ℹ️ How Cloudflare is Faster than Zscaler
Presented by: Ameet Naik, David Tuber
Originally aired on August 13, 2024 @ 9:30 PM - 10:00 PM EDT
Welcome to Cloudflare CIO Week 2023!
This CIO Week we’ll demonstrate how Cloudflare is helping CIOs keep data, devices and employees both safe and fast across hybrid and remote environments. We’ll show how Cloudflare accelerates digital transformation and modernizes networking and security towards a Zero Trust model.
In this episode, tune in for a conversation with Cloudflare's Ameet Naik and David Tuber.
Tune in all week for more news, announcements, and thought-provoking discussions!
Read the blog posts:
For more, don't miss the Cloudflare CIO Week Hub
English
CIO Week
Transcript
But. Everyone, welcome to another exciting innovation Week from Cloudflare.
So this today we're happy to kick off CIO Week and start off the year on this note.
And joining me today here is to talk to you about network performance updates.
 So Cloudflare is always working on making our network and our services faster and better for our customers.
 And joining me today as a person responsible for doing that too, is to say a quick hello.
Hi.
And what's your name? And I'm Ameet Nayk.
I'm responsible for product marketing and and platform marketing at Cloudflare.
So without much further ado, let's jump into it.
 So for every innovation week, we like to do a readout of all of the improvements we've made on the Cloudflare network and how it's better and how it's helping you do things faster with Cloudflare.
 And for this particular week, we focused on one very specific thing, which is to show you how Cloudflare is faster than Zscaler.
 So we've been focusing on bringing great Zero Trust products to the market for the last several years and also making them faster.
 And that's what Tubes has been spending a lot of its time on in the past, past a little while.
But before we jump into that and show you the results and show you what we found.
Tubes, why does all this matter?
 Why does performance matter?
It's a really good question. Specifically in Zero Trust, performance matters because performance is actually a threat vector.
So the way that you should think about this, if you're a CIO, is. If you have a user and they're having a really bad experience, the first thing they do is they turn Warp off or they turn off zscaler or they turn off their secure web gateway.
They turn off their client, they try and bypass their access. They try and get around anything that you have put in place to secure your network.
 This is the first thing they do because that's the thing that they associate in their minds is being slower.
 Because for a really long time VPNs and VPNs and assorted solutions like that, we're actually really slow.
 And so every time your users turn off their VPNs and turn off their and turn off their clients and turn off their access, secure access, bypass or try to bypass their secure access, they put your organization at risk.
And yeah, probably most of that is relatively meaningless traffic.
But meaningless traffic is how attackers get in is how you get compromised.
 And so the best way to protect your network on the public Internet is to make sure that your customers, your users don't turn the stuff off.
 And the best way to make sure that your users don't turn the stuff off is if they don't know that it's there.
 And the best way for them to not know it's there is for them to have a performance experience that is as good or if not better than the public Internet, which they're accustomed to using.
And this is the classic trade off between security and performance, right?
Security has historically been a bulldog and it's been an enforcement point.
It's required sort of choke points.
It's most users tend to see it as a thing that will slow everything down.
And do I really have to have it?
 And what kind of trade offs do they have to make as an organization to make sure that users have a good experience?
 But you're able to implement your secure security policies and stay compliant and reduce risk for the organizations.
Right.
Can you tell us a little bit more about sort of what's going on with the on the user experience side on it?
 Yeah, I mean, I think the biggest way that it's changing is that when you talk about enforcement points.
Those are largely going away.
 And that's really kind of the change that before customers would build their own networks.
There were when I was at Microsoft, there were a lot of customers who build their own MPLS networks, which would have specific egress points to the Internet, which my Office 365 friends would hate because it would totally screw up the performance for Office 365, and they would hate MPLS, they would hate all of these gateways, all of these VPNs that were built with specific egress points to the Internet.
They hate them all, and users hate them all too, because they create all of these weird paths to the Internet and all that stuff.
