Magic Quadrant for Secure Web Gateways
28 May 2015 ID:G00267241
Analyst(s): Lawrence Orans, Peter Firstbrook
The market for SWG solutions is still dominated by traditional on-premises appliances. But the
use of cloud-based services is growing rapidly, and advanced threat protection functionality
remains an important differentiator.
Market Definition/Description
Secure Web gateways (SWGs) utilize URL filtering, advanced threat defense, legacy malware
protection and application control technologies to defend users from Internet-borne threats and
to help enterprises enforce Internet policy compliance. SWGs are implemented as on-premises
appliances (hardware and virtual), cloud-based services or in hybrid mode (combined on-premises
appliances and cloud-based services). Vendors continue to differ greatly in the maturity and
features of their cloud-based services and in their ability to protect enterprises from advanced
threats.
As highlighted in "Market Guide for Network Sandboxing," SWG vendors are competing against
firewall, intrusion prevention system (IPS) and unified threat management (UTM) vendors that
also sell sandboxing as an optional feature. The firewall vendors, Palo Alto Networks in particular,
have benefited from an early mover advantage in network sandboxing. In 2015, Gartner expects
that SWG vendors will compete more aggressively against the firewall/IPS/UTM vendors, and
against stand-alone sandboxing solutions, as more vendors offer network sandboxing solutions
that integrate with SWGs.
Organizations that are considering a move to SWG-based cloud services have many options, but
will find significant differences during the sales process. Some vendors, such as Blue Coat and
Zscaler, have strong partnerships with carriers and ISPs, which has proven to be a successful go-
to-market strategy because service providers can upsell secure Internet access with bandwidth
contracts. Other vendors, such as Barracuda Networks and Intel Security, have still not
demonstrated the vision in building an effective sales channel for cloud services. The traditional
value-added reseller (VAR) channel that many vendors rely upon for SWG appliance sales has
been largely ineffective in selling cloud-based services.
Because of the requirement to defend against advanced threats, it is no longer enough for a
cloud-based SWG to only offer the traditional SWG services (for example, URL filtering and basic
malware detection). Enterprises that connect remote offices (and headquarters offices) directly to
the Internet, without backhauling traffic to a centralized data center, will need cloud-based
advanced threat services. Vendors that offer cloud-based SWGs, and only offer on-premises
appliance-based advanced threat products, need to quickly port their advanced threat offerings
to a cloud platform and deliver this functionality as a service. Vendors such as Blue Coat, Intel
Security and others fall into this category.
Magic Quadrant
Figure 1. Magic Quadrant for Secure Web Gateways
EVALUATION CRITERIA DEFINITIONS
Ability to Execute
Product/Service: Core goods and services
offered by the vendor for the defined market.
This includes current product/service capabilities,
quality, feature sets, skills and so on, whether
offered natively or through OEM
agreements/partnerships as defined in the
market definition and detailed in the subcriteria.
Overall Viability: Viability includes an assessment
of the overall organization's financial health, the
financial and practical success of the business
unit, and the likelihood that the individual
business unit will continue investing in the
product, will continue offering the product and will
advance the state of the art within the
organization's portfolio of products.
Sales Execution/Pricing: The vendor's capabilities
in all presales activities and the structure that
supports them. This includes deal management,
pricing and negotiation, presales support, and the
overall effectiveness of the sales channel.
Market Responsiveness/Record: Ability to
respond, change direction, be flexible and
achieve competitive success as opportunities
develop, competitors act, customer needs evolve
and market dynamics change. This criterion also
considers the vendor's history of responsiveness.
Marketing Execution: The clarity, quality,
creativity and efficacy of programs designed to
deliver the organization's message to influence
the market, promote the brand and business,
increase awareness of the products, and establish
a positive identification with the product/brand
and organization in the minds of buyers. This
"mind share" can be driven by a combination of
publicity, promotional initiatives, thought
leadership, word of mouth and sales activities.
Customer Experience: Relationships, products
and services/programs that enable clients to be
successful with the products evaluated.
Specifically, this includes the ways customers
receive technical support or account support. This
can also include ancillary tools, customer support
programs (and the quality thereof), availability of
user groups, service-level agreements and so on.
Operations: The ability of the organization to
meet its goals and commitments. Factors include
the quality of the organizational structure,
including skills, experiences, programs, systems
and other vehicles that enable the organization to
operate effectively and efficiently on an ongoing
basis.
Completeness of Vision
Market Understanding: Ability of the vendor to
understand buyers' wants and needs and to
translate those into products and services.
