Web security in an always-on world

My habits are not dissimilar to those of many others. In the morning, my first act is to collect my phone from beside the bed, check my email accounts and then look to see who has posted what on Facebook and Twitter. All these services are based in the cloud, accessed directly via the internet. But web-based services have become the preferred way for criminals to disseminate malware, with the intention of harvesting information that can be used for financial gain. As well as this, mobile devices are becoming an increasingly attractive target for hackers and issues surrounding smartphone usage are now being seen as a major issue for organisations looking to protect their sensitive data from loss or misuse. 

Where organisations once looked to limit or block the use of mobile devices and web collaboration and social media tools, many have now come to realise the value of such devices and applications as they enable greater flexibility and productivity. According to research by technology vendor Clearswift, 61% of respondents to a survey conducted in the UK in 2010 stated that their organisations are encouraging or allowing the use of collaborative and social media tools, and more than half say that their use is critical to the business. For social networking site Facebook, the greatest growth is being seen among the 35-plus age group. The use of mobile devices is also seen as critical and research shows that smartphone shipments will overtake those of PCs in 2011. And new tablet computers are proving to be a runaway success. 

The technology tide cannot be turned back. Rather, the onus is on organisations not just to allow the use of such tools, but to ensure that in doing so they are not adding to the security risks that they face. Since so much malware is delivered via web applications and users connect to web-based applications directly via an internet browser, an organisation must ensure that it can control what applications users can access to avoid them visiting sites that are riddled with malware or that contain inappropriate content that could harm the organisation’s reputation. They must also be able to control what information can be downloaded from or uploaded to web applications, from whatever device is being used. 

Traditionally, web security controls have been delivered via an appliance, installed within the organisation’s four walls and administered and managed locally. That works fine for large organisations where employees generally work from the office, but is generally too expensive an option for smaller resource-strapped organisations, or those with large numbers of mobile workers, for which VPN technologies would also have to be purchased to provide a secure connection to the appliance. 

The advent of cloud-based computing opens up the playing field. It allows users to connect directly to resources, providing always-on, instant access from anywhere at any time and is particularly suited to smaller organisations—especially those that are looking to benefit from the economies offered by software-as-a-service applications—and for those with large numbers of mobile workers or geographically dispersed operations. 

In order to ensure the security of those applications and to control access to the data they contain, specialised cloud computing vendors began to develop web security services based in the cloud, backed up by global threat intelligence networks that look to stop malware in the cloud, before it can even reach end users. Such specialised vendors in the market include Webroot, which added to its capabilities with the acquisitions of BrightCloud and Prevx in 2010; Clearswift, which recently expanded the capabilities of its products and services; and Websense, which has combined its web security protection with outbound DLP for content control. 

There are also specialised vendors that have been acquired by larger security or networking players. These include Cisco, which acquired ScanSafe, McAfee, with its MX Logic acquisition; Symantec, which acquired MessageLabs and MI5 Security; and M86 Security, which recently acquired web security capabilities from Finjan. All of these are building out their cloud-based web security offerings, looking to extend their presence in the SME sector and to cater to mobility trends. The newest entrant to the market is network security and management company Blue Coat Systems, which has just unveiled its new cloud-based web security offerings. All of these vendors have also announced that they are unveiling hybrid options to allow organisations to combine the use of appliances deployed on-premise with cloud-based services for those that need them. 

With threats emanating over the internet a constantly growing problem, more organisations should evaluate the developments being made in web security offerings—especially since research from the Computer Security Institute shows that just three-fifths of organisations are using any web security controls, such as URL filtering. A survey conducted during Infosec in London in April 2010 found that 62% of organisations with 500 or more employees and 43% of smaller organisations had experienced virus and other malware infections in the past year—up from just 14% of organisations of any size in the 2008 survey. 

There is a pressing need for organisations to pay greater attention to web security since web applications are a prime vector of attack and growing more so. And the time is right to do so. All the vendors mentioned in this article continue to build out their capabilities and there is something suited to every organisation—from the smallest microfirm to multinational enterprises.