Chances are, you don't have malware protection where it is most likely to infect your users' computers: the Web.
"When malware shifted to email, everybody put antivirus in the email stream," said Gartner analyst Peter Firstbrook. "Now, all malware has been shifting to the Internet, but not a lot of people have responded by putting security there."
While Web security gateways are a billion-dollar business, most of that is from Web URL filtering, according to Gartner, which said that less than one-third of organizations use Web-based antimalware. There are a number of Web security gateway products on the market, but buying, deploying and managing more appliances is not an attractive solution to smaller businesses.
Let's examine the advantages and limitations of the alternative: hosted Web security services. These are relatively new, but there are a number of options from pure-play startups, large security companies that have developed services off their product-based technologies, and hosted email security service providers that have developed Web security as a natural complement.
HOW WEB SECURITY SERVICES ARE DIFFERENT THAN URL FILTERING
Web security products and services grew out of URL filtering, which was designed primarily to improve user productivity and to enforce acceptable use policies. URL filtering is not Web security; basic Web filtering works off a database of known sites based on a category--pornography, gambling, etc. Web security gateways, whether on-premise or in the cloud, intercept Web traffic and determine in real-time whether the request is going to a malicious site and/or whether the site is attempting to pass malware back to the end user. They're an important complement to your desktop AV, which is important, but insufficient. Sundry lab tests show that endpoint protection products miss many zero-day attacks, for example.
Hosted services are an attractive option for companies with 1,000 seats and fewer, whose managers are overtaxed and who are about to invest in additional hardware that will need to be refreshed every two or three years.
"The price points are coming down now to where it's really, really economical," said Gartner's Firstbrook, "especially if you are already outsourcing email security."
Hosted email security is an important point to consider. It's increasingly many midmarket companies' first foray into SaaS-based security. If you've had a good experience with email security, a Web security service is a logical next step.
HOW TO CHOOSE A WEB SECURITY SERVICES PROVIDER
You have a lot of options in today's hosted Web security market. ScanSafe Inc., the first SaaS company in the market, was joined last year by Zscaler Inc. and Purewire Inc. Product-based companies have added hosted services. Websense Inc., for example, acquired SurfControl Inc. Email security providers, such as MX Logic Inc. (recently acquired by McAfee Inc.) and MessageLabs Inc. (now Symantec Corp.), have also developed Web security services.
Some things to consider when choosing a service provider:
Remote users. One of the compelling points of SaaS-based Web security is that your users are protected, even when they are off the corporate network or VPN. People are liable to surf the Net injudiciously at home or on the road, but the malware they pick up will infect your network just as surely.
Service providers can redirect any user request to their data centers for scanning. However, take note of how they do it. One way is to simply reconfigure the browser to send traffic to the vendor, but some providers require that you install and manage client software, a headache you probably want to do without.
Other services. Getting other services, particularly email, from the same vendor will simplify management, integrate reporting and give you one support source, common billing and more. Zscaler and Purewire only offer Web security services, so at least for now, you'll have to mix and match if either appeals to you. Google OEMs ScanSafe, which returns the favor by OEM-ing Google's Postini email security. Most other vendors offer both, including products as well as services.
Viability. Startups will probably give customers a lot of TLC, in the form of customization, support and attractive pricing, but they will likely not give you the feeling of peace at night that you get from choosing giants such as Cisco, Symantec or McAfee.
Availability. Look for service-level agreements that assure close to 100 % uptime. Investigate the company's infrastructure: if a data center goes down, is another--preferably in the same hemisphere--going to take over transparently? This is your Web traffic, after all--it's one thing to lose Web security for an hour, another to lose Web access.
Latency is a related issue, but it's harder to assess and difficult to prove if the service provider, or other issues beyond its control, is responsible for slow performance.
Management interface. The service provider is doing the heavy lifting, but you'll still want to control policy changes, user access, etc. Look for something that's easy to use, allows you to delegate administration and manages multiple services from one portal.
Directory integration. This is absolutely critical for products and services. Web security gateways should give you granular controls over group and individual Web access and security policy, including exceptions for busy requirements, administered through Active Directory and other popular directories.
Send comments on this technical tip firstname.lastname@example.org.
This was first published in August 2009