Vendors that show the highest degree of vision
listen to and understand buyers' wants and
needs, and can shape or enhance those with their
added vision.
Marketing Strategy: A clear, differentiated set of
messages consistently communicated throughout
the organization and externalized through the
website, advertising, customer programs and
positioning statements.
Sales Strategy: The strategy for selling products
that uses the appropriate network of direct and
indirect sales, marketing, service, and
communication affiliates that extend the scope
and depth of market reach, skills, expertise,
technologies, services and the customer base.
Offering (Product) Strategy: The vendor's
approach to product development and delivery
that emphasizes differentiation, functionality,
methodology and feature sets as they map to
current and future requirements.
Business Model: The soundness and logic of the
vendor's underlying business proposition.
Vertical/Industry Strategy: The vendor's
strategy to direct resources, skills and offerings to
meet the specific needs of individual market
segments, including vertical markets.
Innovation: Direct, related, complementary and
synergistic layouts of resources, expertise or
capital for investment, consolidation, defensive or
pre-emptive purposes.
Geographic Strategy: The vendor's strategy to
direct resources, skills and offerings to meet the
specific needs of geographies outside the "home"
or native geography, either directly or through
partners, channels and subsidiaries as
appropriate for that geography and market.
Source: Gartner (May 2015)
Vendor Strengths and Cautions
Barracuda Networks
Based in Campbell, California, Barracuda provides a broad array of cost-effective network and
application security products, as well as storage and productivity solutions. Barracuda's Web Filter
appliances are complemented by its cloud-based proxy service (Web Security Service). Barracuda
customers typically implement its appliances in transparent bridge mode to view all network
traffic, but the appliances can also be implemented in proxy mode. Barracuda is transitioning the
policy enforcement model of its cloud service from cloud-based enforcement to agent-based
enforcement (based on a cloud lookup mechanism). Barracuda licenses Lastline's cloud-based
sandbox technology and has integrated the solution with its firewall products. Integration with
Barracuda's SWG products will be delivered later in 2015. This year, Barracuda moves from the
Challengers quadrant to the Niche Players quadrant, due in part to its stagnant market share. Its
2009 acquisition of cloud-based SWG services vendor Purewire has added only marginal revenue
growth. Barracuda's Web Filter appliances are good candidates for SMBs and cost-conscious
enterprises.
Strengths
Barracuda's Instant Replacement program, which provides next-business-day shipping of
replacement units, includes a free appliance replacement unit every four years.
Application control is comprehensive and includes granular social media controls and social
media archiving. In-line deployments of Barracuda's SWG enable it to filter all ports and
protocols.
Barracuda provides a free, lightweight mobile data management capability to simplify the
deployment of its safe browser and the management of policies on mobile devices running
Apple iOS and Android.
Barracuda references commented favorably regarding the ease of deployment and
management of the Web Filter appliances.
Cautions
Dedicated focus on SMBs typically results in solutions that are missing features favored by
large-enterprise customers. Lack of support for authentication via Security Assertion Markup
Language (SAML) is an example of this trade-off.
At the time of this writing, malware detection techniques on Barracuda's SWG appliances are
primarily signature-based. There is very little real-time analysis of Web content, such as
static code analysis.
Barracuda's advanced threat defense strategy is heavily dependent on the technology that
it has licensed from Lastline, which is a small company. If Lastline gets acquired by another
security vendor, then Barracuda may need to revisit its advanced threat defense strategy.
Blue Coat
Based in Sunnyvale, California, Blue Coat offers appliance-based SWGs and a cloud-based SWG
service. In addition to its SWG solutions, Blue Coat also offers these appliance-based products: a
network sandbox (Malware Analysis Appliance), a network forensics tool (Security Analytics
Platform), and a malware detection appliance (Content Analysis System) that analyzes traffic
forwarded to it by Blue Coat proxies. A partnership with AT&T enables the carrier to resell Blue
Coat's cloud-based SWG service. In May 2015, private equity firm Bain Capital completed its
acquisition of Blue Coat from Thoma Bravo (also a private equity firm) for $2.4 billion. Bain
Capital's stated intent is to prepare Blue Coat for a return to public markets. Blue Coat's
appliances are good candidates for most large-enterprise customers, particularly those requiring
highly scalable SWGs. Blue Coat's cloud service is a good option for most enterprises.
Strengths
The ProxySG is the strongest proxy in the market in terms of breadth of protocols and the
number of advanced features. It supports a broad set of protocols as well as extensive
authentication and directory integration options.
Blue Coat's hybrid offering (cloud service and on-premises appliances) enables operations
teams to manage policies from a single console (although policies can be pushed only in one
direction — from the cloud to on-premises appliances).
