Zscaler Announces Intent to Acquire Airgap Networks to extend Zero Trust SASE

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Products & Solutions

Why Network Monitoring Tools Fail Within Secure Environments


There is a fundamental shift happening through digital transformation, which includes application transformation (data center to SaaS, IaaS, PaaS), network transformation (hub-and-spoke to direct connectivity), and security transformation (castle-and-moat to zero trust). As these shifts occur, network operations teams should consider a lens from the end user perspective to holistically visualize network traffic patterns.  

However, monitoring performance of private applications over a Virtual Private Network (VPN) is challenging. These encrypted tunnels typically block monitoring tools from providing insights when users complain (packet loss, high latencies, etc.). 

In order to understand why network monitoring tools fail within a secure environment, we must first look at how users connect. As employees continue to operate in a hybrid model, there are three common scenarios end users experience, all which pose challenges for network operations teams. 

Scenario 1: Direct connect to SaaS applications

The most basic scenario is when an end user connects directly to SaaS applications from a remote location (home/hotel). The traffic routes to a home wireless router which forwards packets to an Internet Service Provider (ISP) and connects to the SaaS application. In this scenario traffic is not secured, which leaves the end user vulnerable to attacks.


Challenge: Network operations team don’t own the connectivity between the end user's device and SaaS application, which makes it difficult to troubleshoot. In some cases, organizations will backhaul this traffic through a VPN before passing it to the application, which typically introduces latencies and causes poor end user experience. Additionally, as mentioned above, this traffic is encrypted and creates blindspots for monitoring tools.

Scenario 2: Secure SaaS applications

In this scenario, the end user again connects to their remote network (home/hotel), however, traffic is now forwarded to a security solution which inspects the traffic, and connects to the SaaS application.


Challenge: Network operations teams must utilize multiple tools to gain insights from end user devices, SaaS applications, and security solutions. This lack of end-to-end visibility from a single pane of glass into digital experiences forces IT teams into reactive troubleshooting versus proactively identifying and resolving issues. 

Scenario 3: Secure SaaS and private applications

In this scenario, SaaS applications and private applications are both secured. Traffic from the end user device starts the same as the first two scenarios, but adds an additional route for private applications (hosted on-premises or in a public cloud). 


Challenge: This scenario is complex when troubleshooting as network operations teams must diagnose several fragmented networks to piece together an end user's traffic to an application. This is time consuming, creates cumbersome processes, and requires network expertise to correlate data across multiple monitoring solutions. Additionally, with many security solutions, network operations teams tend to lose visibility into what happens with the traffic as it passes through security solutions, causing major blind spots for these teams. This seems to be the case any time traffic is sent over an encrypted network. 

Zscaler’s end-to-end digital experience monitoring solution

Digital Transformation is a journey but when you have a strategy, you must consider the end user and the impact to their overall performance. It’s good practice to consider the possible scenarios from your end users perspective. What’s required is a solution that provides visibility from the end user's device to any app to any location, without adding bloat to your network or end user’s device. With Zscaler Digital Experience (ZDX), organizations can now fully monitor the cloud application experience from the end-user perspective. ZDX restores visibility across the complete connection and quickly isolates user experience issues. ZDX delivers holistic, end-to-end user experience monitoring across any network, helping network operation teams streamline troubleshooting and improve user productivity across secure environments.


ZDX dashboard with detailed hop-by-hop analysis showing ISP latencies

For example, network operations teams need quick insight into potential areas of focus, so triaging issues is fast and painless. Many times the remote worker’s issue tends to be within their local environment, but it doesn’t mean it’s an issue at their physical location. Have you ever tried to Google “troubleshoot slow internet connection?” The results point to the home router. However, that doesn’t provide a holistic view of the situation.


Not all search responses yield the correct course of action

Take Careem as an example, a Dubai-based transportation, delivery, services, and payments organization faced a similar issue. Once they adopted ZDX, they quickly found their remote customer service representatives had issues with their local ISP (home Internet connection), which is beyond the home router. This means that if the IT team spent time troubleshooting the home router, it could take them hours or worse days before they actually found the issue. In some cases the issues actually resolve prior to the IT team solving it, which makes it difficult to find the root cause. Instead Careem leveraged ZDX, which provided the insights required to solve the end users problems, while empowering the IT team.

“Using ZDX we’ve improved our troubleshooting time by 62%, enabling us to quickly focus attention on the source of a user’s connectivity issue.” – Peeyush Patel CIO and CISO Careem

Careem’s business model includes supporting a virtual, high-touch, live customer service call center. 

ZDX not only provides insights into end user environments, it extends that into the Zscaler Zero Trust Exchange, the platform on which all Zscaler services are built. With ZDX, network operations teams get insights into Zscaler Internet Access (ZIA), which secures traffic to SaaS applications to ensure they are not causing any network congestion or excessive latencies. ZDX also supports Zscaler’s Private Access (ZPA), which protects private application traffic. Attackers lack the visibility into the private application, while ZDX turns the lights on. To do this, ZDX utilizes a feature called CloudPath to provide hop-by-hop network path analysis. It breaks down network latencies into segments in easy to read visual format. CloudPath works in conjunction with Zscaler’s Client Connector and Zero Trust Exchange to measure performance to the application. Whether the traffic is traversing the Zscaler cloud to a SaaS application or private application, ZDX provides complete visibility (even with the App Connector hop). 


ZDX provides complete end-to-end visibility for private applications

Network operations teams benefit from a centralized dashboard with all relevant telemetry data to troubleshoot and resolve user experience issues with both public and private applications. As you embark on your digital transformation journey to a secure world, consider how you plan to ensure a great end-user experience. Learn more about ZDX here.

form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.