Sample 1

Uploaded by

shwteszt

Magic Quadrant for Secure Web Gateway

Gartner RAS Core Research Note G00172783, Peter Firstbrook, Lawrence Orans, 8 January 2010

The SWG market continues to experience solid growth as enterprise customers scramble to improve defenses from an increasingly hostile Internet and safely use increasingly interactive Web applications.

WHAT YOU NEED TO KNOW


The secure Web gateway (SWG) is a critical tool for protecting endpoints from various forms
of malware and other security risks, and for monitoring and controlling potentially dangerous
Web traffic.

Proactive inbound and outbound security filtering technology should be the No. 1
consideration when selecting an SWG solution.

Ease of administration and scalable reporting is the second most important consideration,
and there is significant differentiation in this aspect of solutions.

Organizations must consider mobile devices and smaller branch offices when selecting
solutions, and highly weight Web security as a service (SecaaS) delivery capabilities.

Web application control and data loss prevention are important considerations for future-
proofing investments; however, these features are not very mature or widespread.

MAGIC QUADRANT
Market Overview
The SWG market continues to evolve rapidly. Enterprise IT organizations are under business
pressure to open up their networks to Internet applications, while struggling to keep Internet-
connected endpoints free from malware. SWGs provide filtering and control over the Internet
while enabling the broader use of beneficial interactive Web applications. As a result, security
has eclipsed employee productivity monitoring (i.e., URL filtering) as a primary motivator of
buyers in this market. SWG buyers are typically “Type A” security-conscious organizations in
industries such as finance, government agencies, defense, high-tech and pharmaceuticals.
However, we are starting to see more broad-based horizontal distribution of organizations
looking at SWGs to improve their endpoint security posture. Typically, these mainstream
adopters have been infected by malware, and an SWG represents the fastest and often least-
expensive means to improve endpoint security to thwart future infections.

Innovation and feature development are still being driven by smaller, dedicated SWG
companies; the traditional incumbent URL-filtering, antivirus and proxy cache vendors are
still playing catch-up. Despite rapid feature development, we still find it difficult in this market
to select vendors that satisfy buyers in all product features. Organizations should carefully
consider their needs before they attempt to select vendors, and stay focused on needs
during the selection process.
Buyers should consider the URL categorization (particularly dynamic categorization) and security “service” or “subscription” aspect of the solution to be of critical importance, and look for vendors that have the resources to stay current with the rapidly changing content and threat landscape.

Security remains the No. 1 differentiator and primary purpose of an SWG. We put extra emphasis this year on real-time detection techniques that go well beyond file signature, URL categorization or static policy-based protection mechanisms. Unfortunately, real-time security detection methods are very difficult to evaluate and test, and no standard testing methodology has emerged. We recommend organizations test shortlist solutions in their networks to gather real-world results.

URL classification and reporting is a close second critical capability, especially given that most organizations would like to consolidate proxy, application control, security and URL filtering/reporting into a single solution, and leverage the existing URL-filtering budget. To do this, they need, at a minimum, to replicate existing reporting, and ideally improve on it with more-dynamic dashboards, graphical reporting and better custom report creation capabilities. As more and more Web content becomes user generated, organizations that are concerned about acceptable usage should seek out solutions that offer real-time content classification in the gateway based on keyword analysis and other indicators.

Web application control, and in particular bandwidth management of applications, is an increasing requirement as organizations try to keep costs down and improve critical application performance. Data loss prevention (DLP) continues to be a differentiator of solutions, and we expect that more SWG vendors will add DLP capability in 2010. However, enterprise needs for DLP are still embryonic, and buyers must be careful to consider DLP across all channels. DLP policy synchronization is one of the primary reasons for integration of Web and e-mail security gateways; however, this capability is still rare — even among providers with both solutions.

[Figure 1. Magic Quadrant for Secure Web Gateway. Axes: ability to execute, completeness of vision. Quadrants: challengers, leaders, niche players, visionaries. Vendors plotted: Blue Coat Systems, Symantec, Cisco, Websense, Trend Micro, McAfee, Barracuda Networks, ContentKeeper Technologies, M86 Security, Zscaler, CA, FaceTime Communications, Webroot Software, SafeNet, Cymphonix, Optenet, Clearswift. As of January 2010. Source: Gartner (January 2010)]

The delivery model for SWG solutions is expanding from traditional appliances and software, with the addition of virtual appliances that can operate on VMware and blade servers. The SecaaS market continues to heat up with significant enterprise interest as evidenced by increasing shortlist inclusions and acquisitions of SecaaS providers by traditional appliance vendors. During 2009, we have seen Symantec acquire MessageLabs; McAfee acquire MX Logic; Cisco acquire ScanSafe; and Barracuda Networks acquire Purewire. The ability to protect and apply policy to mobile endpoints is a significant benefit of SecaaS providers as organizations seek to improve protection for these often infected devices. Currently, well more than 85% of SecaaS buyers are less than 1,000 seats, but adoption by larger organizations, including some with well more than 100,000 seats, is growing. Larger organizations typically see SecaaS

The Magic Quadrant is copyrighted January 2010 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a
marketplace at and for a specific time period. It depicts Gartner’s analysis of how certain vendors measure against criteria for that marketplace, as defined by
Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those
vendors placed in the “Leaders” quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner
disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

© 2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission
is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy,
completeness or adequacy of such information. Although Gartner’s research may discuss legal issues related to the information technology business, Gartner
does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or
inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.
as a way to reduce network costs, as well as protect and manage mobile endpoints and smaller branch offices, while simplifying installation and ongoing management.

Market Definition/Description
The SWG market is a composite market made up of multiple security markets. URL filtering is the largest submarket. Other submarkets include antivirus filtering for Web traffic, proxy caches and dedicated multifunctional SWG devices. Market distinctions are rapidly blurring as submarket vendors maneuver to compete in the broader SWG market, making market size estimates more difficult. We estimate that the total composite market in 2008 exceeded $1.2 billion and was growing at a rate of 12% year over year. This is a significant decline from the 44% growth rate reported last year. This decline is due, in part, to changes in our market sizing methodology to more accurately reflect non-SWG revenue from multifunction market vendors, increasing price competition and slower-than-expected growth in 4Q08. We expect that the average market growth rate will increase to around the 15% range in 2010. This growth increase will be fueled partly by pent-up demand resulting from delayed projects. The dedicated SWG was the fastest-growing submarket, with approximately 80% year-over-year growth.

Inclusion and Exclusion Criteria
These criteria must be met to be included in this Magic Quadrant:

• Vendors must own unique content capability in at least one of these categories: URL filtering, anti-malware or application-level controls. This includes granular active content policies, dynamic classification of websites and Web “reputation” systems, in addition to traditional anti-spyware and anti-spyware engines and URL lists.

• Vendors must have at least 50 production enterprise installations.

• SWG products that offer firewall functionality — for example, multifunction firewalls (also known as unified threat management [UTM] devices) — are outside the scope of this analysis. These devices are traditional network firewalls that also combine numerous network security technologies — such as anti-spam, antivirus, network intrusion prevention system and URL filtering — into a single box. Multifunction firewalls are compelling for the small or midsize business (SMB) and branch office markets; however, in most circumstances, enterprise buyers do not consider multifunction firewalls as replacements for SWGs. Examples of vendors with multifunction firewall solutions include Astaro, Check Point Software Technologies, Fortinet and SonicWALL.

• Vendors that rebrand and sell complete SWG solutions are not included. For example, Google resells Cisco/ScanSafe. Google is not included in this analysis; but Cisco/ScanSafe is included.

Added
SafeNet acquired Aladdin, and Symantec acquired Mi5 Networks and MessageLabs. Zscaler and Optenet are new vendors added this year because they met the inclusion criteria.

Dropped
Marshal and 8e6 merged, and the newly formed company later acquired Finjan Software, and renamed itself M86 Security. Secure Computing was acquired by McAfee, ScanSafe was acquired by Cisco, MessageLabs and Mi5 Networks were acquired by Symantec, and Aladdin was acquired by SafeNet. These products now appear under the parent company. CP Secure was acquired by Netgear. Netgear is incorporating CP Secure’s technology into its ProSecure unified threat management appliances, which don’t meet the inclusion criteria for this Magic Quadrant.

Evaluation Criteria

Ability to Execute
Vertical positioning on the Ability to Execute (see Table 1) axis was determined by evaluating these factors:

• Overall viability — The company’s financial strength, as well as the SWG business unit’s visibility and importance for multiproduct companies

• Sales execution/pricing — A comparison of pricing relative to the market

• Market responsiveness and track record — The speed in which the vendor has spotted a market shift and produced a product that potential customers are looking for; as well as the size of the vendor’s installed base relative to the amount of time the product has been on the market

• Customer experience — Quality of the customer experience based on reference calls and Gartner client teleconferences

• Operations — Corporate resources (in other words, management, business facilities, threat research, support and distribution infrastructure) that the SWG business unit can draw on to improve product functionality, marketing and sales

Table 1. Ability to Execute Evaluation Criteria

Evaluation Criteria                                                   Weighting
Product/Service                                                       No rating
Overall Viability (Business Unit, Financial, Strategy, Organization)  High
Sales Execution/Pricing                                               Standard
Market Responsiveness and Track Record                                High
Marketing Execution                                                   No rating
Customer Experience                                                   High
Operations                                                            Standard

Source: Gartner (January 2010)
Completeness of Vision
The Completeness of Vision (see Table 2) axis captures the technical quality and completeness of the product and organizational characteristics, such as how well the vendor understands this market, its history of innovation, its marketing and sales strategies, and its geographic presence.

