WHITE PAPER
Thinking Inside the Box: Benefits of an Internet Filtering Appliance
Sponsored by: St. Bernard Software
Brian E. Burke, Christian A. Christiansen
May 2004
P.508.872.8200
F.508.935.4015
IDC OPINION
The phrase "thinking outside the box" is often used to describe the creative process of coming up with a unique idea or process outside the norm. In this white paper, we use the phrase "thinking inside the box" to describe the benefits of an appliance-based Internet filtering solution that provides corporations, government agencies, and educational institutions with a cost-effective way of managing Internet access. This white paper describes the implementation and management issues of traditional software security solutions and discusses the critical elements that make for lower-cost and easier-to-manage Internet filtering solutions. The document outlines the benefits of security appliances that focus on reducing complexity, increasing end-user productivity, minimizing configuration errors, and providing management with an easy-to-deploy true hardware appliance. This white paper highlights St. Bernard's iPrism solution and addresses the key ingredients in a comprehensive, cost-effective means for monitoring, filtering, and reporting Internet use.
The security appliance market ranks among the fastest-growing segments of the worldwide IT security market. Because appliances have a low total cost of ownership (TCO), ease administrative overhead, facilitate management, consolidate support, and scale efficiently, their success is not surprising. Worldwide revenue from the security appliance market reached $2 billion in 2003. IDC forecasts that the security appliance market will increase at a 24% compound annual growth rate (CAGR) and reach $4.73 billion in 2007. Moreover, the secure content management (SCM) segment of security appliances (which includes Internet filtering) reached $379 million in 2003, representing an 83% growth over 2002. IDC believes that the market for SCM appliances will grow explosively over the next five years.
We forecast the SCM appliance market to grow from $379 million in 2003 to almost $1.6 billion by 2007, representing a 66% CAGR from 2003 to 2007.
METHODOLOGY
IDC developed this white paper using a combination of existing market research and direct, in-depth, primary research. To gain insight into the challenges facing various organizations and to learn more about how St. Bernard's iPrism helps address these challenges, IDC conducted in-depth interviews with IT executives at companies in the banking, education, and marketing sectors. In addition, IDC met with the St. Bernard team to review its goals and tactics. This study reflects all of these research perspectives.
SITUATION OVERVIEW
Simplifying Web Filtering
Corporate IT departments continue to experience budgetary pressures with regard to proper staffing levels while simultaneously being asked to provide higher levels of network accessibility, business continuity, and most of all, security. IT managers often must manage these expanding infrastructures with relatively bare-bones staffing and resources. Given these limits, they often look for "staff-easy" solutions that require minimal human intervention and relatively little training to manage. The cost associated with training the IT staff alone can be a heavy burden for corporate IT budgets. To meet these objectives, organizations are increasingly looking to appliance-based solutions (see Table 1).
TABLE 1
Web Filtering Critical Success Factors
Provide easy installation and configuration
Single-purpose, ready-to-go appliances often deploy with a simple wireline plug-in. Unlike software deployments, appliances eliminate many time-consuming separate installation and operating system version synchronization processes. Overall, organizations can administer appliances with fewer highly trained staffers because they need not deal with system synchronization and upgrade issues. Appliances do not require IT staff to learn arcane manual commands and protocols in order to configure and monitor network security or maintain the product itself.
Simplify administration
Products that enable central management of multiple remote configurations simplify administration. Moreover, the ability to handle administration tasks conveniently from a Web-based system administration console that IT staff can access from any location is extremely productive and cost effective. Users have a tendency to "experiment" with things, and the black-box approach limits the damage caused by curious users. Appliances not only improve security, they also reduce trouble calls to the help desk.
Customers rarely have the time or expertise to troubleshoot a problematic appliance. Therefore, it is more efficient to replace the faulty system with a fully functioning machine rather than try to fix it onsite. A quick replacement strategy ensures that customers quickly return to normal operations. Moreover, nontechnical personnel at remote sites can easily disconnect the old system and replace it with a new one. Because the new system is configured from a central location, the need for technical staff members to be onsite or to travel to remote locations is eliminated.
