The Web security market got two new players today, Zscaler Inc. and Purewire Inc., both Software as a Service (SaaS)-based alternatives to appliances offered by most competitors. And, they have a common pedigree.
Jay Chaudhry, founder of email security company CipherTrust Inc. (acquired by Secure Computing in 2006), heads up Zscaler Inc., while three former CipherTrust executives -- chairman/CEO Steve Raber, president/COO Michael Van Bruinisse and CTO Paul Judge -- announced PureView Inc.
URL filtering has been a fixture at many enterprises for years, but the focus has not been on security, it has been on user productivity and HR policies -- users cruising Amazon.com, eBay, ESPN.com, or far worse, porn or gambling sites on company time and computers.
"URL filtering is still the primary use case," said John Kindervag, senior analyst at Forrester Research Inc. "You take something everyone has to do anyway and make it easier to do with less overhead."
That's changing, though, as Web-borne malware rivals surpass email as an attack vector. Criminals use phishing and other ploys to lure users to websites that download Trojans and other nasty stuff. The problem is exacerbated as legitimate websites are often compromised, and traditional signature-based antimalware doesn't detect script-based attacks.
Web 2.0 introduced a whole new vector. With users uploading and downloading so much content, who and what do you trust?
URL filtering companies attempted to address the problem by blacklisting known bad sites, but with millions of websites, they were spitting into the wind. Since enterprises want more granular control over where employees Web surf, they are looking beyond desktop security to contain malware.
"We were looking for something that will offer protection from viruses, Trojans and worms for users," said John Penrod, CISO for The Weather Channel Inc. and an early Zscaler adopter. "That is definitely on the forefront for us. We have a number of point devices (desktop antimalware, firewalls, inline IPS, etc.,) that do portions of this, but up until today, we really haven't had an overall holistic view on protecting from phishing, viruses and things of that nature."
For the most part, the nascent Web security gateway market has been owned by appliance vendors such as URL filtering leader Websense Inc., traditional antivirus vendors McAfee Inc., Trend Micro Inc. and Sophos Inc., and email security vendors Secure Computing Corp. (CipherTrust) and Cisco Systems Inc. (via its acquisition of CipherTrust rival IronPort).
But, as in other security arenas, service providers have been quick to offer an alternative to buying, deploying and maintaining multiple appliances. These include Scansafe Inc., which OEMs for companies like Google Inc. (Postini), AT&T Inc. and MessageLabs Inc. Appliance vendors like Secure Computing offer services as well.
"[SaaS] alleviates a lot of the problems of buying equipment, dealing with capital budgets, and dealing with the hassles of managing and maintaining equipment," said Forrester's Kindervag. "I think this is the kind of thing people are generally wiling to outsource, because although it's mission critical, it's Web surfing. The Web is important, but doesn't contain the kind of data they would be afraid to outsource."
"How can users have a rich Internet experience, [and be] protected in any place, on any device, with the same policy in force?" asked Zscaler's Chaudhry. "The only way is through multi-tenant global infrastructure in a SaaS solution."
"For the cost of renewing your URL filtering subscription, the service does that, [it also] does URL reputation, object security and people reputation," said Purewire's Judge. "All in the cloud, without putting a strain on your network."
Zscaler and Purewire offer URL filtering, HTTP traffic scanning, user Web access control and application control. In addition, Zscaler has developed its own data loss prevention technology for Web channels -- webmail, IM and file uploads.
"We're not trying to be a Vontu or a Vericept," said Chaudhry, "but we have 80% of the functionality for 20% of the cost."
Both services redirect outbound network traffic through simple configuration changes in firewalls or proxies. Both work with Active Directory to establish group policies, although Purewire requires an appliance on-site for that option, while Zscaler leverages proxy auto-configuration (PAC) files. Further remote Purewire users who are not logged onto the corporate network need client software to redirect their Web traffic. Zscaler simple uses a cookie that persists for 24 hours since the user was last on the network. After that, the user has to log into the service.
Zscaler has built an extensive infrastructure throughout the U.S., Europe and Asia to support a high performance global service, with five central authority centers for policy definition, and a number of processing gateways for executing policy and detecting threats in some 25 cities.
Chaudhry has a strong track record for successful startups, with wireless intrusion prevention leader AirDefense Inc. (which is being acquired by Motorola), as well as Air2Web Inc., CoreHarbor Inc. and SecureIT Inc.
"He has had a great track record of anticipating the market," said Kindervag.