Whitepaper: How to Enhance your Blue Coat with Zscaler Security

© 2011 Zscaler. All Rights Reserved.
Overview
Traditional security appliances – like Blue Coat’s ProxySG – leverage URL filtering to provide security in a Web 1.0 world of static content and threats. Today, the web is dynamic and ever changing, and threats are moving faster than signature patches and updates can hope to keep up with.

The only way to stay ahead of today’s advanced threats is with a dynamic, real-time security enforcement tool that stops threats inline, and scans for all kinds of malicious content. Appliances were never designed for the security needs of today – only a global cloud has the power and scale to secure against today’s advanced web threats.

“Blue Coat must deliver on its SWG-as-a-service offering and demonstrate that it can compete against security services from other cloud based services, many of which have a head start of two years or more.”
-Gartner, April 2011

Even the established security vendors of yesterday are moving to the cloud for enforcement – often halfheartedly – with “cloud-assisted” and “Hybrid” security being the catchphrases used to mask an incomplete or not-yet-ready cloud approach to security. Some vendors, including Blue Coat, have attempted to rack and stack a number of appliances in global data centers to build a cloud security solution. But analysts and customers agree – these solutions are not ready for global enterprise deployment. Zscaler Cloud Security has years of maturity, and secures over 2.5 billion transactions per day, across millions of global customers. With over 40 data centers worldwide, Zscaler has the largest cloud security deployment of any vendor, by far.

“Zscaler moves into the Leader’s Quadrant in 2011 due to the demonstrated success of its unique architecture, rapid feature development, global rollout of enforcement nodes, and impressive growth in numerous global markets among small and very large enterprise clients.”
-Gartner, April 2011

While Blue Coat provides a good proxy appliance, its security, management and reporting features leave a lot of gaps. Many large enterprise customers, realizing the gaps in their existing Blue Coat deployment, have migrated to Zscaler. Others prefer to “proxy chain” their Blue Coat appliances to the Zscaler cloud for improved security and real-time reporting. The following sections describe salient benefits of Zscaler’s cloud security solution and how legacy proxy appliances, such as Blue Coat, can benefit from it.
Table of Contents
1. Eliminate Patches and Downloads to Provide Gap-Free Security
2. Secure all Traffic from all Locations
3. Agile, Scalable Deployment for Tomorrow’s Security
4. Less Complexity More Security
5. Add Security to Your Blue Coat
Eliminate Patches and Downloads to Provide Gap-Free Security

Blue Coat enterprise security, delivered via ProxySG and ProxyAV, requires regular updates to both threat signatures and URL filtering databases. As well, the appliance software has to be kept up-to-date in order to provide protection against constantly evolving threats.

Yesterday’s security: patches, updates and gaps in intelligence

The patching model was effective in the world of static web content and threats. However, this model is reactive and can entail significant latency between the time a security event is discovered and when protection is made available for users. Since ProxySG is a “cloud-assisted” model, only new or unknown URLs are scanned in the cloud in real time, and all else are rated via local databases. These local databases are, by their nature, out of date as soon as they are installed. As new vulnerabilities are discovered, database patches and signature updates are created, and a cumbersome process of distributing and updating individual appliances follows. This results in significant gaps in security coverage.

“Zscaler offers two levels of security protection. In addition to using several signature and blacklist-based filters, Zscaler has numerous advanced security checks, including page analysis, URL reputation and script analysis.”
-Gartner, May 2011

Blue Coat’s appliance based Web security does not have real-time signature updates like the Zscaler cloud. Individual appliances have to sync up new threat signatures periodically. Every appliance exists in its own ecosystem and unlike the cloud, there is no global visibility. Further, Web security with Blue Coat is a two-box solution. Anti-virus is delivered via a ProxyAV appliance, which must connect via ICAP to a ProxySG proxy in each office location. Blue Coat does not provide its own signatures, but leverages one partner engine from a list of choices (e.g., Panda, Sophos, Kaspersky, McAfee, etc.) if AV has been chosen as a bolt-on security measure.
Real-time security for real-time threats

Zscaler cloud based security eliminates the gap between threat discovery and protection being available. Unlike the appliance models, there is only one instance of the product – the cloud. Enterprises leverage the multi-tenant cloud to get security delivered as a service. Since the cloud sees traffic from a variety of sources, it has real-time and granular visibility of new threat outbreaks. When a new vulnerability is discovered, a single update to the cloud offers instant protection to all users seamlessly. If one user uncovers a new vulnerability, all others are instantly protected against it.

