The Internet is the attack vector of choice for malware developers and data thieves of all stripes because the HTTP protocol constitutes a big, gaping hole in your defenses. While some users bring grief on themselves by browsing inappropriate and risky pages, criminals target legitimate sites to distribute malware through corrupted banner ads, Web redirects, and other nefarious techniques.

You can't close the hole because end users rely on the Web for business tools. What you can do, however, is purchase border enforcement to cover your assets. These Web-security-as-a-service suites, like the on-premises software and appliances sold by competitors, provide a slate of capabilities, including Web filters to block users from surfing inappropriate or compromised sites; malware filters to pluck viruses, Trojans, and spyware from inbound content; and data loss prevention tools to stop sensitive information from leaking out of the organization.

But is outsourcing Web security to the Web a smart career move?

The service model has three advantages over traditional on-premises products: lower capital costs, faster deployment of the application, and a reduced management burden on in-house IT staff. Service-based Web security can also help protect remote users when they're off the corporate network. And you've got a range of choices in providers, from upstarts like Purewire, ScanSafe, and Zscaler to established vendors such as Kaspersky, McAfee, Symantec, and Websense.

Sounds good in theory, but latency could derail adoption.

Caught In The Slow Lane?

The theory behind doing Web security in the cloud is relatively simple: Redirect all of your outbound internet traffic to a Web security infrastructure hosted by your vendor of choice. Pick the security services to which you want to subscribe. Develop and enable your policy through a Web management interface. Last, point your client browsers to the vendor's Web security gateway, and you're done.

As is usually the case, however, theory and reality differ. With an on-premises Web security system, users traverse your Internet router and are protected within the LAN environment at wire speed, reducing the potential for latency. With off-site, provider-based Web security, you're adding an additional hop to a proxy over the Internet itself, and that introduces the possibility of slowdowns. The question is, how much latency is too much? End users won't get much sympathy from IT if they complain that Hulu is jittery at work, but line-of-business managers will kick down your door if Salesforce or online meeting apps start to wobble.

"The concern about additional latency is one of the first questions we are asked by every potential customer," says Paul Judge, co-founder and CTO of Purewire. As you'd expect, Judge says the latency from his service is imperceptible.

Luckily for IT, it's simple enough to put vendor claims to the test. Most let potential customers create an evaluation account to put the service through its paces. If a potential partner balks at this, walk away.

Overall user experience depends on a host of variables, such as whether a cached copy of the content requested is available either locally or from another source. It's important that network engineers understand a few factors when choosing a provider. Primary among them is a firm grasp of your users' Web behavior, where the provider's proxy servers are physically located, and whether the provider can also supply a caching appliance to minimize latency.

Before signing on, be confident that the provider will be able to scale its infrastructure as it adds customers. And as with any service, you'll need to get details on the provider's service-level agreements.

Web Security Services' Benefits And Drawbacks
5 Benefits Low capital cost to deploy Reduces management burden on infrastructure staff Can consolidate massive logs on provider's storage Value-adds like data loss prevention often included in the base package Protects remote users from advanced Web-based security threats		5 Drawbacks Additional network latency added TCO may not greatly favor provider IT must distribute config changes to every client using the service May shift support calls from infrastructure team to help desk Variables related to captive portals and firewalls at hotels may affect service