Our journey with Prisma Access started out with a battlecard comparison of what Prisma Access had to offer versus what ZPA [Zscaler Private Access], Symantec, and F5 had to offer. In doing all of these comparisons, we realized that Palo Alto had built a cloud services fabric that is user-first and security-first.

If I compare Zscaler and Prisma Access, not all of the security controls that are in place with Zscaler are inherent to their own fabric. Zscaler has done a fantastic job with ZPA in terms of putting the components together. But when it comes to security enforcement, they are lagging behind on some things. One of them is the native security control component enforcement on their fabric. We feel like that is not done as efficiently as Prisma access does.

In a simple scenario when doing a side-by-side comparison, if we were onboarding and providing access to an end-user using ZPA, they would be able to get on and do their job fine. But when it comes to interoperability, cross-platform integration, and security enforcement, we feel that ZPA lacks some of the next-gen, advanced features that Prisma Access has to offer. Prisma Access provides us with cross-platform integration with things like Palo Alto AutoFocus and Cortex Data Lake, which is great. ZPA does not provide all of these extensive security features that we need. In a side-by-side comparison, this is where Prisma Access outshines its competitors.

With all of that in mind, the big question in our minds was, "Well, can you prove it?" PoCs are just PoCs. Where the rubber meets the road is when you can prove your claims. Palo Alto said, "Okay, sure. Let us show you how you can integrate with your existing antivirus platform, your existing content filtering platform, and your existing DLP platforms." We gave it a try. And then, we did various types of pen testing ourselves to see if it was really working the way they said it would. For example, could you take an encrypted file and try to bypass the DLP features? The answer was no. Prisma Access made sure that all of the compensating controls were not only in place but also being enforced. "In place" means you have a security guard, but you have told him to just keep a watch on things. If you have a robbery going on, just watch and don't do anything. Let the robbers do whatever they want. Don't even call the police. Prisma Access doesn't just watch, it calls the police.

We had used Zscaler for a proof of concept, but we wanted segmentation capabilities within the data center as well as for on-prem locations. We wanted to have local segmentation capabilities. We wanted a solution that scales inside the cloud but also on-prem. Zscaler didn't have that model in the past, so we went ahead with Prisma Access. That was the only PoC that we did in addition to Prisma Access.

With regards to other integrations, the integrations with Cisco SD-WAN still exist, but these are not a competitor of Prisma Access. These are just integrations.

I was already set on Palo Alto. We were doing a PoC with Palo Alto when COVID hit, and the codes did it for me. We had to get something stood up. Our hands were tied with Pulse because we couldn't support 2,000 users rushing in the door. The box would just tip over to that.

We evaluated Cato Networks, Cisco Umbrella, and Zscaler. We also had presentations from Perimeter 81 and CloudFlare.

We went for Prisma Access because it is able to integrate with their firewalls. They have very good connectivity. Palo Alto is a leader in the next-generation firewall, which means their security is good. 

When comparing Prisma Access with Zscaler, you can't do much customization with Zscaler. That's why we selected Prisma Access. I like Prisma Access more than Zscaler because Zscaler doesn't have many capabilities. It doesn't let you do much customization, and you just have to depend on what the provider gives you as signatures.

For me, Zscaler is more for web traffic. Zscaler is comparable to Prisma Access when it comes to web filtering, like a secure web gateway proxy. If you want to filter out all your traffic, not only the web traffic, then you should definitely go for Prisma Access. Zscaler can be used as a firewall. They say it is similar to Prisma Access to filter out applications, not only web applications, but with Zscaler, you can't make custom signatures. They don't give you a lot of customization. You just enable the features and hope that they're enough. You can't do customizations that most big companies want. So, as a web filtering solution, it is comparable to Prisma Access, but if you want to filter out all the traffic and not only web traffic, then it is not so comparable to Prisma Access.

Zscaler also doesn't have application-level capabilities. Zscaler can't work with SIP traffic where you have to dynamically open FTP ports. For that, the solution should listen to the control plane traffic to know which port to open. Zscaler doesn't support that. So, it is quite limited for anything other than web traffic. However, Prisma Access is more limited when you use it as a secure web gateway solution.