“Blue Coat would benefit from more on box malware detection, as offered by several of its competitors.”
-Gartner, May 2011

Zscaler generates its own in-line signatures and uses over a dozen offline engines to provide real-time and gap free security updates – without any additional scanning or cumbersome extra steps. Web security is much more complicated now than just traditional antivirus or anti-spam. While signature based engines are important, inline inspection of every page for malicious active code insertion is critical. Information stealing with bots and Cross Site Scripting (XSS) is an important threat vector that is not addressed by Blue Coat’s solution. This kind of advanced threat protection is, however, delivered by Zscaler’s real-time security cloud.
Secure all Traffic from all Locations
A security perimeter that only extends around some of your locations,
or only covers certain endpoints and devices, is hardly a perimeter. With
traditional appliance models like Blue Coat ProxySG, branch offices
and mobile users often don’t receive the same level of security as do
headquarters offices. Enterprise admins have to deploy countless boxes
and servers at every location, or backhaul traffic across the globe – or
both – to enforce security. The cost of backhauling is measured in both
dollars and network performance degradation. When you add in the
complexity required to manage multiple boxes across multiple locations,
not to mention mobile users – it is often too much to manage and leads
to an insecure, inconsistent security perimeter.
Branch office security without compromise
With Blue Coat ProxySG, an appliance is typically deployed at each
office location. As the number of offices increases, more boxes need to
be deployed and managed. The appliance management problem gets
compounded at smaller branch offices, which may not have IT resources
on-site. Add telecommuters that work from home offices, and the
appliance-based model quickly becomes untenable. As such, enterprises
frequently force users to set up a VPN to headquarters to leverage on-premise security appliances. This leads to unnecessary traffic backhaul
with increased bandwidth cost for the organization and added latency for
users.
[Figure 1: Cloud simplifies deployment and protects the distributed enterprise. Left panel: Traditional Appliances or Software (acquire, deploy, manage boxes). Right panel: Cloud Security-as-a-Service (simply re-direct traffic to the Cloud).]
Zscaler accepts traffic directly from any location, eliminating backhaul and the complexity of deploying multiple boxes at every location. Additionally, Zscaler is the only solution that does not require any client-side agents to be deployed to allow mobile employees to use the cloud. Regardless of location, employee traffic is automatically directed to the closest Zscaler Enforcement Node (ZEN). Since security and policy are enforced by local ZENs, rather than backhauling to corporate datacenters or internet egress points, unnecessary backhaul bandwidth cost and user service latency are eliminated. Zscaler’s ShadowPolicy™ guarantees that users’ policies follow them no matter where they are. No other solution provides this flexibility to all its mobile users. User based policies are defined by the administrator once; they then get enforced across the cloud – regardless of user’s location or access device, as illustrated in Figure 1.

“[Zscaler] was the first vendor to offer authenticated redirection to the cloud without a software client. It already has the largest global footprint of data centers (by far)...”
-Gartner, May 2011

With traditional appliance-based approaches, like Blue Coat’s, reporting is another source of backhaul – as log data has to traverse the network before it can be aggregated in a Reporter instance. Blue Coat provides reporting in two ways, which each have drawbacks. Customers must manage and maintain separate reporting instances by deploying Reporter servers in each location, or they must transfer large log files across the WAN/Internet. Zscaler NanoLog aggregates all log data in the cloud, where it is guaranteed by SLA to be available within 10 seconds, regardless of where the transaction occurred and without the hassles of managing additional reporting appliances or paying for backhaul bandwidth.
Enable true mobility, from any device, without agents or backhauling
The adoption of smartphones and tablets by consumers and enterprises
is happening at a staggering rate. In the fourth quarter of 2010,
smartphones out-shipped PCs for the very first time. According to
Morgan Stanley, the worldwide annual shipment of smartphones will
exceed that of desktops and laptops combined by 2012. Analyst firm
Gartner estimates that by 2013, mobile phones will overtake PCs as the
most common web access device worldwide.
Employees frequently bring their own smartphones and tablets to work.
With the proliferation of mobile devices like iPads and iPhones within
the enterprise, IT administrators can no longer ignore these devices as
outside their scope of responsibility.
With a Blue Coat deployment, road warriors can have ProxyClient installed on laptops – but this thick client only works on Windows PCs. Zscaler’s no-agent-needed approach, coupled with ShadowPolicy™, allows road warriors to be fully protected across laptops, tablets and smartphones – at all times – without deploying any agents on endpoints. Zscaler’s patented traffic forwarding and authentication mechanisms allow an enterprise to flexibly send Web traffic to Zscaler using GRE tunnels, proxy forwarding, or firewall rules. User traffic is simply forwarded to the cloud for security enforcement and logging, eliminating the need for backhauling and separate management appliances, and ensuring security across devices and locations.

