Whitepaper: How to Enhance your Blue Coat with Zscaler Security

How To Enhance Your Blue Coat with Zscaler Security
How to Enhance your Blue Coat
with Zscaler Security
© 2011 Zscaler. All Rights Reserved.
Page 1
How To Enhance Your Blue Coat with Zscaler Security
Traditional security appliances – like Blue Coat’s ProxySG –
leverage URL filtering to provide security in a Web 1.0 world of
Blue Coat must
deliver on its SWG-as-
static content and threats. Today, the web is dynamic and ever
a-service offering and
changing, and threats are moving faster than signature patches
demonstrate that it
and updates can hope to keep up with.
can compete against
The only way to stay ahead of today’s advanced threats is with a
security services from
dynamic, real-time security enforcement tool that stops threats
other cloud based
inline, and scans for all kinds of malicious content. Appliances
services, many of which
global cloud has the power and scale to secure against today’s
advanced web threats.
Even the established security vendors of yesterday are moving
to the cloud for enforcement – often halfheartedly – with “cloudassisted” and “Hybrid” security being the catchphrases used to
mask an incomplete or not-yet-ready cloud approach to security.
Some vendors, including Blue Coat, have attempted to rack and
were never designed for the security needs of today – only a
have a head start of two
years or more.
-Gartner, April 2011
Zscaler moves into
the Leader’s Quadrant
stack a number of appliances in global data centers to build a
in 2011 due to the
cloud security solution. But analysts and customers agree – these
demonstrated success of
solutions are not ready for global enterprise deployment. Zscaler
Cloud Security has years of maturity, and secures over 2.5 billion
transactions per day, across millions of global customers. With
its unique architecture,
rapid feature
over 40 data centers worldwide, Zscaler has the largest cloud
development, global
security deployment of any vendor, by far.
rollout of enforcement
While Blue Coat provides a good proxy appliance, its security,
nodes, and impressive
management and reporting features leave a lot of gaps. Many
growth in numerous
large enterprise customers, realizing the gaps in their existing
global markets among
Blue Coat deployment, have migrated to Zscaler. Others prefer to
small and very large
“proxy chain” their Blue Coat appliances to the Zscaler cloud for
enterprise clients.
describe salient benefits of Zscaler’s cloud security solution and
how legacy proxy appliances, such as Blue Coat, can benefit
improved security and real-time reporting. The following sections
-Gartner, April 2011
from it.
© 2011 Zscaler. All Rights Reserved.
Page 2
How To Enhance Your Blue Coat with Zscaler Security
Table of Contents
1. Eliminate Patches and Downloads to Provide Gap-Free Security
2. Secure all Traffic from all Locations
3. Agile, Scalable Deployment for Tomorrow’s Security
4. Less Complexity More Security
5. Add Security to Your Blue Coat
© 2011 Zscaler. All Rights Reserved.
Page 3
How To Enhance Your Blue Coat with Zscaler Security
Blue Coat enterprise security, delivered via ProxySG and ProxyAV,
requires regular updates to both threat signatures and URL filtering
databases. As well, as the appliance software has to be kept up-to-date
in order to provide protection against constantly evolving threats.
Yesterday’s security: patches, updates and gaps in intelligence
The patching model was effective in the world of static web content and
threats. However, this model is reactive and can entail significant latency
between the time a security event is discovered and when protection
is made available for users. Since ProxySG is a “cloud-assisted” model,
only new or unknown URLs are scanned in the cloud in real time, and
all else are rated via local databases. These local databases are, by their
nature, out of date as soon as they are installed. As new vulnerabilities
are discovered, database patches and signature updates are created, and
a cumbersome process of distributing and updating individual appliances
Zscaler offers
two levels of security
protection. In
addition to using
several signature and
blacklist-based filters,
Zscaler has numerous
advanced security
checks, including
page analysis, URL
reputation and script
Eliminate Patches and Downloads to Provide Gap-Free
-Gartner, May 2011
follows. This results in significant gaps in security coverage.