In “market understanding,” we ranked vendors on the strength of their commitment to the SWG market in the form of strong product management, their vision for the SWG market and the degree to which their road maps reflected a solid commitment of resources to achieve that vision.

In the product evaluation, we ranked vendors on these capabilities:

• Malware filtering — The most important capability in this analysis is the ability to filter malware from all aspects of inbound and outbound Web traffic. Signature-based malware filtering is standard on almost all products evaluated. Consequently, extra credit was given for non-signature-based techniques for detecting malicious code and websites in real time as it crosses the gateway, as well as the range of inspected protocols, ports and traffic types. Products that can identify infected PCs and the infection by name, and enable prioritized remediation, received extra credit.

• URL filtering — Databases of known websites are categorized by subject matter into groups to enforce acceptable use and productivity and to reduce security risks. To displace incumbent URL-filtering products and “steal” allocated budget, SWG vendors will have to be competitive in this capability. Quality indicators, such as the depth of the page-level categorization, the real-time categorization of uncategorized sites and pages, dynamic risk analysis of uncategorized sites and pages, and the categorization of search results, were considered.

• Application control — Granular, policy-based control of Web-based applications, such as instant messaging (IM), multiplayer games, Web storage, wikis, peer-to-peer (P2P), public voice over IP (VoIP), blogs, data-sharing portals, Web backup, remote PC access, Web conferencing, chat and streaming media, is still immature in most products and represents a significant differentiator. We considered the number of named applications that can be effectively blocked by checking a box on the application category or a specific named application. The ability to selectively block specific features of applications and the presence of predeveloped policies to simplify deployment were given extra credit.

• Manageability/scalability — Features that enhance the administration experience and minimize administration overhead were compared. Extra credit was given to products with a mature task-based management interface, consolidated monitoring and reporting capabilities, and role-based administration capability. Features such as policy synchronization between devices and multiple network deployment options enhance the scalability and reliability of solutions.

• Delivery models — We looked at deployment options and form factors. Appliance and software are standard. Extra credit was given to vendors that offer multiple form factors, such as Virtual appliances for VMware or other hypervisors and/or SecaaS delivery models. We also looked at network deployment options, such as Proxy vs. in-line bridge, Internet Content Adaptation Protocol (ICAP) and Web Cache Communication Protocol (WCCP) compatibility.

• Related investments — We gave minor credit for vendors with related investments, such as e-mail integration and native DLP capability. Native DLP capability shows technical prowess and can be useful in tactical situations; however, integration with e-mail and/or dedicated DLP solutions is a more strategic feature.

Table 2. Completeness of Vision Evaluation Criteria

Evaluation Criteria           Weighting
Market Understanding          High
Marketing Strategy            No rating
Sales Strategy                No rating
Offering (Product) Strategy   High
Business Model                No rating
Vertical/Industry Strategy    No rating
Innovation                    High
Geographic Strategy           No rating

Source: Gartner (January 2010)

Leaders
Leaders are high-momentum vendors (based on sales and “mind share” growth) with emerging track records in Web gateway security, as well as vision and business investments that indicate they are well-positioned for the future. Leaders do not necessarily offer the best products for every customer project; however, they provide solutions that offer relatively lower risk.

Challengers
Challengers are established vendors that offer SWG products but do not yet offer strongly differentiated products, or their products are in the early stages of development/deployment. Challenger products perform well for a significant market segment, but may not show feature richness or particular innovation. Buyers of challenger products typically have less-complex requirements and/or are motivated by strategic relationships with these vendors rather than requirements.

Visionaries
Visionaries are distinguished by technical and/or product innovation, but have not yet achieved the record of execution in the SWG market to give them the high visibility of the leaders or those that lack the corporate resources of challengers. Expect state-of-the-art technology from the visionary vendors, but buyers should be wary of a strategic reliance on these vendors and should monitor the vendors’ viability closely. Given the maturity of this market, visionaries represent good acquisition candidates. Challengers that may have neglected technology innovation and/or vendors in related markets are likely buyers of visionary vendors. Thus, these vendors represent a slightly higher risk of business disruptions.

Niche Players
Niche player products typically are solid solutions for one of the three primary SWG requirements — URL filtering, malware and application control — but they lack comprehensive features of visionaries and the market presence or resources of the challengers. Customers that are aligned with the focus of a niche vendor often find such provider offerings to be “best-of-need” solutions.

Vendor Strengths and Cautions

Barracuda Networks
Barracuda Networks offers a range of inexpensive proxy-based appliances that leverage open-source technologies and enjoys high mind share in the SMB market due to extensive marketing and an effective sales channel. It continues to experience solid global growth, primarily with customers that have less than 1,000 seats. Barracuda recently acquired startup SecaaS SWG provider Purewire, and the company plans on using Purewire as a base for an expanded set of SecaaS offerings. Barracuda’s solid growth and the acquisition of Purewire helped its execution score, moving it up into Challenger status this year. Barracuda Web Filter appliances are a good shortlist inclusion for SMBs looking for “set and forget” functionality at a reasonable price. The Barracuda (Purewire) SecaaS offering is also reasonable in supported geographies.

Strengths

• The Barracuda Web Filter’s Web graphical user interface (GUI) is basic and designed for ease of use. Deployment is simplified with all settings in a single page with easily accessible suggested configuration settings and contextual help. The dashboard includes a summary of top reports, including infection activity, hyperlinked to the detailed reports. Real-time log information can be filtered by a number of parameters for easy troubleshooting. Malware protection is provided by open-source Clam AntiVirus, augmented with some in-house-developed signatures. The management console includes optional infection thresholds that can kick off alerts or launch a malware removal tool. Application controls include a fair number of IM networks, software updaters, media stores, remote desktop utilities, toolbars and Skype. The Barracuda Web Filter is one of the most economically priced solutions in this Magic Quadrant, and annual updates are priced per appliance rather than per seat.

• The Barracuda Web Security Service (formerly Purewire) offers a very clean and well-organized policy and reporting interface that is simple and logical. Dashboard elements all offer a consistent hyperlinked drill down into three levels of increasingly granular data. All security protection methods are included in the base price. In addition to using several signature and blacklist-based filters, the Web Security Service performs numerous advanced security checks, including page analysis, URL reputation, exploit kit detection, JavaScript analysis and bot detection. URL filtering is driven by the Barracuda database as well as dynamic filtering for uncategorized sites. Advanced options include coaching and password-protected bypass with custom blocking pages for each rule. The solution also allows quotas based on connection bytes and time limits. Application control includes several dozen named applications in four categories: browsers, IM, P2P file sharing, and streaming media that are based on request and response headers and traffic signatures. They also offer some options for Web browser control. The DLP capability includes five static DLP libraries/lexicons and Secure Sockets Layer (SSL) scanning by category.

• Redirecting traffic to the Barracuda Purewire service is enabled with an optional on-premises caching appliance (hardware or virtual software) that caches traffic and provides for on-premises authentication, Microsoft Internet Security and Acceleration (ISA) plug-in, and a variety of direct connect and Active Directory configurations. The Barracuda Purewire Web Security Service also offers a tamper-proof software client for roaming laptop users that enforces remote/roaming traffic through a cloud service.

Cautions

• The Barracuda Web Filter appliance lacks enterprise-class administration and reporting capabilities. Advanced ad hoc reporting features are lacking, and custom reports are limited to filter settings on existing reports. The dashboard is not customizable. It offers only a single administration account and does not support role-based administration. Some policy features, such as file-type blocking, are very manual rather than menu-driven, and the overall workflow is feature-based instead of task-based. The appliance can only store six months of data; longer-term data storage or aggregated reporting across multiple boxes requires the Barracuda Control Center. Security threat reporting does not provide any guidance on the severity of a particular threat, nor does it provide links to more detail on the threats.

• Barracuda relies heavily on open-source databases for URL and antivirus filtering (Clam AntiVirus) supplemented with Barracuda’s own research labs. However, Barracuda’s research labs have not earned a strong reputation in the industry. Barracuda added the security researchers from Purewire to its roster; however, with the industry-standard antivirus vendors struggling to keep up with the increasing volume of threats, it will have to invest in more research capability to continue to improve.

• Purewire was an emerging startup when it was acquired, and Barracuda management has an ambitious road map for integration of the existing Barracuda backup service as well as building an expanding line of SecaaS offerings in several markets. The Purewire service still needs to mature to compete against the more-established SecaaS vendors in this space. The management interface is missing some enterprise options, such as expansive role-based administration, customization
of dashboard elements, quick links to tasks and full policy administration audit reporting. Security threat reporting would be improved with more information, such as severity, and more-detailed information about specific threats. Reporting is very basic and could be improved with more customization options. Predeveloped reports are too narrow and lack a single management summary report on activity. Purewire does not offer a zero-client footprint option with transparent authentication.

• Purewire only has data centers in Atlanta, Oakland, California, and London. Barracuda Networks has data centers supporting its Barracuda Backup Service (launched in November 2008) in Detroit, the District of Columbia and London. The company needs to invest in a global enforcement infrastructure and support presence outside the U.S. to appeal to global enterprise customers.

Blue Coat Systems
Blue Coat is one of the original proxy cache vendors, and has maintained a consistent dedicated focus on the demanding SWG market for large enterprise and service providers. Blue Coat, with its Mach5 products, is also a major player in the enterprise WAN optimization controller (WOC), which enables application acceleration. The company fell back slightly in Completeness of Vision compared with its peers in this Magic Quadrant due to a lack of focus on real-time malware detection in the gateway and lack of a SecaaS delivery solution. Blue Coat remains the overwhelming installed base leader in the enterprise proxy market and continues to show up on the majority of large enterprise shortlists.

