In an earlier blog on why the approach to admin access needed to change, I touched on the point...
On July 11 Microsoft announced three services under the Entra product family. The first of the three spin-off Microsoft AAD into Entra ID (queue groans about a rename), but also builds on this with more identity features/categories/services. Identity lies at the heart of a modern zero-trust architecture, and Microsoft has made good ground already in this area over recent years.
But it’s the other two services, Microsoft Internet Access and Microsoft Private Access, that really generated some water cooler chatter. While it wasn’t the world’s best-kept secret that Microsoft was developing Secure Service Edge (SSE) products, it was still a very significant launch.
Now if you’re reading this, you quite possibly know that we’re pretty proud of our Zscaler partnership - it’s kinda hard to miss as we’re almost as good at telling people about it as we are at delivering Zscaler services. So the obvious question we were getting asked was “So what does this mean for Zscaler?”. Especially when Entra Internet Access and Entra Private Access follow the same naming convention as Zscaler Internet Access and Zscaler Private Access….
Well at risk of saying the wrong thing and upsetting one of, or both, Zscaler and Microsoft, I’ll tell you. My opinion of course.
First, you have to start with the fact that Microsoft and Zscaler have a significant tech partnership themselves. While they could throw that away, in the complex world we live in, there is still value in their collaboration for both parties. There are a number of integrations between both products that seek to enrich each other's ecosystems and to provide security admins already overwhelmed with tools, a slightly simpler world. We increasingly see companies that welcome ecosystem plays rather than build monopolies as being more successful. Will they throw that away? I hope not.
The real question really is not whether Microsoft will displace Zscaler’s market share, but how much will Microsoft displace Zscaler.
Microsoft has grown enormously as a security company both in the breadth of its offerings but also their depth. While Microsoft security products were scoffed at for some time, this is no longer the case. And Microsoft is rapidly democratising services that were previously out of reach for the average Joe. Defender Vulnerability Management is a good example of this, providing a tiered offering where customers with licences like M365 Business Premium now get a basic set of Vulnerability Management capabilities included. Or the inclusion of SANS training in Defender for M365 Attack Simulation Training.
However, and there is a, however, Microsoft hasn’t leapt to a position as a reputable provider of security tools but rather has built up to it over a number of years. When Microsoft first released Azure Firewall it was so ridiculously basic, to the extent that you couldn’t even get logs out of it, that it really was a non-starter for anything but a lab for quite some time. And Entra Internet Access and Private Access look like they have very much started in the same vein. So timing is important. Initially, these products are unlikely to have a huge impact on Zscaler.
Microsoft also hasn’t traditionally been a network company. Now you can argue that with their cloud services, they (and those of other hyperscalers) look more like a global carrier today than, well, global carriers (i.e. AT&T). They also have services like Azure Virtual WAN and Azure Firewall. However, there is a big difference between being a destination, as a cloud provider is, and being the highway. You are the Internet provider for your consumer, and you are dealing with the complexity of all sorts of things transiting your network that you don’t really know about, that you now have to inspect. We aren’t just forwarding packets here…. Zscaler was built by a bunch of very smart network folk, and while it would be ludicrous to suggest that Microsoft hasn’t hired some of the best around the market to build their products, they also do have multiple focuses as a business.
Finally, Zscaler is also much more than a basic SSE service now. SSE providers vary greatly. Some SSE services are rather simplistic, and others have a lot more depth. Zscaler was founded in 2007 and while they spent a large amount of their history developing ZIA, they have since been quick to build on their Zero Trust Exchange platform by introducing new services like Zscaler Digital Experience and Zscaler Cloud Native Posture Controls while also building a lot more depth into their core products which now have extensive data protection capabilities as well as in-built deception technology. Whether Microsoft’s vision for Entra Network Access products is to go this far, is yet to be seen.
So while EIA and EPA will have some impact on ZIA and ZPA, I would expect until the Entra products mature a lot more, this will start at the smaller end of the market. These are often SMBs that may not have an SSE service in place today and still be relying on traditional products. I would expect the more immediate impact could be to Zscaler competitors who play more at this end of the market like Cisco Umbrella and Netskope.
Microsoft has proven an ability to develop increasingly capable security products, and I would expect they will be sinking a lot of development capital into their Network Access suite in coming years - plus if Entra ID wasn’t enough of a hint, tightly coupling these with Identity-based security.
Microsoft almost needed to make at least some sort of a move in this space especially around Private Access as AWS had announced its Verified Access solution at Re:Invent 2022 and Google has had its BeyondTrust model for some years now.
In summary, Microsoft hasn’t so much announced that it’s a Zscaler competitor, more that it might be in a couple of years depending on the customer segment, what they build into their product and how well and quickly they can execute.
