
G00249600

Magic Quadrant for Secure Web Gateways

Published: 28 May 2013

Analyst(s): Lawrence Orans, Peter Firstbrook

Malware detection and cloud services are two areas of continuing disparity among SWG vendors. Our market analysis of the vendors highlights key differences in these capabilities and other key functions.

Market Definition/Description

Secure Web gateways (SWGs) utilize URL filtering, malware detection and application control technology to protect organizations and enforce Internet policy compliance. SWGs are delivered as on-premises appliances (hardware and virtual) or cloud-based services.

We estimate that the combined SWG revenue of the Magic Quadrant participants in 2012 was $1.18 billion (which includes on-premises and cloud-based offerings). Revenue from solutions that lack full SWG functionality has been excluded (for example, URL filtering only or proxies sold without anti-malware protection). The market grew approximately 15% over 2011, which is in line with our estimate from the 2012 report. We anticipate that the market will grow 13% to 15% in 2013.

Eight of the 13 vendors in this analysis now offer a multitenant cloud service. However, the market is still dominated by on-premises solutions (86% share, based on revenue), with SWG as a service representing the remainder of the market (14%). Gartner's market share and growth rate estimate of the broader market for SWG proxy and URL filtering software can be found in "Market Share: Security Software, Worldwide, 2012."

The market is segmented between large enterprises and small or midsize businesses (SMBs). SMB solutions are designed for ease of use, cost-effectiveness and basic security protection. Large enterprise solutions protect against more-advanced threats, including the capability to detect targeted attacks.

Vendors are increasingly integrating content-aware data loss prevention (DLP) to monitor sensitive data. Cloud services are being driven by the need to protect mobile devices and secure remote-office connections.


Magic Quadrant

Figure 1. Magic Quadrant for Secure Web Gateways

Source: Gartner (May 2013)

Vendor Strengths and Cautions

Barracuda Networks

Barracuda Networks, which is based in Campbell, California, offers the Barracuda Web Filter appliance (hardware and virtual) and the cloud-based Barracuda Web Security Service. Barracuda customers typically implement its appliances in transparent bridge mode to view all network traffic, but the appliances can also be implemented in proxy mode. Barracuda Web Filter appliances are good candidates for SMBs and selected large enterprises (especially in the education and government vertical industries), particularly those that are budget-constrained.

Strengths

■ Barracuda offers a low-cost solution that is easy to use with very competitive functionality.

■ A partnership with Malwarebytes provides malware cleanup capabilities that can be initiated from the gateway.


■ Application controls provide heuristic detection across all ports and protocols, with optional endpoint agents or in-line deployments.

■ Social media controls, including optional archiving capabilities, are very complete.

■ For mobile users, Barracuda offers several options for traffic redirection and authentication, including endpoint agents for recent versions of Windows and Mac OS X, and a safe browser option for Apple iOS.

Cautions

■ Barracuda does not offer a choice of antivirus engines. Open-source ClamAV is the only option. Barracuda adds internally developed signatures, although its malware research team is relatively small.

■ The Barracuda Web Filter appliance lacks dynamic URL categorization.

■ Some enterprise-class capabilities for management and reporting are absent. For example, the dashboard is not customizable, and it only provides limited drill-down into logs or reports.

■ The cloud-based service is also missing a number of enterprise features. For example, it lacks IPsec support for traffic redirection, and it requires an authentication appliance for directory integration.

Blue Coat Systems

Blue Coat is in its second year as a privately held company, after private equity firm Thoma Bravo acquired it in February 2012. In December 2012, Blue Coat acquired Crossbeam Systems, a blade-server platform that integrates firewall, intrusion prevention system (IPS) and other security components. Blue Coat plans to port its SWG solution to the Crossbeam platform (no set date has been provided), and will continue to offer its dedicated hardware appliances and virtual appliances. The company also operates a cloud-based SWG service. In May 2013, Blue Coat acquired the SSL appliance product line from Netronome. Also in May 2013, Blue Coat announced its intent to acquire Solera Networks. Blue Coat is a very good candidate for most large enterprise customers.

Strengths

■ Blue Coat's ProxySG remains the strongest proxy in the market in terms of breadth of protocols and the number of advanced features. It supports a long list of protocols (including SOCKS), extensive authentication and directory integration options, and the Online Certificate Status Protocol (OCSP).

■ Blue Coat's cloud offering includes multitenant IPsec gateways, which enable it to support a wide range of mobile devices. Blue Coat agents are available for Windows, Mac OS X and Apple iOS.