Strengths

• The ProxySG product is well-tested for scalability and performance in the demanding large enterprise market, and includes numerous advanced proxy features, such as support for a long list of protocols, extensive authentication and directory integration options, raw policy scripting capabilities, command line interface in addition to a GUI, SSL decryption, support for ICAP, and centralized management and reporting. The company has one of the largest development and support organizations in this market.

• ProxySG supports nine URL-filtering databases, including its own, and four antivirus engines on its ProxyAV platforms — the most options of any vendor in the market.

• In addition to signature scanning, ProxySG exploits a frequently updated URL database (owned by Blue Coat) to detect known malicious URLs, and has static policy triggers to validate or limit active content (for example, ActiveX Controls or Java Applets) as well as limited active code analysis to detect unknown malware.

• Blue Coat maintains URL database freshness and relevance by automatically sending unclassified URLs to one of five data centers “in the cloud” for categorization and malware detection.

• Blue Coat is often one of the least-expensive URL-filtering options. Its URL-filtering pricing model is based on a one-time perpetual license fee plus annual maintenance charges.

• Blue Coat’s SSL termination capabilities (via an optional card on ProxySG) enable Blue Coat to terminate and decrypt SSL content and hand it off (via ICAP) to third-party devices, such as DLP scanners (Blue Coat partners with five DLP vendors), for further analysis.

• Blue Coat offers an endpoint agent (free of charge) that provides URL-filtering support (and application acceleration) for mobile workers.

Cautions

• Blue Coat is the only provider that requires antivirus processing on a dedicated appliance. The ProxyAV continues to be a liability in the SMB market, where it adds costs and requires integration with Blue Coat’s proxy appliance.

• Blue Coat’s lack of a SecaaS offering is a liability, given the rapid growth of the SecaaS market. In December 2009, Blue Coat announced plans to enter the SecaaS market in 2010 with an internally developed service.

• Blue Coat offers limited real-time, on-box malware and URL categorization technology. Blue Coat sends uncategorized URLs to its cloud-based WebPulse service for dynamic categorization and for malware analysis. This cloud-based approach is a valid method for detecting many forms of malware. However, the cloud approach limits Blue Coat’s ability to perform malware analysis on websites that require authenticated access (e.g., social networking sites). Alternatively, real-time on-box malware analysis, offered by several Blue Coat competitors, provides the advantage of analyzing content on-premises, which minimizes latency and provides better protection against targeted threats.

• Blue Coat cannot monitor all network traffic in its most commonly deployed proxy mode, but it can be configured in other modes to monitor all traffic.

• Although the management interface and reporting infrastructure is improving, smaller customers complain that it is still geared toward larger enterprises with extensive networking experience.

• Blue Coat lacks DLP capabilities on its ProxySG appliance, although it can integrate via the ICAP protocol with a range of third-party DLP solutions.

CA
CA’s proxy-based SWG product, WebFilter Proxy, is a component of CA Gateway Security, which includes e-mail security and provides a common management interface, as well as policy and reporting for Web and e-mail gateways. The CA WebFilter is a possible shortlist inclusion for SMBs looking for a suite solution that includes e-mail protection.
Strengths

• The Web and e-mail software appliances can be bundled together for smaller organizations or physically separated for larger organizations.

• Malware detection is provided by the CA anti-malware database team, which is one of the larger malware research organizations.

• URL filtering is provided using the McAfee database. It has some advanced features, such as self-authorization, time-based policy elements and basic application control based on URL classification.

• The WebFilter has strong native DLP capability for a SWG, including the ability to parse some document files for content checking, keyword dictionaries, regular expression matching and file binary detection.

• The management interface supports the broadest number of languages (10).

• CA Gateway Security is very reasonably priced.

• CA Gateway Security can be installed as a plug-in to Microsoft’s ISA Server (proxy and multifunction platform).

Cautions

• Malware detection is provided by the same signatures as for e-mail and end nodes (different signatures at the SWG and at the desktop enhances security) and advanced, real-time threat detection is very limited. Indeed, CA’s position is that the “gateway” is the wrong place to combat spyware.

• Some customers reported that the Gateway Security management console was difficult to use, with numerous applications and pop-up windows. Policy development is difficult to troubleshoot without an audit summary. Administrators or auditors must restep through the policy development process to spot errors or troubleshoot.

• The real-time graphical dashboard is weak, with a limited log view and some server statistics only. The reporting tool is required to view details; however, the dashboard is not linked

• URL filtering could benefit from more-advanced options, such as a coaching option, and bandwidth control or quality of service. Application blocking is URL-based or port blocking, and is not menu-driven.

• The proxy does not support SSL termination or ICAP, which limits its DLP capabilities (it cannot hand off SSL-encrypted content to a DLP sensor). Inbound and outbound malware can evade detection by port/protocol hopping or tunneling in HTTP/S.

• The proxy does not support native FTP.

• CA offers only software for Microsoft platforms, so it will be hard-pressed to match the ease of use of purpose-built appliances. Support and cost of the underlying Windows hardware and software should factor into the total cost of ownership calculation.

Cisco
IronPort (a Cisco-owned company) designed its S-Series proxy/cache from the ground up to address the multifunction requirements of a modern SWG and the scalability needs of demanding large enterprise customers. The S-Series appliance is rapidly maturing and experiencing very solid growth in the larger enterprise proxy/cache market. Cisco recently acquired the pioneering SWG SecaaS company ScanSafe. ScanSafe continues to execute well and has the largest market share in the SecaaS market including several organizations with well more than 100,000 seats. ScanSafe is expected to form the basis of an increasing array of Cisco SecaaS offerings, starting with the addition of e-mail. Cisco’s credibility with the network operations team, the progressive development and market growth of the S-Series and the acquisition of the leading SecaaS provider moved Cisco into the Leaders quadrant this year. Cisco/IronPort S-series is a strong shortlist inclusion for large enterprise customers, while the ScanSafe solution is strong for any enterprise size. The eventual integration of these two will make a powerful hybrid combination.

Strengths

• The S-Series provides good on-box malware detection. It provides parallel scanning capabilities across multiple verdict engines for inbound as well as outbound security and content scanning. Signature databases are offered from Webroot and McAfee, and can be run simultaneously. Non-signature-based detection includes exploit filters that proactively examine page content, site reputation, bot network traffic detection,
to the reporter with any hotlinks. Administrators must open transaction rules and Cisco-generated threat center rules. It
the reporting tool, “Reporter,” and find the relevant report. also uses a mirroring port (SPAN port) network interface card
Reports are very basic, and there are only a limited number of for out-of-band traffic analysis to detect evasive outbound
predeveloped reports. Included reports are not comprehensive, phone-home traffic or application traffic. The S-Series is one of
although it does also include a customizable report generator to the few products that includes a full native FTP proxy and SSL
create customizable reports. Report scheduling is provided by traffic decryption.
yet another application utility.
• Cisco/IronPort’s URL categorization engine is augmented
• Although the dashboard has outbound malware statistics, with a dynamic classification engine for unclassified sites and
details are buried in a custom report and actions are limited. user-generated content. The S-Series also offers application
The ability to isolate and repair infected clients is lacking. control using application signatures to identity and block/allow
8
a large collection of Web-based applications, including Skype and popular IM applications. The S-Series provides good DLP functionality with the combination of integrated on-box Data Security Policies and the choice of advanced DLP content scanning through ICAP interoperability with third-party DLP solution RSA and Symantec/Vontu. Policy options include the ability to block “posting” to Web 2.0 type sites.

• IronPort has numerous features to enhance the scalability of the S-Series for demanding large enterprise needs including native Active-Active clustering, centralized management for up to 150 servers per management server, appliances that can support up to 1.8 terabytes of storage with hot-swappable, Serial Attached SCSI (SAS) drives and RAID 10 configuration and RAID1 mirroring, six 1Gb network interface as well as a fiber option. In addition, the security scanning is enhanced by stream scanning, which enables scanning for larger or long-lived objects without creating the bottlenecks associated with buffer-based scanning.

• ScanSafe’s Web-based management interface is clean and simple to use, even for nontechnical users. Customers commented on the ease of deployment in migrating to the ScanSafe service. The graphical dashboard is hyperlinked to filtered log views. Near-real-time customized reporting was significantly improved in the latest version with data mining capability. The service offers a real-time classification service to classify unknown URLs into a small set of typically blocked categories (for example, pornography or gambling). URL filtering is enhanced with some advanced functionality, such as bandwidth and time-based quotas, and a “search ahead” feature that decorates search engines with URL classification.

• ScanSafe offers simple outbound DLP functionality (dictionary keyword matching, named file detection and preconfigured number formats), and file hash matching can integrate with some enterprise DLP vendors.

Cautions

• Cisco will face some cultural and product integration challenges with ScanSafe, including refocusing the sales and channel on service selling, integrating the ScanSafe endpoint client with Cisco’s remote access/AnyConnectVPN client, and delivering a unified IronPort/ScanSafe reporting and unified policy management console, which Gartner estimates will require, at minimum, six months.

• The S-Series has a strong foundational design; however, it still needs refinement of the management interface and is missing some advanced features. It is clearly designed for larger enterprises with demanding network requirements but does not scale down well for SMBs with simpler needs. Application control is not well instrumented and requires administrators to understand the network behavior of some evasive applications to build an effective policy. It does not provide bandwidth management or QoS options. Application control and QoS are scheduled to be addressed in 1H10. It lacks the ability to block certain functions in Web applications, such as Web mail and social networking. DLP is not yet integrated with the IronPort secure e-mail gateway appliances, although policy can be manually exported from the e-mail gateway and imported to the S-Series.

• The S-Series is one of the more expensive SWG appliances in the market, and Cisco charges extra for the SenderBase Web reputation filter.