And those are largely going away.
And people are moving to secure access service edges such as Cloudflare and.
 That is nice because you don't have because basically the Cloudflare and Zscaler and whoever else in Palo Alto on the market.
We run that network for you.
You don't have to manage your egress points.
You can set your configuration, but then it should just work.
But which is really nice, but it's also terrifying.
 Giving up that control is very, very hard for a lot of people to do, and that's okay.
We understand that at Cloudflare we like to be hands on the network and we like to build these experiences.
 And part of the way that we build these experiences and we built these experiences for CDN is by getting out onto the last mile and getting your traffic as close, getting your traffic on the Cloudflare close as possible.
 If you if you told us, oh, actually that's not the case, you need to give control of your traffic over to someone else.
We'd be freaked out.
And that's, that's understandable.
We empathize with your pain.
 And because we empathize with your pain, we've built a network that is fast and reliable.
And with the release of our digital experience monitoring product, which I'm sure we've talked about before or we'll talk about after.
 Now you're getting more insights into that, and you can see the performance that your users have on the last mile all the way through end to end, because at the end of the day, end to end is what matters.
A user doesn't care if your gateway enforcement latency is 10 milliseconds.
That doesn't mean anything.
What is the gateway enforcement latency? Zscaler measures this thing called proxy latency.
 What it took me like ten reads through their blogs to actually understand what it meant.
And that's not like a knock of the blog writing. That's just means like, why do I care about this?
And the real answer is, is that you don't you don't care about proxy latency.
 You care about proxy latency as a component of a larger end to end measurement and from dealing with performance.
 In the CDN context, we actually have a really good checkpoint for that and it's called HTTP response.
 Most of your users, whether you like it or not, are going to be using HTTP from their devices to wherever, where whether that is a hosted resource like a JIRA or a Salesforce, maybe you're accessing that in the cloud.
So now it's out on the public Internet.
Maybe you're accessing a site through Remote Browser Isolation.
 Regardless, all of those, with the exception of the Secure web gateway are probably going to be HTTP and even the even the Secure web gateway is going to be mostly HTTP.
 Like that's just where most of the traffic on the internet is today, because HTTP is nice and easy.
 And if you actually read our Impact Week blog, about 90 to 80 to 90% of all traffic on the internet is using HTTP.
That's no exception for enterprises.
 And from a user perspective, at the end of the day, they just want the apps to work and they want them to be zippy, they want to be responsive, they want them to work on multiple platforms, not just desktop mobile as well.
 But the other thing that's really interesting that's changed, I think in the last decade, but more so in the last five years is like organizations are more global.
It's no longer okay to expect vast majority of your users to be in one region or one geography, right?
Your users are going to be traveling, they're going to be working remotely.
 You're going to have partners and contractors trying to access these apps from other parts of the world.
 And a big challenge for CIOs is how do you make sure that the end to end experience with the user is consistent, whether they're sitting in an office in Chicago and Copenhagen or in Cape Town?
Right.
Here's the interesting thing, and this is something that I kind of think about a lot, is that like, I'm not actually sure that the expectations have changed.
If you're using a VPN, you know, in the old days when you were using a VPN and you were using a VPN and like, you know, like the and like your experience through the VPN, your users experience with the VPN, it wasn't somebody else's fault.
That's the real problem is that it doesn't is that like CIOs now have a lot of tools that they're at their disposal to onboard their traffic.
 Somewhere to someone else's network and basically let them own end to end performance.
In the olden days, if someone was complaining about VPN performance.
Cio, the CIO had to handle it because you have the VPN, you have the MPLS, you have all that stuff.
So nothing's really changed.
It's just you can now complain to Zscaler or Cloudflare.
 And with Cloudflare network, our goal is you should never have a bad experience with digital experience monitoring.
We can now look and see if you are having a bad experience.
Why is that happening?
And so Cloudflare network being the fastest network in the world.
Is very appealing from a performance standpoint.
