
White Paper

Hybrid Web Security: The Best of Cloud Computing and On-premises Combined
HISTORY OF WEB SECURITY
Web security has evolved along with the Web itself and with the varying threats and attacks that need to be controlled at any one time. Initially, the biggest threat to people using the Web was accidentally viewing inappropriate content. This is where the original block lists came from, such as X-Block, a product in the history of M86 Security and one of the first products available from the 8e6 side of the business. Productivity became an issue when businesses started providing widespread access to users. To help manage time spent on shopping sites or personal email, time-of-day controls and quotas became popular. At this time, the threat from viruses and malware came mainly from floppy disk use, and then from email, with viruses attached to messages.

As can be seen from the graphic below, the actual malware threat only shifted to the Web in the last several years, initially with the bad guys bringing up their own Web sites, which were then listed by the URL filtering lists. Today, the reality is very different. Over 84% of all malware-infected Web sites are legitimate Web sites deemed to be safe by URL filtering lists. While many organizations today still consider URL filtering list-based products to be Web security solutions, in reality they are most useful for ensuring productivity. Organizations of all shapes and sizes need to consider a secure Web gateway solution to provide effective security for Web usage. As evidenced by the graphic below, the change between Web 1.0 and Web 2.0 has been very dramatic.
[Figure: Web 1.0 vs. Web 2.0. Web 1.0: the mostly read-only Web, 250,000 sites. Web 2.0: the wild read-write Web, 80,000,000 sites. 1996: 45 million global users. 2006: over 1 billion global users. Labels: Collective Intelligence, Published Content, User-generated Content.]

Another factor accelerating dynamic Web threats is the emergence of Web 2.0 and the resulting explosion in social networking sites. Web 1.0 is characterized as the read-only Web: you downloaded information and viewed information from Web sites, but contributed or uploaded very little.

The Web security threat has grown dramatically with Web 2.0 and the malware infection of legitimate Web sites. The social networking phenomenon has added rich social dialogue and crowd-based wisdom, but it has also provided a convenient cover to the bad guys by allowing them to capitalize on the lower suspicion level most users have when using the social network of their choice. Hence, more targeted and successful infections occur around Web 2.0 sites and activities. Other malware innovations such as polymorphic viruses have quickly emerged. In this case, the virus keeps changing itself on a regular basis to get around the signature updates. Another example is the runtime creation of viruses, which sees a different virus sample created for each user, again causing the effectiveness of traditional signature-based AV scanners to drop dramatically. In a recent study by M86 Security of 15,000 active live malicious Web sites, the combination of three leading AV scanners only yielded a block rate of 39%... combined!

TYPES OF ON-PREMISES WEB SECURITY

Historically, organizations have relied on gateway-based Web security solutions to provide an additional layer to desktop-based AV scanners. These solutions have largely grown from the URL filtering lists which delivered the first Web security protection. These products came either as specialist-built, dedicated appliances such as M86's Web Filter, or as software such as the M86 WebMarshal solution. Organizations chose between these two types of solutions depending on their actual requirements and preferences. There are advantages and disadvantages to each of these two on-premises options, and these are summarized in the table below:

REQUIREMENT: Ease of Installation
SOFTWARE: Varies. Typically good since software-based solutions are usually the first to market and pretty mature.
APPLIANCES: Varies; depends on the product. At the heart of every appliance is software and the maturity of this software which is usually coupled to ease of use can vary widely.

REQUIREMENT: Installation Flexibility
SOFTWARE: Good. Since software is installed on new or existing hardware, it will have many options when it comes to where it can be installed, and it can easily be shifted in case of hardware failure.
APPLIANCES: Poor. An Appliance solution is usually installed on a special dedicated hardware so it is difficult to plan for any hardware failures unless you have a spare appliance standing by, which is cost prohibitive. So do you invest in spare hardware or do you take the chance and have Internet usage that is not protected while the appliance is being fixed? This scenario gets easier in larger installations when you are relying on multiple appliances to scale, but you still need to allow for n+1 in case a single appliance does fail.

REQUIREMENT: Integration Options
SOFTWARE: Fair. Even though software solutions are typically first to market, looking at Web security solutions, software products do typically offer slightly fewer options when it comes to integrating the solution into your network and directory. If your preferred method is supported, then great, but this can be a limiting factor with software solutions.
APPLIANCES: Good. In the Web security market, some of the appliance-based solutions offer a wide range of options providing the customer with many options of how to integrate the solution into their network and directory.

REQUIREMENT: Cost-Effective
SOFTWARE: Good. Most software solutions provide good ROI and value for money. As with anything, you get what you pay for. Spend more for better quality and bigger features. Spend less for what you need right now. Ensure that the solution is expandable and future-proof.
APPLIANCES: Varies. The appliances themselves are a set configuration supporting a number of users. Anything below this minimum number and you will not be using the appliance to its maximum performance. Compare this to software solutions where other applications could be run on the same server.

REQUIREMENT: Performance
SOFTWARE: Varies. It is very dependent on the hardware on which the software is installed. Also, typically not able to make use of specialist performance-enhancing hardware options like SSL decryption cards, for example.
APPLIANCES: Good. Appliances are designed to do a defined job and just that job. Because of this, they will give excellent performance at doing that job.

REQUIREMENT: Reporting
SOFTWARE: Good. Most software solutions provide good reports. A few offer excellent reporting systems but most are relatively basic. This is a key area to examine when evaluating different solutions. Make sure that the solution provides the reporting measures that you require.
APPLIANCES: Varies. Usually equal to software.

REQUIREMENT: Security
SOFTWARE: Fair. Software solutions need to be installed and configured before they are usable. Also, if the server they are loaded on is being used for other tasks, any lock down and hardening you are able to do on the Web security solution will be minimized.
APPLIANCES: Excellent. As a single-purpose device usually based on a minimal operating system, appliance-based security products generally are a lot more secure than software solutions.


Another consideration with traditional on-premises Web security solutions was how they can be deployed or installed into an organization's network. Proxy server-based products are popular as they are in-line. 8e6 Technologies, now part of M86 Security, also popularized a pass-by method. Each of these methods offers advantages and disadvantages as shown below:
REQUIREMENT: Ease of Installation
PROXY SERVER-BASED: Difficult. Somehow all browsers need to be pointed through the proxy server either by manual settings on each workstation or by mandating settings through a group policy object, e.g., in Active Directory.
PASS-BY: Easy. Pass-by solutions are not in-line solutions. They basically just listen on the network for any outbound URL requests, and do this by connecting to a mirror port on a network switch. They simply plug into the network with no changes required on user browsers.

REQUIREMENT: Performance
PROXY SERVER-BASED: Difficult. Being an in-line solution means that the solution needs to scan and process all traffic in real time as it is moving through the solution; this will add a degree of latency. It is how noticeable the latency is to end users that will dictate how accepted the solution is. Key to maintaining minimal latency is ensuring the solution is internally architected as efficiently as possible, and then coupling this with realistic scaling to support true customer load.
PASS-BY: Fast. Pass-by solutions are not in-line so they do not impact user latency at all; they have zero impact in this area. However, to successfully control and block inappropriate browsing sessions, they must be scaled well enough to be able to beat any Web server responding back to a user request, because not only does the pass-by solution send a block page to the user, but it also sends a TCP reset to the Web server that the outbound URL request was made to.

REQUIREMENT: Policy Capability
PROXY SERVER-BASED: High. As an in-line solution, a proxy-based product is able to effectively scan all browsing requests to the Internet as well as the downloaded content coming back. They also have the ability to scan file downloads and uploads for malware and to ensure they meet any policy requirements.
PASS-BY: Minimal. Pass-by solutions are only able to scan for any outbound URL requests. This request occurs when a user clicks on a link or types a URL into their browser. The basis of any policy enforcement is the requested URL and who the user is.

REQUIREMENT: Security Coverage
PROXY SERVER-BASED: Good. As an in-line solution, proxy server-based products can look deeply into all content passing through the solution, analyzing not just the URL, but also page content for lexical analysis, active page content like scripts for any malicious indicators, and even file transfers for malware scanning.
PASS-BY: Minimal. Pass-by solutions only scan the requested URL, so any decision on whether to block or not is based only on the URL and any previous analysis that has been done on the URL.
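The pass-by performance entry above says the sensor must beat the Web server's response to the user. As an added illustration (not from the white paper or any M86 product), this Python model replays a constructed burst of requests past a sensor and shows when the block page wins that race and when the TCP reset reaches the server only after it has begun replying. The single-worker FIFO queue, all timings and all names are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    t_ms: float             # time the request crosses the mirrored switch port
    server_rtt_ms: float    # round trip between that switch and the Web server
    server_think_ms: float  # server time to produce its first response byte
    must_block: bool        # True if URL policy says this request is blocked


def simulate(requests, service_ms, sensor_to_client_ms=0.2):
    """Replay requests past a pass-by sensor; return one dict per must_block request.

    Assumed model: the sensor is a single FIFO worker spending service_ms on
    every mirrored request (allowed traffic also costs time). After deciding,
    it sends a block page to the client and a TCP reset to the server.
    """
    results = []
    sensor_free_at = 0.0
    for r in sorted(requests, key=lambda q: q.t_ms):
        decided = max(r.t_ms, sensor_free_at) + service_ms
        sensor_free_at = decided
        if not r.must_block:
            continue
        block_at_client = decided + sensor_to_client_ms
        reply_at_client = r.t_ms + r.server_rtt_ms + r.server_think_ms
        # Request and reset each need half an RTT to reach the server.
        server_starts_reply = r.t_ms + r.server_rtt_ms / 2 + r.server_think_ms
        reset_at_server = decided + r.server_rtt_ms / 2
        results.append({
            "t_ms": r.t_ms,
            # The client keeps whichever response reaches it first.
            "enforced": block_at_client < reply_at_client,
            "margin_ms": round(reply_at_client - block_at_client, 3),
            # True when the reset arrives after the server began replying.
            "server_replied": reset_at_server > server_starts_reply,
        })
    return results


def enforcement_rate(results):
    """Fraction of must_block requests where the block page won the race."""
    return sum(r["enforced"] for r in results) / len(results)


def burst(n=50, gap_ms=1.0, rtt_ms=20.0, think_ms=5.0):
    """Constructed workload: n requests gap_ms apart, every 5th one blocked."""
    return [Request(i * gap_ms, rtt_ms, think_ms, i % 5 == 0) for i in range(n)]


if __name__ == "__main__":
    for service_ms in (0.5, 2.0):   # sensor keeps up vs. sensor overloaded
        res = simulate(burst(), service_ms)
        print(f"service={service_ms}ms enforced={enforcement_rate(res):.0%}")
        for r in res:
            print("  ", r)
```

With the overloaded setting the queueing delay grows with every mirrored request, so blocks late in the burst lose the race even though the policy decision itself was correct.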

The common disadvantage of all of these solutions is that the organization has to house and administer them, including patching and other maintenance functions. This has given rise to a new option in which a third-party company hosts and maintains the security solution: cloud-based Web security.

ADVANTAGES OF ON-PREMISES WEB SECURITY

Data Control
For an organization that is governed by strict regulatory controls or is inherently very protective of all its data, having the Web security solution on site provides peace of mind, and may well be necessary to meet certain compliance legislation and guidance. Careful investigation of this area is suggested, however, as many regulations have not been updated for the new cloud computing world and may well be satisfied with appropriate controls or in-country cloud-based storage. Another consideration could be the local processing of reports on-premises, with the Web security logging data downloaded from the cloud solution. This idea has the benefit of scanning in the cloud, but all logging information and data is still stored back at the customer's site.

Infrastructure Configuration Control
On-premises Web security solutions have been available far longer than the newer cloud-based systems and as such typically deliver a very rich and granular capability. Many organizations also like the network deployment capabilities of on-premises solutions, including options like ICAP or WCCP, as well as the ease of connection to the corporate directory for user identification and policy definition.

This brings up an interesting area: that of user identification and authentication. These two terms may seem similar but they can be very different. User identification is the simpler task, which means that we have identified who we think the user is and will apply policy and track usage based on that profile. User authentication, on the other hand, is more of a guarantee that a particular user is who they say they are, obtained by forcing an authentication step each time they start a browsing session. More simplistic solutions may do this by presenting an authentication window to the user, which quickly becomes tiring; more mature solutions can use methods like Windows NTLM, which reports the local logged-on user, and you trust the authentication step that was completed when the user logged on. If your organization is particularly sensitive to Internet usage and relies on forensic-quality reports to report and act on inappropriate usage, you will need to consider authentication to provide a higher guarantee of a user's actual usage.

Security Data Location Compliance
Conflicting requirements from compliance regulations can be a big challenge, which can be further compounded by location-based requirements, such as data that cannot be held outside the country where the organization resides (Switzerland can be an example of this), or a requirement that all data be held in countries that have been approved in terms of data handling procedures. An example of the latter is the EU data handling regulations, which state that data can only be held in a country that has approved data management processes; at present, that excludes the USA.

Enterprise Security Control
Larger organizations will have many administrators who might only be responsible for a subset of users, so ensuring that they only have control over their subset of users can be very important; this is also known as delegated administration. Reporting is often based on this model: perhaps HR personnel can directly access the reporting console themselves and run just the reports that they need. With more administrators and report generators accessing the system, keeping track of any changes and actions is critical, and this is where audit logs come into play.

DISADVANTAGES OF ON-PREMISES WEB SECURITY

Total Cost of Ownership
On-premises solutions, whether they are appliance-based or software-based (which still need to be installed somewhere), incur capital costs for at least the related hardware requirements. Sometimes software licenses add costs if the solution is based on a perpetual license system where the customer purchases the user licenses just once. Then, the only ongoing costs will be maintenance. Other solutions will have a subscription system where you purchase access to user licenses on a yearly basis, which can be cheaper up front, but this advantage will decrease over time compared to a perpetual model. Whichever method is used, on-premises customers will have an upfront cost component as well as ongoing cost components.

Initial Costs
On-premises solutions do have a couple of licensing models, as covered above (perpetual or subscription-based), but both of these have an up-front component which will hit an organization's capital budget. Today, many organizations are looking to move as many expenses as possible to operating expenses, which is possible when costs occur on a regular basis, i.e., monthly or yearly.

Infrastructure Complexity Management
Today's threat landscape and the advent of Web 2.0 have resulted in not only more serious threats but also far higher volumes. This has resulted in more capable, but also more complex, security solutions. When integrated onsite, these solutions can demand significant server resources and can also be very difficult to properly integrate into an organization's network while maintaining performance.

System Version Updates
With the more serious Internet threats facing organizations today, and the speed at which new threats emerge, having an effective and resilient product updating mechanism is vital to ensure customers are protected as much as possible. The volume of product rule updates, threat data updates and product updates themselves keeps increasing. These can present challenges for organizations with strict change control processes, not to mention the quick fall-off of protection should something go wrong.

Mobile and Branch Office Support: Awkward and Expensive
Perhaps one of the most difficult requirements to solve with on-premises solutions is how to extend coverage to a mobile workforce and small branch offices. In the past, organizations have mandated that all mobile users connect back to HQ for Internet access, or that branch offices relay all of their Internet traffic back through HQ, where the on-premises solutions are located. Think of the ineffective case of forcing a small branch office in Singapore to connect back through HQ in the States for access to local Singapore Web sites. Also, mobile users will revert to what works the fastest, which is to go to the Internet directly, where they have little to no security coverage. So not only do they infect themselves, but what happens when they do connect back into the organization's network with infected laptops?

EMERGENCE OF CLOUD-BASED WEB SECURITY


The last 10 years in the software business have seen the rapid emergence of several new and industry-defining software providers who deliver solutions exclusively in the Software-as-a-Service (SaaS) model. Among the best known examples are Google and SalesForce.com. The network security business has mirrored this trend with fast-growing managed service providers such as Postini, MX Logic, and Message Labs quickly establishing a large market for email security in the cloud, over roughly the past 10 years. The market for cloud-based Web security has also rapidly emerged in the last three years, and is projected to grow at two times the rate of secure Web gateway on-premises appliances (per International Data Corp) over the next three years.

CLOUD-BASED WEB SECURITY TYPES


Cloud-based Web security can be divided into two primary architectural categories. Pure cloud Web security solutions run as software completely within Infrastructure-as-a-Service (IaaS) facilities, without any on-premises equipment or software. Pure cloud Web security is managed through browser-based tools and causes all subscriber HTTP/HTTPS traffic to route through the cloud node to deliver services like URL filtering, malware blocking, and content filtering.

Hybrid cloud Web security solutions run a combination of on-premises hardware/software and cloud-based software. The hybrid approach is often designed to meet specific requirements of existing on-premises appliance installations, such as adding support for mobile users or meeting requirements for logging and reporting data storage.

ADVANTAGES OF PURE CLOUD


Total Cost of Ownership
Software-as-a-Service delivered through rented cloud computing infrastructure (or Infrastructure-as-a-Service) is a proven cost reduction method for enterprise information technology consumption, made even more popular by the recent world-wide recession and slow recovery. Ownership costs for on-premises security solutions consist not only of standard licensing, support, and subscription charges, but also ongoing on-site information technology labor for systems management and maintenance. So-called Total Cost of Ownership, or TCO, is an advantage for pure cloud solutions, because initial startup costs are lower without licensed software or hardware. Pure cloud TCO also benefits from the ongoing management of the service in the SaaS facilities, where processes for systems management and maintenance are leveraged across thousands of systems. The following chart provides a typical comparison analysis of TCO for an on-premises vs. pure cloud solution for a 100-user small enterprise:

[Chart: TCO for On-premises vs. SaaS. Vertical axis: $0 to $18,000; horizontal axis: End Yr. 2 through End Yr. 7; series: On-premises, SaaS.]

As in most such analyses, the initial upfront costs for the on-premises solution are significantly higher, as are ongoing IT labor and support costs. Eventually the lines cross due to the effect of higher recurring costs with SaaS, but the crossing point may be several years beyond the useful life of the technology being consumed.

Initial Costs
Pure cloud solutions also benefit from the flexibility to incrementally deploy users based on gradual expansion. The typical on-premises purchase accounts for all eventual users of a system, and the quantity of hardware and/or software purchased for the system when fully deployed. Too frequently, it is several years or more after such purchases before all of the purchased licenses and devices are actually deployed to the full user base at full capacity. Pure cloud solutions are typically purchased by month or by quarter, and only for users as they are added to the service. Thus, pure cloud solutions offer much greater control over the timing of purchase costs associated with user rollout.

Simplification of Information Technology Resource Management
A typical on-premises system requires knowledgeable installation and management of the devices and/or software that surround and integrate with the solution. This means everything from network infrastructure equipment, to operating system patching, to database administration and management. Each on-premises installation is a collection of dependent subsystems which must be successfully managed both independently and collectively by on-site IT personnel. Pure cloud solutions outsource most of this problem to the IaaS provider, who is managing the dependent subsystems by platform across thousands of servers, switches, firewalls, and virtual machines. The only information technologies that need to be managed on-premises to consume SaaS from the cloud are PC systems with browsers and Internet connectivity. The result is a simple environment for delivering information technology to the enterprise.

Version and Feature Enhancement Benefits
SaaS vendors often implement their software in the cloud such that a single central version is configurable and manageable for all subscribers. This is often described as multi-tenancy. Multiple subscribers consume the application with safe access and management of their data. When SaaS vendors develop new features and functions, they can update the central version of the application and deliver it simultaneously to all subscribers. This can speed up the process of responding to feature requirements, because it eliminates the process of delivering and integrating new versions to thousands or more different on-premises installations.

DISADVANTAGES OF PURE CLOUD

Data Location Non-compliance
Pure cloud IaaS providers vary in their world-wide data center location coverage. SaaS vendors typically operate either from major IaaS facility providers such as RackSpace and Amazon Web Services, or have built up their own managed facilities. In either case, facilities are not located in every country, and certain countries mandate storage of logs and reports within their geographic boundaries.

Latency and Performance
Routing all inbound and outbound Web traffic through another network hop to the Web security cloud node has the potential to introduce response time delay for end users. The primary factors determining whether a performance impact is occurring include the end-to-end network throughput per user, and the load on the scanning service in the Web security cloud node.

THE BEST OF BOTH WORLDS: M86 SECURE WEB SERVICE HYBRID


M86 Security is now offering an option for the Secure Web Gateway which combines on-premises appliance technology with cloud-based Web security services. Known as M86 Secure Web Service Hybrid (SWSH), this option creates a unified Web security administrative process and system for security officers who must manage end user Web security across corporate on-network, mobile, and remote branch office use cases. SWSH also logs and reports all block cases to a single logging and reporting system which stores security data on-premises. Branch office and remote users route all Web traffic by either direct IP or proxy through the Web security cloud node services provided. For customers with existing Secure Web Gateway investments, or for customers with requirements that include mobile user and branch office support, unified logging and reporting, unified user administration, unified policy management, and report/log data location compliance, SWSH offers the best of both on-premises and cloud-computing worlds.

TRY BEFORE YOU BUY

M86 Security offers free product trials and evaluations. Simply contact us or visit www.m86security.com/downloads

Corporate Headquarters: 828 West Taft Avenue, Orange, CA 92865, United States. Phone: +1 (714) 282-6111. Fax: +1 (714) 282-6116.
International Headquarters: Renaissance, 2200 Basing View, Basingstoke, Hampshire RG21 4EQ, United Kingdom. Phone: +44 (0) 1256 848 080. Fax: +44 (0) 1256 848 060.
Asia-Pacific: Millennium Centre, Bldg C, Level 1, 600 Great South Road, Ellerslie, Auckland, 1051, New Zealand. Phone: +64 (0) 9 984 5700. Fax: +64 (0) 9 984 5720.

Version 04/06/10

Copyright 2010 M86 Security. All rights reserved. M86 Security is a registered trademark of M86 Security. All other product and company names mentioned herein are trademarks or registered trademarks of their respective companies.