• S-Series reporting is improving; however, it is still a weak spot. There is no ability to customize the on-box dashboards, nor is it always possible to drill down into detailed off-box (Sawmill) reporting from top-level dashboards. Per-user reports and forensic investigative reporting are weak. The appliances can store 30 days of on-box log data, but they offer limited reporting functionality. To generate reports from log data that is older than 30 days, users must export log data to a third-party log analysis and reporting package from Sawmill (requires a Windows server). The Sawmill package is also required to generate detailed per-user statistics, even for on-box-stored data. The M-series management server is the logical place for this reporting, and Cisco is expected to deliver this functionality during the next 12 months.

• ScanSafe’s early leadership position and lack of competition has resulted in lethargic feature growth and innovation. It is beginning to change now that it is facing competition from more-nimble startups; however, product features and global presence should be better, given such an early lead in this market. We expect the infusion of Cisco resources will reinvigorate the company.

• ScanSafe’s management interface is better suited for simple policy constructs. Setting up a policy may require multiple steps to implement a single rule. The policy is tied to specific protocols, and a troubleshooting policy is complicated by lack of readable summaries. It does not have the capability to create a reporting role that only has access to specific group data. Outbound threat information is minimal, lacking severity indicators or detailed information about infections. For laptop users, it does not have a zero footprint authenticated client solution. ScanSafe charges an extra fee for its Anywhere+ service (for roaming employees) and its IM Control service. Application control is limited and URL-based, rather than based on network signature protocol. Like other services and proxy products, ScanSafe can only see outbound traffic in HTTP traffic, and will miss evasive applications and malware.

Clearswift

Clearswift is a veteran secure e-mail gateway vendor with a high profile in EMEA. It has integrated its proxy-based SWG — Clearswift Web Appliance — with its e-mail security solution to provide cross-channel policy and consolidated reporting. Overall, Clearswift’s primary advantage is its integration with its e-mail solutions and the provision of DLP across both channels, making it a good choice for existing e-mail customers or EMEA buyers looking for both solutions from the same vendor.
Strengths

• Clearswift offers a clean, logical browser-based interface for policy development that is easy to use, even for nontechnical users. E-mail and the Web are managed in the same console. Multiple devices can be managed from any machine.

• Policy development for DLP is very good and several policy constructs — Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley Act (GLBA), Payment Card Industry (PCI) Data Security Standard, Securities and Exchange Commission, accounting terms and stock market terms — are included. The same policy can apply to Web and e-mail, and it is possible to intercept and copy/archive Web mail and IM traffic that triggers DLP policy. Clearswift also provides strong policy audit and printable policy summaries for troubleshooting.

• Clearswift offers good reporting capability. All machines in a cluster are capable of local or consolidated reporting. Reports are active and include a hyperlink drill-down of details. Malware filtering is provided by Kaspersky and Sunbelt Software. It is augmented with some in-house, preconfigured, policy-based code analysis. The Clearswift Web Appliance is capable of SSL certificate validation, decryption and inspection. URL categorization is provided by the RuleSpace database augmented by real-time dynamic classification of uncategorized sites.

• Clearswift offers a good array of form factors including a dedicated hardware appliance, soft appliance for installation on any hardware, or as a virtual appliance for VMware, and has native ability to “peer” a cluster of appliances together.

Cautions

• Clearswift remains an EMEA brand and does not enjoy significant brand recognition in North America. Its market share in the SWG market is very small.

• Malware detection is primarily limited to signatures and only in HTTP/S traffic. It does not include out-of-band malware detection, and reporting is missing detailed threat information or severity indicators. The solution cannot isolate or clean infected machines.

• Enterprise management features such as group-level administration and reporting, customizable dashboards and log file searching are lacking. Centralized management is limited to supporting nine local boxes.

• Application control is limited to blocking URL destinations (and/or streaming protocols) and file-type blocking. It is possible to detect and block specific applications, but it requires the creation of custom rules within the appliance to identify and block based on the specific characteristics of the application found in the HTTP content. It cannot filter or manage evasive applications, such as Skype.

• It does not support in-line/bridge mode deployments, ICAP or WCCP.

• Pricing is very high relative to peers.

ContentKeeper Technologies

ContentKeeper Technologies is based in Australia, where it has many large government and commercial customers. It offers a family of SWG appliances that deploy as an in-line bridge. The main focus of the company is URL filtering, and the company maintains its own URL-filtering database. Signature-based antivirus protection is licensed from Kaspersky, and is available as an integrated on-box offering. SecaaS-based e-mail security is available via an OEM partnership with Webroot. ContentKeeper is a good option for organizations looking for simpler URL filtering capability in supported geographies.

Strengths

• ContentKeeper offers a series of five appliances, the largest of which is based on IBM blade server technology, which the company claims has a maximum throughput rate of 14 Gbps. The appliances “fail open” due to a high-availability hardware module. In addition to supporting in-line bridge mode, the appliances also proxy SSL traffic and provide decryption capabilities. IPS capabilities are provided via Snort signatures.

• The Advanced Reporting Module (ARM) is an optional solution that provides good graphical analysis of log information, including the option to display data in bar and pie charts. The ContentKeeper appliances can be set to export data to the ARM in real time or on a periodic basis. The ARM may be deployed on the ContentKeeper appliance or off-box. Real-time monitoring and alerting are achieved through the ContentKeeper Monitor package. ContentKeeper provides strong bandwidth control capabilities. It provides bandwidth quotas and QoS features.

• All ContentKeeper appliances maintain a feedback loop with the ContentKeeper data center. On an hourly basis, the Web-only appliances receive updates to the URL database, and they send any unclassified URLs to the data center for analysis and classification. ContentKeeper appliances with the integrated antivirus support call in for updates every five minutes. The feedback loop is supplemented with URLs obtained via Web crawling techniques, and suspicious sites are further analyzed for malware.

• ContentKeeper provides application control for more than 90 applications.
• ContentKeeper offers one of the most cost-effective URL-filtering solutions in the market.

Cautions

• ContentKeeper has a weak presence in Europe and North America (more than 50% of its sales are in the Asia/Pacific region).

• Malware detection and control is limited. Only one option (Kaspersky) is offered for on-box signature-based malware protection. Outbound malware detection lacks detail. It shows which malware infected websites have been blocked, but — unlike some other solutions — does not contain severity indicators or detailed information about infections.

• The SecaaS offering, which is primarily targeted at SMBs, lacks several enterprise-class capabilities. User authentication and traffic forwarding (to the cloud) requires an agent on every endpoint (several SecaaS providers offer integration with domain controllers to avoid endpoint software). The SWG SecaaS offering provides limited application control and does not offer real-time malware detection.

• On-box reporting via the Monitor package and hyperlinks to the ARM for drill-down analysis needs improvement. ContentKeeper has plans to introduce an enhanced GUI in 2010.

• Uncategorized URLs are not classified in real time. Updates to the ContentKeeper appliances are dependent on configurable call-in parameters (one hour for Web-only appliances and five minutes for Web and antivirus appliances). The URL database needs more granularity. It only supports 32 categories; most competitors support more than twice as many categories (although custom categories can be added).

Cymphonix

Cymphonix, a privately held Utah-based company, was founded in 2004. The Cymphonix Network Composer is an appliance-based product that is mostly deployed as an in-line transparent bridge, but it can also be deployed as a proxy. Cymphonix licenses malware signatures from Sunbelt and Clam AntiVirus. The URL-filtering database is licensed from RuleSpace and is enhanced through internally maintained updates. Cymphonix is a good fit for SMBs looking for a single SWG with advanced bandwidth management capabilities at a reasonable price. Its ability to detect and block proxy anonymizers (used to bypass URL filtering) makes it a good fit for the K-12 education environment.

Strengths

• Cymphonix offers one of the strongest bandwidth control capabilities in the SWG market. Its bandwidth-shaping policies can be nested within one another for more granular control. For example, users in a particular role can be assigned a maximum of 30% of available bandwidth for an Internet connection. This group can be further shaped, so that 10% of its bandwidth is assigned to IM, while 70% is reserved for mission-critical applications. Bandwidth shaping can be performed at a broad level for virtual LANs, IP ranges, and Active Directory groups, or at a very precise level down to specific Host MAC or IP address, Web category, specific URL, file type, mime type and user.

• The Network Composer includes more than 650 application signatures that can be used to build network policies for blocking or allowing applications. Applications can also be prioritized in terms of relative importance, using the bandwidth control capabilities described.

• Cymphonix offers a series of seven appliances, the largest of which the company claims has a maximum throughput rate of 200 Mbps. The appliances can be configured to “fail open.” In addition to supporting the in-line bridge mode, the appliances also proxy SSL traffic and provide decryption capabilities. Cymphonix also offers a useful free network utility that enables organizations to identify rogue and bandwidth hogging application traffic on their networks.

• The Web GUI is simple and easy to use, and the reporting capability is good. Tabs provide easy navigation to a collection of reports that can be modified, saved and scheduled, and reports provide hyperlink drill-downs that show more details. Policy management is easy to use, and includes numerous advanced functions to combine application-shaping and content-control policies to individuals or groups.

• In 2009, Cymphonix strengthened its reseller channel program and expanded into EMEA and Asia/Pacific.

Cautions

• Although Gartner believes that Cymphonix is growing faster than the SWG market, it remains one of the smallest vendors in this Magic Quadrant and still has low market share and brand recognition.

• There is no centralized reporting/management interface for managing clusters or geographically dispersed gateways; one is scheduled for release in 1Q10.

• Some customers have complained about Cymphonix’s licensing model, which is based on IP addresses and not users. With the address-based model, printers, IP phones and non-browser-based devices must be manually identified and placed in an “exception list” so that they are not counted.