#4097
2004 IDC
To help circumvent the preceding situations, the ideal solution for corporations and HR departments should offer:
• Customization and flexibility. Corporations and HR departments need a customizable and flexible solution to easily enforce their acceptable usage policy (AUP).
• Ease of installation and configuration. One of the main benefits of security appliances is that they have very few installation and configuration issues.
• Accurate database and comprehensive reporting. Corporations and HR departments require an accurate database of URLs to minimize employee complaints of false positives and reduce help desk calls. They also need a comprehensive reporting tool that is easy to use and accurate.
• Children's Internet Protection Act (CIPA). CIPA pertains to filtering requirements for K-12 schools and libraries that provide Internet access and receive certain types of federal funding. This law requires schools and libraries to adopt an "Internet Safety Policy" and install filtering technology in order to receive certain federal funds. CIPA applies to all schools and libraries that receive discounted rates for the purchase of equipment and services used to access the Internet through the E-Rate program, the Library Services and Technology Act (LSTA), or Title III of the Elementary and Secondary Education Act (ESEA).
• Child Online Protection Act (COPA). COPA offenders who make "harmful" material available to children can be forced to pay a daily fine of up to $50,000 per violation, and they could spend up to six months in jail. The federal government can also sue in civil court for up to $50,000 per day and per violation. The enforcement of COPA is on hold as the Supreme Court and the American Civil Liberties Union (ACLU) consider the First Amendment issues raised by COPA's restrictions on Internet speech.
The ideal solution for schools and libraries should offer:
• Ease of use. Because of scarce resources, overextended IT staffs in many schools and libraries struggle with implementing and maintaining a complex security and filtering system. Therefore, ease of installation and maintenance is essential when providing a Web filtering solution.
• Customization. Schools and libraries need solutions that can be customized for certain grade levels and that offer different policies for staff and students.
• Low total cost of ownership (TCO). The TCO for Internet filtering is very important because most schools and libraries have tight budgets and limited IT staffs. TCO involves not just the cost of the solution but also the time spent by IT managing the solution.
iPrism Overview
iPrism is a hardware appliance that monitors, filters, and reports on inappropriate Internet access within businesses, government agencies, and educational institutions. iPrism is a true hardware appliance that provides IT professionals with an easy-to-use, comprehensive solution for managing users' Internet access while ensuring enforcement of an organization's AUP. The five most important characteristics of appliance-based solutions are:
1. Optimized for single-application Web filtering
2. A true appliance with a hardened operating system for optimal security
3. Automatic updates for database, operating system, and software
4. Easy to install, configure, and maintain for decreased TCO
5. Self-contained solution (no additional hardware or software required) to be full featured
Completely self-contained and transparent to end users, iPrism can be installed into a network without any additions to workstations or installation of software. The most common and easiest way to deploy iPrism is as a transparent bridge. When iPrism is configured to operate as a bridge, it is generally deployed between the firewall and internal network. In this configuration, iPrism transparently bridges all protocols between its interfaces. As a bridge, iPrism requires only one IP address, which it applies to both of its interfaces, as shown in Figure 1.
FIGURE 1
iPrism as a Bridge
On the surface, the repurposing of existing hardware and operating systems would seem to save money. However, IDC believes that this situation creates an inequitable trade-off. In other words, the cost savings from reusing old hardware is eliminated by the IT administrative costs of uninstalling unnecessary applications, deleting old data, reconfiguring the operating environment so it is secure, and reducing access privileges to just administrative personnel. Like many appliances, iPrism's operating environment reduces administrative overhead. Because there is no operating environment licensing fee with iPrism, IT departments do not have to deal with licensing issues, upgrades, and patches from a third-party vendor. An advertising agency summarized the appliance benefits as follows: "I would give it [iPrism] an A for ease of installation, management, and setup. The depth of coverage is definitely an A. Across the board it has been an awesome appliance. It really was painless."
