Research
Publication Date: 17 March 2009    ID Number: G00165350

Cool Vendors in Software-as-a-Service Security, 2009

Ray Wagner, Peter Firstbrook, Arabella Hallawell, John Girard, John Pescatore, Kelly M. Kavanagh, Neil MacDonald

Software-as-a-service (SaaS) offerings are emerging as important security tools, especially for cost-sensitive and highly distributed business and computing environments. Security decision makers need to be aware of the potential benefits and problems presented by this approach.

Key Findings

• The demand for flexible, responsive, cost-effective security solutions is driving intense Gartner client interest in security-as-a-service offerings.
• Security-as-a-service offerings are often most attractive to small and midsize businesses (SMBs) attempting to reduce costs, and to enterprises with large notebook-computer and small office/home office (SOHO) populations.
• These service offerings can be viable alternatives for many security needs, but they also have their own issues, including concerns about intellectual property rights.

Recommendations

• Consider innovative new SaaS offerings, including Gartner cool vendors, when looking for flexible, cost-effective answers to security problems.
• Do not base product or service implementation decisions entirely on technological innovation, but also on real-world workability and vendor capability.

© 2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.
TABLE OF CONTENTS

Analysis
  1.0 What You Need to Know
  2.0 AnchorFree
  3.0 Cemaphore Systems
  4.0 Purewire
  5.0 WhiteHat Security
  6.0 Zscaler
Recommended Reading
ANALYSIS

This research does not constitute an exhaustive list of vendors in any given technology area, but rather is designed to highlight interesting, new and innovative vendors, products and services. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

1.0 What You Need to Know

Gartner client interest in SaaS security has intensified to the point that this year, for the first time, we are presenting a cool vendors document focusing on this discrete market segment. The cool vendors that Gartner's security analysts have chosen for 2009 represent the leading edge in technological innovation in this crucial area. These vendors may not offer solutions that are appropriate for every enterprise's needs, but chief information security officers (CISOs) and other key security decision makers should keep these vendors' offerings, and the changes in the business and threat environments they represent, on their "radar screens" in the coming year. For assessments of cool vendors in two other important security market segments, see "Cool Vendors in Infrastructure Protection, 2009" and "Cool Vendors in Identity and Access Management, 2009."

2.0 AnchorFree

Sunnyvale, California, USA
Analysis by John Girard

Why Cool: AnchorFree is the developer of Hotspot Shield, the first — and, to date, the only — free virtual private network (VPN) portal designed to provide privacy by encryption for anyone accessing the Internet from a public hot spot (for example, an unprotected wireless access point or a wired visitor network). Free Hypertext Transfer Protocol Secure (HTTPS)-based encryption of the traffic between the user and AnchorFree's portal means that Web traffic on the visitor network travels inside a personal VPN tunnel and cannot be read by anyone else on that network. The protection ends at the portal: AnchorFree terminates the tunnel and forwards the traffic to its destination, so traffic that is not itself HTTPS is visible to AnchorFree and to every network beyond it. Users reach the Internet via a dedicated portal address owned by AnchorFree, so Hotspot Shield also acts as a basic proxy shield: the user's real IP address is hidden behind the portal's. Growing user privacy concerns can drive interest in services that combine encryption, anonymization and proxies to increase "public privacy." AnchorFree's offering is attractive because the company has an established track record and is presently the only provider offering this type of VPN. Many anonymizing proxy projects are available, but AnchorFree is the only provider known to be offering serious privacy protections, and some of the other projects may attract illicit activity as well as legitimate users seeking privacy. The AnchorFree user scenario is fundamentally consumer-oriented, but the Hotspot Shield offering can provide similar protections for businesses that are not running VPNs. AnchorFree has received considerable media attention and also has an experienced management team and significant venture-capital funding.

Challenges: AnchorFree relies on splash and banner advertising to subsidize the service, so users must opt in to solicitations in exchange for the access benefits of the personal VPN. In effect, they are trading one privacy issue for another. Free and unprotected hot-spot activity will certainly continue and increase, but if privacy-protecting services require users to opt in to surrendering information, then those users are likely to become wary. Moreover, owners and defenders of proprietary rights (for example, the Recording Industry Association of America (RIAA)) could become concerned enough about possible violations to take legal action.
Who Should Care: Enterprises that allow users to access corporate e-mail through applications that are not otherwise protected, such as Outlook Web Access (OWA) deployed without a Secure Sockets Layer (SSL) VPN, may see an opportunity to increase their defenses against local attacks. However, they should treat the "downstream" privacy implications of advertising-driven services with caution. Moreover, the opportunity to use any proxy service for unauthorized access to restricted materials on enterprise systems (for example, viewing a media site from outside the U.S. when that is prohibited) may raise liability concerns.

Recommended Reading
"Wi-Fi Security Best Practices for Traveling Employees"

3.0 Cemaphore Systems

San Mateo, California, and Provo, Utah, USA
Analysis by Neil MacDonald

Why Cool: Cemaphore Systems' core offering, MailShadow, has for some time been providing enterprises with a way to use lower-cost hosted e-mail services as a high-availability option for their on-premises e-mail solutions, essentially using hosted services as an inexpensive backup. Now, with enterprises increasingly seeking to migrate to hosted e-mail solutions, Cemaphore has added solutions to enable the seamless migration from on-premises to cloud-based e-mail. This offering includes a cipher-proxy service, which ciphers enterprise e-mail destined for hosted Microsoft Exchange or Gmail before it is stored at the mail provider's location. Ciphering the text, rather than encrypting it, replaces the contents of the e-mail message with nonsense strings using a lookup dictionary (for example, every occurrence of "partner" might be replaced with "aV%dcca" in e-mail, calendars and contact information). This approach offers two important benefits. The first is that it obfuscates the e-mail contents, addressing enterprise privacy concerns. This could also be accomplished via encryption, but encryption of the e-mail breaks the search capabilities of the e-mail hosters.
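To make the dictionary-substitution mechanism concrete, here is a toy model of it in Python. It is an added illustration, not Cemaphore's code: the Codebook, the stand-in hoster with its own inverted index, the client-side proxy and the three sample messages are all constructed for this example, and the token format (a "q" followed by eight random characters) is an assumption. It shows the three things the scheme relies on: the same word always maps to the same token, a search query is mapped through the same dictionary so that the hoster's index over ciphered text still answers it, and mail is deciphered before it is forwarded outside. A final helper shows the property a practitioner should weigh against that convenience: because the substitution is deterministic, token frequencies at the hoster mirror plaintext word frequencies.

```python
"""Toy model of search-preserving dictionary substitution for hosted e-mail.

Added illustration, not Cemaphore's code: the Codebook, the stand-in hoster and
the sample messages and queries below are constructed for this example.
"""
from __future__ import annotations

import re
import secrets
import string
from collections import Counter

WORD = re.compile(r"[A-Za-z0-9']+")
# Tokens use lowercase letters and digits only, so a hoster that case-folds its
# index cannot merge two distinct tokens into one.
TOKEN_ALPHABET = string.ascii_lowercase + string.digits


class Codebook:
    """Deterministic word -> opaque token dictionary (a lookup table, not encryption)."""

    def __init__(self, token_len: int = 8):
        self.token_len = token_len
        self.unknown = "q" + "0" * token_len  # never assigned: a query for it can match nothing
        self.forward: dict[str, str] = {}
        self.reverse: dict[str, str] = {}

    def token_for(self, word: str, grow: bool = True) -> str:
        key = word.lower()  # "Partner" and "partner" share a token, as a search would expect
        if key not in self.forward:
            if not grow:
                return self.unknown
            while True:  # assumed token format: "q" plus token_len random characters
                tok = "q" + "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(self.token_len))
                if tok not in self.reverse and tok != self.unknown:
                    break
            self.forward[key] = tok
            self.reverse[tok] = key
        return self.forward[key]

    def cipher(self, text: str, grow: bool = True) -> str:
        """Replace every word with its token; spacing and punctuation survive."""
        return WORD.sub(lambda m: self.token_for(m.group(0), grow), text)

    def decipher(self, text: str) -> str:
        """Map tokens back; unknown tokens are left alone and case is not restored."""
        return WORD.sub(lambda m: self.reverse.get(m.group(0), m.group(0)), text)


class HostedMailbox:
    """Stand-in for the hoster: stores what it receives and keeps a case-folded inverted index."""

    def __init__(self):
        self.messages: list[str] = []
        self.index: dict[str, set[int]] = {}

    def store(self, body: str) -> int:
        mid = len(self.messages)
        self.messages.append(body)
        for w in WORD.findall(body.lower()):
            self.index.setdefault(w, set()).add(mid)
        return mid

    def search(self, query: str) -> set[int]:
        hits = [self.index.get(w, set()) for w in WORD.findall(query.lower())]
        return set.intersection(*hits) if hits else set()


class CipherProxy:
    """The on-premises side: ciphers outbound mail, maps searches, deciphers inbound reads."""

    def __init__(self, codebook: Codebook, hoster: HostedMailbox):
        self.codebook, self.hoster = codebook, hoster

    def store(self, body: str) -> int:
        return self.hoster.store(self.codebook.cipher(body))

    def search(self, query: str) -> set[int]:
        # The query is mapped through the same dictionary, so the hoster's index over
        # substituted text still answers it. grow=False keeps unseen words out of the dictionary.
        return self.hoster.search(self.codebook.cipher(query, grow=False))

    def fetch(self, mid: int) -> str:
        return self.codebook.decipher(self.hoster.messages[mid])

    def forward_externally(self, mid: int) -> str:
        # Outside parties have no dictionary, so mail is deciphered before it is forwarded.
        return self.fetch(mid)


def token_frequencies(hoster: HostedMailbox) -> list[int]:
    """What the hoster learns without the dictionary: deterministic substitution keeps word
    equality and frequency, so the most common plaintext words are the most common tokens."""
    counts = Counter(WORD.findall(" ".join(hoster.messages).lower()))
    return sorted(counts.values(), reverse=True)


def demo() -> dict:
    """Round trip over a constructed three-message mailbox."""
    codebook, hoster = Codebook(), HostedMailbox()
    proxy = CipherProxy(codebook, hoster)
    proxy.store("Partner meeting moved to Friday. Bring the partner contract.")
    proxy.store("Lunch on Friday?")
    forwarded_id = proxy.store("Contract draft attached for the partner.")
    return {
        "hoster_sees": hoster.messages[0],
        "plaintext_at_hoster": "partner" in hoster.messages[0].lower(),
        "search_partner": proxy.search("partner"),
        "search_partner_friday": proxy.search("partner Friday"),
        "search_unknown": proxy.search("acquisition"),
        "dictionary_size": len(codebook.forward),
        "hoster_raw_search": hoster.search("partner"),
        "forwarded": proxy.forward_externally(forwarded_id),
        "token_frequencies": token_frequencies(hoster),
    }
```

The hoster in the model case-folds its index, which is why tokens are drawn only from lowercase letters and digits; a hosted index that stems or splits tokens would need a dictionary designed around that behaviour, which is one reason such an approach is tied to the specific hosters it supports. The frequency list returned by `token_frequencies` is the same whether or not the dictionary is known, which is the concrete form of the caveat above.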
Thus, the more important benefit of the ciphering algorithm is that the searching and indexing capabilities of Gmail and hosted Exchange still work: a search for "partner" is changed to "aV%dcca" before being queried against the index. Moreover, the index created by the hoster, like the e-mail itself, contains only the ciphered strings, so it exposes no plaintext. By providing a client-side agent and a server-based proxy, Cemaphore intercepts each search request to the hosted e-mail service and maps it through the cipher dictionary, so that searches of hosted e-mail work correctly. E-mail forwarded to outside parties is deciphered before forwarding. In addition to the cipher dictionary, a cipher key may optionally be encrypted and appended to each e-mail in case the dictionary is unavailable.

Challenges: Cemaphore's innovative use of ciphering for e-mail obfuscation while preserving search functionality is patented, but it is nonetheless likely to be copied and provided as a service by the e-mail hosters. Security professionals should also understand what the scheme does not do: because every occurrence of a word maps to the same token, the hoster still sees the frequency and co-occurrence of tokens and which token each search targets, so the approach obfuscates content but does not provide the confidentiality that encryption would. The technology should be extended to explicitly support text-based attachments (for example, PDFs), but this use has not yet been tested. (Cemaphore supports only hosted Exchange and Gmail.) The Cemaphore approach has appeal for the protection of any text-based content stored on any off-premises infrastructure, for example documents in hosted collaboration systems or hosted CRM solutions. However, such an expanded approach could distract Cemaphore from its core focus on e-mail availability and migrations.

Who Should Care: Cemaphore's primary value proposition lies with the use of low-cost hosted e-mail providers as a form of inexpensive backup and as a tool to migrate from on-premises Exchange-based e-mail solutions to cloud-based e-mail solutions from Microsoft or Google. The company's innovative use of ciphering will appeal to information security professionals concerned about the storage of potentially sensitive e-mail content off-premises. Moreover, the ciphering approach provides additional protection against the possibility of the e-mail service provider indexing the content of e-mails (for example, for display advertising purposes) and inadvertently exposing sensitive information in the process.

Recommended Reading
"Hype Cycle for Business Continuity Management, 2008"

4.0 Purewire

Atlanta, Georgia, USA
Analysis by Arabella Hallawell and John Pescatore

Why Cool: Purewire delivers Web security as a SaaS offering, a high-growth market segment. The SaaS model has particular appeal for cost-sensitive SMBs, and for enterprises with large numbers of notebook computers and SOHO/branch-office locations, because forcing traffic through a provider is a more attractive option than making multiple hardware investments and backhauling traffic. Gartner believes that Web security will see rapid growth in security-as-a-service delivery, just as happened in the e-mail security market. Purewire's management team was part of the team at e-mail security startup CipherTrust, which was acquired by Secure Computing. Purewire supplements traditional antivirus and URL filtering (using McAfee and Secure Computing technologies) by crawling Web sites and attempting to assign a "reputation" to Web sites and Web content. The company's Sandbox technology deals with Web-based malware that does not show up on blacklists, whitelists or reputation lists. Purewire offers multiple deployment models, including a local appliance to perform authentication and local caching, as well as client plug-ins and proxy auto-config file modifications. The company also offers support for several mobile devices.
Challenges: The long-term challenge for all security-as-a-service companies whose business involves high-volume, low-latency traffic inspection and processing is to demonstrate that they can grow their revenue fast enough to keep ahead of their costs. The availability of cloud-based computing resources helps this business equation, but companies that own their own cloud-based infrastructures, among them Akamai, AT&T, Google and Microsoft, will have pricing advantages. Gartner believes that business partnerships with business-SaaS vendors and with the business versions of consumer-grade services (such as Facebook and Twitter) will be important in the future. Purewire will need to carve out market share in an increasingly competitive market. The company's current and potential competitors include secure Web gateway vendors, such as MX Logic, Symantec, Webroot Software and Websense, which have already rolled out "as a service" offerings, as well as ScanSafe, which has signed reseller deals with Google/Postini and AT&T. Purewire will also need to differentiate itself from another startup, Zscaler, which has a similar offering and ready access to capital, and it must rapidly build out an international infrastructure. The current economic and funding environment will not support as many "look-alike" startups as in past years.

Who Should Care: Purewire's offerings will interest CISOs who want to augment their endpoint protection solutions to keep pace with the changing threatscape and deal with the increasing need to allow mobile employees to access SaaS directly over the Internet. Network engineers replacing outdated URL filtering solutions — and especially those working for companies that
have a high percentage of notebook computers or SOHO locations — should also evaluate Purewire.

Recommended Reading
"A Buyer's Guide to Secure Web Gateways"
"Magic Quadrant for Secure Web Gateway"
"Market for Secure Web Gateways Delivered as SaaS Heating Up"
"Why Malware Filtering Is Necessary in the Web Gateway"

5.0 WhiteHat Security

Santa Clara, California, USA
Analysis by Kelly Kavanagh

Why Cool: Gartner selected WhiteHat Security as a cool vendor because it has integrated its SaaS Web security testing functionality with shielding capabilities. In April 2008, WhiteHat released a version of its Sentinel application security testing service that is integrated with Web application firewalls (WAFs). This enables the Sentinel service to discover security vulnerabilities in Web applications, generate WAF blocking rules specific to the vulnerabilities found, and have those rules invoked by WAFs from F5 and Breach Security. This capability improves WAF accuracy through vulnerability-specific blocking, and it is also marketed as providing complete compliance with Payment Card Industry Data Security Standard (PCI DSS) Requirement 6.6. The ability to shield specific vulnerabilities via the WAF can reduce the cost of PCI compliance, because fixes to application code can be performed on existing maintenance schedules, with the production application shielded from attempted exploits in the meantime. The Sentinel service, originally introduced in 2003, is delivered as a tiered SaaS offering. Its subscription-based delivery provides several of the benefits of security as a service, including procurement through operating budgets (rather than capital expenditure), rapid implementation, frequent automatic functionality updates and low switching costs. Sentinel management functions and reports are available to clients via a Web interface.
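The scan-to-WAF-rule loop described above, as an added Python example; it is not WhiteHat's, F5's or Breach Security's code or rule format, and the findings, rule shapes and request lines are constructed for the illustration. It turns each confirmed finding into a rule scoped to the one endpoint and parameter that is vulnerable (a positive allow-list where the scanner learned the parameter's legitimate type, a class signature otherwise), evaluates sample requests against those rules, and runs the same requests through a site-wide signature check to show where vulnerability-specific blocking avoids false positives.

```python
"""Vulnerability-specific WAF rules generated from scanner findings ("virtual patching").

Added illustration of the workflow the report describes; it is not WhiteHat's, F5's or
Breach Security's code or rule format. The findings, rules and requests are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Class signatures: the blunt instrument a generic WAF applies everywhere.
ATTACK_PATTERNS = {
    "sqli": re.compile(r"(?i)('|--|;|/\*|\bunion\b|\bselect\b|\bor\b\s+\d+\s*=\s*\d+)"),
    "xss": re.compile(r"(?i)(<\s*script|javascript:|\bon\w+\s*=|<\s*img|<\s*svg)"),
}


@dataclass(frozen=True)
class Finding:
    """One confirmed scanner finding: where it is, which parameter, which class, and what the
    parameter legitimately carries ("int" or "text") as determined during testing."""
    path: str
    param: str
    vuln_class: str
    expected: str


@dataclass(frozen=True)
class Rule:
    path: str
    param: str
    allow: Optional[re.Pattern]  # positive constraint derived from the finding, if one exists
    deny: Optional[re.Pattern]   # class signature, used only where no positive constraint exists
    reason: str


def rule_from_finding(f: Finding) -> Rule:
    """Turn a finding into a rule scoped to exactly the endpoint and parameter that is vulnerable."""
    if f.expected == "int":
        # The scanner established that the parameter is numeric, so a tight allow-list beats any signature.
        return Rule(f.path, f.param, re.compile(r"\d{1,10}"), None,
                    f"{f.vuln_class} on {f.path}: {f.param} must be an integer")
    return Rule(f.path, f.param, None, ATTACK_PATTERNS[f.vuln_class],
                f"{f.vuln_class} signature on {f.path} parameter {f.param}")


def _params(request_line: str) -> tuple[str, dict[str, list[str]]]:
    """Parse 'GET /path?query' into (path, decoded parameters); bodies and headers are out of scope here."""
    target = request_line.split(" ", 1)[1] if " " in request_line else request_line
    parts = urlsplit(target)
    return parts.path, parse_qs(parts.query, keep_blank_values=True)


def evaluate(rules: list[Rule], request_line: str) -> tuple[str, str]:
    """Return ("allow" | "block", reason) for one request under vulnerability-specific rules."""
    path, params = _params(request_line)
    for r in rules:
        if r.path != path or r.param not in params:
            continue  # the rule applies only where the scanner found the flaw
        for value in params[r.param]:
            if r.allow is not None and not r.allow.fullmatch(value):
                return "block", r.reason
            if r.deny is not None and r.deny.search(value):
                return "block", r.reason
    return "allow", ""


def evaluate_site_wide(request_line: str) -> str:
    """The alternative without findings: every parameter everywhere against every signature."""
    _, params = _params(request_line)
    for values in params.values():
        if any(p.search(v) for v in values for p in ATTACK_PATTERNS.values()):
            return "block"
    return "allow"


# Constructed findings and traffic.
FINDINGS = [
    Finding("/item", "id", "sqli", "int"),
    Finding("/search", "q", "xss", "text"),
]
REQUESTS = [
    "GET /item?id=42",
    "GET /item?id=42%20OR%201%3D1",
    "GET /item?id=42'--",
    "GET /search?q=security+as+a+service",
    "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "GET /about?q=%3Cscript%3E",   # same payload where nothing is vulnerable
    "GET /login?user=o'brien",     # a legitimate apostrophe far from any finding
]


def run(findings: list[Finding] = FINDINGS, requests: list[str] = REQUESTS) -> list[tuple[str, str, str]]:
    """(request, targeted verdict, site-wide signature verdict) for each request."""
    rules = [rule_from_finding(f) for f in findings]
    return [(req, evaluate(rules, req)[0], evaluate_site_wide(req)) for req in requests]


if __name__ == "__main__":
    for req, targeted, generic in run():
        print(f"{req:55} targeted={targeted:5} site-wide={generic}")
```

The comparison is the point: the apostrophe in `/login?user=o'brien` and the `<script>` string sent to a page with no finding are allowed by the targeted rules and blocked by the site-wide signatures, while every request that actually reaches a known-vulnerable parameter with a bad value is blocked by both. The model parses only query strings; a real WAF also has to normalise encodings and inspect bodies, headers and cookies, which is exactly where scanner-supplied knowledge of what a parameter should contain is most valuable.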
Sentinel Standard Edition includes coverage of Web Application Security Consortium (WASC) technical vulnerability classes (including command execution, information disclosure and client-side vulnerabilities) and PCI DSS Requirement 6.6. An upgraded service, Premium Edition, offers increased testing customization through WhiteHat security analyst review and intervention, and coverage of WASC business logic vulnerabilities in addition to WASC technical vulnerabilities.

Challenges: WhiteHat faces several challenges, notably from large competitors offering more comprehensive application security testing capabilities (static and dynamic) as a service, as well as product versions that address in-house testing requirements and the ability to integrate testing into application development tools. The company must also compete with network vulnerability assessment providers that are adding limited application scanning to their offerings, as well as security-as-a-service delivery options. WhiteHat is privately held and venture-capital-funded, which means that prospective customers have less visibility into its business and finances than with publicly held vendors. WhiteHat must also deal with the problem of keeping compliance-driven customers, who will seek to reduce the cost of compliance over time. The security-as-a-service delivery model keeps switching costs low for these customers.

Who Should Care: Enterprise application owners seeking to improve the security of Web applications, and those charged with meeting PCI DSS Requirement 6.6 under requirements for rapid deployment, should evaluate WhiteHat Security's offerings.
Recommended Reading
"Defining the Security-as-a-Service Market"

6.0 Zscaler

Santa Clara, California, USA
Analysis by Peter Firstbrook and Arabella Hallawell

Why Cool: Zscaler is one of a number of "startups" in the fast-growing SaaS secure Web gateway market (see "Market for Secure Web Gateways Delivered as SaaS Heating Up"). What sets Zscaler apart is its highly modular and scalable architecture, which separates enforcement from reporting and management. This enables Zscaler to scatter enforcement points throughout the Internet, in effect performing Akamai-style load balancing in reverse, to improve performance. Zscaler relied heavily on load balancing and application acceleration fundamentals to improve the scalability and reliability of its architecture, and its competitors may not find this easy to duplicate. Zscaler also provides data loss prevention and application control capabilities in addition to antivirus and anti-malware scanning. Zscaler resides outside the firewall, and it is unique in providing user-name-specific reporting that does not require any additional client-side software components. Zscaler provides globally consolidated real-time reporting with transaction-level drill-down. Finally, the company's aggressive pricing (which is enabled by its choice of architecture and deployment) is shifting the total cost of ownership argument in favor of SaaS solutions in the secure Web gateway market. Unlike many other startups, Zscaler, which is funded by Jay Chaudhry, an IT entrepreneur, does not require outside venture-capital backing during its ramp-up phase.

Challenges: Zscaler must deal with the usual challenges facing any startup trying to gain "mind share," but it also has the added challenge of introducing a new delivery model. Competitors (including Symantec/MessageLabs, Websense and Google/ScanSafe) with significant channel reach will help to drive market demand, but these competitors will also take the majority of the business unless Zscaler executes quickly and demonstrates superior features. Enterprises that have already bought SaaS e-mail security services, and those that are looking for both Web and e-mail security from the same provider, are natural prospects, but Zscaler does not participate in the e-mail security market.

Who Should Care: CISOs and other security managers who want to augment their endpoint protection solutions to keep pace with the changing threat environment, and network engineers replacing outdated URL filtering solutions, should consider the Zscaler offering. This type of solution is particularly interesting to enterprises that have a high percentage of notebook computers, and to large enterprises with many Internet gateways and SOHO locations.

Recommended Reading
"A Buyer's Guide to Secure Web Gateways"
"Magic Quadrant for Secure Web Gateway"
"Market for Secure Web Gateways Delivered as SaaS Heating Up"
"Why Malware Filtering Is Necessary in the Web Gateway"

RECOMMENDED READING

"A Buyer's Guide to Secure Web Gateways"
"Defining the Security-as-a-Service Market"
"Magic Quadrant for Secure Web Gateway"
"Market for Secure Web Gateways Delivered as SaaS Heating Up"
"Why Malware Filtering Is Necessary in the Web Gateway"
"Wi-Fi Security Best Practices for Traveling Employees"

REGIONAL HEADQUARTERS

Corporate Headquarters
56 Top Gallant Road
Stamford, CT 06902-7700
U.S.A.
+1 203 964 0096

European Headquarters
Tamesis
The Glanty
Egham
Surrey, TW20 9AW
UNITED KINGDOM
+44 1784 431611

Asia/Pacific Headquarters
Gartner Australasia Pty. Ltd.
Level 9, 141 Walker Street
North Sydney
New South Wales 2060
AUSTRALIA
+61 2 9459 4600

Japan Headquarters
Gartner Japan Ltd.
Aobadai Hills, 6F
7-7, Aobadai, 4-chome
Meguro-ku, Tokyo 153-0042
JAPAN
+81 3 3481 3670

Latin America Headquarters
Gartner do Brazil
Av. das Nações Unidas, 12551
9° andar—World Trade Center
04578-903—São Paulo SP
BRAZIL
+55 11 3443 1509