News Stay informed about the latest enterprise technology news and product updates.

Web security strategy: Use cloud security services

Web security used to be mainly URL filtering and protocol validation, but as Eric Ogren explains, Web security clouds improve security with little impact on performance.

If you haven't focused on an enterprise-wide Web security strategy then it's time for a reality check. It's safe to assume that various parts of your organization are using Web applications and a cloud computing infrastructure or services, and the time to wrap a security strategy around that is now.
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

The recent Cisco Systems 2009 Annual Security Report illustrates the need for sound planning heading into 2010. Cloud-based tools and productivity applications that leverage the cloud are likely already being used in your organization and attackers are ready to pounce.

Traditional Web security primarily consisted of URL filtering, HTTP protocol validation, and single sign-on access controls. However, malware authors infect legitimate websites or change domain profiles faster than reputation systems can adapt, repositioning the effectiveness of URL filtering from antimalware security to acceptable use policy enforcement.

Protocol validation has been consolidated into firewalls to be able to catch traffic anomalies at the network edge before downstream systems can be affected. Web security has been left to endpoints, which makes updating signature definitions and software functionality costly for IT.

Eric Ogren's weekly security column:
Database activity monitoring lacks security lift: IBM's acquisition of Guardium does not validate DAM as a viable security market segment. The market has been hyped, says security expert Eric Ogren.

Health Net breach failure of security policy, technology: Investigators should question why an external hard drive contained seven years of data, but IT security should have had the appropriate security policies and technologies in place.

Secure your remote users in 2010: As companies shave operational costs by hiring more remote workers, IT security teams should plan to protect sensitive data being used by a highly mobile workforce in 2010

The good news for IT is that Internet traffic can be redirected through Web-based security clouds while retaining acceptable performance. Cloud security services can centralize processing and administration tasks, making it easier to scale effective security to enterprise levels while controlling costs.

Inbound traffic can be inspected for malware and authenticated access control enforced; outbound traffic can be checked for regulated data and transparent encryption applied according to policy. Administratively, centralizing Web security controls can facilitate adding application-level security for new Web-based applications and increasing inspection capacity for enhanced performance without widely distributing management burdens.

There are different approaches to Web security that can be blended to fit the requirements of the network infrastructure. Appliances, such as Microsoft's TMG or Check Point Security Inc.'s Gateway with a Web security software blade, work well in supporting branch offices or in cases where high performance filtering achieved by a dedicated appliance is required. Security cloud services, including those offered by Trend Micro Inc. and Zscaler Inc., allow security technologies to efficiently filter recognized malware without mass distribution of signatures to throttle low priority applications that consume network bandwidth, and allow all users to instantly benefit when new security features are added.

Corporate security clouds can follow the same model. This may be particularly desirable for data loss protection features where the enterprise prefers that blocked messages and data reside in on-premise systems rather than in a security service provider data center. Virtual desktop infrastructure projects also give IT the opportunity to deploy security as an independent security cloud. Instead of embedding Web security software in each VM or installing on each virtualized server, IT teams can route external-oriented traffic through security products to protect the business. For instance, Xceedium Inc. allows IT granular control over Internet access from within the data center while HyTrust provides controls over privileged user actions in a virtual data center -- both important capabilities in separating applications and desktops from security policy enforcement.

SearchSecurity radio:

While security teams are examining the feasibility of Web security clouds to protect the business, they can also investigate virtualizing help desk capabilities. Citrix Systems Inc. and Bomgar Corp. are two vendors that can easily download dissolvable agents over the Internet, allowing IT to support remote users over the Web. This approach relies on Web security to drive the costs out of service desk operations (e.g. fewer system software refreshes) and increase end-user satisfaction with quicker security and configuration problem resolution. While looking at assigning Web security responsibilities to security clouds, IT can also streamline service desk operations with centrally managed remote support software.

Enterprises that have yet to do so should reserve 2010 resources to re-examine the trends of Web security, the impact on the business and alternative approaches to meeting the security needs of ubiquitous Web access.

Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to

Dig Deeper on Cloud Security Services: Cloud-Based Vulnerability Scanning and Antivirus

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.