■ Blue Coat provides some integrated features with its cloud and on-premises solutions. Its Unified Reporting feature allows logs from the cloud service to be rolled up into an on-premises Blue Coat Reporter console. Its Unified Policy feature allows policy developed in the cloud to be synchronized with its on-premises appliances.

■ Blue Coat offers strong reporting capabilities for its on-premises and its cloud-based services. Both solutions provided multiple canned reports and the ability to create custom reports.

Cautions

■ The ProxySG appliance lacks on-box malware detection. Customers that want antivirus engine protection must purchase a separate appliance (ProxyAV). Malware protection is also provided by Blue Coat's "cloud assist" WebPulse service.

■ The ProxyAV lacks advanced malware techniques, such as code emulation. Instead, it utilizes signature-based detection delivered by Blue Coat partners (a choice of four antivirus engines).

■ Blue Coat cannot monitor all network traffic (which is helpful for detecting outbound malware) in its most commonly deployed proxy mode (known as explicit proxy), but it can be configured in other modes to monitor all traffic.

■ Unlike several other vendors that offer cloud-based services and on-premises appliances, Blue Coat does not offer a "single SKU" price model that allows the option to mix and match cloud and on-premises Web-filtering licenses.

Cisco

Cisco, which is based in San Jose, California, offers an appliance-based SWG and a cloud-based SWG service. In 2012, Cisco rebranded these solutions. The appliance-based product is now named Web Security Appliance (formerly IronPort) and the cloud-based service is now named Cloud Web Security (formerly ScanSafe). The Web Security Appliances (WSAs) are implemented as proxies.

In February 2013, Cisco acquired Cognitive Security, a startup company based in the Czech Republic. Cognitive analyzes NetFlow traffic and other data to detect advanced threats. Cisco plans to utilize Cognitive's technology in its Security Intelligence Operations, a threat and vulnerability analysis center that distributes security updates and reputation data to a range of Cisco products and services, including its SWG offerings.

Cisco's WSA products are very good candidates for most midsize and large enterprises, while the Cloud Web Security service is a good candidate for all enterprises.

Strengths

■ Cisco has integrated a traffic redirection feature — a critical component of any cloud service — into some of its on-premises equipment. The ASA firewall, ISR G2 router and WSA all support Cisco's "connector" software, which directs traffic to the Cloud Web Security service. The configuration is enabled via a menu item on these appliances.


■ Cisco provides several options for authenticating users to the Cloud Web Security service, including SAML. The connector implementations (noted above) also transport user credentials to the cloud.

■ Mobile support is a strength of Cisco's cloud offering. The AnyConnect client supports Windows, OS X, Apple iOS, Android, Windows Phone 8 and BlackBerry. However, Cisco's cloud lacks support for IPsec, which is widely supported on mobile devices.

■ In addition to Cisco's reputation database, the WSA provides three choices for on-box signature databases (McAfee, Sophos and Webroot), all of which can be supported simultaneously. Adaptive scanning utilizes the anti-malware engine that is best suited for the content type.

■ Cisco provides a very granular application control capability. The Cisco appliance includes a Switched Port Analyzer (Span) port to monitor and block outbound malicious traffic that evades the proxy.

Cautions

■ Reports and dashboards do not provide sufficient information on outbound malware detection to enable prioritized remediation.

■ Some customer references noted that reporting could be improved. Advanced reporting requires a Cisco version of Splunk at an extra cost.

■ Cisco lacks a unified management console for its on-premises WSA appliances and its Cloud Web Security service to ease the management of hybrid deployments.

■ Some customer references highlighted that Cisco needs to improve its Content Security Management Appliance's ability to centrally manage and control individual proxies.

ContentKeeper Technologies

ContentKeeper Technologies is based in Australia, where it has many large government and commercial customers. It offers a family of SWG appliances that deploys in transparent bridge mode, and it also offers a hosted cloud-based service. In 2012, ContentKeeper opened a new office in North America in Orange County, California. It also rebranded its family of appliances with the names Web Filter Pro and ContentKeeper Secure Internet Gateway (CK-SIG). ContentKeeper is a candidate for K-12 schools and for most enterprise customers.

Strengths

■ The Behavioral Analysis Engine (a feature of CK-SIG) provides real-time and near-real-time analysis of Web objects using browser code emulation.

■ ContentKeeper has developed "sandboxing" technology to analyze suspicious files and executables in a virtualized Windows environment. The solution produces detailed reports for each item that is analyzed. The sandboxing technology can be configured as a hosted service, or it can be run locally on an appliance. It comes as a standard feature in CK-SIG and may also be configured as a feature of Web Filter Pro.