The majority of customers we interviewed said that they collected data before turning on the blocking. This makes the reporting feature critical to the customers' evaluation process because the reports essentially guide their initial policy creation. Because Web filtering is often a partnership between IT and HR, the reports must be easily understood by all parties. Moreover, senior management often wants to see the results as well. Therefore, reporting must supply graphical output that can accommodate their requests for high-level and detailed views of employees' Web browsing. All HR-related information is sensitive and may be the subject of litigation (e.g., contested disciplinary actions or wrongful dismissal suits); therefore, IDC believes reports must be protected from unauthorized access or changes. iPrism provides this protection by allowing the administrator to delegate access to run and view reports only to specified people in the organization. The flexibility of reporting is highlighted by a midwestern school district's need for auditing in an unusual situation. A number of teachers in the school district participate in virtual race teams, including NASCAR. The superintendent was concerned with the amount of work time being spent on these hobbies. Using iPrism, the school district was able to track employee activity and report on this activity on a daily basis. The IT administrator for the school district told IDC, "We found that some people were spending 4 or 5 hours a day [on these virtual race team sites]." Equipped with this information, the school district was able to tackle and resolve the problem. The reporting was accurate and easy to use, with the IT administrator remarking that "having those reports sent to my email box makes it even nicer." In this case, not only was the IT administrator happy, but the superintendent also appreciated his efforts. 
An advertising agency pointed out the need for good reporting so that IT could report to HR and tune iPrism: "The [policies] we have been able to self-define have been great. We can tweak [the reporting] and find out things that we needed to see in order to take numbers up to HR." In particular, management personnel at the agency appreciated the detailed reporting and the amount of information they were able to gather during their 30-day evaluation period. They stated that being able to sort by type of site as well as by usernames was extremely helpful. Reporting was essential to the IT administrator, who further commented, "The reporting was very solid."
Easing Customization
After monitoring and evaluating users' Internet usage, companies must then address the next major step: policy creation. Policy creation is an iterative process that evaluates the early reports against business units' individual needs. Customization is needed to handle the many policy creation issues. For example, several education IT administrators pointed out that a commercial filtering solution with a "one-size-fits-all" configuration doesn't work for them. iPrism gives organizations the ability to add sites to and/or delete sites from the iPrism database as well as create custom categories.
A bank indicated that iPrism required very little customization. The network administrator at the bank told IDC, "We just checked off certain groups of Web sites that we wanted to eliminate, such as sports, gambling, games, etc." Moreover, many organizations also want the ability to set custom policies depending on the time of the day. For example, organizations may allow employees to visit nonbusiness-related Web sites during their lunch hour. The same bank said that it allowed everything to go through at first to provide a baseline of what sites were being accessed. Armed with this knowledge, the bank was able to configure iPrism to allow its employees to access the most popular sites only during certain times of the day.
Operation
Keeping the appliances and Web filtering running consistently and reliably is crucial. This means reducing downtime to a minimum and ensuring that failures are quickly resolved.
Managing Remote Sites
To further simplify network management, Web-based management interfaces enable IT to manage these appliances from any location. One IT administrator reported that he was still able to administer his iPrism appliance when he was out of town, which he felt was a particularly important benefit. Administrators do not have to worry about software or database updates because they are automatic with iPrism. All these features lead to streamlined, centralized administration that reduces complexity and travel to individual sites.
Minimizing Downtime and Support Issues
Small and medium-sized firms just don't have the time or resources to deal with complex support issues. IDC believes these firms like appliances because they want one vendor and "one throat to choke" when things go wrong. Downtime is especially loathsome for any IT manager, but small and medium-sized companies often can't afford highly available systems. In the event of failure, customers want a rapid fix or replacement. Several IT administrators said, "[Our iPrism] hasn't had any downtime at all." One education customer felt confident that the failure of one box would not cause any problems: "Since St. Bernard has a 24-hour replacement policy, if it does go down, I can have one here the next day." When we asked the IT administrator at a regional bank in the western United States whether or not appliances have any specific benefit over software, he said, "I need something that I can completely rely on. If I have any issues with the [iPrism appliance], I know I can just call the manufacturer and they will support me from the screw to the software. I don't have to worry about a hard drive or a CPU or something like that going down. I feel that an appliance has big advantages over a software-only solution [in ease of maintenance and support]."
However, customers like it even better when support is not needed. Several IT administrators commented, "Yes, once you get it [iPrism] all set up and configured, you can pretty much just leave it alone. You don't need to baby-sit it, which is nice." Because appliances are integrated at the factory by a single vendor, they tend to cause fewer problems, and the appliance's single-vendor solutions mean that support questions are handled quickly and completely. Overall, iPrism customers rarely had support problems and felt that any problems that occurred were handled efficiently.