• Some customers reported excessive miscategorizations of URLs, although the 8.7 release in September 2009 replaced the categorization engine with the RuleSpace engine, which has less reliance on dynamic classification.

• There are no DLP capabilities or related e-mail protection products.

• There is no support for ICAP or WCCP.
FaceTime Communications

FaceTime, a privately held company based in California, started in the IM security market and has branched out into the broader SWG market. The company’s installed base includes a significant number of large enterprise businesses, primarily in North America. These include many financial institutions, which were the primary buyers of IM security solutions. It has its own malware and application research capabilities, and the deepest visibility and controls for Web 2.0 type Internet applications. FaceTime’s Unified Security Gateway (USG) appliance can be deployed by connecting to a SPAN/mirror port and in-line, and can also interface to proxies via the ICAP protocol. When deployed in-line, the USG can proxy HTTP/S and traffic from common IM and enterprise unified communications (UC) services. FaceTime is a strong choice for organizations looking for fine-grained Web application controls.

Strengths

• FaceTime revised its management interface during the past 12 months, and the resulting Version 3.0 has a significantly improved dashboard and reporting capability, as well as a more flexible and scalable object-based policy engine. The dashboard is fully customizable, and administrators can create their own look and feel, adding virtually any report as a dashboard element. All dashboard elements are hyperlinked to reports and log data detail. V3.0 also offers a unique fully customizable “Heatmap” dashboard element that enables administrators to visualize traffic and events rapidly.

• FaceTime has the deepest visibility and controls for Internet applications, with more than 4,000 named applications, including IM, P2P, anonymizers, IP television, gaming software, multimedia, remote administration tools, virtual worlds, VoIP, Web-based IM and Web conferencing. In particular, FaceTime offers the strongest control for Skype. A special plug-in to the USG appliance enables it to detect and block malicious URLs within Skype IMs.

• FaceTime continues to leverage its 2005 acquisition of XBlock Systems for a malware-filtering database, as well as an optional Sunbelt Software malware database and a Web antivirus database from Sophos. USG also offers some behavior-based detection techniques. Reporting on inbound and outbound threats is very strong and includes the specific detailed information on the malware (for example, name, threat rating and more) and links to FaceTime’s Web-based reference site, spywareguide.com.

• FaceTime offers good DLP and archiving capabilities for IM traffic and HTTP/S traffic (e.g., Web mail and blog posts). For example, policies can be enabled to control and log all outbound content for blog posts to social networking sites and also for Web mail traffic. Policy options include taking a screen shot of the Web page for which DLP policy is triggered. The logging can also be triggered by lexicon match (for example, log all credit card numbers posted to a social networking site). DLP capabilities can also be exploited for dynamic content-level blocking of offensive text content.

• Multiple USGs can be clustered to share a database, which then allows for a shared repository of configuration and reporting for multiple geographically dispersed USGs.

• Customers can choose between two URL-filtering databases. FaceTime’s URL-filtering policy is average, but includes some advanced features, such as a coaching option for soft blocking.

Cautions

• FaceTime’s biggest challenge is improving its visibility and mind share against increasingly larger and more-strategic competition. It needs to rapidly expand its channel partners and its client base, because it is at risk of becoming a niche provider in the financial services market.

• FaceTime’s URL-filtering capabilities do not offer the ability to dynamically classify uncategorized websites, and URL-filtering updates are only provided daily (many vendors provide hourly or subhourly updates). DLP keyword filtering capability can be used to classify pages, but this capability is not predefined, and users would have to create and fine-tune their own categorization policies. There is no integrated URL client for mobile employees and no SecaaS solution.

• FaceTime relies on signature engines for malware and has limited on-box ability to dynamically inspect Web pages for malicious intent.

• FaceTime does not cache content and does not offer bandwidth QoS options to improve the performance of priority applications.

M86 Security

M86 Security is a newly formed company comprised of these four companies, all of which were independent as of October 2008:

• Marshal — E-mail and SWG solutions for the SMB market. Marshal’s solutions are deployed as software or as appliances, and can function as a proxy or can be integrated with Microsoft’s ISA Server.

• 8e6 — URL filtering for the K-12 and large enterprise market. The 8e6 solution is deployed as an out-of-band appliance attached to a “mirrored” port on a LAN switch.

• Avinti — Behavioral malware detection for e-mail security (M86 is now also applying the technology to analyze Web threats).

• Finjan — Proxy-based SWG with real-time code analysis technology for detecting Web-based malware. Finjan has a broad mix of customers (SMB and large enterprises) in EMEA and a more focused group of large enterprise customers in the U.S.
In November 2008, Marshal merged with 8e6 to become Marshal8e6. In April 2009, Marshal8e6 acquired Avinti, and in September it renamed itself M86 Security. In November 2009, M86 announced its acquisition of Finjan. M86’s strategy of acquiring good malware detection technology, particularly Finjan, helped it earn Visionary status, although as we note, it faces challenges around product integration and cross-selling its solutions into new markets. The Finjan offering is M86’s strongest enterprise SWG solution, and is a good shortlist inclusion for security-conscious organizations.

Strengths

• Through its mergers and acquisitions, M86 owns a broad base of SWG and secure e-mail gateway technologies. Marshal’s historic product focus was in the SMB e-mail security market, and it also was an early entrant in the SWG market. 8e6 was a “pure-play” URL-filtering appliance vendor with solid performance and reporting capabilities for the K-12 market and for large enterprises. The acquisition of Avinti provided technology for runtime code analysis to detect malware. The Finjan acquisition gives M86 strong content analysis security technology in a proxy-based appliance. Finjan has been a pioneer in real-time code analysis technology, which scans a broad array of Web programming languages (for example, HTML, JavaScript, VBScript and Java) for malicious intent. M86 has moved quickly to provide some basic integration across the Marshal, 8e6 and Avinti products, by correlating threat information between its e-mail and Web solutions.

• The Finjan acquisition should progress relatively smoothly, since the CEO of M86 was previously the CEO of Finjan. Other executives have also worked at both companies, which should accelerate the process of forming a unified corporate culture.

• Finjan provides strong real-time malware filtering based on content inspection, good application control and some DLP capability in a proxy-based scalable appliance. Finjan has a good installed base in large security-focused organizations. The Finjan product is the strongest enterprise-class SWG solution in M86’s product family and will serve as the platform for integrating M86’s newly acquired technologies. Marshal offers secure e-mail gateways and an SWG solution in software and appliance form factors. It has several strengths as a stand-alone SMB-focused solution, including a strong management interface, reusable policy elements and good DLP support for multiple signature-based malware scanning engines.

• 8e6 solution has several strengths as a stand-alone URL filtering solution, particularly for real-time reporting and alerting of Internet usage, although this capability requires the Threat Analysis Reporter appliance and the Enterprise Reporter appliance to provide log analysis. Its URL filtering appliances are positioned out of band, so they install easily and do not require integration with proxy caches or firewalls (although, as an independent solution, 8e6 does not provide adequate malware protection).

Cautions

• M86’s overall strategy will be challenging to execute. It will be difficult to compete in multiple market segments while integrating the technology from four different development teams into a cohesive product, with a unified management interface, while competing against the market leaders. M86 now consists of four previously independent companies with a combined customer base of companies ranging from SMBs to very large enterprises. M86’s plans to grow its large enterprise business and to also maintain a strong SMB presence represents a difficult sales, marketing and product management challenge.

• In addition to the product integration challenges, M86 has plans to introduce SecaaS services, for e-mail and SWG. The e-mail SecaaS market is already mature, and the SWG SecaaS market is highly competitive and will mature quickly. Time to market is a serious issue.

• Finjan’s on-box reporting is very basic and requires Windows and SQL database licenses for the reporting server. Larger enterprises that require long-term storage and consolidated reporting will find the on-box reporting limited. In 2010, M86 plans to utilize Linux-based technology that it acquired from 8e6 for its SWG reporting server.

McAfee

McAfee moves into the Leaders quadrant this year with the acquisition of Secure Computing. The McAfee Web Gateway (MWG) is the new name for the Secure Computing Secure Web Gateway, which Secure acquired from CyberGuard, which purchased Webwasher. It is now McAfee’s flagship Web gateway appliance, although McAfee will continue to support its legacy e-mail and Web Security Appliance product primarily for SMB customers. This analysis focuses entirely on the flagship MWG product, which remains a solid choice for many enterprise buyers, especially those that are already McAfee ePolicy Orchestrator (ePO) users.

Strengths

• The MWG Ajax/Web-based management interface is well-organized, easy to navigate and deploy for technical users, and offers numerous advanced management features such as granular role-based administration, data anonymization, FTP command filtering, object-oriented policy, native centralized management and user quotas. MWG is gradually being integrated with McAfee’s ePolicy ePO management platform. MWG has a reporting application that offers tiered administration and ships with an enterprise version of MySQL or integrates with Microsoft SQL or an Oracle Database.

• MWG has strong on-box malware protection with a choice of Avira or McAfee’s signature engine, as well as some zero-day security technology, which includes real-time code analysis technology that scans a broad array of Web programming languages for malicious intent. The URL categorization engine is augmented with its own TrustedSource URL reputation data.
• McAfee has a solid antivirus research team and data feeds from its TrustedSource reputation system, which has been expanded to cover URLs clear.

• MWG includes several advanced URL-filtering policy features, such as progressive lockout, which senses multiple bad URL requests and locks out Internet access. Bandwidth quotas, coaching and soft blocking are also available.

• The product includes SSL decryption, which will combine well with McAfee’s strong native DLP capability. Management integration with e-mail security will provide a benefit, especially with DLP administration.

