IDC: Top Five Considerations for Cloud-Based Security


Published by IDC, October 2012.

IDC ANALYST CONNECTION

Phil Hochmuth
Program Manager, Security Products

Considering a Move to Cloud-Based Web Security? Answers to Your Top Questions

October 2012

With the rise of cloud applications and an increasingly mobile workforce, Web security that can be delivered as a service across a global network is becoming critical in order to protect users and ensure that policies for social media and other traffic can be enforced consistently anywhere at any time. Along with protecting employees who are using company-owned mobile devices, enterprises must efficiently secure an increasing number of mobile workers who are using unmanaged devices (bring your own device, or BYOD). Cloud-based Web solutions can secure mobile users without requiring VPN backhaul to an onsite gateway or security agents installed on clients. The worldwide Web security market reached $1.9 billion in 2011, growing 12.1% over 2010, and IDC predicts that the market will grow to $3.2 billion in 2016, representing an 11.2% compound annual growth rate (CAGR) from 2011 to 2016. Web security SaaS will be the fastest-growing segment of the Web security market. Web security SaaS will grow from $250.4 million in 2011 to $695.2 million in 2016, representing a 22.7% CAGR. Pressure on enterprise IT security teams to secure and control corporate data in an increasingly unmanaged endpoint environment is driving much of this market growth; more than a third of enterprises cite data loss as their top security concern, according to IDC's 2011 Security Survey; meanwhile, nearly two-thirds of enterprises are challenged by end users who do not follow corporate security policies.

The following questions were posed by Blue Coat to Phil Hochmuth, program manager for IDC's Security Products service, on behalf of Blue Coat's customers.

Q. What are the top business or security challenges and requirements driving Web security SaaS adoption?

A. One initial challenge is the general extension of the security perimeter. For most enterprises, the corporate boundary between the external Internet and internal networks and LANs has essentially dissolved as more employees are using mobile devices outside the office. This is a result of more people working from home as well as corporations extending to more branch and remote offices globally. It is more difficult to maintain the traditional network perimeter in these scenarios. Having a "hard wall" around employees has always been the main defense and control point for enterprise security. Mobile devices stretch the control zone that enterprises traditionally had over endpoints, often making these controls less effective or inefficient to implement. Another challenge is the explosion of social networking use. Social networking can be both a time-wasting tool and a productivity-enhancing tool for enterprises, depending on how it's used and who is using it. For example, many enterprises have official Twitter and Facebook accounts, and certain employees are required to access them and keep them up to date. The new reality in many enterprises is that employees increasingly need real-time access to social networks, both inside corporate perimeters and during off hours or from remote locations, and the need to ensure that corporate policies for these applications "follow the user" is becoming acute. Cloud-based security solutions can provide a more overarching and ubiquitous type of security service, and mobility and social network usage are two very good reasons that enterprises are looking at these kinds of solutions. A cloud-based solution can deliver consistent, universal security policies for users wherever they are located — inside the office, at home, or in a hotel room — at any time.

Q. What are the top features that enterprises look for in cloud-based Web security?

A. Scalability is key — the ability to handle lots of traffic with low latency as well as enable universal delivery. Enterprises need services that are always available and that provide the same user experience no matter where a user is located. This requires a Web security vendor to have a global presence in terms of datacenters for regional support as well as things like redundant hardware, tier 1 connectivity, and strong SLAs for each location. Another important feature is the ability to enforce policy controls over social media applications across all platforms: desktops, laptops, mobile browsers, etc. This is something that advanced Web security solutions are moving toward. Also, as with an on-premise Web security solution, a cloud-based solution must have strong bidirectional threat detection capabilities, including the ability to see incoming threats (i.e., viruses or malware) as well as outgoing threats (i.e., botnet commands) and control traffic or sensitive data that might be leaving the organization through a Web channel. Inbound-only detection falls short of identifying data streams that could be threats. Often, this outbound data can be more damaging to an organization than inbound threats; it could involve a compromised corporate PC sending attack traffic to another site or individual (under the control of cybercriminals) or an employee or an outsider intentionally sending out (or extracting) valuable data via the Web. As a result, having bidirectional traffic inspection capability is critical.

Q. What is hybrid Web security, and what are the most important criteria enterprises should look for when deploying this security architecture?

A. Hybrid Web security is a combination of on-premise Web security appliances (or virtual appliances) and a cloud-based Web security service. The idea is that these complementary technologies can protect corporate users and data regardless of device or location. Generally, the two platforms are used in concert, where cloud services protect mobile/remote workers and on-premise appliances/software protect in-office employees. The approach can provide broader security controls and more flexibility in terms of handling some of the challenges related to mobility and social networking. One important criterion of hybrid is the ability to create policies in a single place, a "universal policy," which an organization can deploy and enforce on both platforms. For example, an end user who accesses a social networking site on a corporate laptop, whether at the office, at home, or in a hotel on a business trip, would still be controlled by policies in a hybrid Web security scenario: When the employee is outside the perimeter, the laptop is secured by the cloud service; when the employee is on-premise, the laptop is secured by the gateway or virtual appliance. However, the true value of hybrid is not to simply apply the same policy everywhere. The ability to have policies that automatically adapt — based on the context of the end user's connection, location, and device — is another important aspect to consider. In the traveling employee scenario, when the employee moves from inside the office to a less secure environment, such as a hotel, the security controls might actually be adjusted. The policy might tighten the level of access of the employee or limit things that the employee can do when connecting from an unsecure location versus the corporate LAN. Having policies that not only can be enforced on both cloud and on-premise platforms but also can factor in the context of the connection and end-user activity is a differentiating capability. Unified reporting is also an important aspect of hybrid Web security. The ability to understand all corporate user activities in a single unified format, both when users are in the office and when they are traveling and using laptops or tablets, is an increasingly critical feature for Web security deployments that integrate on-premise and cloud-based Web security solutions.