 But CIOs still want those tools so that they can know who to poke, because at the end of the day, diagnostics and troubleshooting network performance is always a Who do I blame?
Is it my MPLS?
Is it my VPN?
Is it my last mile?
And now is it Zscaler?
Is it Cloudflare?
Is it whomever? And so we want to make that really, really easy.
And we're giving you the tools.
 And this is almost turning into a digital experience monitoring advertising segment, but we're basically just giving you the tools and digital experience monitoring to debug, like we debug and basically see where is the problem and if it's us all cool.
We now you have now given us everything we need to solve that problem. Yeah.
Just being able to see the end to end picture. Understand?
Okay. Is it the internet? Is it the office?
Is it the WiFi?
Is it is it the service that you're buying from from Zscaler or whoever?
It's really important to have that level of visibility and to kind of help you manage expectations and also manage performance.
So the important thing.
To add on to that.
And I think that our team who's been working on digital experience monitoring is done such a great job on this.
And you've got to make it braindead easy though.
 Like if you're moving from your VPN to Cloudflare, you know, obviously performance is great.
Like performance is is a win that you want to have. But at the end.
But. Performance isn't everything, because at the end of the day, if you're faster but more high touch, nobody's going to care.
Like your team is just going to say, okay, just turn Warp off.
Then I guess I don't want to deal with that.
Just turn it off.
 But no, like we want to make it incredibly easy to say I am having a problem with work and then they can pull up your information and see here is where your problem is.
It is a problem between Cloudflare and your application.
I'm going to go escalate to Cloudflare.
Cloudflare has all the tools they need to investigate this.
Let's go make that happen.
Alternatively, it may be, Hey you know, end user, your ISP is this really crappy.
 It's not really doing the things that it needs to be doing an upgrade if you're working from home or if it's the office of Hey, maybe call my ISP and give them a ring and see what's up and ask them to go fix this stuff.
 So you talked about a number of things that can negatively impact performance, things like hub and spoke networks, backhaul, traffic and think I mean, this is 2023 and we still see organizations backhaul traffic to central locations, Right.
What are your thoughts on that? Yeah, I mean, like performance on the Internet, You know, I was just on a call with a bunch of very, very smart people who talk about network performance.
 And they were talking about all these things about like, oh, like you have to like, maintain this number of connections and cueing and all of these things.
But like, network performance on the Internet is actually pretty easy.
 You need big empty pipes between where you are and where your data is, and you want as few people to touch that data as possible and you want it to go directly to that end point as humanly possible.
That's it.
That's it. It's like it's we make it a lot more complicated because there are so many people who touch the data.
 And with enterprise networks, that problem becomes compounded because not only do you have your last mile networks, like your Comcast and your Colts and your telecom Mnesias and your whomever and your Vocus whatever, depending on where you live.
But you've also got your cloud players, your zscaler is your guys who are sitting in front of those and providing protection and providing all that stuff.
And then you've got your Googles and your Amazons and your cloud providers.
 All of those are messing around and trying to be as fast as they can on their own.
And then you've also got your enterprise network, which adds a completely unintended wrench into the mix, because even though you have all of these networks that are doing these things to make you faster, at the end of the day, your enterprise network still needs to be on par with that.
And so that's a real challenge for a lot of enterprises.
 They don't they don't iterate at the speed that Cloudflare and Amazon and Google does.
 So yeah, of course it's going to be challenged and hub and spoke are going to happen, hairpins are going to happen.
 And, you know, you mentioned we still see hub and spoke hairpins like BPA and stuff like that.
I worked with a customer when I was in office where they sent all of their traffic through one place in the central United States, around the world, everywhere you could be in Japan, you could be in India, you could be in Australia, you were going out of the Midwest, United States.
That was it.
And like. It's mostly because security is generally regarded as kind of a I'm doing what I can to keep the lights on.
Zero Trust same thing. Doing what I can to keep the lights on.
Like I just got to like my users have.
 I have problems up to my eyeballs, my users, and I have to maintain the security posture.
