IDC ANALYST CONNECTION

Phil Hochmuth
Program Manager, Security Products

Considering a Move to Cloud-Based Web Security? Answers to Your Top Questions
October 2012
With the rise of cloud applications and an increasingly mobile workforce, Web security that can be delivered as a service across a global network is becoming critical in order to protect users and ensure that policies for social media and other traffic can be enforced consistently anywhere at any time. Along with protecting employees who are using company-owned mobile devices, enterprises must efficiently secure an increasing number of mobile workers who are using unmanaged devices (bring your own device, or BYOD). Cloud-based Web solutions can secure mobile users without requiring VPN backhaul to an onsite gateway or security agents installed on clients.

The worldwide Web security market reached $1.9 billion in 2011, growing 12.1% over 2010, and IDC predicts that the market will grow to $3.2 billion in 2016, representing an 11.2% compound annual growth rate (CAGR) from 2011 to 2016. Web security SaaS will be the fastest-growing segment of the Web security market. Web security SaaS will grow from $250.4 million in 2011 to $695.2 million in 2016, representing a 22.7% CAGR. Pressure on enterprise IT security teams to secure and control corporate data in an increasingly unmanaged endpoint environment is driving much of this market growth; more than a third of enterprises cite data loss as their top security concern, according to IDC's 2011 Security Survey; meanwhile, nearly two-thirds of enterprises are challenged by end users who do not follow corporate security policies.

The following questions were posed by Blue Coat to Phil Hochmuth, program manager for IDC's Security Products service, on behalf of Blue Coat's customers.

Q. What are the top business or security challenges and requirements driving Web security SaaS adoption?

A. One initial challenge is the general extension of the security perimeter.
For most enterprises, the corporate boundary between the external Internet and internal networks and LANs has essentially dissolved as more employees are using mobile devices outside the office. This is a result of more people working from home as well as corporations extending to more branch and remote offices globally. It is more difficult to maintain the traditional network perimeter in these scenarios. Having a "hard wall" around employees has always been the main defense and control point for enterprise security. Mobile devices stretch the control zone that enterprises traditionally had over endpoints, often making these controls less effective or inefficient to implement. Another challenge is the explosion of social networking use. Social networking can be both a time-wasting tool and a productivity-enhancing tool for enterprises, depending on how it's used and who is using it. For example, many enterprises have official Twitter and Facebook accounts, and certain employees are required to access them and keep them up to date. The new reality in many enterprises is that employees increasingly need real-time access to

IDC 1385

social networks, both inside corporate perimeters and during off hours or from remote locations, and the need to ensure that corporate policies for these applications "follow the user" is becoming acute. Cloud-based security solutions can provide a more overarching and ubiquitous type of security service, and mobility and social network usage are two very good reasons that enterprises are looking at these kinds of solutions. A cloud-based solution can deliver consistent, universal security policies for users wherever they are located (inside the office, at home, or in a hotel room) at any time.

Q. What are the top features that enterprises look for in cloud-based Web security?

A. Scalability is key: the ability to handle lots of traffic with low latency as well as enable universal delivery. Enterprises need services that are always available and that provide the same user experience no matter where a user is located. This requires a Web security vendor to have a global presence in terms of datacenters for regional support as well as things like redundant hardware, tier 1 connectivity, and strong SLAs for each location. Another important feature is the ability to enforce policy controls over social media applications across all platforms: desktops, laptops, mobile browsers, etc. This is something that advanced Web security solutions are moving toward. Also, as with an on-premise Web security solution, a cloud-based solution must have strong bidirectional threat detection capabilities, including the ability to see incoming threats (i.e., viruses or malware) as well as outgoing threats (i.e., Botnet commands) and control traffic or sensitive data that might be leaving the organization through a Web channel. Inbound-only detection falls short of identifying data streams that could be threats.
Often, this outbound data can be more damaging to an organization than inbound threats; it could involve a compromised corporate PC sending attack traffic to another site or individual (under the control of cybercriminals) or an employee or an outsider intentionally sending out (or extracting) valuable data via the Web. As a result, having bidirectional traffic inspection capability is critical.

Q. What is hybrid Web security, and what are the most important criteria enterprises should look for when deploying this security architecture?

A. Hybrid Web security is a combination of on-premise Web security appliances (or virtual appliances) and a cloud-based Web security service. The idea is that these complementary technologies can protect corporate users and data regardless of device or location. Generally, the two platforms are used in concert, where cloud services protect mobile/remote workers and on-premise appliances/software protect in-office employees. The approach can provide broader security controls and more flexibility in terms of handling some of the challenges related to mobility and social networking. One important criterion of hybrid is the ability to create policies in a single place, a "universal policy," which an organization can deploy and enforce on both platforms. For example, an end user who accesses a social networking site on a corporate laptop, whether at the office, at home, or in a hotel on a business trip, would still be controlled by policies in a hybrid Web security scenario: When the employee is outside the perimeter, the laptop is secured by the cloud service; when the employee is on-premise, the laptop is secured by the gateway or virtual appliance. However, the true value of hybrid is not to simply apply the same policy everywhere. The ability to have policies that automatically adapt based on the context of the end user's connection, location, and device is another important aspect to consider. In the traveling
employee scenario, when the employee moves from inside the office to a less secure environment, such as a hotel, the security controls might actually be adjusted. The policy might tighten the level of access of the employee or limit things that the employee can do when connecting from an unsecure location versus the corporate LAN. Having policies that not only can be enforced on both cloud and on-premise platforms but also can factor in the context of the connection and end-user activity is a differentiating capability. Unified reporting is also an important aspect of hybrid Web security. The ability to understand all corporate user activities in a single unified format, both when users are in the office and when they are traveling and using laptops or tablets, is an increasingly critical feature for Web security deployments that integrate on-premise and cloud-based Web security solutions.