By integrating the detection capabilities of the Malware Analysis Appliance with the forensics
capabilities of the Security Analytics Platform, Blue Coat gives security operations teams the
ability to shorten the incident response window.
Blue Coat provides strong support for SSL. All ProxySG models include SSL hardware assist
to offload processing from the main CPU. The stand-alone SSL Visibility Appliance can be
used to decrypt SSL traffic and feed it to Blue Coat and non-Blue Coat security solutions (for
example, data loss prevention [DLP] and network sandboxes).
Cautions
Because Blue Coat's advanced threat defense solution requires multiple components, it is
expensive. The ProxySG does not deposit suspicious files directly into the Malware Analysis
Appliance. Customers must purchase the Content Analysis System if they want to
automatically detect suspicious files and analyze them in the Malware Analysis Appliance.
Blue Coat lacks a cloud-based sandbox. Customers that have migrated to a complete Blue
Coat cloud-based SWG (no on-premises SWGs) are unable to use network sandboxing
technology to detect threats and targeted attacks.
The ProxySG cannot monitor all network traffic (which is useful for detecting outbound
malware) when implemented in explicit proxy mode, which is how it is most commonly
deployed.
Cisco
Cisco, based in San Jose, California, is a leading supplier of networking infrastructure to large
enterprises. It offers on-premises appliances, the Web Security Appliance (WSA) and a cloud-
based service, Cloud Web Security (CWS). Recent acquisitions include Sourcefire (2013), Cognitive
Security (2013) and ThreatGRID (2014). Sourcefire's primary focus was on intrusion prevention.
Cognitive's focus was on threat analytics, and ThreatGRID was offering a cloud-based sandbox.
This year, Cisco moved from the Leaders quadrant into the Challengers quadrant, due in part to
its slow progress in developing a hybrid (on-premises equipment and cloud-based services)
strategy. By not offering a true hybrid solution, Cisco is missing an opportunity to help its WSA
customers selectively add cloud services and to provide a smooth transition to a hybrid or all-
cloud offering. Cisco also lost Completeness of Vision points due to nonuniform threat detection
capabilities between its on-premises and cloud-based services. As noted in the Cautions section,
Cognitive Threat Analytics (CTA) is integrated only with Cisco's cloud service. It has not yet been
integrated with Cisco's appliances, even though Cisco acquired Cognitive Security in February
2013. Cisco's WSA is a good solution for most midsize or large enterprises, while the CWS service
is a good option for most enterprises.
Strengths
The WSA provides multiple security layers on a single appliance. Adaptive scanning directs
suspicious content to the anti-malware engine that is best optimized to scan the content.
Advanced Malware Protection (AMP) technology from Sourcefire provides file reputation, file
analysis and retrospective alerts (to receive maximum value from AMP, Cisco recommends
installing the FireAMP Connector agent on endpoints). The ThreatGRID technology will
improve AMP's sandboxing capability once it has been fully integrated.
The Layer 4 Traffic Monitor feature on the WSA enables visibility across all ports and
protocols by connecting to a Switched Port Analyzer (SPAN) mirrored port on a LAN switch. By
monitoring all traffic (not just Web traffic), Cisco improves its malware detection capability.
The CWS service benefits from a number of traffic redirection options that are integrated into
existing Cisco products. The Adaptive Security Appliance (ASA) firewall, Integrated Services
Router (ISR) Generation 2 and WSA all support Cisco's "connector" software, which directs
traffic to the CWS service.
Mobile platform support is a strength of the CWS service for customers that have already
implemented Cisco's popular AnyConnect client. The cloud service supports Windows, Mac OS
X, Apple iOS, Android, Windows Phone 8 and BlackBerry.
Cautions
Despite its obvious network expertise and relationships, Cisco has not demonstrated
significant focus on the SWG market. Overall market share (on-premises appliances and
cloud services) has been flat since 2009, the year that Cisco acquired ScanSafe. Cisco's cloud
service has a surprisingly small global footprint (15 countries) given Cisco's resources and
the number of years it has been in the SWG market. Newer rivals have been more
aggressive in global expansion.
Cisco has been slow to integrate its cloud-based SWG with its on-premises SWG (IronPort
acquisition in 2007). Customers seeking a hybrid cloud/on-premises solution will need two
consoles. The consoles lack automated policy synchronization (to share policies between
cloud and on-premises users).
The CTA service, which detects threats based on Web log analysis, is not available to WSA
customers. Only CWS customers can use the CTA functionality.