Future Planning
Planning for the future is a broad topic, but respondents pinpointed two major goals: dealing with growth in headcount and changing user behavior.
Anticipating Scalability Needs
A bank voiced concern about the scalability of client-based solutions relative to that of appliance-based solutions. The bank considered several software packages, but it did not like the fact that implementing them meant leaving software on each workstation. It also had concerns with scalability. In the end, it felt that iPrism addressed both of these concerns. The bank simply stated that with iPrism "you don't have to worry as you scale." Because the bank felt it could easily add appliances for scalability, it was comfortable with iPrism's ability to support its long-term growth plans. Moreover, the bank, along with several other customers, cited iPrism's central management feature that allows administrators to manage additional appliances at remote sites without deploying additional administrative personnel.
Changing User Behavior
Modifying user behavior to reduce administrative overhead is another factor in lowering cost. When asked about iPrism's performance, an IT administrator for an advertising agency addressed this issue but also commented about user behavior and bandwidth utilization. He mentioned that iPrism keeps up with the load and added, "I haven't noticed any slowdown in traffic. If anything, since people know that [iPrism] is now in place, they are not using up bandwidth to [access disapproved Web sites]." Most customers with whom we spoke cited the reduction in bandwidth usage as a significant benefit. While they could not enumerate the benefit, customers generally view bandwidth as limited and costly. Moreover, senior management is often asked to fund more bandwidth and would naturally favor a Web filtering solution that conserves bandwidth and thereby avoids expensive upgrades.
CHALLENGES/OPPORTUNITIES
Customers were decidedly positive about iPrism. In fact, it was difficult to elicit any criticisms or challenges. When pressed, they mentioned two concerns:
1. Product range is not a current issue, but a few customers indicated that they would like a larger model in the future. (Currently, iPrism is available in only one model, although St. Bernard plans on releasing a high-performance model in August 2004.)
2. Storage capacity for logs is driving the need for larger appliances, not CPU. To solve the storage issue, some customers have moved the logs to other servers, but they would like to keep the logs on the box in the future. This would provide a complete audit trail in case of legal challenges. However, we believe the customers who noted this issue were probably using older models of the hardware. St. Bernard informed IDC that it had addressed this issue with a product release last year.
Opportunities
In addition to their interest in larger appliances, customers raised the possibility of integrating Web filtering with email security. Many customers indicated that they are running iPrism with St. Bernard's ePrism email security appliance, yet we found it surprising that no one asked for the consolidation of these two appliances into a single box. Overall, we believe that St. Bernard may provide this merged capability in a future product release. Given St. Bernard's position as a leading appliance-based Web filtering solution vendor and the high levels of current customer satisfaction, we believe that its future developments will accelerate the acceptance of Web filtering and email security appliances.
CONCLUSION
St. Bernard's iPrism appliance provides corporations, government agencies, and educational institutions with a comprehensive, cost-effective way of managing Internet access. Appliances combine flexibility, performance, and administrative efficiency into one box. iPrism takes these benefits and applies them to the Web filtering market. More important, it offers a robust solution that complies with midtier customers' unique requirements for simple operation, lower administrative costs, and solid support. St. Bernard has done a superb job of providing an appliance-based approach to the complexities of Web filtering. Greater content management and access control will help enterprises, government agencies, and educational institutions enable essential Web-based business initiatives more securely and easily. Overall, IDC believes the iPrism appliance from St. Bernard is well positioned to serve the broad base of market demand for an easy-to-use and cost-effective Web filtering solution.
iPrism is a registered trademark of Internet Products Inc. Internet Products is a wholly owned subsidiary of St. Bernard Software Inc.
Copyright Notice
External Publication of IDC Information and Data
Any IDC information that is to be used in advertising, press releases, or promotional materials requires prior written approval from the appropriate IDC Vice President or Country Manager. A draft of the proposed document should accompany any such request. IDC reserves the right to deny approval of external usage for any reason.
Copyright 2004 IDC. Reproduction without written permission is completely forbidden.