Q. How is the BYOD phenomenon affecting enterprise Web security, and how are IT security professionals reacting to it?

A. While enterprises are just starting to understand how to secure company-issued mobile devices, BYOD adds an additional level of complexity. More than 40% of enterprises in IDC's 2011 Security Survey said that the introduction of unmanaged mobile devices into their environments would be a top security challenge over the next year. However, enterprises are worried about more than just the devices; they are also concerned about what employees will be doing on these gadgets. Nearly 50% of enterprises cited increased sophistication of attacks (such as targeted attacks) as a top challenge, while nearly 60% of enterprises said they are worried most about employees underestimating the importance of following corporate security policies. Enterprises know they need to secure the use of devices that they do not own or control while considering the dual scenarios of business use and personal use of these devices.
There is less control over these devices in general versus a traditional laptop or even a tablet that might have been issued by the corporation to the end users. With BYOD, enterprises are not able to put agents on clients, whether for antivirus, bandwidth management, Web security, or site monitoring tools. Organizations just don't have the access to the machines. In response, many organizations are looking at cloud-based Web security to control this situation. They see cloud as a solution to address the BYOD problem. Whether the device is on-premise or offsite, it can still connect to the cloud service, which will provide a level of security that follows the device wherever it goes. Additionally, certain advanced cloud/SaaS services can provide universal policy protection regardless of the type of network the device is attached to: on-premise LAN, unmanaged WiFi, or the employee's personal 3G/4G connection.

Q. Can you talk about best practices for securing personal mobile devices?

A. The first step many enterprises take in controlling BYOD environments is setting expectations as to what types of applications and tools will be made available to these devices. Not every internal corporate application can be feasibly delivered to all types of personal devices. A trade-off scenario between the end user and IT must be established; personal devices are fine to use, but certain restrictions or policies will be enforced. The same acceptable use policies for Web access and data access should be expected on personal mobile devices, especially when workers use these devices on corporate WiFi networks. Some enterprises have had success setting up tiered levels of service for BYOD, depending on the level of corporate control that is given to these devices. For instance, for completely unmanaged devices, control policies might mirror the type of access that is given to guests or visiting contractors: limited Internet access or even a captive portal for tracking
and auditing. Some enterprises are also deploying "containerization" strategies for corporate application and data access; this can involve providing access to virtual desktops on personal devices (such as noncorporate PCs or tablets) or deploying mobile device management (MDM) technologies that can provide "sealed off" access to corporate data and applications on personal smartphones, without allowing data to be downloaded or saved to the device. Even with these types of access controls and security infrastructure in place, gaps in security and control can occur. Enterprises can tightly control what resources personal devices can access on the corporate network. However, there is a blind spot in terms of what other types of applications and tools are running on personal devices. Applications in particular are an issue because end users may be using their own applications on personal mobile devices that are attached to a corporate WiFi network. These applications, downloaded by end users to their own personal devices, could be used to transmit or share sensitive files of information or violate corporate acceptable use policies. In addition, this traffic can fly under the radar of tiered access control infrastructures. A cloud-based Web security service can provide additional features to fill in this security "app gap"; a cloud-based Web security service separate from on-LAN infrastructure controls can block such applications from using the corporate network. In scenarios where BYOD endpoints can be configured to proxy through a cloud service, this type of protection follows the BYOD end user beyond the corporate network to other WiFi or cellular connections.

ABOUT THIS ANALYST

Phil Hochmuth is the program manager of IDC's Security Products service. In this role, he conducts primary research and provides insight and analysis on a range of enterprise security markets, including data loss prevention (DLP), information protection and control (IPC), messaging security, and Web security. His research also examines the convergence of these, and other, security technologies as enterprises address new and evolving data security challenges.

ABOUT THIS PUBLICATION

This publication was produced by IDC Go-to-Market Services. The opinion, analysis, and research results presented herein are drawn from more detailed research and analysis independently conducted and published by IDC, unless specific vendor sponsorship is noted. IDC Go-to-Market Services makes IDC content available in a wide range of formats for distribution by various companies. A license to distribute IDC content does not imply endorsement of or opinion about the licensee.
COPYRIGHT AND RESTRICTIONS

Any IDC information or reference to IDC that is to be used in advertising, press releases, or promotional materials requires prior written approval from IDC. For permission requests, contact the GMS information line at 508-988-7610 or gms@idc.com. Translation and/or localization of this document requires an additional license from IDC. For more information on IDC, visit www.idc.com. For more information on IDC GMS, visit www.idc.com/gms. Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com

2012 IDC