ContentKeeper
ContentKeeper is based in Australia, where it has many large government, education and
commercial customers. It offers a family of SWG appliances, which deploy in transparent bridge
mode, and it also provides a hosted cloud-based service. ContentKeeper's advanced threat
solutions can be implemented on-premises or in its hosted cloud service. ContentKeeper has
been expanding its presence in North America. Its solutions are a good option for midsize or large
organizations and for K-12 schools in supported geographies.
Strengths
The bridge-based Secure Internet Gateway has been designed for high throughput.
Reference customers report throughput up to 5 Gbps.
Strong support for mobile devices enables ContentKeeper to appeal to K-12 school districts
and other organizations that issue tablets to end users.
ContentKeeper appliances support the ability to inspect SSL traffic.
Reference customers commented favorably on ContentKeeper's service and support.
Cautions
ContentKeeper lacks a shared, multitenant, IPsec-based cloud SWG service. It provides a
hosted cloud offering, where customers run virtual appliances hosted in Amazon's cloud
service (and in some ContentKeeper-managed data centers). Hosted offerings do not scale
as dynamically as shared multitenant clouds.
ContentKeeper has yet to earn recognition as a leading advanced threat defense company.
Prospective customers should carefully test the efficacy of its advanced threat capabilities
against competing solutions.
The workflow tools for responding to malware incidents need improvement. The lack of
severity indicators on ContentKeeper's dashboard makes it difficult to prioritize malware
alerts.
iboss
Iboss is a privately held company based in San Diego, California. It offers a family of appliance-
based platforms, which are typically deployed in transparent bridge mode. It also offers a cloud-
based service. In 2014, iboss announced FireSphere, an internally developed cloud-based service
for malware detection. Iboss is a good option for midsize or large enterprises and for K-12
schools in supported geographies.
Strengths
The FireSphere service combines multiple malware detection capabilities, including NetFlow
analysis and sandboxing technology.
Full SSL content inspection is provided agentless at the gateway, or with an optional agent-
based solution on endpoints. The agent is a scalable approach that relieves the iboss
appliance of the burden of managing certificates and of terminating and decrypting SSL
traffic.
Bandwidth controls are very flexible. For example, bandwidth quotas can be applied to a
specific organizational unit in Active Directory, and they also can be assigned to a specific
domain.
Iboss customers commented on the strength of its reporting capabilities.
Cautions
Prospective customers of iboss' cloud-based SWG service should test it carefully. Gartner
rarely sees customers adopting iboss as a pure-play cloud service. Most implementations of
the iboss cloud service are in hybrid mode (deployed in conjunction with an iboss appliance).
The iboss cloud-based service lacks support for SAML, a popular authentication technique
that many enterprises already have adopted to authenticate users to SaaS applications.
Iboss has only a limited set of customers outside North America. Prospective customers
outside North America should validate that iboss partners are qualified to provide sales and
technical support.
Intel Security (McAfee)
Intel Security, based in Santa Clara, California, offers a family of on-premises SWG appliances
(McAfee Web Protection) and cloud-based SWG services (McAfee SaaS Web Protection). The SWG
appliances are most commonly implemented as proxies, although they also can be deployed in
other modes, including in-line transparent bridges. Intel Security also offers an appliance-based
sandbox (McAfee Advanced Threat Defense). This year, Intel Security moved from the Leaders
quadrant into the Challengers quadrant, due in part to its lack of Completeness of Vision in
building a strong sales and distribution channel for its cloud-based service. For example, it lacks
strong partnerships with carriers and Internet service providers (ISPs), which have proved to be
highly effective sales channels for cloud-based SWG services. Intel Security also lost
Completeness of Vision points because it has been slow to emphasize network-based traffic
redirection to its cloud, while focusing more strongly on endpoint-based redirection (via the
McAfee Client Proxy agent). The industry trend is the opposite: The primary driver of cloud-based
SWG services is for enabling direct-to-net connectivity from remote offices (via network-based
redirection), whereas protecting mobile devices is a distant secondary driver. Intel Security's
appliance solutions are good candidates for most enterprise customers, particularly those that
are already McAfee ePolicy Orchestrator users. Prospective customers of the cloud service should
test it carefully.
Strengths
The McAfee Web Protection appliance integrates with the Advanced Threat Defense
appliance. It automatically deposits suspicious files in the sandbox for analysis.
McAfee Web Protection has strong malware protection due to its on-box browser code
emulation capabilities. The solution provides the ability to adjust the sensitivity of malware
detection. A rule-based policy engine enables flexible policy creation.