“Web gateway SaaS provides opportunities to protect roaming devices, such as mobile devices and laptops that typically are not protected by on-premises gateways without heavy clients.”
-Gartner, April 2011

Zscaler allows IT administrators to define a consistent policy for any user and have that policy seamlessly enforced, regardless of the device with which the user is connecting, or the user’s location. Administrators no longer have to deal with multiple point products to secure PCs, smartphones and tablets. Unlike traditional mobile security solutions that require platform-specific apps to be installed on every device, Zscaler works seamlessly across a variety of mobile platforms. Mobile security is missing in the Blue Coat solution. Only when the mobile device is connected to the enterprise network, which funnels its traffic through the proxy, do filtering and policy enforcement occur.
Agile, Scalable Deployment for Tomorrow’s Security, as Well as Today’s
Rolling out Blue Coat appliances, re-configuring the network and
synchronizing policies across multiple boxes incurs significant
expenditure of time and resources. Corporate-wide deployments must
be coordinated across various teams within a business, and can easily
take months after a deal is signed. “Time to Value,” measured by a
complete deployment of the solution, can easily take months for Blue
Coat, compared to just a week or two for a large enterprise customer
using Zscaler.
Even after boxes have been deployed across locations, the deployment is
often not complete. Since appliances cannot scale, deployment is often
a never-ending process of adding boxes or replacing them with newer,
more powerful hardware as enterprises grow. The alternative is to
over-buy to ensure headroom for growth, but that’s a costly option that
doesn’t ensure the correct amount of scale.
Just as cloud based software-as-a-service offerings have eliminated the need for on-premise software deployment and maintenance, Zscaler’s security-as-a-service eliminates the need for on-premise hardware and software. Eliminating additional hardware automatically cuts down any rack-space, power, cooling and asset management requirements. Additionally, since Zscaler was purpose built for scalability, customers pay for only what they need, and can grow and scale as needed – with no re-architecture, no downtime, and no upgrades.

“Zscaler’s unique architecture and highly scalable purpose-built enforcement nodes enable fast global deployments.”
-Gartner, May 2011

With Zscaler, enterprise IT simply needs to configure their edge routers to redirect traffic to the cloud. Traffic redirection is accomplished using a variety of available techniques – GRE tunnels, VPN, proxy chaining, port forwarding, etc. This typically involves simple configuration changes on routers and firewalls. When user-based policies are desired, the enterprise needs only to sync their Active Directory with Zscaler.
Less Complexity, More Security
As security threats become more complex, protection costs rise.
Appliances are typically dedicated to a particular security feature. If an
enterprise wants to protect its users on the web, filter email spam and
implement a Data Loss Prevention (DLP) system, they would have to
deploy four separate appliances from Blue Coat. There is significant
CapEx involved and OpEx scales as IT resources need to be trained to
manage, maintain and correlate alerts from separate appliances.
Zscaler offers consolidated security – enterprises can enable features
on-demand. There is no upfront CapEx for new security features.
OpEx is reduced thanks to an integrated management console and
the elimination of hardware maintenance. The TCO for a Blue Coat
deployment at an enterprise with 3,000 employees across headquarters
and three branch offices is about 3X higher than Zscaler. Since Blue Coat
does not provide any email security solution, this TCO comparison is only
for Web security.
Add Security to Your Blue Coat
ProxySG is a fine proxy appliance, with a strong implementation among
large enterprise customers. Unfortunately, today’s threat landscape
requires a real-time approach to security, and many of those customers
are looking for a better solution. Appliances, by their nature, cannot
provide real-time intelligence and enforcement like cloud solutions can.
Only Zscaler can provide seamless security, across locations and devices,
to ensure a truly borderless security perimeter. Add the ability to block
advanced threats like XSS, cookie theft, malicious active content and
more, and it becomes clear that Zscaler provides better security with less
complexity than any appliance-based deployment.
“SaaS secure Web and e-mail gateways frequently provide efficiency and cost advantages, and a growing number of offerings are delivering an improved level of security that exceeds what most organizations can achieve with on-premises software or appliances.”
-Gartner, April 2011
About Zscaler: The Cloud Security Company™
Zscaler enforces business policy, mitigates risk and provides twice
the functionality at a fraction of the cost of current solutions, utilizing
a multi-tenant, globally-deployed infrastructure. Zscaler’s integrated,
cloud-delivered security services include Web Security, Mobile Security,
Email Security and DLP. Zscaler services enable organizations to provide
the right access to the right users, from any place and on any device—all
while empowering the end-user with a rich Internet experience.
About Zscaler ThreatLabZ™
ThreatLabZ is the global security research team for Zscaler. Leveraging
an aggregate view of billions of daily web transactions, from millions of
users across the globe, ThreatLabZ identifies new and emerging threats
as they occur, and deploys protections across the Zscaler Security Cloud
in real time to protect customers from advanced threats.
For more information, visit www.zscaler.com.