The Internet is the attack vector of choice for malware developers and data thieves of all stripes because the HTTP protocol constitutes a big, gaping hole in your defenses. While some users bring grief on themselves by browsing inappropriate and risky pages, criminals target legitimate sites to distribute malware through corrupted banner ads, Web redirects, and other nefarious techniques.
You can't close the hole because end users rely on the Web for business tools. What you can do, however, is purchase border enforcement to cover your assets. These Web-security-as-a-service suites, like the on-premises software and appliances sold by competitors, provide a slate of capabilities, including Web filters to block users from surfing inappropriate or compromised sites; malware filters to pluck viruses, Trojans, and spyware from inbound content; and data loss prevention tools to stop sensitive information from leaking out of the organization.
But is outsourcing Web security to the Web a smart career move?
The service model has three advantages over traditional on-premises products: lower capital costs, faster deployment of the application, and a reduced management burden on in-house IT staff. Service-based Web security can also help protect remote users when they're off the corporate network. And you've got a range of choices in providers, from upstarts like Purewire, ScanSafe, and Zscaler to established vendors such as Kaspersky, McAfee, Symantec, and Websense.
Sounds good in theory, but latency could derail adoption.
Caught In The Slow Lane?
The theory behind doing Web security in the cloud is relatively simple: Redirect all of your outbound Internet traffic to a Web security infrastructure hosted by your vendor of choice. Pick the security services to which you want to subscribe. Develop and enable your policy through a Web management interface. Last, point your client browsers to the vendor's Web security gateway, and you're done.
As is usually the case, however, theory and reality differ. With an on-premises Web security system, users traverse your Internet router and are protected within the LAN environment at wire speed, reducing the potential for latency. With off-site, provider-based Web security, you're adding an additional hop to a proxy over the Internet itself, and that introduces the possibility of slowdowns. The question is, how much latency is too much? End users won't get much sympathy from IT if they complain that Hulu is jittery at work, but line-of-business managers will kick down your door if Salesforce or online meeting apps start to wobble.
"The concern about additional latency is one of the first questions we are asked by every potential customer," says Paul Judge, co-founder and CTO of Purewire. As you'd expect, Judge says the latency from his service is imperceptible.
Luckily for IT, it's simple enough to put vendor claims to the test. Most let potential customers create an evaluation account to put the service through its paces. If a potential partner balks at this, walk away.
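One way to run that test during an evaluation, shown here as an added example that is not from the article or any vendor: time the same requests directly and through the provider's gateway, then compare median and 95th-percentile overhead. The gateway address and test URL are placeholders, and the sample timings are constructed.

```python
import math
import statistics
import time
import urllib.request

# Placeholders (assumptions): use your evaluation account's gateway and the
# business-critical sites your users actually depend on.
PROVIDER_PROXY = "http://gateway.provider.example:8080"
TEST_URLS = ["https://www.example.com/"]

# Constructed timings in seconds, standing in for one URL's measurements.
SAMPLE_DIRECT = [0.210, 0.195, 0.230, 0.205, 0.500]
SAMPLE_PROXIED = [0.260, 0.240, 0.290, 0.250, 0.900]


def fetch_seconds(url, proxy=None, timeout=10):
    """Time one full GET, direct (proxy=None) or through the given proxy."""
    # An empty dict disables any proxy set in the environment.
    proxies = {"http": proxy, "https": proxy} if proxy else {}
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    start = time.perf_counter()
    with opener.open(url, timeout=timeout) as resp:
        resp.read()
    return time.perf_counter() - start


def percentile(samples, pct):
    """Nearest-rank percentile of a list of numbers."""
    ordered = sorted(samples)
    return ordered[max(1, math.ceil(pct / 100 * len(ordered))) - 1]


def added_latency(direct, proxied):
    """Overhead of the proxied path in milliseconds (median and p95)."""
    median = statistics.median(proxied) - statistics.median(direct)
    p95 = percentile(proxied, 95) - percentile(direct, 95)
    return {"median_ms": round(median * 1000, 1), "p95_ms": round(p95 * 1000, 1)}


def evaluate(urls, proxy, rounds=20):
    report = {}
    for url in urls:
        direct, proxied = [], []
        for _ in range(rounds):  # interleave so both paths see similar conditions
            direct.append(fetch_seconds(url))
            proxied.append(fetch_seconds(url, proxy))
        report[url] = added_latency(direct, proxied)
    return report


if __name__ == "__main__":
    # Offline demo; call evaluate(TEST_URLS, PROVIDER_PROXY) for a live run.
    print(added_latency(SAMPLE_DIRECT, SAMPLE_PROXIED))
```

Run it from the office LAN and again from a remote connection, since the nearest provider point of presence may differ between the two.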
Overall user experience depends on a host of variables, such as whether a cached copy of the content requested is available either locally or from another source. It's important that network engineers understand a few factors when choosing a provider. Primary among them are a firm grasp of your users' Web behavior, where the provider's proxy servers are physically located, and whether the provider can also supply a caching appliance to minimize latency.
Before signing on, be confident that the provider will be able to scale its infrastructure as it adds customers. And as with any service, you'll need to get details on the provider's service-level agreements.
[Table: Web Security Services' Benefits And Drawbacks]
Having Web security software or appliances on the corporate network is great, but all that effort can be undone by just one user whose corporate laptop gets infected with a Trojan while she is casually surfing at the airport, waiting for a flight home.
Service-based Web security can ensure that end user Web traffic is always routed through the provider's filters. Providers do this by having administrators configure users' browsers to send traffic directly to the provider's proxy servers.
Of course, latency is just as much of an issue for road warriors as office staff. Referencing a proxy server 3,000 miles away over a slow Internet link isn't an efficient way to balance Web security and usability. To address that, many Web security providers use third-party geolocation databases to home in on a user's physical location as he executes a DNS query, and point him to the provider's nearest point of presence.
A compelling argument for any service is low capital costs. We've done some back-of-the-napkin calculations to compare on-premises vs. Web security service options. Let's assume your business has a single office with 500 employees. For around $25,000, you can purchase a Web proxy appliance with a 500-user license and a one-year license for a URL filter. If you want antivirus and malware prevention, you'll need another appliance. Our favorite reseller quoted us around $6,700 for a BlueCoat ProxyAV appliance with a 500-user license. A one-year subscription to the McAfee A/V engine will cost you another $3,000. Don't forget to add in around $5,000 in maintenance per year for both.
By our math, capital expenses are just under $35,000.
Let's compare that with the service option. Purewire gave us ballpark pricing of $30 per user, per year for its Web security service. For a 500-user shop, all of your licensing costs are operating expenses; the bill comes in at $15,000 per year ($30 times 500 users).
Here's where the decision gets tougher. While the capital expense may be greater for an on-premises package, the ongoing costs will drop considerably in subsequent years, while the service costs generally will remain the same or rise. Over three to five years, it's likely there will be very little difference in the total cost of ownership between the two options.
Thus, the decision will have to include other variables, such as the extra features you could get with hosted Web security tools, like application control, data loss prevention, and consolidated logging/reporting. Security requirements mandate that some organizations store Web access logs for years. Any level of detailed logging on a large scale is sure to generate gigabytes of data. Hosted log management is a value-add that many Web security service providers are touting.
By contrast, the potential for business-critical Web apps to be impeded by slowdowns could quickly overwhelm any benefits you might see in a cloud option. Web security services will live or die on how well they can keep latency down. We'll be watching.
Randy George is an industry analyst covering security and infrastructure topics.