The URL filtering product HCR ManorCare Inc. used in-house never worked right. It misapplied business rules and caused problems for users. “It was very inconsistent,” said Thomas Vines, director of information security at the Toledo, Ohio-based health care provider. “It was just a big pain to manage.”
When the product came up for renewal, the company knew it had to make a change. With more than 500 locations and an array of health care services, including skilled nursing and rehabilitation centers, assisted living facilities, and hospice and home health care, HCR ManorCare’s Web security needs were challenging. Including the corporate headquarters, the company has about 40,000 Internet users. “We have a very diverse population,” Vines said. “All these different constituencies have different needs.”
At the suggestion of CentraComm, a Findlay, Ohio-based managed service provider that runs HCR ManorCare’s security operations center, he began considering Zscaler Inc.’s Web Security Software as a Service. After putting Sunnyvale, Calif.-based Zscaler up against three competitors in a bakeoff and testing its ability to stop advanced threats, Vines’ team was sold on the security SaaS. “We didn’t have any hardware to buy or software to license. We didn’t have to send someone to training or build a new team. It was really easy,” he said.
Cloud-based Web security gateways are a growing market, driven by companies looking to reduce their total cost of ownership, said Peter Firstbrook, research director at Gartner. They make up only about 11% of the secure Web gateway market today, but Firstbrook expects that number to grow to 20% by 2015. It’s a lot easier for a company, especially one with dozens of locations, to roll out Web security SaaS, he said.
Zscaler helped jump start the market for cloud-based Web security gateways by taking several steps to make the technology highly scalable and easy for companies to integrate their users into the system, Firstbrook said. “They’re using a lot of industry standards and making it easier to consume the technology than ever before,” he said.
Unlike other services, Zscaler doesn’t require any client software; there’s the potential that an end user could disable it, but companies can easily re-enable the service through the Microsoft Group Policy feature, he said.
Dave Shackleford, founder and principal consultant with Voodoo Security and also a certified SANS instructor, said cloud-based security services like Zscaler’s are similar in many ways to traditional outsourced Web and email security services, “but now have additional scalability and flexibility due to virtual instances of the ‘appliances’ running for each customer.”
“Filtering spam and handling URL filters and other common Web security elements is an additional burden on in-house teams that makes little sense to shoulder themselves,” he added.
They also offer options for both enterprises and SMBs, Shackleford said. “In large, distributed organizations that have many branch offices, piping all the traffic back to a corporate data center may not make sense, so sending it through a cloud SaaS could be a great way to cost-effectively mitigate these two areas.
At HCR ManorCare, the plan was to roll out Zscaler’s Web security SaaS first to corporate executives. “We wanted to make sure it was the right mix of security controls with service delivery, and give them a first-hand view of what their staff and lines of business would experience with this new product,” Vines said. But a network glitch caused traffic to switch from an old network to the new network configured with Zscaler. Overnight, about 2,000 corporate users had Zscaler. The sudden switch was a tremendous success with only seven helpdesk calls, Vines said.
Vines estimates that Zscaler saved HRC the company more than $150,000 in hardware and software costs. “We didn’t have to upgrade computers, grow expertise, dedicate more LAN and WAN ports to support more traffic, build new category lists, set up anything on our switches or firewalls,” he said. “We got to skip all that. Instead of having a year-long project to upgrade Web filtering, we did it overnight.”
For HCR ManorCare, switching to a cloud-based service for Web security didn’t require any shift in corporate thinking. “We weren’t adverse to cloud services strategically,” Vines said. “HCR has had cloud services in the business for years.” Plus, Zscaler doesn’t store any data, he added.
“Instead of having infrastructure in your data center, you’re leveraging the cloud to do something in a data flow that makes tons of sense,” he said.
Firstbrook said that while Zscaler -- like other cloud-based secure Web and email gateways -- doesn’t store business critical enterprise data, it does store log data that could contain enough metadata for an attacker to infer business secrets, such as mergers and acquisitions. Zscaler does not encrypt its log data but compresses it with a unique algorithm and uses client tokens rather than full names, which would require a typical hacker to have extensive knowledge about this process to decipher this data, he said. The vendor also offers private log servers if companies want to keep data on site.
Web gateway security SaaS provides opportunities to protect roaming devices such as mobile devices and laptops that typically are not protected by on premise gateways without heavy clients, Firstbrook noted. At HCR ManorCare, the Zscaler Web security SaaS also protects the company’s mobile users.
“When an authenticated mobile user, like an iPad user, browses out to Google they follow the same path as a business computer and get the same cloud services provided by Zscaler,” Vines said. “It is a very important component in our defense in depth strategy to secure and protect mobile assets. For instance, since iOS 4 doesn’t have AV yet, we depend heavily on Zscaler’s capabilities to protect those devices from malware.”
Another plus was Zscaler’s guaranteed 99.99% availability, Vines said. “We had never considered building a Web filtering system with four 9s. That was economically unrealistic for us.”
Firstbrook said there is an increasing array of antimalware security solutions available as a service. “For most organizations, these services are less expensive and better than their on-premises counterparts. Security buyers should not continue to buy on premise solutions without considering the benefits of SaaS solutions,” he said.