■ A bring your own device (BYOD) feature enables Web Filter Pro and CK-SIG to enforce access policies for mobile devices and users. Policies could include blocking Internet access or blocking applications (by filtering network traffic). Agents are available for off-network mobile devices. Supported operating systems include Windows, OS X, iOS, Linux and Android.

■ ContentKeeper appliances support the ability to proxy and analyze Secure Sockets Layer (SSL) traffic. Antivirus protection and basic IPS are provided through a combination of third-party and internally developed signatures.

Cautions

■ ContentKeeper lacks a shared, multitenant, cloud-based SWG service. It provides a hosted cloud offering, where customers run virtual appliances hosted in Amazon's cloud service (and some ContentKeeper-managed data centers). Hosted offerings are not as flexible (for example, dynamic ability to scale) as shared multitenant clouds.

■ While the vendor has made good progress in developing malware detection tools, these solutions are new, and ContentKeeper has yet to earn recognition as a leading malware research and product company. Prospective customers should carefully test ContentKeeper's anti-malware capabilities.

■ Some customer references requested improvements to the solution's graphical user interface (GUI). In January 2013, ContentKeeper released an updated interface, although the console still lacks malware severity indicators for enabling prioritized remediation.

McAfee

McAfee, a subsidiary of Intel, offers a family of on-premises SWG appliances (McAfee Web Gateway [MWG]) and a cloud-based SWG service (SaaS Web Protection). The SWG appliances are most commonly implemented as proxies, although they can be deployed in other modes, including in-line transparent bridges. In February 2013, McAfee announced its acquisition of ValidEdge, which makes a sandboxing appliance for detecting advanced malware and targeted attacks. McAfee's solutions are good candidates for most enterprise customers, particularly those that are already McAfee ePolicy Orchestrator users.

Strengths

■ MWG has strong malware protection due to its on-box browser code emulation capabilities. The solution provides the ability to adjust the sensitivity of malware detection. A rule-based policy engine enables flexible policy creation.

■ The SaaS Web Protection cloud service supports SAML for authenticating users.

■ McAfee has integrated DLP technology across its product lines. MWG ships with a number of preformatted dictionaries.


■ Application control is very strong. HTTP manipulation allows organizations to remove selected functions from Web applications (for example, blocking posts to social media sites).

■ A single SKU pricing model gives customers the flexibility to purchase a single Web gateway license, and to mix and match on-premises and cloud-based service models.

Cautions

■ The SaaS Web Protection cloud service is missing an important traffic redirection option by not supporting IPsec.

■ McAfee's mobility strategy needs improvement. It does not offer an endpoint client for Mac OS X. Its McAfee Client Proxy for Windows is a strong solution, but it has been late to support Windows 8 (a June 2013 release is planned). The lack of IPsec support in the cloud is also an impediment to supporting mobile devices.

■ The cloud solution does not have the same level of policy granularity that is available with the on-premises appliance.

Phantom Technologies-iboss Security

Phantom Technologies is a privately held company based in San Diego. It offers a family of appliance-based platforms (iboss) that is typically deployed in transparent bridge mode. It also offers a cloud-based URL filtering solution for mobile users. Phantom is a candidate for organizations that are based in North America (more than 90% of its customers are in North America).

Strengths

■ Support for features aimed at the K-12 market has helped Phantom develop a strong installed base in the education market (approximately one-third of its revenue is from the K-12 vertical industry). For example, the iboss SWG Web filter enables schools to easily allow access to YouTube's educational site, while blocking access to the main YouTube site.

■ Full SSL content inspection is provided utilizing an agent-based solution on endpoints. This is a scalable approach that relieves the iboss appliance of the burden of managing certificates, and of terminating and decrypting SSL traffic.

■ Bandwidth controls are very flexible. For example, bandwidth quotas can be applied to a specific organizational unit in Active Directory, and they can also be assigned to a specific domain.

■ The iboss appliance uses DLP technology to identify high-risk behavior.

■ Iboss includes a unique autorecord feature (up to three minutes) that enables a playback for a sequence of events. This feature is often used to confirm intentional versus unintentional user violations.


Cautions

■ Phantom's cloud offering is limited to URL filtering decisions. It lacks a multitenant cloud-based service that analyzes traffic and Web objects to detect malware. An on-premises appliance is required to handle policy management and reporting.

■ Malware detection capabilities are limited. Phantom has only limited resources (a small team of researchers) to develop its own signatures. Choices for antivirus engines are limited to Bitdefender or ClamAV (both can be combined with Snort rules).