Intel Security has a good implementation of a hybrid cloud/on-premises solution. While policy
synchronization is only unidirectional (from on-premises to the cloud), flexible controls enable
some policies to be synced, whereas others are not. Log file synchronization can be
configured in specified time intervals.
Intel Security provides strong support for scanning SSL traffic with its McAfee Web Protection
appliance and its cloud-based service. For example, the solutions can be configured to
automatically enforce SSL certificate decisions so that end users don't have the option to
accept an unknown or expired certificate.
Cautions
Intel Security lacks a cloud-based sandbox. Customers that have migrated completely to an
all-cloud-based service (no on-premises SWGs) are unable to use Intel Security's network
sandboxing technology to detect threats and targeted attacks.
Some of Intel Security's reference customers reported dissatisfaction with its cloud service.
Adoption of the service has been slow due to Intel Security being late with key features,
such as IPsec support (available since January 2015). Intel Security also has been slow to
grow its global footprint (13 data centers as of 2014).
Intel Security's preferred approach for protecting Apple iOS and Android devices via its cloud
service uses proxy settings. This approach can be easily defeated by knowledgeable users.
The lack of a strong partnership with a leading ISP or telecom carrier limits Intel Security's
ability to target large enterprises with its cloud-based service.
Sangfor
Sangfor is a network optimization and security vendor based in China. Approximately half of its
revenue comes from its SWG products; the remaining revenue comes from its next-generation
firewall, VPN, WAN optimization controllers and application delivery controller products. Sangfor's
SWG comes in a hardware appliance form factor, and it is implemented as an in-line transparent
bridge. In 2014, Sangfor enhanced its SWG by adding DLP support and wireless networking
functions and enhanced its application recognition capabilities. The company offers two versions
of its SWG product: one aimed at the Chinese market, and one aimed at English-speaking
countries. Nearly all the company's revenue comes from the Asia/Pacific region. Sangfor is a
candidate for organizations that are based in China and in supported countries in the Asia/Pacific
region.
Strengths
Sangfor has strong application control features. It can apply granular policies to Weibo,
Facebook and other Web-based applications, and it also has developed network signatures
to block port-evasive applications like BitTorrent and Skype.
Sangfor's SWG includes a wireless controller, which is capable of managing Sangfor wireless
access points. The controller includes a feature to detect and block unauthorized Wi-Fi hot
spots in an enterprise wireless environment.
Sangfor offers a cloud-based sandbox. Sangfor's SWG automatically feeds suspicious objects
to the sandbox.
Sangfor's in-line transparent bridge mode enables flexible and granular bandwidth control
capabilities. Bandwidth utilization parameters can be specified for uplink and downlink traffic.
Cautions
Sangfor does not offer a cloud-based SWG service.
The console dashboard for malware detection is basic and lacks severity indicators to
prioritize alerts.
Sophos
Based in the U.K., Sophos provides a broad range of network and application gateways and an
endpoint protection platform that it is converging into a unified security solution aimed primarily at
small or midmarket enterprises. The Sophos Web Appliance (SWA) can be deployed in proxy or
transparent in-line bridge mode, and Sophos offers SWG functionality integrated into its UTM
appliances. Sophos' acquisition of Mojave Networks (2014) forms the basis of its multitenant cloud
Web filtering service. Midsize organizations, particularly those that are Sophos desktop
customers, should consider Sophos' SWG solutions.
Strengths
Ease of use is a key design criterion for Sophos. Features include automated network and
directory discovery, contextual help functions, and simple policy configuration.
Sophos is an established player in the malware detection market. The SWA uses Sophos-
developed technology to perform a pre-execution analysis of all downloaded code, including
binary files and JavaScript. The appliance also provides outbound command and control
(C&C) traffic detection with linkage to known malware-removal tools.
Sophos places strong emphasis on service and support. It optionally monitors customers'
appliances and provides alerts for critical hardware conditions, such as high temperatures or
faulty disk drives.
Mobile users who are running the Sophos endpoint protection platform benefit from DNS-
based enforcement of URL filtering policy and logging when clients are off-LAN. The Mojave
acquisition provides Sophos with a dedicated cloud-filtering network.
Cautions
Sophos' focus on ease of use and out-of-the-box functionality can be limiting for large-
enterprise customers that value more granular controls. For example, the Mojave cloud is
capable of integrating only with a single directory, and reference customers noted that
advanced reporting and multidestination syslog support were lacking.
Sophos is in midtransition to a more unified offering. Capabilities are vastly different
between the three primary offerings (UTM, cloud and SWG appliances), and integration is still
in development. For example, proxy appliances and cloud offerings are incapable of
inspecting nonproxied traffic, while UTM appliances can inspect all ports and protocols, but
have fewer advanced SWG functions.
