URL filtering has long been an IT security staple, but that market is barely recognizable now, having given way to Web gateway security, a new generation of tools and services focusing on antimalware, near real-time evaluation of site content and application controls. Web gateway security products filter inbound and outbound Internet traffic, with the aim of preventing users from unknowingly downloading malware and detecting malicious outbound traffic.
URL filtering is still an important component of Web gateway security products. But these products typically relied on periodically updated databases that fit known sites into a variety of categories. These databases could contain millions of URLs, but were largely static. Now effective URL filtering is dynamic, because vendors use reputation and other screening techniques to size up new sites.
Application control, the third standard component of Web security gateways, in addition to antimalware and URL filtering, allows customers to either ban services such as instant messaging, P2P apps and Skype, or use policy to limit who uses them and when.
Malware threat moves to the Web
Some customers may believe that the combination of firewalls, email antivirus and desktop antimalware is protecting their networks and users, but these tools are simply not enough.
The threat has moved from embedded email viruses to malicious and compromised websites, where malware is loaded onto users' PCs or users are tricked into giving up passwords or IDs.
Social networking sites such as Facebook, MySpace or Twitter have arguably become the greatest Web security headache and a primary driver for buying Web gateway security products and services. Solution providers are no longer just evaluating websites, but also user-generated content on those sites.
"With proliferation of Web 2.0 technology, you absolutely need these kinds of tools because the model has changed," said Forrester Research Inc. senior analyst John Kindervag.
And while the Marine Corps has banned social networking sites, and security managers at many companies would probably like to as well, they are a fact of life. The demand is coming not just from employees, but from management executives who see the possibilities for business use and don't want to be left behind as competitors leverage social networking for commerce.
Sell Web security as service or product
Web gateway security can be sold as an appliance, software, cloud services or a combination. For example, a large distributed enterprise might opt for appliances at corporate headquarters and a Software as a Service (SaaS) approach for branch offices.
Typically, the same vendor offers both email and Web security products and/or services, giving VARs a foot in the door with customers and prospects that need email security and recognize the need for Web security.
The two technologies tend to complement each other since they both scan and filter Internet traffic, and can leverage many of the same techniques, such as reputation-based filtering.
"You're pulling data characteristics from both sides. It's almost like calculating a credit score," said Chris Ireland, manager of corporate information systems at Orlando, Fla.-based Coleman Technologies Inc., a Cisco IronPort Systems Inc. partner.
Both email security and Web security gateway products provide opportunities for managed services through remote management consoles. Web security, in particular, often requires professional services in larger deployments because of the complexity involved in tuning policies and integrating directories across multiple domains.
VARs can add Web security from the same company the customer is already using for email security. The customer benefits from common management consoles or service portals, and can, in some cases, run both email and Web security on the same appliance.
The trick is selling customers on the need to add the Web gateway, based on the shift from email to Web-borne malware. Today, though, companies are much more attuned to the nature of the threat.
"We don't have a huge education challenge," said Bob Hansmann, senior manager of product marketing for Blue Coat Systems' secure Web gateway line. "Customers are aware of the limits of how much AV scanners and patching can do. Our partners don't have quite the uphill battle of two years ago."
Cloud-based Web security is a particularly attractive selling opportunity in the SMB market where customers need rapid, high-volume deployments that can be supported through remote management consoles.
But the SaaS model also translates well to enterprises because the technology scales so nicely -- why deploy a couple of hundred appliances when all the traffic is going back and forth in the cloud anyway?
From a channel perspective, proof of concept is easier and the sales cycle is shorter. VARs no longer have to deal with the time and cost of installation, configuration and network integration to run a demonstration test. Companies that are hamstrung by reduced capital budgets will likely be amenable to services, which come out of operating expenses.
True, margins on product sales and some support services opportunities are lower, but VARs can still do as well or, in some cases, better with SaaS offerings.
"There may be lower revenue, but higher profit," Kindervag said. "Margins will be higher because it is a service."
Web security gateway market consolidation
This market has been consolidating fairly rapidly, so resellers and integrators have fewer vendors to choose from, but, on the plus side, those vendors offer a more comprehensive portfolio of products and services. Most vendors offer both email and Web security, either on their own or through OEM deals.
"Our solution providers -- MSPs, VARs -- have been asking for Web security for a long time," said Scott Barlow, vice president of sales and marketing for Reflexion Networks Inc., a hosted email service provider. Reflexion resells Purewire Inc.'s Web Security Service in an OEM partnership.
There are few remaining independent product vendors: Symantec Corp. acquired Mi5 Inc.; Websense Inc. acquired SurfControl plc.; McAfee Inc. bought Secure Computing Corp.; 8e6 Technologies merged with Marshal Inc.
On the SaaS side, Scansafe Services LLC has been around for several years, and newcomers Purewire and Zscaler Inc. both came into the market a year ago. However, the major remaining combined email/Web security SaaS vendors, MessageLabs Inc. and MxLogic Inc., have been acquired by Symantec and McAfee respectively.
But as the number of vendors shrinks, the market should grow.
"There's a lot of opportunity for growth in this market because there is a lot of growth in Web 2.0," Kindervag said. "The ubiquity of Web 2.0 means companies will need more security around it."