Zscaler: “we want to be the Salesforce.com of Internet security!”

This piece was originally written for the Orange Business Live blog.

On November 15, I was invited with a group of journalists to a press tour in the Silicon Valley (a sequel to our June 2010 press tour in the Valley). Our first presentation took place in Sunnyvale, Calif. at the main office of Zscaler, a ground-breaking cloud security provider, which is also a partner of Orange Business Services.

The landscape has evolved

The security landscape has changed dramatically over the past decade. Whereas most security threats (apart from social engineering) used to come from outside devices like floppy disks or, more recently, USB keys, the vast majority of threats now come directly from the Internet. This has forced enterprises to equip themselves with a flurry of protection devices and software which have, over the years, generated staggering complexity, and this complexity is increasingly getting out of hand. Traffic and policy management have become so important that the very dissemination of such rules and policies is a major pain point for CIOs, not to mention the fact that simple techniques such as URL filtering are not always proving very effective. Besides, traditional security measures generate humongous log files. Something had to be done, especially in this age of cloud computing, in which all clients are now seeking to rent their IT instead of buying it. Zscaler’s approach is therefore not to compete in the same market as traditional players, but to redefine the game plan by providing security in the cloud.

The Zscaler blog

The company is security savvy and dedicated to the Web community. To that end, Zscaler has developed an R&D blog available at http://research.zscaler.com. The blog is packed with information about Web security, and you are well advised to download their own BlackSheep Firefox plug-in, a security tool which will protect your device from the Firesheep Wi-Fi sniffing plug-in, so that your Facebook details are not stolen by malicious people.

The Future?

What will be the future for Zscaler? Will the company sell itself to a bigger company? Zscaler is getting so many calls from VCs throughout the week that it would be an option, but its CEO does not consider this one of his objectives. Zscaler is now performing so well that they think they are in a position “to build the Salesforce.com of Internet Security”.

So far, the security market is a $1.2bn market dominated by a few players, with small players in the background. But the market is growing 30% year on year and Zscaler’s CEO thinks that it is still new and that “no one had ever done it properly so far”. This is why Zscaler thinks it can be a major player in that market by disrupting it and changing the ball game.

Below is a transcript of the presentation as it was delivered on November 15 in Sunnyvale, Calif. (the presentation was delivered by Shrey Bhatia, Zscaler’s head of worldwide field management, and its CEO, Jay Chaudhry).

Overview of Zscaler and its products

  • largest standalone cloud security company protecting 800 companies in 140 countries, millions of users
  • manage a cloud deployed across 40+ data centres globally
  • R&D over 3 continents and own 30 patents on cloud security technologies
  • with offices in 15 countries, US, Europe and APAC
  • positioned as the “most visionary” company by Gartner
  • growing revenue by 50%
  • clients include LVMH, Allianz, VW, Coca Cola, Wipro etc.
  • “anyone who uses the Internet is a potential client of ours”
  • in France, there are already many clients (see slide), and Orange Business Services is a partner of Zscaler’s (some of the French clients quoted on that slide were closed with Orange Business Services)

Market overview: examples of how security is evolving on the Internet

  • Web (HTTP protocol) has become the main attack vector
  • over 80% of threats now come from the Web, up from 5% in 2000
  • It’s no longer USB disks or floppy disks
  • 85% of all traffic coming in and out of all companies (all types, small or large) is Web-based, this is why threats are coming from there too

Challenges facing the world in terms of Internet security

  • all content is active, live with Flash and Java, and this is what is making security threats more challenging
  • filtering: most companies want to control where employees are going. But old list-based URL filtering is not working anymore. Facebook and Wikipedia have evolving URLs which are changing all the time. Besides, blocking Facebook is an issue if the same company is launching multi-million dollar advertising campaigns on Facebook!
  • Web 1.0 sites were read-only whereas Web 2.0 sites are now a cause of information leaks: webmail, blogs, IM …
  • bandwidth is a real issue. Video is 20 times more exacting than text and companies are very concerned about the amount of bandwidth which is being used by video
  • Road warriors are a new challenge too: people go to salesforce.com and so many online applications that the Web has become critical. So it is of paramount importance to protect the road warriors
  • the last and one of the biggest challenges is cost and complexity: CEOs require CIOs to do 20% more with a flat or even decreased budget

What Zscaler does and how they do it

  • Zscaler sits between the user and the Internet anywhere in the world, wherever they are, and whatever device they use. The user goes to the Zscaler cloud, and Zscaler is the trusted third party which terminates the transaction to the Internet.
  • This is done with no hardware, no software, no plug-in, nothing!
  • This is why very international companies choose Zscaler.
  • How is it done?
    • the browser has proxy settings, and changing the proxy setting is all you have to do; it can be done remotely
    • can be done at device or office level, from the firewall or router
    • Zscaler’s cloud is the most global cloud in the industry
    • The “policies” are kept in the cloud and are moved around as companies and users are moving by moving the policies to the closest data centre. This is what is called “shadow policies”
    • Latency is important, and this is why data centres have to be as close to users as possible
    • In the past 6-7 years, companies have deployed MPLS networks: the biggest benefit is that bandwidth is divided by 2 and that latency is also improved. But network topologies are changing slowly because enterprises have spent a lot of time putting all their network topology together and they are naturally reluctant to throw everything away now. Hence it’s best to let them become more confident with the service before they change their network infrastructure and re-engineer it.
  • cost-effectiveness
    • for all French customers, Zscaler is managing tens of thousands of users with just two boxes, and this is a lot easier and more cost-effective than managing the complexity of myriad CPEs (Customer Premises Equipment)
  • Will it slow things down?
    • Traditional security devices are firewall devices which weren’t designed to scale
    • Zscaler had to build new boxes which are very scalable
    • The standard cost to open 1 data centre is $1m, whereas Zscaler is able to open one for a fraction of that, with 2 boxes, and can serve half a million users for that price
    • nanolog technology is a special technology, developed by Zscaler, which compresses logs and speeds up transactions (traditional logs for an average large company are going to generate 50-100GB of data every day, and none of that information can be searched or used)
  • If everything is centralised, how do you minimise threats?
    • the goal of a cracker is to get to the user’s machine and monetise information or turn it into a bot
    • Zscaler is just a conduit, hence it’s just a bridge, and there is not much value in accessing Zscaler’s boxes
    • Zscaler spends an awful lot of time and R&D to protect their servers and make the service safe