Sophos does not yet offer a sandboxing solution for advanced targeted threats.
Symantec
Symantec is based in Mountain View, California. It has two offerings in the SWG market: (1) the
Symantec.cloud service; and (2) the Symantec Web Gateway appliance, which may be deployed
as an in-line transparent bridge, as a proxy or in SPAN mode. Symantec continues to work toward
delivering the advanced threat protection product and service suite that it announced in May
2014. In September 2014, Symantec announced the appointment of Michael A. Brown as the
company's CEO (he had been serving as interim CEO). In October 2014, Symantec announced
that it will split into two publicly traded companies — one selling security software, and the other
providing data management. The security company will retain the Symantec name, and Brown will
continue to lead it. Symantec's cloud-based SWG offering is a good option for SMBs that do not
need a hybrid approach. Although the appliance may be appropriate for some SMBs, it has
significant limitations for large enterprises.
Strengths
Symantec.cloud provides strong DLP support (a separate license is required) with the ability
to configure flexible policies.
Support for multiple languages broadens Symantec.cloud's appeal in many non-English-
speaking countries.
Symantec's SWG offerings benefit from its strong malware research labs and its Insight file
reputation engine.
Cautions
Symantec has not integrated its cloud-based SWG (MessageLabs acquisition of 2008) with
its on-premises SWG (Mi5 Networks acquisition of 2009). Customers seeking a hybrid
cloud/on-premises solution will need two consoles, and the consoles lack policy
synchronization and log synchronization.
Symantec lacks a network sandbox and other technologies for detecting advanced threats
and targeted attacks.
Symantec's cloud service does not support IPsec or Generic Routing Encapsulation (GRE)
tunnels, the two most common techniques for redirecting traffic from remote offices to an
SWG cloud service.
Symantec's strategy for supporting mobile devices needs improvement. Its Smart Connect
agent is a strong solution for Windows laptops, but Symantec does not offer a similar agent
for Mac OS X. Proxy autoconfiguration (PAC) files, which knowledgeable users can easily
subvert, are needed to redirect traffic from Apple iOS, Android and Mac OS X devices to the
Symantec.cloud SWG service.
Trend Micro
Based in Tokyo, Trend Micro ("Trend") is a provider of endpoint protection, content protection and
application gateway solutions. Trend offers an on-premises virtual appliance solution (InterScan
Web Security Virtual Appliance [IWSVA]) and a cloud service (InterScan Web Security as a Service
[IWSaaS]). IWS can be implemented as a transparent bridge or a proxy, and can be optionally
enhanced by Trend Micro's Deep Discovery network sandbox. Trend Micro is a candidate primarily
for organizations that already have a strategic relationship with the company.
Strengths
The IWSVA and IWSaaS solutions are strengthened by Trend Micro's global threat
intelligence, script analyzer capabilities and botnet detection. Optional offerings include the
Deep Discovery sandbox for on-premises malware analysis and the Damage Cleanup
Services for remediation of compromised endpoints.
A single licensing model allows customers to mix cloud and on-premises solutions, and a
specific hybrid console provides an integration point for synchronizing policies and reporting
for cloud and on-premises users.
Application control is strong with IWSVA, and includes the ability to set time-of-day and
bandwidth quota policies.
Trend Micro's cloud-based SWG service has good geographic coverage for the Asia/Pacific
region.
Cautions
The IWSaaS cloud service is missing some enterprise-class features, such as cloud-based
malware sandboxing, security information and event management (SIEM) integration and
DLP support. Data centers are limited to nine countries.
Outbound malware detection lacks detailed information on threats.
Trend Micro has three consoles for its SWG offerings: an on-premises-only console for
IWSVA, a cloud-only console for IWSaaS and a separate console for the hybrid offering. This
approach adds operational complexity as enterprises grow and evolve with the Trend Micro
offering.
Trustwave
Trustwave is based in Chicago. It offers a diversified security product and managed security
services portfolio, including application security, DLP, email security, Web application firewall, SIEM
and network access control. In addition, it offers numerous managed security services, including
incident response and penetration testing. Its Secure Web Gateway appliance is a proxy-based
gateway that specializes in real-time malware detection. Trustwave's SWG solutions are good
options for customers that already have one or more Trustwave products or services, or for those
that are seeking an SWG-managed service. In April 2015, Singtel announced its intent to acquire
Trustwave and operate it as a stand-alone business. As of May 2015, the deal is pending
regulatory approval.
