October 2012 reports by IDC. Source : http://goo.gl/DBr7r

1. I D C A N A L Y S T C O N N E C T I O N
Phil Hochmuth
Program Manager, Security Products
Considering a Move to Cloud -Based Web
Security? Answ ers to Your Top Questions
October 2012
With the rise of cloud applications and an increasingly mobile workforce, Web security that can be
delivered as a service across a global network is becoming critical in order to protect users and
ensure that policies for social media and other traffic can be enforced consistently anywhere at any
time. Along with protecting employees who are using company-owned mobile devices, enterprises
must efficiently secure an increasing number of mobile workers who are using unmanaged devices
(bring your own device, or BYOD). Cloud-based Web solutions can secure mobile users without
requiring VPN backhaul to an onsite gateway or security agents installed on clients. The worldwide
Web security market reached $1.9 billion in 2011, growing 12.1% over 2010, and IDC predicts that
the market will grow to $3.2 billion in 2016, representing an 11.2% compound annual growth rate
(CAGR) from 2011 to 2016. Web security SaaS will be the fastest-growing segment of the Web
security market. Web security SaaS will grow from $250.4 million in 2011 to $695.2 million in 2016,
representing a 22.7% CAGR. Pressure on enterprise IT security teams to secure and control
corporate data in an increasingly unmanaged endpoint environment is driving much of this market
growth; more than a third of enterprises cite data loss as their top security concern, according to
IDC's 2011 Security Survey; meanwhile, nearly two-thirds of enterprises are challenged by end users
who do not follow corporate security policies.
The following questions were posed by Blue Coat to Phil Hochmuth, program manager for IDC's
Security Products service, on behalf of Blue Coat's customers.
Q. What are the top business or security challenges and requirements driving Web
security SaaS adoption?
A. One initial challenge is the general extension of the security perimeter. For most enterprises,
the corporate boundary between the external Internet and internal networks and LANs has
essentially dissolved as more employees are using mobile devices outside the office. This is
a result of more people working from home as well as corporations extending to more branch
and remote offices globally. It is more difficult to maintain the traditional network perimeter in
these scenarios. Having a "hard wall" around employees has always been the main defense
and control point for enterprise security. Mobile devices stretch the control zone that
enterprises traditionally had over endpoints, often making these controls less effective or
inefficient to implement.
Another challenge is the explosion of social networking use. Social networking can be both a
time-wasting tool and a productivity-enhancing tool for enterprises, depending on how it's
used and who is using it. For example, many enterprises have official Twitter and Facebook
accounts, and certain employees are required to access them and keep them up to date. The
new reality in many enterprises is that employees increasingly need real-time access to
IDC 1385

2. social networks, both inside corporate perimeters and during off hours or from remote
locations, and the need to ensure that corporate policies for these applications "follow the
user" is becoming acute.
Cloud-based security solutions can provide a more overarching and ubiquitous type of
security service, and mobility and social network usage are two very good reasons that
enterprises are looking at these kinds of solutions. A cloud-based solution can deliver
consistent, universal security policies for users wherever they are located — inside the office,
at home, or in a hotel room — at any time.
Q. What are the top features that enterprises look for in cloud-based Web security?
A. Scalability is key — the ability to handle lots of traffic with low latency as well as enable
universal delivery. Enterprises need services that are always available and that provide the
same user experience no matter where a user is located. This requires a Web security
vendor to have a global presence in terms of datacenters for regional support as well as
things like redundant hardware, tier 1 connectivity, and strong SLAs for each location.
Another important feature is the ability to enforce policy controls over social media
applications across all platforms: desktops, laptops, mobile browsers, etc. This is something
that advanced Web security solutions are moving toward. Also, as with an on-premise Web
security solution, a cloud-based solution must have strong bidirectional threat detection
capabilities, including the ability to see incoming threats (i.e., viruses or malware) as well as
outgoing threats (i.e., Botnet commands) and control traffic or sensitive data that might be
leaving the organization through a Web channel.
Inbound-only detection falls short of identifying data streams that could be threats. Often, this
outbound data can be more damaging to an organization than in-bound threats; it could
involve a compromised corporate PC sending attack traffic to another site or individual (under
the control of cybercriminals) or an employee or an outsider intentionally sending out (or
extracting) valuable data via the Web. As a result, having bidirectional traffic inspection
capability is critical.
Q. What is hybrid Web security, and what are the most important criteria enterprises
should look for when deploying this security architecture?
A. Hybrid Web security is a combination of on-premise Web security appliances (or virtual
appliances) and a cloud-based Web security service. The idea is that these complementary
technologies can protect corporate users and data regardless of device or location.
Generally, the two platforms are used in concert, where cloud services protect mobile/remote
workers and on-premise appliances/software protect in-office employees. The approach can
provide broader security controls and more flexibility in terms of handling some of the
challenges related to mobility and social networking.
One important criterion of hybrid is the ability to create policies in a single place, a "universal
policy," which an organization can deploy and enforce on both platforms. For example, an
end user who accesses a social networking site on a corporate laptop, whether at the office,
at home, or in a hotel on a business trip, would still be controlled by policies in a hybrid Web
security scenario: When the employee is outside the perimeter, the laptop is secured by the
cloud service; when the employee is on-premise, the laptop is secured by the gateway or
virtual appliance.
However, the true value of hybrid is not to simply apply the same policy everywhere. The
ability to have policies that automatically adapt — based on the context of the end user's
connection, location, and device — is another important aspect to consider. In the traveling
2 ©2012 IDC

