GigaOM Radar Report

Zscaler Cloud Protection Review & Alternatives

Zscaler Cloud Protection Review & Alternatives

Diego Asturias

Zscaler cloud protection solution is a comprehensive and complete cloud-delivered data protection provided in the unified Zscaler cloud platform. The Zscaler Cloud Protection provides the “security in the cloud approach” to protecting cloud workloads and data.

In this post, we’ll briefly review Zscaler and its new Cloud Protection solution. How does it work, and what are some of its operational elements? But if you are looking for zero trust protection of cloud workload with different capabilities, in the second half of the post, we’ll go through four excellent alternatives to Zscaler Cloud Protection.

Zscaler’s Cloud Security

Zscaler is a cloud security company leading the Zero-Trust technology domain. Their flagship product is their cloud-native Zero Trust Exchange (ZTE) platform, which protects customers from cyberattacks and data loss as they migrate their apps and infrastructure to the cloud. Zscaler has other products, such as Zscaler Internet Access (ZIA), Zscaler Private Access, Business to Business, Zscaler Digital Experience (ZDX), Zscaler Cloud Protection, and Zscaler Deception Technology.


Zscaler is one of the best examples of SASE (Secure Access Service Edge) and SSE (Secure Service Edge)— concepts coined by Gartner. SSE provides security and is different from SASE products, which are security frameworks that combine networking (SD-WAN) and network security services into one cloud-delivered platform.

SSE platforms such as Zscaler enable a secure and fast transformation to the cloud (without WAN edge connectivity). SSE platforms usually include SWG, ZTNA, CASB, FWaaS, Browser Isolation, data protection, decryption, and more. Zscaler was named a 2022 Gartner MQ Leader for SSE and a leader in 2020’s Secure Web Gateway Gartner’s Magic Quadrant for Best Secure Web Gateways (SWG).

Magic Quadrant for Best Secure Web Gateways (SWG)

Everything about Zscaler is built with zero-trust principles. So, it requires all internal or external users to authenticate, get authorized, and continue to be validated before being allowed into the network’s apps and data.

The Zscaler Cloud Protection

The Zscaler Cloud Protection (ZCP) is a “relatively new” cloud workload and data security platform that builds on top of the ZTE (Zero Trust Exchange) architecture. It extends zero trust protection to workload communications on and between clouds, including cloud-to-cloud, cloud-to-web, and cloud-to-data center. This helps protect communications within hybrid and multi-cloud environments.

Zscaler Cloud Protection

The one thing that stands out from the Zscaler Cloud Protection is its simplified and automated connectivity to the Zero Trust Exchange. This ZTE connectivity eliminates complexities when using virtual firewalls, gateways, VPNs, or routers and also reduces the attack surface. ZCP aims to ensure secure connections between any user, application, and device.

How does the Zscaler Cloud Protection work?

ZCP combines four existing Zscaler elements: Cloud Security Posture Management, app-to-app security, user-to-app security, and identity-based micro-segmentation. These elements help Zscaler users deal with the risk of migrating to the cloud while simultaneously reducing operational challenges.

  • Cloud Security Posture Management (CSPM) Zscaler’s CSPM identifies all cloud workloads and ensures they have a proper security posture. The Zscaler CSPM service performs ongoing inventories and monitors and automatically remediates all your services deployed on different public cloud providers, including SaaS, PaaS, IaaS, containers, and serverless resources. The CSPM is optimal for preventing cloud misconfigurations and vulnerabilities. This service also includes +3000 pre-built policy templates (for AWS, Azure, GCP, and SaaS) and mappings of the main regulatory frameworks.
  • Secure user-to-app access ZCP ensures safe and secure access to specific applications for all authorized users. Since the ZCP relies on Zscaler’s zero trust architecture, it helps the user access the application without exposure and risk. A zero-trust approach to accessing apps on the cloud can individually verify each user and device before granting access to each application. This approach substantially improves the VPN model or the static network-based policies.
  • Secure app-to-app access ZCP is designed to protect and simplify the access of apps to other apps on other clouds (multi-clouds), data centers (hybrid clouds), or the Internet. In general, app-to-app communications can be automatically deployed and configured without the additional complexities of VPNs, networking policies, gateways, etc. In addition, when it comes to cloud-to-Internet, the ZCP relies on Zscaler’s ZTE to secure and simplify access from any cloud without exposed attack surface.
  • Workload micro-segmentation Zscaler Cloud Protection finds the identity of communicating workloads and introduces Machine Learning (ML) and automation to micro-segment them. With micro-segmentation, you can manage security policies that limit traffic based on zero trust. ZCP automatically micro-segments, stops malware propagation and eliminates all lateral threat movement within AWS’s VPCs (Virtual Private Clouds) and Azure’s VNets (Virtual Networks).

How is Zscaler Cloud Protection deployed?

Zscaler is not deployed through hardware or virtual security appliances; instead, it comes via integrated (Security-as-a-Service) cloud-based security services. Its services are packaged in bundles paid on an annual (per user) subscription basis.

Free trial? No free plans or free trials are available.

Price: The prices are not listed on Zscaler’s official site. Request a Quote

Get a demo: Request a Zscaler product demo.

Best Zscaler Cloud Protection Alternatives

Below are four popular Zscaler Cloud Protection alternatives. All of the following products protect cloud workloads and data. Plus, they also come with zero trust protection built-in capabilities or can be easily extended to do so.

1. CrowdStrike Falcon Cloud Workload Protection (CWP)

CrowdStrike Falcon Cloud Workload Protection (CWP)

CrowdStrike is a leader in cloud-native endpoint protection solutions. CrowdStrike Falcon is their purpose-built endpoint security platform designed to stop threats and risks via a unified cloud-delivered set of technologies. This single platform (with a single agent) unifies endpoint security, cloud security, threat intelligence, identity protection, and more.