• In addition to its appliance-based offerings, McAfee has relaunched Secure Computing SecaaS Web Protection Service and ported MWG to the McAfee Content Security Blade Server architecture to meet large enterprise/ISP needs. McAfee also recently acquired MXLogic, which offers e-mail and Web security; however, we expect the Secure Computing SecaaS platform to replace the MXLogic Web filtering infrastructure.

Cautions

• McAfee still has lots of integration work to do to integrate with ePO and its DLP, e-mail and endpoint solutions to deliver the security and deployment advantages of a single solution.

• Long-term McAfee customers have suffered from very inconsistent support experiences throughout mergers. It will take time for McAfee support to gain enough experience to offer a good support experience. Premium support is recommended.

• Management features are still maturing, and customer references indicate that product documentation is lacking. Some commands can only be executed via a command line interface, the dashboard cannot be customized; it lacks a raw log search capability, the policy change audit log is very basic, and the solution lacks the ability to review policy in a single

Optenet

Optenet, a new entrant into this Magic Quadrant, is a private company spun out of the University of Navarra’s School of Engineering in San Sebastian, Spain. The company is the only one in this Magic Quadrant that offers a product-based, multitenant (i.e., enables service delivery to multiple customers using shared infrastructure) SWG and e-mail infrastructure solution (Note that SecaaS vendors all offer multitenancy). It is primarily aimed at carriers, managed security service providers (MSSPs) and large enterprises that want to create SecaaS service offerings for their own clients. Optenet is a strong shortlist contender for large organizations and service providers planning on delivering a multitenancy SecaaS-type solution.

Strengths

• Optenet’s recently launched Ajax-based dashboard and management interface is the same for Web and e-mail solutions. It is very customizable, enabling users to add different reports in numerous combinations. Hyperlink drill-downs allow fast movement from the dashboard into active reports and log data. Most report elements can be right-clicked for context-aware options. Role-based management includes four roles. Policy auditing and policy review capabilities are very good. Optenet also offers a command line interface and direct policy script editing for more-proficient users.

• The solution can be deployed in bridge and proxy/cache mode or WCCP and ICAP, and provides malware filtering for HTTP, FTP, HTTPS, POP, SMTP and MMS on a variety of platforms, including Crossbeam and Linux (Red Hat), as well as appliances.

• Optenet augments Kaspersky, Sophos and Snort signatures with its own security analysis for emerging threats. Outbound threat reporting includes a severity indicator in a graphical format.

• Application control includes numerous named applications
detected via network signature detection. The solution also
page. Some changes require a server reboot.
offers bandwidth management and QoS features, as well as
a good network analyzer that provides network application
• Outbound malware reporting is still absent on the dashboard visibility.
in any detail, and reports do not include severity indicators,
trending information, or quick links to detailed threat information
• URL filtering is provided with its own URL database augmented
or automated remediation.
by a dynamic categorization engine. SSL decryption enables
dynamic classification of encrypted content. Spanish URL
• Consolidated and advanced reporting functions require the categorization, in particular, is strong. It also has an image
Web reporting product, which is a separate application with a analyzer for pornography detection.
different look and feel from the management interface, and it
does not have hyperlinks from the dashboard logs or reports
• Optenet is very attractively priced.
on the appliance. The basic Web Reporter version is included
with the appliance; however, the Premium version is required
for advanced features, such as delegated administration and
ad hoc reporting. The number of canned reports is low, and
some reports do not have obvious features, such as pie graph
options. Some customers complained about the scalability of
the reporting interface.
Cautions

• Optenet’s client base is primarily centered in southern Europe, and it has little brand recognition or presence in other markets. It has an office in the U.S., and is aggressively planning expansion. Although the company has numerous small enterprise customers, the solution is designed primarily for the needs of telecoms and large enterprises.

• Options for redirecting mobile clients to the service are very limited, and a globally roaming user is not always automatically directed to the nearest available data center.

• The inclusion of some firewall and IPS-specific configuration in the management policy can cause some confusion.

• Application control does not include any ability to block specific features.

• The outbound security reporting does not include any information on the type of threats or any detailed threat information.

• The solution does not include any DLP capability.

SafeNet

In March 2009, SafeNet and Aladdin merged under common management as a result of Aladdin’s acquisition by Vector Capital (SafeNet’s private equity owner). Aladdin was better known for its identity token business, but it was an early entrant in the SWG market. The eSafe Web Security Gateway solution is now part of SafeNet’s Enterprise Data Protection (EDP) strategy, which combines encryption and multifactor authentication with the SWG and its native DLP capability. Aladdin had a good cross-section of enterprise customers mostly in EMEA, and also had a presence in North America and the Asia/Pacific region. By our analysis, its growth rate stalled in 2008, bringing down its execution score. eSafe is a reasonable shortlist inclusion for midmarket enterprises in supported geographies.

Strengths

• eSafe has significantly improved its dashboard, reporting and management interface from last year, focusing on midmarket needs for lower administration. The dashboard has extensive information in a graphical format with hyperlinked drill-down into detailed report information. The reporting engine was improved with more than 240 predefined reports, including graphical end-user activity reports. Incident and forensic analysis is easy with strong log file search functionality with drop-down picklists of potential search terms.

• Aladdin’s heritage as an antivirus company shows in its strong malware filtering capabilities, which include in-memory code emulation for analyzing suspicious code, vulnerability shielding, script analysis, active content policy options, and SSL decryption. Aladdin added an optional Kaspersky engine in 2008. The eSafe Web Security Gateway is usually deployed as an in-line bridge, allowing it to see all network traffic, but it can also function as a proxy.

• Application controls are above average and include an extensive list (more than 450) of potentially unwanted applications. It also supports blocking of IM file attachments and enforcing acceptable browser types. eSafe provides basic DLP protection with consistent policies across e-mail and Web traffic. It can monitor, log and alert on files attempting to leave the organization, and it supports archiving of outbound content for forensic purposes.

Cautions

• eSafe continues to struggle with brand awareness, especially in North America and overall with its SWG product mind share, and growth is slower than the overall market. SafeNet’s strategy of combining the eSafe SWG with encryption and identity and access management (IAM) is embryonic, and although these are some of the components of an enterprise data security program, very few enterprises currently consider these domains together when making purchasing decisions. eSafe lacks many enterprise-class DLP features.

• Despite significant improvements in the management interface and reporting engine, some enterprise features are still lacking. The dashboard is not customizable, and with the volume of reports available, it would be beneficial to have a “favorites” tab. Policy creation is not object-oriented and will be difficult to scale for organizations with numerous policy exceptions. The eSafe products lack bandwidth control capabilities, such as enforcing bandwidth utilization policies. Policies for establishing time usage quotas are limited and there is no coaching or soft-blocking capability. Outbound malware reporting is weak, the dashboard has no outbound threat information and predefined reports lack severity indicators or detail that would aid in remediation. eSafe does not provide dynamic classification of uncategorized URLs in real time.

Symantec

Symantec entered the SWG market in 2009 with two major acquisitions. The company acquired SWG and e-mail security SecaaS provider MessageLabs (October 2008) and appliance provider Mi5 Networks (April 2009). Mi5 is now a part of the Symantec Enterprise Security Group and has been relaunched as the Symantec Secure Web Gateway (SSWG). MessageLabs is a good shortlist inclusion for customers looking for a simple-to-use, service-based solution, especially if they are also interested in e-mail security services — especially existing MessageLabs e-mail security clients. SSWG is a good shortlist inclusion for customers looking for a scalable, in-line appliance SWG or those looking to augment their existing proxy cache solutions with better security and application control.

Strengths

• MessageLabs is one of the leading SecaaS secure e-mail gateway vendors, and its Web GUI has the same simple and easy-to-use interface as the e-mail service, making it a good choice for customers looking for both services. We expect that Symantec will gradually build on MessageLabs as its strategic foundation for various SecaaS offerings, starting with Symantec’s existing online net backup service and introducing a
hosted endpoint protection platform (EPP) management server service. MessageLabs has expanded its footprint and now has nine data centers for the Web Security Service (Arizona, Virginia, London, Amsterdam, Frankfurt, Hong Kong, Tokyo, Osaka and Sydney) and expects to increase that number to 11 in 2010. We anticipate this expansion will continue with management interface localization, and greater local sales and support, due to the Symantec channel.

• MessageLabs customers give it high marks for service and support. The service offers strong antivirus, latency, uptime and support service-level agreements. Caching popular sites and adding gzip compression are used to accelerate website delivery and minimize latency. Malware is filtered with Symantec’s own antivirus scanner as well as the F-Secure engine, augmented by MessageLabs’ Skeptic malware filters. The URL database is licensed from Websense, and MessageLabs augments it when it discovers URLs that have been identified as containing malware. MessageLabs also offers a hosted enterprise IM solution and IM hygiene services that include malware filtering, stripping malicious URL links, DLP and file transfer blocking.

• The appliance-based SSWG is most commonly deployed as an in-line bridge (it may also be deployed out of band, on a mirrored port), which enables bidirectional malware scanning of most ports and protocols, and provides for simple network implementation. Scale is achieved by correctly sizing the appliance for the network (up to 1 Gbps), or using a load balancer to deploy multiple boxes to get beyond 1 Gbps. In-line deployment allows for very broad protocol-level application control with binary control (blocking/allow) and policy control of a large number of named applications, such as P2P, IM, games and remote access. URL filtering is provided by an optional IBM URL database.

• SSWG has strong management interfaces. Policy creation is done on a single-page view with intelligent options based on previous selections. The dashboard and reporting interface is also strong. Most notable is the reporting emphasis on outbound traffic that indicates the presence of specific malware, the severity and type of the threat, and quick access to more detail. Dashboard data is hyperlinked to relevant reports, and logs with granular details (for example, geolocation data, search terms, file names/types and cross-referencing to greatly aid forensic analysis). SSWG provides a centralized server for configuration and consolidated reporting, and long-term storage of log data. Symantec replaced the Sophos and Sunbelt scan engines and remediation tools (previously licensed by Mi5) with its own scan engine and URL blacklist, while retaining Mi5’s network traffic detection techniques, botnet, malware phone-home detection, and inbound content inspection.

