traffic through its software to apply corporate and security policies, eliminating the time and money companies spend managing Web filtering, data leakage protection, SSL inspection, advanced threat protection and security on their own servers. Zscaler is designed to address the challenge of managing security in a world where cloud computing, mobility and the Internet of things are eroding the network perimeter. Zscaler centralizes administration of users and policies on a single Web interface with a simple visualization. Zscaler can provide comprehensive user reports in nearly real-time and is constantly gathering global threat data to protect its customers.
Security as a Service Platform
Most security products have historically been point solutions deployed as hardware appliances. Zscaler is very different: it is a cloud-based Security as a Service platform that requires no on-premises or on-device hardware or software. Zscaler is a broad platform integrating many different security applications - from web security to next generation firewall, SSL decryption and inspection, data leakage protection, intrusion detection, and advanced threat protection - so it can also be thought of as a cloud-based, carrier-grade, globally deployed Unified Threat Management system.
Zscaler for Advanced Persistent Threats
Zscaler for APTs provides protection from zero-day attacks and advanced persistent threats by combining proactive protection against known threats, file-based behavioral analysis and sandboxing, botnet detection and blocking, data exfiltration detection and blocking, plus security analytics such as threat intelligence feeds. Zscaler for APTs consolidates the commoditized features of existing security appliances to protect, detect and remediate advanced security threats. Zscaler's cloud-based sandboxing is unique in that it is ultimately based on a terminating proxy - this means that it can quarantine files for inspection instead of only making pass/block decisions. This prevents the "Patient 0" problem associated with sandboxing appliances like FireEye and Next Generation Firewalls like Palo Alto Networks that pass the first instance of an unrecognized new file, allow the infection to take place, and alert later if the file turns out to be malicious.
Zscaler Next Generation Firewall
Zscaler Next Generation Firewall is an application and user-aware firewall that provides visibility and control over network traffic. It is unique in that it is entirely cloud-based and does not require any on-premise hardware or software, making it suited for protecting branch offices, retail stores, factories, remote locations, mobile devices and Internet of Things deployments. Zscaler Next Generation Firewall also includes traditional firewall capabilities such as control over network ports and protocols.
Zscaler Shift
Zscaler Shift uses DNS to secure Internet traffic. When a device requests the IP address of a location on the Internet from Zscaler's DNS servers, one of three things will happen. If the location is known to be safe, its normal Internet address will be returned. If the location is known to be malicious, dangerous or non-compliant with acceptable use policy, an appropriate security warning will be returned. If the security status of the requested location is indeterminate, the request will automatically be shifted (hence the name) through Zscaler's global security mesh for inspection. Hence the product seeks to combine fast-to-deploy DNS-based security with robust proxy-based security. To deploy Zscaler Shift, the device to be protected or the firewall / router at the Internet egress point is configured to use Zscaler's anycast DNS servers, located at 22.214.171.124 and 126.96.36.199. Zscaler Shift competes most directly with OpenDNS, which was acquired in the summer of 2015 by Cisco.
Zscaler Web Security
Zscaler Web Security is a secure web gateway, which also includes a web filter, that runs on top of the Zscaler Security as a Service platform. In the Spring of 2015, both Gartner Group and Forrester Research ranked Zscaler Web Security at the upper right of their Magic Quadrant and Wave reports, respectively. Zscaler Web Security primarily competes with hardware appliances for web security from Blue Coat Systems, Websense and Cisco. As the information technology landscape has been shifting away from on-premise software and toward cloud computing, the product is reported to have replaced more than two million seats formerly protected by Blue Coat Systems and Websense security appliances.
Zscaler Cloud Application Security
In 2015, Zscaler introduced Cloud Application Security capabilities designed to provide security, access management, visibility and policy-based controls over SaaS and cloud computing applications. Gartner Group is promoting the acronym CASB (cloud access security broker) to describe this category of functionality. Pure-play CASB vendors also plug into Zscaler's platform to provide additional capabilities such as shadow-IT application discovery.
Zscaler Security Grader
In 2014, Zscaler released a free HTML5-based network security testing tool called Zscaler Security Grader. Zscaler Security Grader runs a suite of automated tests that inspects an organization's network security posture from the perspective of the client device that is running the test. For example, it tests to see whether virus samples hosted on content delivery networks are blocked, it attempts to exfiltrate valid payment card and social security numbers, and it detects whether communications with servers in prohibited countries such as North Korea and Iran are blocked. The tool is useful to quickly understand whether current network security infrastructure is properly implemented and configured.
Zscaler Mobile Security
Zscaler Mobile Security extends its real-time analysis and protection to mobile devices in BYOD environments by routing mobile traffic through its global cloud. Zscaler Mobile Security provides visibility into mobile application traffic, protection from web-based threats and rogue applications and policy enforcement on mobile devices.
Technology Partnerships
Zscaler integrates with single sign-on providers including Azure AD, RSA, Okta, OneLogin and Ping Identity to enable simplified cloud application security. Zscaler integrates with mobile device management (MDM) vendors, including AirWatch and MobileIron, to enhance MDM with mobile security. Zscaler integrates with security information and event management (SIEM) vendors, including HP ArcSight, IBM QRadar and Splunk, enabling data analysis, digital security forensics and compliance with industry and government regulations.
Global Carrier Adoption
Close to 50% of Zscaler's business is touched by one of the global telephone companies. As of 2015, AT&T, Verizon, British Telecom, Orange Business Services and Swisscom are all actively reselling Zscaler as part of their networking and security services. In January 2015, Zscaler closed a nearly $10,000,000 transaction at a Global 100 manufacturing company with British Telecom. Carrier adoption of Zscaler within very large distributed enterprises is tightly tied to cloud-enabled networking, which is the elimination of traffic backhaul across Multiprotocol Label Switching networks, in which network traffic is broken out locally via commodity Internet connections to local Zscaler data centers instead of being backhauled to corporate data centers over MPLS, typically resulting in 80% to 95% reduction in MPLS traffic with commensurate reduction in wide area networking costs.
Recognition
Zscaler was named a “Cool Vendors in Cloud Security Services, 2011” by Gartner. Zscaler was named a “Leader” in the Gartner “Magic Quadrant for Secure Web Gateway.” Zscaler was named an “Emerging Vendor 2011: Security Vendors” by CRN. Zscaler was named a “Best Web Content Management Finalist” in the SC Magazine
Zscaler was named a “Leader” in the Gartner “Magic Quadrant for Secure Web Gateways.” Zscaler was named an “Emerging Vendor 2012: Security Vendors” by CRN. Zscaler CEO Jay Chaudhry was named a “The Top 25 Disrupters Of 2012” by CRN.
Zscaler was named a “Leader” in the Gartner “Magic Quadrant for Secure Web Gateways.” Zscaler was named an “Emerging Vendor 2013: Security Vendors” by CRN. Zscaler was named a “Tech 10: Hot Antivirus Alternatives For 2013” by CRN. Zscaler was named a Red Herring “2013 Top 100 North America: Winners.”
Zscaler was named a “Leader” in the Gartner “Magic Quadrant for Secure Web Gateways.” Zscaler was named a “Leader” in the Forrester Research “SaaS Web Security report.” Zscaler was named to the JPM Securities Fast 50 List of the Hottest Privately Held Companies.
SSL traffic considerations
The Zscaler service operates by having all of the Internet traffic from its clients sent through Zscaler's network of global data centers. In order to monitor or inspect secure HTTPS connections, Zscaler implements what is known as a man-in-the-middle attack to decrypt SSL traffic for users going through the Zscaler service. When a user attempts to open an HTTPS website, Zscaler mimics the website as the user accesses the server. In response to a CONNECT request by the web browser, the website's server will send Zscaler its server certificate. Zscaler will then check the validity of the cert and create a new cert signed by Zscaler. The new cert will be sent to the web browser, and assuming that the user has pre-installed a company root cert, the browser will check the validity of the cert, accept and install it, and continue to access the website. If a root cert has not been installed, the user will receive an error stating that there is a problem with the website’s security certificate and will have the option to continue or not.
Since Zscaler is able to decrypt traffic, they are able to scan the content for any malicious traffic that would have otherwise come in over an encrypted channel while applying policy based on the unencrypted traffic for the user. They can also detect and block outbound attempts to exfiltrate data, such as by botnets, even when connections are encrypted by SSL. When they enable SSL decryption they also allow the administrator to specify which URL categories or custom domains should not be decrypted in order to ensure user privacy. Zscaler also has the option of blocking access to specific URL categories or customer domains, regardless of whether SSL decryption is enabled or not.
User Concerns
In a corporate or academic environment, the decision to use Zscaler, and the rollout of the Zscaler services, will not necessarily be known by the individual users (visitors, employees, or students). In particular, an HTTPS connection is intended to be secure against eavesdropping, and in other contexts, the way in which Zscaler replaces the SSL certificate of the website in order to monitor HTTPS traffic would be considered a cryptographic attack. Without explicit knowledge as to the extent of Zscaler's monitoring, users may assume that a secure HTTPS connection is indeed secure against eavesdropping. Such a connection may be used for personal reasons such as personal webmail or online banking or shopping, thereby unknowingly exposing the user's personal details to Zscaler.
It should be noted that Zscaler can be configured to bypass SSL interception for specific sites, applications or categories of site (e.g. Banking, Medical).
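An added example, not part of the original page or Zscaler's own tooling: a client-side audit that reads the issuer of the certificate a connection actually presented and flags sites on the do-not-decrypt list that were re-signed by the inspection CA anyway. The CA organization names, the exempt domains and the sample observations are constructed assumptions; substitute the name of the company root installed on your devices.

```python
import socket
import ssl

# Constructed policy values (assumptions, not Zscaler settings).
INSPECTION_CA_ORGS = {"Example Corp Inspection CA"}      # org of the pre-installed company root
NO_DECRYPT_DOMAINS = {"bank.example", "clinic.example"}  # custom domains exempt from decryption

def issuer_org(cert):
    """Return organizationName from the issuer of a getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def is_exempt(host):
    """Match the host or a parent domain, on label boundaries only."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in NO_DECRYPT_DOMAINS)

def classify(host, cert):
    """Describe what the client observed for one HTTPS connection."""
    intercepted = issuer_org(cert) in INSPECTION_CA_ORGS
    if intercepted and is_exempt(host):
        return "VIOLATION: exempt site was decrypted"
    return "inspected" if intercepted else "end-to-end"

def fetch_cert(host, port=443):
    """Live lookup (needs network). Raises ssl.SSLCertVerificationError when the
    re-signing root is not in the local trust store, the error case the page describes."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def sample_cert(org):
    """Build a minimal constructed certificate dict in getpeercert() layout."""
    return {"issuer": ((("countryName", "US"),), (("organizationName", org),))}

# Constructed observations, as a client behind the proxy might record them.
SAMPLES = [
    ("www.news.example", sample_cert("Example Corp Inspection CA")),
    ("login.bank.example", sample_cert("Public Web CA")),
    ("login.bank.example", sample_cert("Example Corp Inspection CA")),
    ("notbank.example", sample_cert("Example Corp Inspection CA")),
]

if __name__ == "__main__":
    for host, cert in SAMPLES:
        print(f"{host:22} {classify(host, cert)}")
```

To audit a real network, replace the constructed samples with `classify(host, fetch_cert(host))` for each site in the bypass categories.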