■ Uncategorized URLs are not classified in real time.

Sangfor

Sangfor is a network equipment vendor based in China. Approximately half of its revenue comes from its SWG products, and the remaining revenue comes from its VPN, WAN optimization controllers and application delivery controller products. Sangfor's SWG comes in a hardware appliance form factor, and it is usually implemented as an in-line transparent bridge. The company offers two versions of its SWG product: one aimed at the Chinese market, and one aimed at English-speaking countries. Nearly all the company's revenue comes from the Asia/Pacific region. Sangfor is a candidate for organizations that are based in China and in supported countries in the Asia/Pacific region.

Strengths

■ Sangfor has strong application control features. It can apply granular policies to Facebook and other Web-based applications, and it has also developed network signatures to block port-evasive applications like BitTorrent and Skype.

■ Sangfor's in-line transparent bridge mode enables flexible and granular bandwidth control capabilities. Bandwidth utilization parameters can be specified for uplink and downlink traffic.

■ Sangfor has a good Wi-Fi guest network feature. The SWG supports a guest registration portal, and it sends credentials to guests via SMS. It uses these credentials to monitor and report on guests' Internet behavior. At the time of this writing, this Wi-Fi guest feature is only available on the Chinese version of the product.

Cautions

■ Mobility is a weak point for Sangfor. It does not offer a cloud-based service.

■ The solution lacks some enterprise-class features. The ICAP is not supported, thereby limiting the SWG's capability to send content to third-party scanners (such as DLP sensors or antivirus scanners).

■ The English version of the product does not dynamically classify uncategorized URLs (however, the Chinese version has this capability).


■ Malware protection is basic and lacks advanced features for detecting new malware and targeted attacks. The solution relies heavily on a signature database from Sangfor's antivirus partner. Sangfor's malware research team also maintains its own signature database, although it does not have a strong reputation for anti-malware research.

Sophos

Sophos has executive offices in the U.K. and Massachusetts. Best known for its endpoint protection platform (EPP), it has a broad range of network gateways through native development and its acquisition of Astaro in 2011. The Sophos Web Appliance (SWA) can be deployed in proxy or transparent in-line bridge mode. Sophos provides an option for its customers to run virtual instances of its SWG in Amazon's EC2 cloud. Sophos' endpoint client is tethered to SWA for policy management and logging when off-LAN. Sophos is a candidate for midsize customers and for enterprises that are already using its EPP solution.

Strengths

■ Sophos is an established player in the malware detection market. SWA uses Sophos-developed technology to perform a pre-execution analysis of all downloaded code, including binary files and JavaScript.

■ Several Sophos reference customers commented on the solution's ease of use. Features include automated network and directory discovery, contextual help functions and simple policy configuration.

■ Sophos has a strong reputation for support and service. It optionally monitors customers' appliances and provides proactive assistance for critical conditions.

Cautions

■ Sophos' cloud offering is limited to URL filtering decisions. It lacks a multitenant cloud-based service that analyzes traffic and Web objects to detect malware. Software on laptops and mobile devices sends URL requests to the Sophos cloud, which categorizes the URL and sends a response to the Sophos client on the endpoint so it can enforce the policy.

■ Social media controls are lacking. SWA does not provide a GUI to easily configure granular policies for Facebook.

■ SWA is missing some enterprise-class features, such as dashboard customization, bandwidth management, time quotas (for Web surfing), ICAP support, and advanced reporting and analytics.

■ The URL-filtering feature does not provide dynamic classification of uncategorized websites.

■ Reporting on compromised endpoints is not hyperlinked to Sophos' threat research.


Symantec

Symantec, which is based in Mountain View, California, has two offerings in the SWG market: (1) the Symantec.cloud service; and (2) the Symantec Web Gateway appliance, which may be deployed as an in-line transparent bridge, as a proxy, or in Span or test access point (TAP) mode. Symantec bundles a virtual version of its Web Gateway appliance with a suite offering that includes email and endpoint protection. Symantec is a good candidate for most enterprise customers.

Strengths

■ Symantec.cloud service and Symantec Web Gateway benefit from Symantec's strong malware research labs and its Insight file reputation engine.

■ The Web Gateway appliance has strong reporting capabilities and provides valuable information on malware-compromised endpoints. Reports indicate the type of threat and its severity. It also provides quick access to more detail, such as geolocation data, search terms, filenames and types, removal information and a malware encyclopedia.

