Concerned about recent PAN-OS and other firewall/VPN CVEs? Take advantage of Zscaler’s special offer today

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Products & Solutions

How to Cut IT Costs with Zscaler Part 2: Optimizing Technology Costs

February 14, 2023 - 5 min read

Fiscal responsibility and cost-effective security have always been a priority for businesses. During times of economic uncertainty, the pressure IT leaders face to tighten budgets, reduce costs, and make every penny matter–all while stopping sophisticated cyberthreats–increases significantly. In the first blog of this series, we began our examination of IT cost challenges and how organizations around the world solve them by looking at the rising cost of data breaches enabled by perimeter-based architectures. In this second installment, let’s take a look at how organizations can optimize technology costs and why perimeter-based security approaches increase infrastructure costs and simply don’t make financial sense in today’s cloud and hybrid work environment.  

Hubs & spokes, and castles & moats, oh my!

Hub-and-spoke architectures were designed to route traffic to data centers to connect users, devices, and workloads to the network so they could access the applications and resources they needed. This approach worked when users and applications resided in the corporate office/data center. However, as users increasingly work from everywhere and applications migrate to the cloud, the network must continuously be expanded to provide private connections to every application, branch site, user, and device in every location. This interconnected network is protected by castle-and-moat security architectures that only offer organizations costly options that are a poor fit when it comes to securing the modern business.

Stacks of security appliances everywhere

The first option is to deploy point product security appliances—including firewalls, virtual private networks (VPNs), intrusion prevention systems, sandboxes, and more—to every office and remote location. The upfront CapEx investment in buying and deploying stacks of security appliances would be untenable (not to mention the cost and complexity of managing them). Plus, this approach still leaves organizations vulnerable when it comes to home offices and traveling users. 

Smaller + cheaper does not equal better

Few organizations can afford to replicate the HQ gateway security stack at all locations due to the cost of purchasing, configuring, managing, and maintaining such a complex deployment. Instead, organizations often compromise by deploying smaller, less expensive firewalls and security appliances to branch offices and remote locations. While that may reduce a portion of large upfront costs, it still drives the same management requirement. More importantly, it leaves the organization vulnerable to attack. Why? These smaller, less expensive devices are also less capable as they provide fewer security controls. This compromise also leaves your offices and remote users vulnerable, and you are only as strong as your weakest link. Organizations cannot afford the risk of this alternative. 

Call it a backhaul, boomerang, trombone, or hairpin - the result is the same

The other option is to backhaul traffic to data centers via Multi-Protocol Label Switching (MPLS) or VPN, and to run that traffic through large, centralized stacks of security appliances, which still entail massive CapEx costs. But this approach also leaves organizations struggling to keep MPLS and bandwidth spending in check. Backhauling traffic to the data center before ultimately sending it to cloud or SaaS applications introduces a hairpin effect. Essentially, you end up paying twice for your internet, SaaS, and cloud-bound traffic—once to carry your traffic over a costly private connection from the office or remote user to the data center, and again for it to go over the web to the requested resource–only to make the same trip in reverse. Additionally, as users become more widely distributed and the organization expands in size or geography, the user experience degrades due to traffic bottlenecks and latency, and costs grow exponentially (but more on that in a future blog).



Figure 1: Infrastructure requirements of perimeter-based architectures

Capacity planning requires a crystal ball

Choosing any of the aforementioned approaches leaves CIOs and CISOs facing the arduous task of capacity planning, which is a tricky balancing act. Legacy solutions, even virtual appliances, cannot scale the way the cloud can. This creates the need to predict traffic volume and organizational demands over the appliance lifecycle. 

Capacity planning calculations encompass many issues, including number of users, devices, platforms, operating systems, locations, and applications, as well as bandwidth consumption, edge and WAN infrastructure, traffic patterns across global time zones, and more. And that’s just for near-term operations. Plans must also account for annual growth in cloud-bound traffic looking three years or more into the future. Beyond routine operations, capacity planning forces you to forecast for accommodating sudden, unplanned spikes in bandwidth that cause slowdowns, frustrating users and customers alike.

Underestimating capacity requirements yields poor performance and a poor user experience, hindering an organization’s ability to fulfill its business mission. Overestimation leads to unnecessarily high costs and equipment sitting idle. Either way, resources are wasted.

There is a better way

Unfortunately, these tactics only provide a temporary and costly band-aid because firewalls, VPNs, and other legacy security approaches are not designed for the scale, service, or security requirements of modern business. Instead of costly hardware refreshes and the hefty infrastructure costs of perimeter-based architectures, organizations can reduce costs and capture superior economic value by embracing a zero trust architecture. With the Zscaler Zero Trust Exchange, an ESG economic value study found that organizations can reduce MPLS spend by 50% and cut up to 90% of their appliances, contributing to an ROI of 139%.




The Zscaler Zero Trust Exchange is an integrated platform of services that securely connects users, devices, workloads, and applications. It delivers fast, secure, direct-to-app connectivity that eliminates the need to backhaul traffic and minimizes spending on MPLS. As a cloud-delivered platform, Zscaler enables organizations to consolidate point-product hardware and eliminate the need for CapEx investments in firewalls, VPNs, VDI, and more. 



Figure 2: The Zscaler Zero Trust Exchange

Because the Zero Trust Exchange is built upon a cloud-based architecture designed to scale seamlessly with customer demand, it also eliminates capacity planning and over-provisioning, and frees up vital capital for more pertinent investments. 

Where to next?

To explore in detail how a true zero trust architecture can help you eliminate the financial burdens of costly infrastructure, download our white paper, “Delivering Unparalleled Security with Superior Economic Value: The Power of the One True Zero Trust Platform.”

Alternatively, dive into real-world success stories and gain insights into how organizations like yours cut IT cost and complexity with the Zero Trust Exchange in our ebook, “How Companies Reduce Costs with the One True Zero Trust Platform.” 

Click here to read Part 3 of this blog series, which will explore how Zscaler delivers superior economic value by improving operational efficiency. 


form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.