So I'm doing the best that I can. Yeah, that's what it is.
And so that's the biggest challenge that you see.
 And Cloudflare makes that easy because with Cloudflare you can do what you can to keep the lights on running through Cloudflare and let us take care of the performance.
 And the other challenges as you move from historic sort of traditional appliance based versions of security enforcement points to cloud native, right?
 It's really important to have all of the services you need in one place, right, So that your traffic is not zigzagging around multiple data centers just for no reason, gathering additional penalty and additional latency points.
Right.
With Cloudflare, often like customer traffic hits one of our data centers, it's a server and all the services, whether it's your address browser and a reverse proxy, whether it's Secure Web Gateway, Browser Isolation, and sometimes even the content may all be on the exact same server, the exact same rack.
Right? And that's a huge advantage in terms of the performance gains that customers will see.
 Yeah, and you mentioned that and that's really honestly the biggest thing is that like and when we talk about our secure gateway data where we analyzed, where we where we looked at us versus the scalar versus control for Workers hosted sites, Cloudflare hosted sites, we do better than the control, and that's because you minimize the number of hops.
 If you host a full stack service on workers on Cloudflare and you're connecting that through a secure gateway, everything is connecting and terminating in the same place.
The less time you have to spend on the Internet. The fast you're going to be.
And Cloudflare plus Workers plus Secure web gateway makes that true.
And we can see that in the data that we collected.
Cool.
So let's dive into the main topic of the blog. Which blog which is Cloudflare is faster than Zscaler.
So give us a quick summary of the numbers and what are we test?
How do we test it?
And then let's walk through each of the scenarios. Yeah, so high level, I think we're faster about 55% faster than Zscaler for Secure web gateway scenarios, we're about 38% faster than Zscaler for secure application security Zero Trust scenarios and about 41% faster than Zscaler for remote browsing scenarios.
Remote Browser Isolation scenarios. So a good chunk faster.
 That is like those numbers are nothing to sneeze at and those are all for P 95 or 95 percentile response times and to end time to first bites.
 So basically we looked and when we built these tests, we built them and wanted to run them from as close to the end user as possible, mimicking exactly what a user would do when they would access these services.
 Know I know that these scaler likes to measure performance as kind of an atomic thing.
Like, well, we are really only these guys will tell you like we're really only in control of like a tiny portion of your request and they have a blog, several blogs about this.
They're like, there is this end to end latency, which is many, many things, but like there is this thing called proxy latency.
 And we are so fast that no, they're not, but like that approach to performance monitoring is valid.
In certain cases.
 But in this particular case, when we talked about what end users care about ensuring that end users have a good performance, it misses the mark by a lot.
 We want to look at 95th percentile response because that's what your end users are going to be seeing when they use these services.
 And one of the things I often think about is like, what's the value in having this big Cloudflare network?
And this is really it.
 It allows us to control more things in the path between the user and the application.
It allows us to have more predictability, more control, more visibility.
And we do see problems. We can go in and we can actually fix it.
We can make put bigger pipes for data centers, closer to users or add capacity.
And I think that's just something that Zscaler just doesn't have.
Right.
And these killers got like good presents in some locations.
But when you get down to the long tail.
It stops really mattering.
Like the long tail is really where Cloudflare shines and doesn't.
And that's that's kind of by Zscaler design.
Like Zscaler is not really trying to compete with Cloudflare.
They're trying to compete with Palo Alto.
 They're trying to compete with older firewall, older VPN replacement models, and they're not looking to build out their network.
 But as you can tell from this data, maybe they should like, maybe like Zscaler building out a big network and making sure that they can get great and user performance is clearly beneficial.
 And the more sites that get hosted on Cloudflare, the more people who move to Cloudflare, who move to kind of and a last mile focused view of the world, the more that Cloudflare and our large network and it's continuing to grow even will become more and more important and the less value a network that is kind of more static will have.
And you hit upon a good point, right?