■ Symantec Web Gateway can be implemented quickly (in Span/TAP mode), which has enabled Symantec to develop a strong value-added reseller (VAR) partnership program. VARs deploy the appliance on customers' premises to run Symantec's Malicious Activity Assessment.

Cautions

■ Symantec.cloud lacks some enterprise-class features and has been late in supporting others. It doesn't support IPsec for traffic redirection, and it doesn't support SAML or cookies for user authentication. Symantec.cloud did not support inspecting SSL traffic until 2Q13, and it lacks DLP support (which is planned for 3Q13). Because these are new features, enterprises should test them carefully.

■ Symantec's mobility strategy needs improvement. Its Smart Connect is a strong solution for Windows endpoints, but it is not available for Mac OS X. The lack of IPsec support in the cloud is also an impediment to supporting mobile devices. The Remote Connect client (for non-Windows devices) uses proxy autoconfiguration (PAC) settings to redirect traffic to the cloud, but PAC settings can be easily modified by users.

■ Neither Symantec Web Gateway nor Symantec.cloud supports dynamic classification of unknown URLs.

■ There is very little integration between Symantec Web Gateway and Symantec.cloud, and the vendor does not offer a single SKU pricing model to mix and match licenses from the two offerings.

Trend Micro

Trend Micro is based in Tokyo, and its U.S. headquarters is located in Dallas. It offers an appliance version (hardware and software), InterScan Web Security (IWS), and a new cloud service (launching in the second half of 2013). IWS can be implemented as a transparent bridge or a proxy. Trend Micro is a candidate primarily for organizations that already have a strategic relationship with the company.

Strengths

■ Malware detection is provided by Trend Micro's signature database, script analysis and a reputation service (fed by the company's cloud-based Smart Protection Network). Trend Micro's Damage Cleanup Services can provide remote client remediation for known threats. IWS also blocks communication to known botnet command-and-control centers.

■ Trend Micro recently launched "Deep Discovery," a complementary solution providing a centralized sandboxing engine that executes suspect code in a virtual machine to detect malicious behavior. Trend Micro products, including the IWS gateway, integrate to deliver suspect code to the Deep Discovery solution for advanced detection.

■ Integrated DLP, with common compliance templates, was recently added to IWS.

■ Application Control includes more than 850 Internet applications, including some peer-to-peer and IM traffic types that are detected by network signatures. Browsers, browser versions and plug-ins can be blocked by policy. Application Control also offers time of day as well as time and bandwidth quota policy options.

Cautions

■ At the time of this writing, Trend Micro's cloud is not generally available. The vendor plans to launch the service in Japan and the Asia/Pacific region in the second half of 2013, and it is targeting a North American launch for 2014.

■ Reporting on compromised endpoints (outbound malware detection) does not provide drill-down information about threat details, and lacks severity indicators to help security teams prioritize remediation efforts.

■ Policies are not consistent between the cloud service (once it becomes available) and IWS. For example, the cloud service does not block posts to Facebook, but IWS does.

■ IWS and the cloud service do not offer dynamic classification of uncategorized URLs.

Trustwave

Trustwave, based in Chicago, offers a diversified security portfolio, although its primary focus is as a PCI Qualified Security Assessor (QSA) and managed service company. Its Secure Web Gateway appliance (gained via the 2012 acquisition of M86 Security) is a proxy-based gateway that specializes in real-time malware detection. The solution is available in hardware and virtual instances. Trustwave also provides an option for its customers to run virtual instances of Secure Web Gateway in Amazon's EC2 cloud. Trustwave is a good candidate for security-conscious organizations, or those looking for a managed security service.


Strengths

■ Trustwave has strong real-time browser code emulation, which enables it to detect new threats and targeted attacks.

■ Social media controls are strong. The Secure Web Gateway has a "zero post" policy option that enables read-only access to selected websites or Web categories to prevent posting to social media websites.

■ Trustwave has integrated its Secure Web Gateway with its DLP solution to enable content security and control.

■ Trustwave has integrated its Secure Web Gateway with its network access control (NAC), DLP, and security information and event management (SIEM) products to support automated responses for BYOD and mobile devices. For example, endpoints that trigger SWG alerts can be removed from the network by NAC.

Cautions

■ Support for mobile workers is weak due to Trustwave's lack of a multitenant cloud-based SWG service.

■ The dashboard console, which is restricted to only three panels, is weaker than many competing offerings.

■ The Secure Web Gateway does not dynamically categorize unknown URLs.

■ The Secure Web Gateway lacks the ability to block port-evasive applications, such as BitTorrent.