The CrowdStrike Falcon Cloud Workload Protection (CWP) is an extended service from CrowdStrike Falcon. It provides complete visibility into your workloads and containers deployed across all your cloud’s resources, allowing faster and more accurate detection, investigation, and response.

CrowdStrike Falcon CWP is an excellent alternative to Zscaler. Although CrowdStrike was born to protect endpoints with their EDR solution, now they have expanded to cover cloud workloads and even provide their own cloud-native CrowdStrike Zero Trust.


  • Secure your cloud-native stack across workloads, containers, and Kubernetes apps.
  • Automate detection and response of suspicious activities.
  • CWP allows key integrations that support CI/CD workflows.
  • Secure all your AWS, Azure, and CGP resources.
  • It comes with pre-built image scanning policies to identify and stop vulnerabilities.
  • Automatically discover cloud workloads in multi-cloud deployments (without an agent).

How to start with CrowdStrike Falcon CWP?

Request a custom free demo and contact CrowdStrike customer service for more information. Although there is no CWP free trial available, you can start with CrowdStrike software with Falcon Prevent (a powerful AV) for a 15-day free trial.

2. Barracuda CloudGen Firewall

Barracuda CloudGen Firewall

Barracuda is a leading global provider of network security, app delivery, email protection, and data protection solutions. Their products range from Zero Trust Access (ZTA), SASE, Cloud/Gen Firewall, Secure SD-WAN, and Web Security & Filtering.

Barracuda CloudGen Firewalls are another perfect alternative to Zscaler Cloud Protection. Barracuda CloudGen Firewalls are a set of next-generation firewalls that provide sophisticated defense techniques to protect data, users, and workloads regardless of where they are deployed— on-prem or in public clouds (Azure, AWS, and GCP). These next-gen firewalls provide a multi-layered security approach to protect from advanced persistent threats.


  • Real-time network protection against many different network threats, vulnerabilities, or exploits.
  • Multi-layered for security, including advanced threat signatures, behavioral analytics, and more.
  • Advanced Threat Protection (ATP) to stop zero-day attacks.
  • Barracuda’s ATP is connected with Barracudas’s global intelligence network.
  • Easy deployment for the cloud with templates, API, and integration with cloud-native features.
  • Built-in SD-WAN lets you connect your branches, distributed sites, or multiple clouds.

How to start with Barracuda CloudGen Firewall?

Barracuda CloudGen Firewall can be deployed as an appliance, virtual machine, on the public cloud (Azure, AWS, and GCP), or for Managed Service Providers (MSP). Use the price calculator to get an estimated price. Subscribe to Barracuda CloudGen Firewalls and get a free trial.

3. Forcepoint ONE

Forcepoint ONE

Forcepoint is a cybersecurity company leader in data and user protection. They were named Visionary in Gartner Magic Quadrant in 2022 for Security Service Edge (SSE). Forcepoint ONE is another excellent Zscaler Cloud Protection alternative, as they also provide a zero-trust architecture as a foundation for Forcepoint ONE and beyond.

Their Forcepoint ONE is the get-go for customers wanting to adopt the SSE. It is an all-in-one cloud-native security platform designed to protect sensitive data distributed across the web or in the cloud and on-prem applications. From one platform, you can gain visibility, access control, and data protection on all devices, including BYOD. In addition, Forcepoint ONE also provides one console with access to multiple SSE solutions, including gateways such as the Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA), threat protection, DLP, and zero trust.


  • Three gateways in one: SWG, CASB, and ZTNA.
  • DLP and Malware scanning is integrated into the gateways.
  • Industry-leading threat protection capabilities.
  • It uses a cloud-based console through a single endpoint agent.
  • Agentless support for unmanaged devices.

How to start with Forcepoint ONE?

Schedule a Demo or watch their on-demand demo.

4. Cloudflare Zero Trust Platform

Cloudflare Zero Trust Platform

Cloudflare is one of the largest networks of servers in the world, built with the sole purpose of improving the security, performance, and reliability of anything that is connected to the Internet. Cloudflare’s services protect external-facing (internal) resources, including applications, websites, and APIs.

The Cloudflare Zero Trust platform is another great alternative to the Zscaler Cloud Protection platform. This zero-trust platform uses Cloudflare’s massive global edge network to make internet access faster and safer for users. In addition, you can access the Zero-Trust platform and SASE elements through the Cloudflare One platform.


  • Zero Trust Network Access (ZTNA) to protect any user-to-application connection.
  • Block phishing and malware with a Secure Web Gateway (SWG).
  • Access to other services; VPN, CASB, Firewall-as-a-Service, and browser isolation.
  • Access to Cloudflare One, the platform that unifies all SASE and SSE elements.
  • Access to one of the fastest and largest global networks in the world.

How to start with Cloudflare Zero Trust Platform?

Sign up for the Teams Edition, and you can start a limited-time free trial of Cloudflare’s Zero Trust platform.

Final Verdict

The Zscaler Cloud Protection solution ensures that all your data and applications are properly configured and secure. This comprehensive solution also brings a powerful zero-trust approach to the table and uses four elements on top; a Cloud Security Posture Management solution, user-to-app security, app-to-app security, and microsegments workloads.

If you are looking for different solutions to protect cloud workloads with zero-trust security, then great alternatives to Zscaler Cloud Protection are CrowdStrike Falcon Workload Protection, Barracuda CloudGen Firewall, ForcePoint ONE, and Cloudflare Zero Trust platform.

GigaOM Radar Report