3. employee scenario, when the employee moves from inside the office to a less secure
environment, such as a hotel, the security controls might actually be adjusted. The policy
might tighten the level of access of the employee or limit things that the employee can do
when connecting from an unsecure location versus the corporate LAN. Having policies that
not only can be enforced on both cloud and on-premise platforms but also can factor in the
context of the connection and end-user activity is a differentiating capability.
Unified reporting is also an important aspect of hybrid Web security. The ability to understand
all corporate user activities in a single unified format, both when users are in the office and
when they are traveling and using laptops or tablets, is an increasingly critical feature for
Web security deployments that integrate on-premise and cloud-based Web security
solutions.
Q. How is the BYOD phenomenon affecting enterprise Web security, and how are IT
security professionals reacting to it?
A. While enterprises are just starting to understand how to secure company-issued mobile
devices, BYOD adds an additional level of complexity. More than 40% of enterprises in IDC's
2011 Security Survey said that the introduction of unmanaged mobile devices into their
environments would be a top security challenge over the next year. However, enterprises are
worried about more than just the devices; they are also concerned about what employees will
be doing on these gadgets. Nearly 50% of enterprises cited increased sophistication of
attacks (such as targeted attacks) as a top challenge, while nearly 60% of enterprises said
they are worried most about employees underestimating the importance of following
corporate security policies.
Enterprises know they need to secure the use of devices that they do not own or control
while considering the dual scenarios of business use and personal use of these devices.
There is less control over these devices in general versus a traditional laptop or even a tablet
that might have been issued by the corporation to the end users. With BYOD, enterprises are
not able to put agents on clients, whether for antivirus, bandwidth management, Web
security, or site monitoring tools. Organizations just don't have the access to the machines.
In response, many organizations are looking at cloud-based Web security to control this
situation. They see cloud as a solution to address the BYOD problem. Whether the device is
on-premise or offsite, it can still connect to the cloud service, which will provide a level of
security that follows the device wherever it goes. Additionally, certain advanced cloud/SaaS
services can provide universal policy protection regardless of the type of network the device
is attached to — on-premise LAN, unmanaged WiFi, or the employee's personal 3G/4G
connection.
Q. Can you talk about best practices for securing personal mobile devices?
A. The first step many enterprises take in controlling BYOD environments is setting expectations
as to what types of applications and tools will be made available to these devices. Not every
internal corporate application can be feasibly delivered to all types of personal devices. A
trade-off scenario between the end user and IT must be established; personal devices are
fine to use, but certain restrictions or policies will be enforced.
The same acceptable use policies for Web access and data access should be expected on
personal mobile devices, especially when workers use these devices on corporate WiFi
networks. Some enterprises have had success setting up tiered levels of service for BYOD,
depending on the level of corporate control that is given to these devices. For instance, for
completely unmanaged devices, control policies might mirror the type of access that is given
to guests or visiting contractors — limited Internet access or even a captive portal for tracking
©2012 IDC 3

4. and auditing. Some enterprises are also deploying "containerization" strategies for corporate
application and data access; this can involve providing access to virtual desktops on personal
devices (such as noncorporate PCs or tablets) or deploying mobile device management
(MDM) technologies that can provide "sealed off" access to corporate data and applications
on personal smartphones, without allowing data to be downloaded or saved to the device.
Even with these types of access controls and security infrastructure in place, gaps in security
and control can occur. Enterprises can tightly control what resources personal devices can
access on the corporate network. However, there is a blind spot in terms of what other types
of applications and tools are running on personal devices. Applications in particular are an
issue because end users may be using their own applications on personal mobile devices
that are attached to a corporate WiFi network. These applications, downloaded by end users
to their own personal devices, could be used to transmit or share sensitive files of information
or violate corporate acceptable use policies.
In addition, this traffic can fly under the radar of tiered access control infrastructures. A cloud-
based Web security service can provide additional features to fill in this security "app gap"; a
cloud-based Web security service — separate from on-LAN infrastructure controls — can
block such applications from using the corporate network. In scenarios where BYOD
endpoints can be configured to proxy through a cloud service, this type of protection follows
the BYOD end user beyond the corporate network to other WiFi or cellular connections.
A B O U T T H I S A N A L Y S T
Phil Hochmuth is the program manager of IDC's Security Products service. In this role, he conducts primary research and
provides insight and analysis on a range of enterprise security markets, including data loss prevention (DLP), information
protection and control (IPC), messaging security, and Web security. His research also examines the convergence of these,
and other, security technologies as enterprises address new and evolving data security challenges.
A B O U T T H I S P U B L I C A T I O N
This publication was produced by IDC Go-to-Market Services. The opinion, analysis, and research results presented herein
are drawn from more detailed research and analysis independently conducted and published by IDC, unless specific vendor
sponsorship is noted. IDC Go-to-Market Services makes IDC content available in a wide range of formats for distribution by
various companies. A license to distribute IDC content does not imply endorsement of or opinion about the licensee.
C O P Y R I G H T A N D R E S T R I C T I O N S
Any IDC information or reference to IDC that is to be used in advertising, press releases, or promotional materials requires
prior written approval from IDC. For permission requests, contact the GMS information line at 508-988-7610 or gms@idc.com.
Translation and/or localization of this document requires an additional license from IDC.
For more information on IDC, visit www.idc.com. For more information on IDC GMS, visit www.idc.com/gms.
Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com
4 ©2012 IDC