Websense

Websense, based in San Diego, offers appliances (hardware and software) and a cloud-based service. In January 2013, the company's CEO announced his retirement, and Websense filled the post by promoting its president to be the new CEO. In May 2013, Websense announced that it had entered into a definitive agreement to be acquired by Vista Equity Partners, a private equity firm. Websense is a very good candidate for most enterprise customers.

Strengths

■ Websense has a strong offering for organizations interested in a hybrid SWG strategy (on-premises and cloud-based). Its Triton management console provides a common point for policy management and reporting in hybrid environments. The company offers a single SKU hybrid pricing model. Customers can purchase a single license and implement it in a mix-and-match scenario (on-premises or cloud-based users).

■ The Websense cloud service supports multiple options for traffic redirection (including IPsec) and multiple options for user authentication (including SAML).


■ The Websense Web Security Gateway provides strong malware detection technology, including browser code emulation and network traffic analysis. Websense provides a cloud-assist sandboxing analysis with its ThreatScope offering. Objects must be submitted manually to ThreatScope, although Websense has plans to automate the process.

■ Websense has strong DLP technology that is integrated (on box) with its solutions (full enterprise DLP requires an additional license). It uses the deep packet inspection capabilities of its DLP technology to inspect outbound traffic for malware behavior (this feature does not require a DLP license).

Cautions

■ Websense lacks a proven large-scale appliance. In January 2012, it announced the X10G blade server platform. Gartner very rarely sees the X10G in price bids. Organizations that are considering the X10G should test it thoroughly in the lab and carefully check references.

■ Websense's pricing model is outdated. It licenses its service per IP address, and in this era of BYOD, many customers find that they are rapidly approaching or exceeding their contracted limit of IP addresses. However, Websense has shown flexibility in contract negotiations with its customers.

■ Price-sensitive SMB customers may find Websense's subscription-based pricing to be too expensive. Competitors that offer per-site pricing or per-appliance pricing are typically less expensive than Websense.

■ Some Websense customers have reported dissatisfaction with the quality and responsiveness of Websense's support organization. In the second half of 2012, Websense took steps to address these issues and hired a new executive to run its service and support organization. Prospective Websense customers and those that have experienced support issues should ask Websense to outline the changes in its support organization.

Zscaler

Zscaler, which is based in San Jose, California, is a pure-play provider of cloud-based SWG services. The company continues to be one of the fastest-growing vendors in this market. Its strong Completeness of Vision score is due to its rapid product development and innovation. Zscaler is a very good candidate provider for most enterprises.

Strengths

■ Zscaler has the largest global footprint for SWG vendors, with enforcement nodes in 28 countries. It is one of the few vendors to have an extensive presence in the Middle East and South America.

■ Zscaler provides flexible implementation options by offering the broadest set of choices for traffic redirection (including IPsec) and authentication (including SAML). Flash cookies enable agentless authentication for mobile users on supported devices.

■ Zscaler provides strong content inspection capabilities to develop vulnerability shields that address specific Common Vulnerabilities and Exposures (CVEs) for Microsoft and other applications. Suspicious files are analyzed in a sandbox environment. All traffic is scanned every time regardless of site reputation.

■ Policy controls are flexible for bandwidth control and social media sites. Strong SSL support enables granular controls for DLP policies and content inspection.

■ A unique streaming log service provides near-real-time import of logs from the cloud to on-premises servers, where they can be analyzed by a SIEM solution.

Cautions

■ Compared with some of its larger competitors, Zscaler has only a limited number of dedicated malware researchers. This is evident in the lack of detail provided for compromised endpoints, and in the absence of threat prioritization and correlation information.

■ In keeping with its agentless approach, Zscaler encourages the use of PAC files for Windows and Mac OS X systems for mobile employees. Knowledgeable users can subvert PAC file traffic redirection. Also, port-evasive applications, such as Skype, BitTorrent and some malware, will not be forwarded to the Zscaler network from endpoints that rely only on PAC files. Customers that prefer endpoint agents can use Zscaler's eZ Agent for local enforcement on Windows systems; however, they will be disappointed by Zscaler's lack of an agent for OS X.

■ Its DLP capability could be improved with more predefined templates and workflow.

■ Some customers have reported dissatisfaction with the quality and responsiveness of Zscaler's service and support organization.

Vendors Added or Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.