Forcepoint also has a Cloud Security Gateway solution, but we ran away from them. Their cloud solution sometimes couldn't decrypt the web traffic. They had a bug when you want to decrypt one site from a category. For example, you want to decrypt Facebook, but you don't want to decrypt the social media category. In the Forcepoint GUI, you can specify that. In the GUI, it works, but in reality, it doesn't. There is a bug where the site will be decrypted or not decrypted only depending on the main category. You can't in reality change a site's decryption settings. Forcepoint didn't tell us they have this bug. They took two months to admit that and even got angry with me.

I did demos of around 16 different products that do something similar, including Zscaler, Netskope, Fortinet, Twingate, and Tailscale. Palo Alto was the only solution that could give us dedicated egress IPs. 

We evaluated Cato Networks, Check Point, and Prisma Access. We went for Prisma Access because of its features and its integration with other cybersecurity solutions. Its integration is easy, and it takes less time to integrate it with other cybersecurity solutions. 

There are also open-source applications. They are also good, but they need more tuning and more time to get to the level of solutions like Prisma Access. A benefit of these open-source solutions is that you can tune them according to your environment. They are also free, so there is a cost-benefit.

Before we did our last renewal we looked at a couple of other products. We chose to renew because of the pricing and licensing of this solution. 

Where I'm working now we have FortiGate but at my old company, we didn't prefer that. When Palo Alto did the presentation at my old company, we understood they were professionals and that their features were more valuable than FortiGate.

We evaluated other options like Zscaler and Netskope. Prisma Access has more coverage for ports and protocols. It doesn't only inspect web protocols but all ports and protocols, and that's an advantage. Other solutions are still relying on web protocols.

The positive side of these other solutions, because they came along a little later, is that they have understood the demerits of a solution like Prisma Access. They are using more cloud-native components and microservices architectures. That makes these solutions faster. As I said, some config changes in Prisma Access take 14 to 15 minutes, but these other solutions literally take a minute to make the same config changes happen.

It's a constant race.

We evaluated a few, including Sysdig, Threat Stack, and Lacework. The deciding factor was the ease of use. It's critical to understand what you're looking at and for the platform to provide value with reports. The data presentation in Prisma was more straightforward.

In addition to Zscaler, we looked at Netskope and Cato Networks.

We evaluated Zscaler Private Access and multiple other cloud solutions.

Compared to Zscaler and other services, the advantage of Prisma Access is that it supports both data and voice. The other vendors don't support voice. With Prisma Access, we don't need to look for any other services or solutions. It supports your data and voice services as well and that is one of our most important requirements.

We did look at other vendors when we were deciding on our VPN software and we went with Palo Alto for security reasons. 

We didn't run any PoC with other vendors. Before we were introduced to Prisma Access we were thinking of moving also our Firewalls to Meraki (as we will do with our switches). I believe no other vendor can offer what Palo Alto with Prisma provides, at least at this moment.

The evaluation happened before my time here, but we had people who had worked with Palo Alto previously. They knew its reputation and were happy with it. I think the switch happened directly.

We looked at other competitors, including Aruba, HP, Cisco, and Microsoft Enterprise solutions. 

Zscaler is a good product. In terms of features, Prisma Access by Palo Alto Networks and Zscaler are at the same level. Prisma Access by Palo Alto Networks may have an advantage over Zscaler in terms of security. Palo Alto Networks comes from security vendors, and Zscaler is available from cloud vendors. When it comes to simplicity and connectivity, Zscaler is better than Prisma Access by Palo Alto Networks.

We did not have a great deal of time to evaluate other products.

We looked into multiple options, and we chose Prisma considering the price and the features it offered.

We started off with AWS three years ago. As the number of accounts grew, we felt the need to use some sort of cloud governance tool because it is not possible for us to log in to each account and look for issues that may impact the organization. That's why we started to use Prisma. We are using multiple solutions from Palo Alto. We use Twistlock for container scanning and things like that.

There are now more vendors doing this, such as Oracle, but when we started there were very few. This is one of the reasons for choosing this solution.

We just checked which firewall was top rated. We selected two such firewalls. One was Check Point and the other was Palo Alto. Both of them are comparatively good.

We did evaluate other options but only Palo Alto Networks could offer what we were looking for.

Here in Egypt, there are about 93 system integrators and we have a partnership with Fortinet. We consider our connections because we need to avoid conflict with our partners and conflict with other solutions in our portfolio. We choose Palo Alto and Check Point to avoid conflict with our partners. The market is very crowded with FortiGate technical solutions and partners, so we avoid these.