Hosted Web Security Protects Disparate Branch Offices, Mobile Workers

June 22, 2010

Hosted Web security services are an attractive option for distributed WAN environments, particularly when the distance to corporate hubs and the sheer number and variety of branch locations make back-hauling Internet traffic impractical and inefficient. With the rise of bandwidth-intense, performance-sensitive corporate applications, such as video and VoIP, it makes increasing sense to provide direct Internet access to remote offices, especially with users accessing YouTube, and streaming and downloading video and music.

"Even in North America, where bandwidth is inexpensive, there's a growing recognition it is inefficient to backhaul and more efficient to provide direct Internet access to the branch," said Gartner research director Lawrence Orans. "The challenge is how you do it securely? Now that we have cloud-based security service, it's very doable." Self-service (ATMs etc.) and security technology provider Diebold, for example, has locations ranging from 2,000 people to two in more than 90 countries. Centralized corporate services are generally provided over a private network, but "when it comes to Internet, there are too many variables--high-bandwidth apps, too many distance factors, latency issues from halfway around the world," said Kevin Phillips, regional security director and architect.

"It was difficult to find a single product to accommodate all the different scenarios," said Phillips, who has used a hosted Web security service, Cisco ScanSafe, across the company since the end of 2009. The alternative was putting Web security gateway appliances in each location, but he didn't want either the additional capex or the burden of managing additional boxes, especially in smaller offices.

The Web security gateway market grew largely from URL filtering, which is more of an acceptable use and productivity tool than security, particularly since the Web became the dominant vector for malware distribution. The compromise of legitimate sites, the spread of malware through advertising and the sheer volume of suspect sites have spurred the need for scanning Web traffic. A number of URL filtering vendors as well as some start-ups began offering Web scanning appliances and/or software, as did several desktop AV companies, through acquisition and/or in-house development. Today, most of these companies offer SaaS options for Web security as well, after ScanSafe offered the first hosted service. Several email security SaaS vendors also added Web security services.

Enterprises have the option of going entirely with a hosted service, or adopting a hybrid model in which they deploy appliances at large, central locations, where they have the IT resources and expertise to support them, and a service for smaller offices and mobile users. Gartner's Orans said this is common when it is impractical to ship hardware to a new branch office in a remote location. "You have to do a cost analysis," he said. "It's often still more cost effective to buy an appliance and depreciate it than to pay per user, per month for the cloud." On the other hand, that means going with the same vendor to service remote users and on-prem at central sites. There's obvious benefit going with a single vendor in a hybrid deployment, if you can integrate policy, a "single pane of glass." However, your Web security appliance vendor may not have a hosted service that meets your requirements. Also, a number of the hosted services have recently been acquired and are not fully integrated with on-prem products. In a flurry of activity in recent months, Symantec acquired MessageLabs, McAfee bought MXLogic, Barracuda purchased Purewire and Cisco Systems acquired ScanSafe.

If you are considering a hosted service, make sure latency is not an issue. This will depend on the service provider's coverage where your offices are located. The more remote the location, the more problematic this may be. "Latency is an important factor," said Diebold's Phillips. "I noticed it immediately as soon as I started discussing it with the business units we deployed with. That was their first question."

Phillips said he and ScanSafe went through testing to determine the best coverage points, and that they do experience some latency in more remote locations. But those are less sensitive, he said, because they are used to a little lag. "Anything that causes lag or delay is unacceptable to the business," said Alex Belgard, information security engineer for Crutchfield, a Charlottesville, Va.-based consumer electronics retailer, which uses Zscaler's hosted service. This is particularly true for the company's call center, where reps are calling up Web pages for product information.

From a security perspective, the mobile workforce is a prime factor in favor of a hosted service. Appliances don't cover mobile workers, a major risk at home and on the road. Of course, companies have the option of forcing them to use the corporate VPN for all Internet access, but that's an expensive and inefficient approach as you eat up bandwidth hauling all that traffic in, then sending it back out to the end user. "If I'm a CEO, I have 5,000 gateways because I have 5,000 employees, and they carry laptops everywhere," said Manoj Apte, VP of product management for Zscaler, the sole remaining major pure-play SaaS Web security provider.

With a hosted service, mobile users are automatically redirected to the vendor cloud no matter where they access the Internet. This can be done in a variety of ways, such as a light agent or a configuration file. "An appliance at a branch doesn't support mobile workers," said Orans. "They're not protected when they travel, when they're at the hotel; they're not protected at home. Cloud-based offerings all have mobile support. It's a key benefit."