Added

■ None

Dropped

The following vendors did not meet the revenue threshold as outlined in the Inclusion Criteria section below:

■ EdgeWave

■ Optenet

Other Vendors We Considered

Check Point Software Technologies markets an SWG stand-alone product that it introduced in 2012. This new product does not yet meet our revenue threshold criterion for inclusion. The solution is comparable to unified threat management (UTM) because it ships with an embedded firewall that can be enabled free of charge. Check Point also offers an SWG blade for its firewalls. We will monitor how Check Point develops its stand-alone SWG and re-evaluate it for the 2014 update to this Magic Quadrant.

As a next-generation firewall, Palo Alto Networks offers some SWG functionality. However, as noted above, this analysis excludes solutions that are primarily firewalls. In "Next-Generation Firewalls and Secure Web Gateways Will Not Converge Before 2015," Gartner predicts that the evolution of complex threats will drive the need for separate network firewall and Web security gateway controls for most organizations through 2015.

Inclusion and Exclusion Criteria

Inclusion Criteria

These criteria must be met for vendors to be included in this Magic Quadrant:

■ Vendors must provide all three components of an SWG:

■ URL filtering

■ Anti-malware protection

■ Application control capabilities

■ Pure-play URL filtering solutions have been excluded.

■ Vendors' URL filtering components must be primarily focused on categorizing English language websites.

■ Vendors must have at least $15 million in SWG product revenue in their latest complete fiscal year.

■ Vendors must have an installed base of at least 2,000 customers, or aggregate endpoint coverage of at least 3 million seats.

Exclusion Criteria

The following categories of vendors have been excluded from this Magic Quadrant:

■ UTM and next-generation firewall vendors — these solutions are optimized for port/protocol filtering and lack the content analysis focus of SWG offerings.

■ URL-filtering-only vendors that lack malware detection capabilities.

■ Vendors that license complete SWG products and services from other vendors — for example, ISPs and other service providers that "white label" cloud-based SWG services from other vendors.

Evaluation Criteria

Ability to Execute

Vertical positioning on the Ability to Execute axis was determined by evaluating these factors (see Table 1):

■ Overall viability: Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the business unit will continue to invest in the product.

■ Sales execution/pricing: A comparison of pricing relative to the market.

■ Market responsiveness and track record: The speed at which the vendor has spotted a market shift and produced a product that potential customers are looking for; as well as the size of the vendor's installed base relative to the amount of time the product has been on the market.

■ Marketing execution: The effectiveness of the vendor's marketing programs and its ability to create awareness and mind share in the SWG market.

■ Customer experience: Quality of the customer experience based on reference calls and Gartner client teleconferences.

Table 1. Ability to Execute Evaluation Criteria

| Evaluation Criteria | Weighting |
| --- | --- |
| Product/Service | No Rating |
| Overall Viability (Business Unit, Financial, Strategy, Organization) | High |
| Sales Execution/Pricing | Standard |
| Market Responsiveness and Track Record | High |
| Marketing Execution | High |
| Customer Experience | Standard |
| Operations | No Rating |

Source: Gartner (May 2013)

Completeness of Vision

The Completeness of Vision axis captures the technical quality and completeness of the product and organizational characteristics, such as how well the vendor understands this market, the vendor's history of innovation, its marketing and sales strategies, and its geographic presence (see Table 2):

■ Market understanding: Ability of the SWG vendor to understand buyers' needs and translate them into products and services.

■ Offering (product) strategy: The SWG vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.

■ Innovation: This criterion includes product leadership and the ability to deliver features and functions that distinguish the vendor from its competitors. Advanced features — such as a strong cloud service, the ability to perform on-box malware detection of dynamic content (for example, JavaScript code) and the ability to pinpoint compromised endpoints — were rated highly.

■ Geographic strategy: The vendor's strategy for penetrating geographies outside its home or native market.

Table 2. Completeness of Vision Evaluation Criteria

| Evaluation Criteria | Weighting |
| --- | --- |
| Market Understanding | High |
| Marketing Strategy | No Rating |
| Sales Strategy | No Rating |
| Offering (Product) Strategy | High |
| Business Model | No Rating |
| Vertical/Industry Strategy | No Rating |
| Innovation | High |
| Geographic Strategy | Low |

Source: Gartner (May 2013)

Quadrant Descriptions

Leaders

Leaders are high-momentum vendors (based on sales and mind share growth) with established track records in Web gateway security, as well as vision and business investments indicating that they are well-positioned for the future. Leaders do not necessarily offer the best products and services for every customer project; however, they provide solutions that offer relatively lower risk.

Challengers

Challengers are established vendors that offer SWG products, but do not yet offer strongly differentiated products, or their products are in the early stages of development or deployment. Challengers' products perform well for a significant market segment, but may not show feature richness or particular innovation. Buyers of Challengers' products typically have less complex requirements and/or are motivated by strategic relationships with these vendors rather than requirements.