Strengths
The Trustwave Managed Anti-Malware Service provides deployment, policy management,
security monitoring and alerting as a service for on-premises SWG installations.
Research and insight from incident response investigations and penetration tests enhance
Trustwave's strong real-time browser code emulation, which is the primary technology in its
malware detection strategy.
Application control support for instant messaging (IM) and social media allows granular policy
options. Application control support for Dropbox, Google Drive, Microsoft OneDrive, Apple
iCloud Drive and Box enables granular policy controls for uploading, downloading, sharing,
and deleting files and folders.
Trustwave's DLP engine is fully integrated with its Secure Web Gateway product.
Cautions
Trustwave does not offer a cloud-only SWG service.
Trustwave lacks the network sandboxing capabilities that many SWG vendors offer as
optional features.
Support for mobile devices (iOS and Android) is weak due to Trustwave's lack of an IPsec-
based multitenant gateway in its hybrid service offering.
The dashboard console is weaker than many competing offerings. It lacks severity indicators
to prioritize malware alerts. Dashboard panels provide only limited customization.
The Secure Web Gateway product lacks the ability to block port-evasive applications, such as
BitTorrent and Skype. Port-evasive outbound traffic to command-and-control centers cannot
be blocked either.
Websense
Websense, which is based in Austin, Texas, is owned by private equity firm Vista Equity Partners.
Websense offers SWG appliances (hardware and software) and a cloud-based service. It also
offers a cloud-based network sandboxing solution, known as the Web Sandbox Module, which
was developed in-house. Websense appliances are good options for midsize enterprises, and its
cloud service is a good option for most enterprises. In April 2015, Raytheon entered into a
definitive agreement with Vista Equity Partners to form a new company, combining Websense
with its Raytheon Cyber Products business unit. At the time of this writing, the deal is pending
regulatory approval.
Strengths
Websense has a strong offering for organizations that are interested in a hybrid SWG
strategy (on-premises and cloud-based). Its Triton management console provides a common
point for policy management, reporting and logging in hybrid environments.
Websense's Triton AP-Web automatically deposits suspicious files in the cloud-based Web
Sandbox Module.
Websense uses its DLP technology in its appliances and cloud service to inspect suspicious
outbound traffic patterns. This feature uses deep packet inspection, and it does not require
an additional licensing fee.
Websense has a good strategy for mobile support. A Websense client for Windows and Mac
OS X endpoints handles traffic redirection and authentication to the Websense cloud service.
AirWatch customers will benefit from an integration with Websense that provisions
certificates on mobile devices (Apple iOS and Android) and directs traffic to the Websense
cloud (via IPsec) when the user generates Web traffic.
Cautions
The console for the cloud-only service (Cloud Triton Manager) is different from the console
that is used to manage the hybrid and on-premises solutions (Triton Manager). Customers
that begin with a cloud-only service and add V-Series appliances later would need to switch
to the Triton Manager console.
Gartner rarely sees Websense's X10G, a blade-server appliance aimed at large enterprises,
in competitive bids. Enterprises that are considering the X10G should carefully check
references.
The lack of a strong partnership with an ISP or telecom carrier limits Websense's ability to
target large enterprises with its cloud-based service.
As Websense forms a new company and integrates technology from Raytheon, its increased
focus on threat defense may result in reduced focus on its core SWG functionality.
Zscaler
Zscaler, which is based in San Jose, California, is a pure-play provider of cloud-based SWG
services. In 2014, Zscaler added network sandboxing and next-generation firewalling services.
Zscaler also offers a DNS-based Web filtering service. Zscaler continues to be the fastest-growing
vendor in this market, as well as one of the most innovative vendors. Zscaler is a good option for
most enterprises that are seeking a cloud-based SWG.
Strengths
Zscaler applies all its malware detection engines to all content, including SSL traffic that it
decrypts via SSL, regardless of site reputation. This approach yields up-to-date malware
ratings on websites.
Zscaler has the largest global cloud footprint, with more than 100 enforcement nodes in 30
countries.
Zscaler leads the SWG market in several cloud innovations, including colocating and direct
peering with popular cloud services (such as Amazon, Microsoft, Salesforce and Akamai) in
order to reduce latency. It provides flexible implementation options by offering a broad set of
choices for traffic redirection and authentication. It was the first to expose its cloud uptime
and event statistics to the public via its trust.zscaler.com portal.
Zscaler's updated console display (based on HTML5) enables role-based administrative
access. Views can be customized according to administrative rights and privileges.