There's a few different ways of doing this, right?
 There's the Zscaler approach, which is just build data centers and many parts of the world, right?
There's a Cloudflare approach, which is sort of build the whole network.
There's a third approach that some vendors have taken, which is not really the topic of this blog, but it's to run the services on a public cloud provider, right?
How do you think that compares to what we do or what Zscaler does?
It's a good try.
I think that, you know.
 That kind of like doing that is basically a substitute for not building out a network.
And I liken it to kind of what Zscaler does. The scaler likes to get really close to the clouds because their argument is, well, if you can get close to the clouds, then the hop between zscaler and the clouds will be relatively renewed.
And that's true.
That is true. That's optimizing for one portion of the connection.
But you're not optimizing for the last mile.
And the last mile is a very is almost harder.
It's not almost her.
It is harder to solve.
And.
A lot of the clouds basically just kind of gave up the ghost and they were like, We'll do our best, but no promises.
 Google's got like a really Google and Microsoft, and I think Adobe has this, but I'm not entirely sure they've got like a really good caching network.
 So basically for their CDNs and for their downloads and stuff like that, they've got a really good like last mile edge embeddable network.
These are not so much right.
 They're not in the content business, they're in the Secure Web Gateway business, which means that they're not really invested in getting close to the users.
They're focused in getting close to where their users are going. At Cloudflare, we're focused on both, right?
 We want to also we want to do as these dealers doing and getting close to where the customer data is.
 Because we have a huge CDN business, we have tiered cache, we have Cache Reserve are two.
All of these things that store data that matters and we need to be close to the origins to get there.
But we also need to get close in the last mile.
 We've got our Edge partner program, we've got a whole bunch of stuff that gets us right on the user's doorstep so that we can provide a better experience and as you said, control more of the path.
 And so even if all we end up doing is Proxying traffic between our last mile edge nodes and our data and our nodes that are closer to our data centers, that's still fine because we have a full picture of the Internet and we can see where that traffic should go.
 And so that allows us to be a little bit more fine grained about how we think about performance as opposed to someone who's basically saying, Well, I'll just put it on your ISP and just hope that the ISP is doing the right thing.
 As we've seen and as last month as enterprise customers have often seen, ISPs aren't doing the right thing and it's very, very hard to get them to change.
 And the only way to really get them to change and do what you want is to build an MPLS network, which is a huge overhead and a task that nobody really wants to do anymore.
 And I think, like you mentioned, it comes back to sort of control visibility, but also control, right?
 We having that more of the Internet path means that we can make decisions, we can make better decisions, we can see congestion in one area of the network.
We can go add capacity there now.
Right.
Whereas if you depend on the ISP, if you wait for the public cloud providers have awesome massive global networks, right?
 But they're not going to make their investment decisions that capacity decisions based on one customer or one service.
Right.
They're going to take a more macro view and maybe they'll add capacity to it, but maybe two years down the road.
Right.
Whereas if we see pain now in one part of the world, we can add capacity to it now and solve the problem and improve the service performance overall.
And that's I think that's the other big difference, right?
Rather than waiting for somebody else to do it for you.
Yeah, I think that's generally true.
 Like being in control of your own destiny allows you to make decisions that are a little bit more short term and.
That's definitely something that Cloudflare does pretty well.
Yeah.
So just digging a little bit deeper, I know we've got about 5 minutes left, digging a little bit deeper into that.
The tests that we ran, did we do these in?
Did we work with a third party?
Yeah.
So for the for the gateway tests, we did these in-house. Basically, the secure web gateway tests are very challenging to do and I could probably talk for hours about why Secure web gateway performance analysis is very challenging to do, and I've gone pretty hard on Zscaler on their proxy wait and see stuff.
But after doing the tests myself, I actually don't blame them. Like Gateway performance is a very, very challenging aspect of any performance analysis because a lot of the existing tools just don't do what we need them to do.