Visionaries

Visionaries are distinguished by technical and/or product innovation, but have not yet achieved the record of execution in the SWG market to give them the high visibility of Leaders — or they lack the corporate resources of Challengers. Buyers should expect state-of-the-art technology from Visionaries, but be wary of a strategic reliance on these vendors and closely monitor their viability. Visionaries represent good acquisition candidates. Challengers that may have neglected technology innovation and/or vendors in related markets are likely buyers of Visionaries' products. Thus, these vendors represent a slightly higher risk of business disruptions.

Niche Players

Niche Players' products typically are solid solutions for one of the three primary SWG requirements — URL filtering, malware and application control — but they lack the comprehensive features of Visionaries and the market presence or resources of Challengers. Customers that are aligned with the focus of a Niche Players vendor often find such provider offerings to be "best of need" solutions. Niche Players may also have a strong presence in a specific geographic region, but lack a worldwide presence.

Context

Most enterprises already have an SWG, or at least have implemented URL filtering. Three-year contracts are the most common, and the market has changed rapidly since 2010. Cloud services have now reached early mainstream status, and anti-malware technologies continue to evolve to keep pace with attacks. Enterprises should not blindly renew their existing contracts. Due diligence is necessary to ensure that SWG solutions match IT road maps in the areas of mobility and security.

Market Overview

Malware protection continues to be the key differentiator and driver of adoption. The market ranges from less effective, signature-based approaches to highly effective, signatureless methods that are capable of detecting targeted attacks (see "Secure Web Gateway Malware Detection Techniques"). An important trend is the technique of sandboxing, in which suspicious files, executables and Web objects are analyzed in an isolated, virtual Windows environment. Several vendors have already added sandboxing capabilities via their own cloud-based malware research centers, while others are investing in the technology in 2013 and 2014.

Cloud services are another area in which there is wide variation among vendor offerings. All services need to support traffic redirection (sending traffic from on-premises routers and off-premises mobile devices) to the cloud and user authentication (identifying users is necessary for policy enforcement and reporting). As outlined in "Decision Framework for Implementing Cloud-Based Secure Web Gateway Services," there are multiple options for traffic redirection and authentication, and no clear winners have emerged in either category. Supporting mobile users is particularly challenging, given the architectural differences among Windows, Mac OS X, iOS, Android and Windows Phone 8 systems. Apple's Global HTTP Proxy feature in iOS and Samsung's Samsung For Enterprise (Safe) are positive steps from the device manufacturers. However, supporting mobile users is complex, and it is far from being a commodity feature in cloud-based SWGs. Expect continued disparity in this area throughout 2013 and 2014.

The market for SWG functionality will remain broad through at least 2016. Barriers to entry are low since vendors can readily license a URL database and an antivirus engine, package them with basic reporting and some application control, and market the solution as an SWG. These solutions will continue to put pricing pressure on the SMB market, but larger enterprises should avoid the temptation to go with a low-cost provider. Vendors that can demonstrate a strong track record of malware research and success in malware prevention will be the ones that succeed in the large enterprise market.

Recommended Reading

Some documents may not be available as part of your current Gartner subscription.

"Magic Quadrants and MarketScopes: How Gartner Evaluates Vendors Within a Market"

"Analyze Secure Web Gateway Pricing Models to Negotiate a Favorable Contract"

"A Buyer's Guide to Secure Web Gateways"

"Introducing the Secure Web Gateway"

"Pros and Cons of SaaS Secure Web Gateway Solutions"

Acronym Key and Glossary Terms

BYOD bring your own device

DLP data loss prevention

EPP endpoint protection platform

ICAP Internet Content Adaptation Protocol

IP Internet Protocol

IPS intrusion prevention system

NAC network access control

PAC proxy autoconfiguration

SaaS software as a service

SIEM security information and event management

SMB small or midsize business

Span Switched Port Analyzer

SSL Secure Sockets Layer

SWG secure Web gateway

TAP test access point

UTM unified threat management

VAR value-added reseller

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets, skills, etc., whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to continue investing in the product, to continue offering the product and to advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor's capabilities in all pre-sales activities and the structure that supports them. This includes deal management, pricing and negotiation, pre-sales support and the overall effectiveness of the sales channel.

Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message in order to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional, thought leadership, word-of-mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements, etc.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen and understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling product that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements.

Business Model: The soundness and logic of the vendor's underlying business proposition.

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including verticals.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.

© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner’s research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity.”