Cautions

• The Symantec acquisition adds significant resources to MessageLabs, but also introduces a number of potential distractions from its core mission. Symantec is planning a slow and methodical integration, but, at the same time, it plans to expand its range of SecaaS services and create integrated deployment capability with the SWG and Symantec’s endpoint protection clients. In the near term, this introduces some disruption risk. Symantec will also face some cultural challenges with MessageLabs, particularly in refocusing its sales and channel teams on service/selling.

• Despite initial successes, Mi5 lost significant market momentum due to the Symantec acquisition, which it is only now beginning to regain. Symantec faces credibility challenges with network equipment buyers after its poorly executed withdrawal from the network firewall and IPS markets. While Symantec owns the necessary technical components of an SWG solution, it has yet to demonstrate that its SWG business can grow at the same pace or faster than the overall market.

• The MessageLabs services have suffered from slow feature development to enhance the management interface, especially for a service provider. The dashboard and reporting features haven’t changed significantly since last year, and reporting has been cited as needing significant improvement by customers. Outbound malware reporting is minimal and does not show severity indicators or threat detail yet. Links to Symantec’s threat library and correlated data showing high-risk PCs would be an improvement. The service only supports relatively simple policies and does not allow conditions. There is no way to print policies for reporting, audit or troubleshooting purposes, although customers can request a printed copy from the MessageLabs help desk team. The URL policy would benefit from advanced options, such as self-authorization, coaching and bandwidth limitations. Application control is very limited and based only on URL destination rather than network/protocol signatures. IM hygiene and application control are offered as a separate service and not included in the basic package.

• Symantec’s decision to substitute its own malware scanning engine (Mi5 had licensed Sunbelt and Sophos) in the SSWG was shortsighted and is limiting to organizations that already use Symantec signatures at the desktop (using different signatures on the SWG and at the desktop is a stronger defense-in-depth model). While we appreciate SSWG’s intuitive management interface, its unique design can cause some problems for larger enterprises. For example, it is difficult to add users to multiple groups for policy, the dashboard is not customizable and some customers complained that they couldn’t configure complex granular policy or integrate with less-common directory environments. SSWG does not proxy applications or offer a cache, although this is in the road map for 2010. SSWG application control can be improved, such as blocking social networking and blog postings, and granular Web application function control. The solution would benefit from the IM control capability Symantec acquired from IMlogic — currently in the e-mail gateway. SSL decryption is still missing, although this is in the road map for 2010. Advanced policy options, such as coaching or self-authorization, time and bandwidth quota or bandwidth rate shaping, are missing.

• Symantec faces the overall challenge of integrating three security products into an SWG solution with a unified management console. In addition to MessageLabs and Mi5, Symantec also owns DLP technology from its Vontu acquisition.
Currently, Symantec has some interoperability between Vontu and the MessageLabs Web Security Service; however, Gartner expects that full integration of DLP capabilities with its more comprehensive Vontu technology will require a six- to 12-month integration effort, and will necessitate evolving packaging and pricing as Symantec attempts to balance single-channel DLP needs with enterprise market needs.

Trend Micro

Trend Micro is the only EPP vendor that has a long history of focus on antivirus for the Web gateway market. As a result, it has a respectable market share with global enterprises. However, the company has not sufficiently invested in advanced features that differentiate its Interscan Web Security Suite (IWSS) SWG offering and allow it to break into the Leaders quadrant. Still, Trend Micro is a respected shortlist inclusion for midsize and smaller organizations.

Strengths

• The management interface is significantly improved in the recently launched V5, with a very customizable Adobe Flex dashboard environment and significantly improved advanced reporting. New customized reports can be created using open-source iReport and added as a dashboard element or in completely new tabs. Dashboards provide quick hyperlinked drill-down into detailed logs. In distributed environments, a centralized IWSS instance can act as a consolidated reporting engine/database and remove a task from the scan engine to improve and consolidate local performance.

• Malware detection is provided by Trend Micro’s signature database, and reputation service is augmented by its in-the-cloud “smart protection network.” Trend Micro’s damage cleanup service can provide remote client remediation for known threats. IWSS offers a quarantine disposition action for parking suspicious files or blocked FTP file types. Suspicious files can be automatically sent to Trend Micro labs for analysis.

• Trend Micro offers its own URL categorization database and offers time of day, and time and bandwidth quota policy options. Application control includes some P2P and IM traffic types that are detected by network signatures.

• The IWSS family of products offers numerous product platform options (for example, Crossbeam integration, Linux, Windows, Solaris and VMware virtual appliance) and numerous deployment options (for example, ICAP, WCCP, transparent bridge, and forward and reverse proxy). Multiple IWSS products can be pooled or clustered with automatic policy synchronization for increased redundancy and scale.

Cautions

• Despite Trend Micro’s history in this market, it has failed to lead the market with enterprise-class features. This has allowed the more aggressive competition to steal mind share, particularly in large enterprises. Trend Micro needs to invest in advanced product features if it wants to regain momentum in the SWG market.

• IWSS is software-based — it does not offer an SWG hardware appliance. Trend Micro’s SecaaS solution has not been successful. IWSS solutions are still lacking in numerous large-enterprise features, such as advanced role-based administration, policy summaries and multiple directory synchronization. Bandwidth control is limited to quotas only. The outbound malware detection report, which is significantly improved in V5, still lacks severity indicators to enable prioritized remediation.

• Application control is limited to binary blocking of some P2P, IM and URL categorization blocking. Trend Micro does not have any onboard DLP, although it does offer an endpoint DLP solution.

• Like other EPP vendors in this market, Trend Micro’s biggest challenge in the enterprise is offering buyers a suite that provides sufficient “defenses in depth.” Malware detection is provided by the same signatures as for e-mail and end nodes.

• There is no ability to protect off-LAN devices without OfficeScan EPP or apply URL filtering policy/reporting for mobile devices.

Webroot Software

Webroot Software is better known for its endpoint spyware protection solutions; with the acquisition of Email Systems in 2007, the company is offering e-mail security and Webroot created its own SWG services via a SecaaS offering. Webroot is a good shortlist inclusion for SMBs looking for service provider options in supported geographies.

Strengths

• Malware protection is provided by Webroot and a Sophos malware signature database. Nonsignature threat detection capabilities include an anti-phishing engine, as well as heuristic-based JavaScript, XSS, shellcode, and polymorphic attack analysis. Webroot has had considerable experience and a strong track record in the area of Web-borne malware detection, which has been the company’s focus since its inception in 1997.

• Webroot operates three data centers — in the U.S., U.K. and Sydney, Australia — and uses Amazon infrastructure in the eastern U.S. and Dublin, Ireland. The service uses compression and HTTP translation to accelerate content from the data center to end users to minimize latency. HTTP traffic is redirected to these proxies via a local proxy or firewall settings, a client proxy setting or a client software agent. The mobile client is easy to use and configurable via the cloud-based centralized management console; it is not proxy auto-configuration (PAC) file-based, nor does it require an authentication server on premises.

• The Web management interface provides centralized management of Web and e-mail service, is user friendly and can be administered by nontechnical users. The unique graphical view of its URL-filtering policy is especially easy to understand. It provides a granular role-based administration rights capability,
and good role-based policy and policy audit logs. Log search capability is also very good. Log data includes the search term query string and has a link to the search results, which is a good feature to help understand user intent.

• Policy options include blocking certain files by type and size, and a soft block function that enables users to visit a blocked category for a length of time. Quota-based policies can be configured to limit the amount of bandwidth used in a specified time window. The URL filtering provides an anonymous proxy detection capability.

• The service includes search results (Google, Yahoo, MSN Live Search and Ask.com) decorated with security warnings and URL categorization icons.

Cautions

• Webroot has had initial success in the SMB market (fewer than 1,000 seats), but has failed to get the attention of the larger enterprise customers. It needs to improve its enterprise feature set and expand its global footprint and channel to break out of its SMB niche. Although Webroot has done a good job of catching up to the state of the art in the management console and feature set, it has not yet distinguished itself with any outstanding differentiated feature that would move it into the Visionaries quadrant.

• The dashboard is very basic and static, with little customization. There are no hyperlinks to drill down into the detail from dashboard elements. Reporting is basic, with limited advanced functions. There is no ability to create ad hoc reports, although administrators can change options on the 25 report templates to get different slices of data. Reports do not offer multiple chart types — only bar charts and tables. Outbound threats are in static reports, but not in real-time dashboard views, and threat information is restricted to threat types. There are no links to malware encyclopedia information or severity indicators. There is no user-readable policy summary for auditing or troubleshooting. Limited customization capability makes it difficult to create regional block pages for global companies.

• Application control is limited to blocking URLs of registration servers, and the solution offers no DLP capability.

• Like other SWG SecaaS providers, inbound and outbound malware detection is limited to HTTP traffic types that are redirected to the service.

Websense

Websense has a long history in the Web filtering market, and the company dominates the market for URL-filtering software. The acquisition of SurfControl in 2007 added a SecaaS offering now called Websense Hosted Web Security Gateway (HWSG). Websense’s first proxy-based multifunction SWG solution, Websense Web Security Gateway (WSG) — released just prior to last year’s Magic Quadrant — is gaining traction now that it has been released in an appliance form factor. Websense’s dedicated focus on the SWG market, its market share, the breadth and depth of its initial offerings and the success of its proxy-based SWG platform moved it into the Leader quadrant this year. Given the breadth of its product family, Websense is a good shortlist inclusion for any size company.