So yeah, I could go for hours on that. But for the other ones, for our for our application access and our Remote Browser Isolation, we worked with a third party, a third party called Intercom, basically ask them, Hey, compare us and Zscaler and tell us what you see.
They ran a bunch of tests.
They basically did end user facing tests.
So what they did was for application access, they took a JIRA instance.
 So JIRA, for those of you who don't know, is basically like a ticketing system for for applications that you basically create tickets and you action them and you then close them, which allows you to keep track of work.
 We compared the we basically mimicked a user logging into a JIRA instance and then refreshing the page once they had the token.
So that's called a cold session.
A cold session and a warm session or a new session versus an existing session.
 They, the short answer is, is that their performance characteristics look a little bit different.
So we want to look at them differently. So we had a user mimic, a call, a new session versus an existing session measure performance against both of those and then show what we saw.
 And basically the answers we saw is the Cloudflare is a lot faster for both new sessions and for existing sessions.
 So a lot of really good work done on our side to get the network to that point where we can beat the scalar even in any way, shape or form.
 And if anyone wants to go to the gritty details of reports available on the link from the blog, it's available on our website.
 You can download it and take a look at all of the detailed methodology used, how the desperate conducted and the results that we found.
Right.
So this is all really exciting. I think you've made some really important and valid arguments.
 You've sort of made some measurements and proven that the Cloudflare network is actually better at the end of the day.
How does this benefit CIOs?
What can they get out of it?
What can they solve by having a faster, more performing network?
I mean, it ties back to what we said at the beginning, right?
 A faster, more performant network means users are less likely to turn off your your Zero Trust services and you want your services to be always on.
If they're off, then people can.
If they're off, then people won't use them.
 If they're not only if people want to use them, but they open themselves up to attack.
They open. They open themselves up to, you know. Now invasion, invasion, whatever.
 At the end of the day, you had a castle-and-moat before where basically VPNs were locked down.
Everything was locked down as hard as you can.
 You moved to Zero Trust and say, okay, I'm going to let the public Internet direct my traffic and be fast, but I'm going to implement these policies on my devices and on my ED and on my networks so that I can manage my access and I can manage all that stuff.
And if people aren't using that. That it's not working, then all you've just done is put your network on the public Internet.
Which takes you back to the start. So performance matters because if people don't feel the need to use these things, then your network will be more secure.
You'll sleep better at night, and that's the end of the day.
 We just like we built all this stuff so that CIOs can just kind of fire and forget because you have so many things to do besides worrying about like my user can't this one user can't access this thing?
 Like whatever you want to build tools to make your enterprise and your company so much better.
And if you spend less time worrying about the basics you have been with to do that.
Yeah, and fire and forget.
It's a great line, but also like eliminate the trade offs.
Security shouldn't be a negotiation.
It shouldn't be a trade off.
It shouldn't be something that degrades performance. At the end of the day.
I mean, this if you get fewer travel tickets, if you get more happy users, fewer inconsistencies and what users are able to do from across the world.
Right. I think that's a net win for the business and for the company. So this is really exciting how if somebody wants to give this a drive today, how can they do that?
Yeah, well, good for.
 Good news for all of our enterprise users is that if you want to try it out, we've got pay as you go.
We've got trial versions so you can just access in the Cloudflare dashboard today.
So all of these tools, it's like this blog post is more of a deep dive into how these existing products perform.
 You should definitely go into the dashboard, go to Cloudflare, try these products for yourself today and tell us what you tell us what you found out.
You know, run the same test that we ran.
You can do it.
We've made all the tests very repeatable. So just tell us what you ran and let us know how it goes.
Yeah.
We want to show you the Cloudflare network is faster. We're willing to do it.
Thanks, Jim.
This is really exciting and I hope users found this session useful. We've got a little bit more insight into the data and the methodology and the thought process behind this blog post.
And thanks again for joining us for this session.
And stay tuned for the next one.
And welcome to CIO Week.
Welcome to CIO Week.
Thanks for tuning in. Ap.