Zscaler services

  • 4 types of Services come on top of that infrastructure:
    • Web security: antivirus and advanced threats, browser control, e-mail security
    • Web control: URL filtering, Web 2.0, limiting bandwidth (i.e. ensuring that YouTube for instance will not take up more than 30% of the total bandwidth)
    • Web DLP (data leaks/loss prevention)
    • Web analytics


  • save money and time, best security and policy management, real time reporting, easy to deploy data loss protection mechanism, near-zero latency (high performance proxy and breadth of cloud), integrated email & web
  • What Zscaler isn’t: Zscaler isn’t playing in the WAN optimisation space

Clustrix devises new file data management system to better support highly transactional web sites

“web companies shouldn’t have to spend time on the infrastructure, they should spend all their time trying to make their site better!” Paul Mikesell, CEO and co-founder of Clustrix

a surfeit of data requires that new tools be invented

Data overflow has never been such a mind-boggling problem. New social media websites with hordes of users and multi-million connections, as well as e-commerce behemoths with vast amounts of product, user and user preference data, are causing database sizes to reach unprecedented levels. The result is overwhelming: scaling issues are staggering, incremental online expansion is towering, the impact on fault tolerance and availability is dire, and we are not even mentioning TCO or ease of data management.

Let’s take an example with direct impact on users: if someone wanted to launch a query in Facebook across all of your friends’ friends, they wouldn’t be able to do it because of the partitioning of all the databases.

These major pain points in the market were the starting point for the creation of Clustrix, a new venture co-founded by Sergei Tsarev and Paul Mikesell. On June 4, at the end of our trip to the Silicon Valley, we were greeted by Mikesell (left on our photo) and Daniel Liddle (right) at the Clustrix office, at the heart of San Francisco.

Clustrix has been in existence for 3 ½ years and has spent much of that time building the technology; it is funded by Sequoia ventures. The company was born from scalability issues seen at Mikesell’s previous start-up, Isilon. The early 90s and the dot com boom put pressure on application servers and increased the need for storage, hence the building of massively performant database systems. This is the point from which the need to create Clustrix arose.

doing away with ‘sharding’ makes TCO 14 times lower

Clustrix built a system which allows you to upgrade from 1 node (or server) to hundreds of nodes (or servers) in one single database. The system is delivered and sold as a hardware and software appliance.

So far, “sharding” has been the only way to solve data management scalability issues, but Clustrix now offers an alternative. “Sharding” is the application partitioning of data across isolated databases whereas Clustrix is offering a single instance scalable database. “Sharding is not just costly, it is also very risky” Mikesell points out.

>>> read on at http://blogs.orange-business.com/live/2010/06/web-companies-shouldnt-have-to.html

8 lessons learnt from entrepreneurs in the Silicon Valley

I have just come back from a week spent in the Silicon Valley, during which I was able to have meetings – as part of a press tour – with various start-ups in the areas of IT infrastructure, software, storage area networks to name but a few of the subjects that were tackled during that trip. Beyond the various interviews and discussions that we had with leading entrepreneurs in the Bay area, I have tried to highlight the eight points which, at this very moment and in my opinion, are making the Silicon Valley stand out from the rest of the world in terms of high-tech innovation; here they are:

  • above all, the Silicon Valley is about a state of mind in sync with entrepreneurship; the whole Valley is resonating with the desire to foster free enterprise and innovate,
  • secondly, there is the possibility for such entrepreneurs to find easy money and the real ecosystem to launch new ideas and new services,
  • thirdly, swiftness of action, which enables a new high-tech venture to be set up in something like 3 months or even less,
  • fourthly, the strength of the Silicon Valley is in the software, whatever the application concerned, even in the infrastructure business. We have indeed seen several start-ups work up to 4 years in order to develop a new operating system and therefore try and get a leg up on the competition,
  • fifthly, a true myth, which enables the Silicon Valley to live on, despite the current credit crunch and the crisis that everyone has been through,
  • the sixth characteristic of the Bay area is private money, often coming from families or entrepreneurs (not VCs) who have succeeded; ethnic funds are also involved significantly (Indian and Chinese mainly),
  • the seventh reason is a sense of a global perspective, whereby Silicon Valley entrepreneurs are thinking global even before the opportunity arises to launch beyond their local markets,
  • lastly, the intensive use of offshoring for software developments, with unlikely countries like France being used as cheap alternatives to Bay area developers (a junior PHP developer in the Silicon Valley is paid $60,000 to $80,000 a year, a senior developer $120,000 to $150,000 per annum).

As a conclusion, it’s not just one reason that makes the Silicon Valley different from what is seen elsewhere, often copied and rarely matched, even in the United States. This region is really a maelstrom of innovation and entrepreneurship.

note: picture Yann A Gourvennec, Orange Business Services: the photo was taken at the plug and play tech centre in Sunnyvale.