Q. How is the BYOD phenomenon affecting enterprise Web security, and how are IT security professionals reacting to it?

A. While enterprises are just starting to understand how to secure company-issued mobile devices, BYOD adds an additional level of complexity. More than 40% of enterprises in IDC's 2011 Security Survey said that the introduction of unmanaged mobile devices into their environments would be a top security challenge over the next year. However, enterprises are worried about more than just the devices; they are also concerned about what employees will be doing on these gadgets. Nearly 50% of enterprises cited increased sophistication of attacks (such as targeted attacks) as a top challenge, while nearly 60% of enterprises said they are worried most about employees underestimating the importance of following corporate security policies. Enterprises know they need to secure the use of devices that they do not own or control while considering the dual scenarios of business use and personal use of these devices. There is less control over these devices in general versus a traditional laptop or even a tablet that might have been issued by the corporation to the end users. With BYOD, enterprises are not able to put agents on clients, whether for antivirus, bandwidth management, Web security, or site monitoring tools. Organizations just don't have the access to the machines. In response, many organizations are looking at cloud-based Web security to control this situation. They see cloud as a solution to address the BYOD problem. Whether the device is on-premise or offsite, it can still connect to the cloud service, which will provide a level of security that follows the device wherever it goes. Additionally, certain advanced cloud/SaaS services can provide universal policy protection regardless of the type of network the device is attached to — on-premise LAN, unmanaged WiFi, or the employee's personal 3G/4G connection.

Q. Can you talk about best practices for securing personal mobile devices?

A. The first step many enterprises take in controlling BYOD environments is setting expectations as to what types of applications and tools will be made available to these devices. Not every internal corporate application can be feasibly delivered to all types of personal devices. A trade-off scenario between the end user and IT must be established; personal devices are fine to use, but certain restrictions or policies will be enforced. The same acceptable use policies for Web access and data access should be expected on personal mobile devices, especially when workers use these devices on corporate WiFi networks. Some enterprises have had success setting up tiered levels of service for BYOD, depending on the level of corporate control that is given to these devices. For instance, for completely unmanaged devices, control policies might mirror the type of access that is given to guests or visiting contractors — limited Internet access or even a captive portal for tracking and auditing. Some enterprises are also deploying "containerization" strategies for corporate application and data access; this can involve providing access to virtual desktops on personal devices (such as noncorporate PCs or tablets) or deploying mobile device management (MDM) technologies that can provide "sealed off" access to corporate data and applications on personal smartphones, without allowing data to be downloaded or saved to the device. Even with these types of access controls and security infrastructure in place, gaps in security and control can occur. Enterprises can tightly control what resources personal devices can access on the corporate network. However, there is a blind spot in terms of what other types of applications and tools are running on personal devices. Applications in particular are an issue because end users may be using their own applications on personal mobile devices that are attached to a corporate WiFi network. These applications, downloaded by end users to their own personal devices, could be used to transmit or share sensitive files of information or violate corporate acceptable use policies. In addition, this traffic can fly under the radar of tiered access control infrastructures. A cloud-based Web security service can provide additional features to fill in this security "app gap"; a cloud-based Web security service — separate from on-LAN infrastructure controls — can block such applications from using the corporate network. In scenarios where BYOD endpoints can be configured to proxy through a cloud service, this type of protection follows the BYOD end user beyond the corporate network to other WiFi or cellular connections.

ABOUT THIS ANALYST

Phil Hochmuth is the program manager of IDC's Security Products service. In this role, he conducts primary research and provides insight and analysis on a range of enterprise security markets, including data loss prevention (DLP), information protection and control (IPC), messaging security, and Web security. His research also examines the convergence of these, and other, security technologies as enterprises address new and evolving data security challenges.

ABOUT THIS PUBLICATION

This publication was produced by IDC Go-to-Market Services. The opinion, analysis, and research results presented herein are drawn from more detailed research and analysis independently conducted and published by IDC, unless specific vendor sponsorship is noted. IDC Go-to-Market Services makes IDC content available in a wide range of formats for distribution by various companies. A license to distribute IDC content does not imply endorsement of or opinion about the licensee.

COPYRIGHT AND RESTRICTIONS

Any IDC information or reference to IDC that is to be used in advertising, press releases, or promotional materials requires prior written approval from IDC. For permission requests, contact the GMS information line at 508-988-7610 or and/or localization of this document requires an additional license from IDC.

For more information on IDC, visit For more information on IDC GMS, visit

Headquarters: 5 Speen Street, Framingham, MA 01701 USA. P. 508.872.8200, F. 508.935.4015

©2012 IDC. IDC 1385