Having Web security software or appliances on the corporate network is great, but all that effort can be undone by just one user whose corporate laptop gets infected with a Trojan while she is casually surfing at the airport, waiting for a flight home.
Service-based Web security can ensure that end user Web traffic is always routed through the provider's filters. Providers do this by having administrators configure users' browsers to send traffic directly to the provider's proxy servers.
Of course, latency is just as much of an issue for road warriors as office staff. Referencing a proxy server 3,000 miles away over a slow Internet link isn't an efficient way to balance Web security and usability. To address that, many Web security providers use third-party geolocation databases to home in on a user's physical location as he executes a DNS query, and point him to the provider's nearest point of presence.
A compelling argument for any service is low capital costs. We've done some back-of-the-napkin calculations to compare on-premises vs. Web security service options. Let's assume your business has a single office with 500 employees. For around $25,000, you can purchase a Web proxy appliance with a 500-user license and a one-year license for a URL filter. If you want antivirus and malware prevention, you'll need another appliance. Our favorite reseller quoted us around $6,700 for a BlueCoat ProxyAV appliance with a 500-user license. A one-year subscription to the McAfee A/V engine will cost you another $3,000. Don't forget to add in around $5,000 in maintenance per year for both.
By our math, capital expenses are just under $35,000.
Let's compare that with the service option. Purewire gave us ballpark pricing of $30 per user, per year for its Web security service. For a 500-user shop, all of your licensing costs are operating expenses; the bill comes in at $15,000 per year ($30 times 500 users).
Here's where the decision gets tougher. While the capital expense may be greater for an on-premises package, the ongoing costs will drop considerably in subsequent years, while the service costs generally will remain the same or rise. Over three to five years, it's likely there will be very little difference in the total cost of ownership between the two options.
Thus, the decision will have to include other variables, such as the extra features you could get with hosted Web security tools, like application control, data loss prevention, and consolidated logging/reporting. Security requirements mandate that some organizations store Web access logs for years. Any level of detailed logging on a large scale is sure to generate gigabytes of data. Hosted log management is a value-add that many Web security service providers are touting.
By contrast, the potential for business-critical Web apps to be impeded by slowdowns could quickly overwhelm any benefits you might see in a cloud option. Web security services will live or die on how well they can keep latency down. We'll be watching.
Randy George is an industry analyst covering security and infrastructure topics.