An optional streaming log service provides near-real-time export of logs from the cloud to on-
premises servers, where they can be analyzed by a SIEM solution. Enterprises that have
more than one SIEM solution can filter log events from the Zscaler console and direct log
entries to specific SIEM solutions.
Cautions
Zscaler encourages the use of PAC files for Windows and Mac OS X systems for mobile
employees, but knowledgeable users can subvert PAC file traffic redirection. Also, port-
evasive applications (such as Skype, BitTorrent and some malware) will not be forwarded to
the Zscaler network from endpoints that rely only on PAC files.
The management console lacks severity indicators to prioritize outbound malware alerts.
Also, information to aid in remediation is lacking.
Zscaler offers a cloud-based next-generation firewall as an add-on to its SWG service. The
firewall service is not intended to replace enterprise firewalls protecting corporate data
centers. It is primarily suitable for branch and remote offices and roaming laptops.
Vendors Added and Dropped
We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets
change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or
MarketScope may change over time. A vendor's appearance in a Magic Quadrant or MarketScope
one year and not the next does not necessarily indicate that we have changed our opinion of that
vendor. It may be a reflection of a change in the market and, therefore, changed evaluation
criteria, or of a change of focus by that vendor.
Added
None
Dropped
None
Inclusion and Exclusion Criteria
These criteria must be met for vendors to be included in this Magic Quadrant:
Vendors must provide all three components of an SWG:
URL filtering
Anti-malware protection
Web application control capabilities
Pure-play URL filtering solutions have been excluded.
The vendor's URL filtering component must be primarily focused on categorizing English-
language websites.
Vendors must have at least $15 million in SWG product revenue in their latest complete fiscal
years.
Vendors must have an installed base of at least 2,000 customers or aggregate endpoint
coverage of at least 5 million seats.
UTM devices and next-generation firewall devices that offer URL filtering and malware protection
have been excluded. This Magic Quadrant analyzes solutions that are optimized for SWG
functionality.
Vendors that license complete SWG products and services from other vendors have been
excluded. For example, ISPs and other service providers that offer cloud-based SWG services
licensed from other providers have been excluded.
Evaluation Criteria
Ability to Execute
Product or service: This is an evaluation of the features and functions of the vendor's SWG
solution. Malware detection and advanced threat defense functionality will be weighted
heavily to reflect the significance that enterprises place on these capabilities.
Overall viability: This includes an assessment of the overall organization's financial health, the
financial and practical success of the business unit, and the likelihood that the business unit
will continue to invest in the product.
Sales execution/pricing: This is a comparison of pricing relative to the market.
Market responsiveness/record: This criterion reflects how quickly the vendor has spotted a
market shift and produced a product that potential customers are looking for; it is also the
size of the vendor's installed base relative to the amount of time the product has been on
the market.
Marketing execution: This is the effectiveness of the vendor's marketing programs, and its
ability to create awareness and mind share in the SWG market.
Customer experience: This is the quality of the customer experience based on reference calls
and Gartner client teleconferences.
Table 1. Ability to Execute Evaluation Criteria
Evaluation Criteria          | Weighting
Product or Service           | High
Overall Viability            | High
Sales Execution/Pricing      | Not Rated
Market Responsiveness/Record | Medium
Marketing Execution          | Medium
Customer Experience          | Medium
Operations                   | Not Rated
Source: Gartner (May 2015)
Completeness of Vision
Market understanding: This is the SWG vendor's ability to understand buyers' needs and
translate them into products and services.
Sales strategy: This is the vendor's strategy for selling to its target audience, and includes an
analysis of the appropriate mix of direct and indirect sales channels.
Offering (product) strategy: This is an evaluation of the vendor's strategic product direction
and its roadmap for SWG. The product strategy should address trends that are reflected in
Gartner's client inquiries.
Innovation: This criterion includes product leadership and the ability to deliver features and
functions that distinguish the vendor from its competitors. Innovation in areas such as
advanced threat defense and cloud-based services was rated highly because these
capabilities are evolving quickly and are highly differentiated among the vendors.
Geographic strategy: This is the vendor's strategy for penetrating geographies outside its
home or native market.
Table 2. Completeness of Vision Evaluation Criteria
Evaluation Criteria         | Weighting
Market Understanding        | Medium
Marketing Strategy          | Not Rated
Sales Strategy              | Medium
Offering (Product) Strategy | High
Business Model              | Not Rated
Vertical/Industry Strategy  | Not Rated
Innovation                  | High
Geographic Strategy         | Low
Source: Gartner (May 2015)
Quadrant Descriptions
Leaders
Leaders are high-momentum vendors (based on sales and mind share growth) with established