Rolling Review: SaaS Web Security Services Kickoff

The Web is a dangerous place. Enterprises have turned to premises products, both gateway- and client-based, to filter inbound Web malware and stop users from surfing to compromised or outright malicious sites. Now enterprises have another option: a growing number of providers offer Web security as a service (SaaS). These services promise similar protection to what you'd get with a premises product, but without the capital outlay or ongoing operational costs. Generally speaking, SaaS-based Web security works likes this: proxy your outbound Internet traffic through the closest point of presence that your Web security vendor provides, and you're magically protected from advanced attacks and data loss.

While providers will be happy to sign you up for accounts for your entire fleet of PCs and laptops, we believe enterprises are approaching the SaaS Web market to help fill gaps in their premises protection, not to replace existing premises products. The idea is to use an online service to protect branch offices and road warriors. That's a logical place for medium and large companies to start, particularly with a relatively untested market such as SaaS Web security, because at this point we don't see SaaS providers being able to scale to protect tens of thousands of your users.

Because this is an untested market, we need to ask some basic questions, such as, "Does it really work? Will it introduce an unacceptable level of latency for your users? And what will it cost you?"

To answer those questions, we're launching a new Rolling Review of cloud-based Web Security solutions. We've invited several players into the lab to show what they can do for you. These include Barracuda Networks (through its acquisition of Purewire), Cisco Systems (through its acquisition of ScanSafe), McAfee and zScaler. With the help of Core Security technologies and through some tricks of our own, we have plenty of shots to take at our participants. We'll look at four areas: malware protection, latency, reporting and value-added extras that will inform your decision about buying.

Malware Protection: Infecting your PC with malware is turning into big business, and malware developers are finding all sorts of ways to score new victims, such as targeting the most popular Web searches for their exploits. During the 2010 Winter Olympics, Chris Null from Yahoo Tech blogged about the top 10 Olympians whose search results raised the chances of infecting your PC with malware. Reports by Finjan's security research team detail how control of large numbers of compromised PCs is sold on the black market. You can purchase control of zombie PCs in batches of 10, 100 or 1,000 for whatever purpose suits you.

If you've ever had to clean up the mess that malware leaves behind, you know how long it can take to recover from such infections, if you can recover at all. The most damaging malware can necessitate a complete wipe and reload of your OS, and if the victim happens to be one of your remote users, the problem is magnified. The last thing you need is a deal torpedoed because your sales superstar can't boot her laptop for an important presentation.

The minimum requirement for SaaS Web security providers is to offer protection that's at least as good as you'd get from a client or gateway AV/malware product. SaaS Web security providers will argue they can do even better, because every time they update signature libraries, users are automatically protected--without troubling your IT staff to push those updates to premises appliances or thousands of end users. The SaaS providers also talk up malware detection techniques such as behavioral analysis, which they claim can help them identify bad stuff without a signature.

We'll test the accuracy of each SaaS solution in two ways. First, we'll throw each Web security solution a softball and run our test clients through a script that will try to access a database of well-known malware sites. One of the databases we'll use is malwaredomains.com. URL filtering is one of the most basic, and most important, aspects of comprehensive malware prevention. We'll report to you how accurate each solution was filtering out known malware sites.

The second, more challenging security task will be a test of each provider's behavioral analysis engine. Effective malware prevention requires more than a signature-based engine and a URL filter. Increasingly, effective malware protection requires the ability to scan content for intent. The Aurora attack at Google is a perfect example of how active code inside an attachment can slip through your defenses. According to security researchers, the Aurora attack skillfully exploited a zero-day vulnerability in IE that was packaged in a PDF and delivered in a way that made it appear as legitimate internal corporate communications.

With the help of Core Security, a penetration testing company, we'll unleash some attacks that will attempt to simulate an Aurora-like attack and see how the various players handle the threat. We'll also execute attacks that are clearly outside the normal behavior of a legitimate site. For example, as we browse the Internet, we would not expect or want a site to drop a new key in our system's registry. We'll infect a Website with code that will attempt to write to our system registry to see how such an event is handled. Finally, we'll look at each solution's ability to handle cross-site scripting and other attacks.

Latency: The most secure solution historically has also been the ugliest: load a proxy client and route outbound HTTP remote user traffic through your malware protection appliance at headquarters. But do you really want a road warrior in San Francisco routing through Boston for Internet services? For most of us, the answer is no. As a result, extending on-premises security appliances to protect remote users is generally not an option from a latency perspective--particularly when business-based Web apps are growing more common. But can cloud Web security vendors really do it any better? 

To minimize latency, most Web security solutions use DNS geolocation. By identifying the physical location where the IP block you're using is located, Web security vendors can route your outbound Internet traffic through its closest co-located provider. Part of our testing will include reporting details on each provider's Web security backbone. If most of your remote users are located in California, but your Web security vendor is most heavily fortified on the East Coast, then you have a problem.

The ultimate perception of latency by a user depends on variables like the user's connection, PC hardware, the Web security provider and the site your user connects to. To ensure an apples-to-apples comparison on latency, we're going to base the results around two simple metrics: how long it takes to load a non-cached page without the Web security solution, and how long it takes to load the same non-cached page with the Web security solution. Our comparisons will be done regionally, so to account for differences in network connections, we'll measure our Internet speed and report openly any differences that affect our results.

Reporting: Reporting is a vital element in security and is increasingly a required component of any compliance initiative. If you're going to augment (or replace) your premises product with a SaaS provider, you must ensure the reporting you get is equal to or better than what you have now. Many organizations have policies that necessitate the long-term storing of logs for security and auditing, so we'll also look at what each vendor offers for storing historical logs or offloading them to a log management product.

The Extras: Recently, SaaS Web security vendors have started to diversify their offerings to distinguish themselves from the pack. As a result, you can expect to see more functionality that extends the traditional URL filtering and malware protection features that all vendors offer. New features like rudimentary Data Loss Prevention (DLP) and application control are starting to surface in some solutions. If a particular vendor in our lineup offers any value-adds that might affect your decision to buy, we'll report them to you and let you know how effective they are in the labs. We'll also look at what shifting your Web security service to the cloud is really going to cost you. If you've made a significant investment an on-premises solution, then you might need to wait on the sidelines as you recoup your investment. But if you have no existing Web security capability, is SaaS really less expensive? At the conclusion of our rolling review, we'll serve up a detailed total cost of ownership report (TCO) of premises vs. SaaS that will help you make a wise decision.