If you haven't focused on an enterprise-wide Web security strategy then it's time for a reality check. It's safe...
to assume that various parts of your organization are using Web applications and a cloud computing infrastructure or services, and the time to wrap a security strategy around that is now.
The recent Cisco Systems 2009 Annual Security Report illustrates the need for sound planning heading into 2010. Cloud-based tools and productivity applications that leverage the cloud are likely already being used in your organization and attackers are ready to pounce.
Traditional Web security primarily consisted of URL filtering, HTTP protocol validation, and single sign-on access controls. However, malware authors infect legitimate websites or change domain profiles faster than reputation systems can adapt, repositioning the effectiveness of URL filtering from antimalware security to acceptable use policy enforcement.
Protocol validation has been consolidated into firewalls to be able to catch traffic anomalies at the network edge before downstream systems can be affected. Web security has been left to endpoints, which makes updating signature definitions and software functionality costly for IT.
The good news for IT is that Internet traffic can be redirected through Web-based security clouds while retaining acceptable performance. Cloud security services can centralize processing and administration tasks, making it easier to scale effective security to enterprise levels while controlling costs.
Inbound traffic can be inspected for malware and authenticated access control enforced; outbound traffic can be checked for regulated data and transparent encryption applied according to policy. Administratively, centralizing Web security controls can facilitate adding application-level security for new Web-based applications and increasing inspection capacity for enhanced performance without widely distributing management burdens.
There are different approaches to Web security that can be blended to fit the requirements of the network infrastructure. Appliances, such as Microsoft's TMG or Check Point Security Inc.'s Gateway with a Web security software blade, work well in supporting branch offices or in cases where high performance filtering achieved by a dedicated appliance is required. Security cloud services, including those offered by Trend Micro Inc. and Zscaler Inc., allow security technologies to efficiently filter recognized malware without mass distribution of signatures to throttle low priority applications that consume network bandwidth, and allow all users to instantly benefit when new security features are added.
Corporate security clouds can follow the same model. This may be particularly desirable for data loss protection features where the enterprise prefers that blocked messages and data reside in on-premise systems rather than in a security service provider data center. Virtual desktop infrastructure projects also give IT the opportunity to deploy security as an independent security cloud. Instead of embedding Web security software in each VM or installing on each virtualized server, IT teams can route external-oriented traffic through security products to protect the business. For instance, Xceedium Inc. allows IT granular control over Internet access from within the data center while HyTrust provides controls over privileged user actions in a virtual data center -- both important capabilities in separating applications and desktops from security policy enforcement.
While security teams are examining the feasibility of Web security clouds to protect the business, they can also investigate virtualizing help desk capabilities. Citrix Systems Inc. and Bomgar Corp. are two vendors that can easily download dissolvable agents over the Internet, allowing IT to support remote users over the Web. This approach relies on Web security to drive the costs out of service desk operations (e.g. fewer system software refreshes) and increase end-user satisfaction with quicker security and configuration problem resolution. While looking at assigning Web security responsibilities to security clouds, IT can also streamline service desk operations with centrally managed remote support software.
Enterprises that have yet to do so should reserve 2010 resources to re-examine the trends of Web security, the impact on the business and alternative approaches to meeting the security needs of ubiquitous Web access.
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to email@example.com.