Strengths

• Websense’s URL-filtering solution has a solid North American and EMEA presence in companies of all sizes, and a strong distribution channel that enables it to target large enterprises and SMBs. The introduction of its proxy-based SWG solution gives Websense the ability to up-sell its installed base from the URL-filtering solution to the broader SWG capability, and gain more account ownership and loyalty in the process. The company is primarily focused on the Web gateway market, and has extensive experience and resources dedicated to detecting Web-borne malware. With the exception of the third-party signatures, Websense owns all the core technology in its products. It is well-positioned to execute on its road map to offer hybrid (customer premises-based and SecaaS-based) SWG solutions that can be managed by a unified policy console.

• Websense’s management console is one of the best in the market and is consistent across all its offerings (except the SecaaS solution). Navigation is task-based, and policy creation is intuitive and easy to use. There is a useful customizable toolbox element that enables common tasks to be consolidated into a single menu. The dashboard includes hyperlink drill-downs into more-detailed reporting data. Policy can be developed in a single pane, with extensive parameters and a logical workflow. URL policy parameters are broad, and include options such as bandwidth, time restrictions and quotas. Optional category-based SSL traffic decryption is included to filter encrypted Web traffic.

• In addition to third-party malware signatures and the Websense database of infected URLs, the WSG provides very extensive on-box, real-time malware content analysis to detect suspicious code fragments and other signs of infection.

• Application control includes more than 125 applications, such as IM and chat, streaming media, P2P file sharing, e-mail and collaboration based on network signatures. Websense’s Network Agent provides an out-of-band network analyzer that enables the combined solution to monitor all traffic (not just traffic destined for the proxy) for malware, application and DLP violations, and provides overall traffic analysis capabilities.

• The acquisition of PortAuthority in 2007 provided Websense with strong DLP technology, which is now offered as an additional module that enables granular content-aware policy and reporting. Data detection techniques are complete, and the product includes several predefined dictionaries and policies.

• Websense is one of the few vendors that can offer software, appliances, client software and SecaaS. Websense software solutions can run on Windows, Linux and Solaris, as well as on numerous third-party network hardware platforms (firewalls and proxies). In addition, Websense has partnered with Crossbeam, Celestix Networks, Resilience and HP for preinstalled solutions.
Cautions

• Despite significant technology investments, Websense still needs to prove that it can make the transition from a relatively uncontested software-based URL-filtering vendor to a multiplatform SWG vendor in a much more hotly contested market against significantly more strategic competitors. While Websense has a significant installed base, up-selling clients to the WSG platform or service creates opportunities for the competition to get a foot in the door.

• The WSG appliance and software is still not widely deployed, and early feedback regarding service and support from v10000 customers has been mixed. It needs to add various sizes of appliances to appeal to the SMB market. Some aspects of Websense’s reporting need improving. Specifically, outbound malware reporting is lacking in actionable detail, and scheduled reports lack more-visual graphs.

• Websense needs to add more data centers to improve the geographic coverage of its SecaaS service, particularly in the Middle East and Asia/Pacific. Websense is busy overlaying the same management interface as the appliance and software to the SecaaS service, which will allow customers to move seamlessly from appliances to services or use a hybrid approach. However, the service dashboard would benefit from more performance metrics and service-level commitments.

• Websense is more expensive than its counterparts; however, it generally matches competitive prices in large, contested deals.

Zscaler

Zscaler is a new SecaaS vendor in the SWG market in 2009. The company invested significant resources in a unique multitenancy architecture that disconnects policy administration, reporting and enforcement, enabling each element to scale independently. It is now investing in rapid feature development, global rollout of enforcement nodes and sales presence, resulting in impressive growth in numerous global markets among small and very large enterprise clients. Zscaler is a very strong choice for any organization interested in a SecaaS SWG solution.

Strengths

• The management interface (Flash-based) is easy to use, even for nontechnical administrators. All reports are dashboards and are based on live data and allow hyperlinked drill-down into detailed log data. Zscaler’s Nanolog technology reduces log size by a factor of 50, enabling very fast reports and longer retention of detailed data. The dashboard has a unique “compared to industry peers” report, which shows relative data compared to averages for Zscaler customers. Zscaler provides latency statistics for each stage of a round trip Web request, enabling fast troubleshooting as well as SLA-compliance monitoring.

• The policy manager is very easy to use and logical. All policy is user-based and follows roaming users, allowing immediate service at the nearest enforcement node.

• Zscaler has several methods for redirecting clients that are very simple to set up. It is the only vendor to offer redirection with authentication without a software client on mobile devices. It also supports standards-based Generic Routing Encapsulation (GRE) tunnels, and can host customer PAC files.

• Zscaler offers two levels of security protection. In addition to using several signature and blacklist-based filters, Zscaler has numerous advanced security checks including page analysis, URL reputation, and script analysis. Zscaler provides reporting and policy options to enable organizations to block unsupported or vulnerable browsers or browser versions.

• Application control includes numerous named applications that can be blocked using a combination of destination URL and some network signature analysis. Companies under pressure to liberalize productivity filters will appreciate the option to allow Web 2.0/social networking page view while blocking posting to these sites, as well as optional DLP, which is adequate for most organizations’ corporate or government-compliance needs. Zscaler offers granular, policy-based control of Web-based applications, such as IM, blogs, streaming and Web mail, including QoS bandwidth control.

• Zscaler’s unique architecture and highly scalable purpose-built enforcement nodes enable fast global deployments. Its SecaaS offering already has the largest global footprint of data centers (among all SecaaS SWG vendors in this Magic Quadrant) and continues to expand. It also allows for “private node” and “private cloud” deployments for very large organizations, service providers, or organizations in unique geographies.

Cautions

• Although Zscaler has had early market success competing against other SecaaS startups, the market will be different in 2010 with the Cisco/ScanSafe and Barracuda/Purewire deals. Now, it is competing against more-mature organizations with better-established sales and support organizations. For the most part, these competitors are able to offer a broader portfolio of solutions, as well as multiple delivery form factors and hybrid offerings.

• While most of Zscaler’s customers in 2009 were from the SMB market, it also won several large deals that were greater than 100,000 seats. Zscaler needs to prove its ability to successfully deploy and support these large enterprise customers.
• Zscaler does not offer e-mail security or other services for companies looking to consolidate SecaaS vendors (e-mail spam and virus filtering is scheduled for 1Q10).

• Although its enforcement nodes are widely geographically dispersed, the reporting and policy data reside only in the U.S. and England so far. The company has plans to add reporting and policy servers to its Asia/Pacific data centers in the future.

• The management interface is missing full customization of dashboard elements. Report information about threats could be improved. Outbound threat reports do not include any severity indicator or link to detailed information about threats, and there is no consolidated threat report with drill-down data. In particular, a consolidated and prioritized report on outbound traffic indicating action items for PC operations would be useful (i.e., combination of application and security traffic types).

• There are no native FTP application controls, but it does support stand-alone FTP clients as well as FTP over HTTP.

• Clientless redirection methods for laptops are lightweight and easy to use, but not tamperproof. Like other SecaaS offerings, application control and outbound threats that do not use port 80 and 443 (HTTP, HTTP/S) can evade detection unless all traffic is redirected to Zscaler.

Vendors Added or Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.

Acronym Key and Glossary Terms

ARM advanced reporting module
CSG content security gateway
CSV comma-separated values
DLP data leak prevention
EMEA Europe, the Middle East and Africa
ePO epolicy orchestrator
GLBA Gramm-Leach-Bliley Act
GRE Generic Routing Encapsulation
GUI graphical user interface
HTTP/S HTTP over SSL
ICAP Internet Content Adaptation Protocol
IM instant messaging
IP Internet protocol
IWSS Interscan Web Security Suite
MMC Microsoft management console
OS operating system
PAC proxy auto-configuration
P2P peer-to-peer
PCI Payment Card Industry
SecaaS Security software as a service
SMB small or midsize business
SSL Secure Sockets Layer
SOX Sarbanes-Oxley Act
SQL Structured Query Language
SWG secure Web gateway
TCO total cost of ownership
USG unified security gateway
UTM unified threat management
VoIP voice over IP
WCCP Web Cache Communication Protocol
Evaluation Criteria Definitions
Ability to Execute
Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current
product/service capabilities, quality, feature sets and skills, whether offered natively or through OEM agreements/partnerships as
defined in the market definition and detailed in the subcriteria.

Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization’s
financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will
continue investing in the product, will continue offering the product and will advance the state of the art within the organization’s
portfolio of products.

Sales Execution/Pricing: The vendor’s capabilities in all presales activities and the structure that supports them. This includes
deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.

Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success
as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the
vendor’s history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message to
influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification
with the product/brand and organization in the minds of buyers. This “mind share” can be driven by a combination of publicity,
promotional initiatives, thought leadership, word-of-mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products
evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include
ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational
structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively
and efficiently on an ongoing basis.

Completeness of Vision
Market Understanding: Ability of the vendor to understand buyers’ wants and needs and to translate those into products and
services. Vendors that show the highest degree of vision listen to and understand buyers’ wants and needs, and can shape or
enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and
externalized through the Web site, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service
and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services, and the
customer base.

Offering (Product) Strategy: The vendor’s approach to product development and delivery that emphasizes differentiation,
functionality, methodology and feature sets as they map to current and future requirements.

Business Model: The soundness and logic of the vendor’s underlying business proposition.

Vertical/Industry Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of individual
market segments, including vertical markets.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation,
defensive or pre-emptive purposes.

Geographic Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies
outside the “home” or native geography, either directly or through partners, channels and subsidiaries as appropriate for that
geography and market.
