Hosted Web security services are an attractive option for distributed WAN environments, particularly when the distance to corporate hubs and the sheer number and variety of branch locations make back-hauling Internet traffic impractical and inefficient. With the rise of bandwidth-intense, performance-sensitive corporate applications, such as video and VoIP, it makes increasing sense to provide direct Internet access to remote offices, especially with users accessing YouTube, and streaming and downloading video and music.
"Even in North America, where bandwidth is inexpensive, there's a growing recognition it is inefficient to backhaul and more efficient to provide direct Internet access to the branch," said Gartner research director Lawrence Orans. "The challenge is how you do it securely? Now that we have cloud-based security service, it's very doable." Self-service (ATMs etc.) and security technology provider Diebold, for example, has locations ranging from 2,000 people to two in more than 90 countries. Centralized corporate services are generally provided over a private network, but "when it comes to Internet, there too many variables--high-bandwidth apps, too many distance factors, latency issues from halfway around the world," said Kevin Phillips, regional security director and architect.
"It was difficult to find a single product to accommodate all the different scenarios," said Phillips, who has used hosted Web security service, Cisco ScanSafe, across the company since the end of 2009. The alternative was putting Web security gateway appliances in each location, but he didn't want either the additional capex or the burden of managing additional boxes, especially in smaller offices.
The Web security gateway market grew largely from URL filtering, which is more of an acceptable use and productivity tool than security, particularly since the Web became the dominant vector for malware distribution. The compromise of legitimate sites, the spread of malware through advertising and the sheer volume of suspect sites has spurred the need for scanning Web traffic. A number of URL filtering vendors as well as some start-ups began offering Web scanning appliances and/or software, as did several desktop AV companies, through acquisition and/or in house development. Today, most of these companies offer SaaS options for Web security as well, after ScanSafe offered the first hosted service. Several email security SaaS vendors also added Web security services.
Enterprises have the option of going entirely with a hosted service, or adopting a hybrid model in which they deploy appliances at large, central locations, where they have the IT resources and expertise to support them, and a service for smaller offices and mobile users. Gartner's Orans said this is common when it is impractical to ship hardware to a new branch office in a remote location. "You have to do a cost analysis," he said. "It's often still more cost effective to buy an appliance and depreciate it than to pay per user, per month for the cloud." On the other hand, that means going with the same vendor to service remote users and on prem at central sites. There's obvious benefit going with a single vendor in a hybrid deployment, if you can integrated policy, a "single pane of glass."