Blue Coat’s appliance based Web security does not have real-time
signature updates like the Zscaler cloud. Individual appliances have to
sync up new threat signatures periodically. Every appliance exists in
it’s own ecosystem and unlike the cloud, there is no global visibility.
Further, Web security with Blue Coat is a two-box solution. Anti-virus
is delivered via a ProxyAV appliance, which must connect via ICAP to
a ProxySG proxy in each office location. Blue Coat does not provide its
own signatures, but leverages one partner engine form a list of choices
(e.g., Panda, Sophos, Kaspersky, McAfee, etc.) if AV has been chosen as
a bolt-on security measure.
© 2011 Zscaler. All Rights Reserved.
Page 4
How To Enhance Your Blue Coat with Zscaler Security
Zscaler cloud based security eliminates the gap between threat discovery
and protection being available. Unlike the appliance models, there is only
one instance of the product – the cloud. Enterprises leverage the multitenant cloud to get security delivered as a service. Since the cloud sees
traffic from a variety of sources, it has real-time and granular visibility of
new threat outbreaks. When a new vulnerability is discovered, a single
update to the cloud offers instant protection to all users seamlessly. If
one user uncovers a new vulnerability, all others are instantly protected
Blue Coat would
benefit from more
on box malware
detection, as offered
by several of its
Real-time security for real-time threats
Gartner, May 2011
against it.
Zscaler generates its own in-line signatures and uses over a dozen offline
engines to provide real-time and gap free security updates – without any
additional scanning or cumbersome extra steps. Web security is much
more complicated now than just traditional antivirus or anti-spam. While
signature based engines are important, inline inspection of every page
for malicious active code insertion is critical. Information stealing with
bots and Cross Site Scripting (XSS) is an important threat vector that
is not addressed by Blue Coat’s solution. This kind of advanced threat
protection is, however, delivered by Zscaler’s real-time security cloud.
Secure all Traffic from all Locations
A security perimeter that only extends around some of your locations,
or only covers certain endpoints and devices, is hardly a perimeter. With
traditional appliance models like Blue Coat ProxySG, branch offices
and mobile users often don’t receive the same level of security as do
headquarters offices. Enterprise admins have to deploy countless boxes
and servers at every location, or backhaul traffic across the globe – or
both – to enforce security. The cost of backhauling is measured in both
dollars and network performance degradation. When you add in the
complexity required to manage multiple boxes across multiple locations,
not to mention mobile users – it is often too much to manage and leads
to an insecure, inconsistent security perimeter.
© 2011 Zscaler. All Rights Reserved.
Page 5
How To Enhance Your Blue Coat with Zscaler Security
Branch office security without compromise
With Blue Coat ProxySG, an appliance is typically deployed at each
office location. As the number of offices increase, more boxes need to
be deployed and managed. The appliance management problem gets
compounded at smaller branch offices, which may not have IT resources
on-site. Add telecommuters that work from home offices, and the
appliance-based model quickly becomes untenable. As such, enterprises
frequently force users to setup a VPN to headquarters to leverage onpremise security appliances. This leads to unnecessary traffic backhaul
with increased bandwidth cost for the organization and added latency for
Traditional Appliances or Software
Cloud Security-as-a-Service
Aquire, deploy, manage boxes
Regional Office
Simply re-direct traffic to the Cloud
Regional Office
Figure 1: Cloud simplifies deployment and protects the distributed enterprise
Zscaler accepts traffic directly from any location, eliminating backhaul
and the complexity of deploying multiple boxes at every location.
Additionally, Zscaler is the only solution that does not require any clientside agents to be deployed to allow mobile employees to use the cloud.
Regardless of location, employee traffic is automatically directed to the
closest Zscaler Enforcement Node (ZEN). Since security and policy are
© 2011 Zscaler. All Rights Reserved.
Page 6
How To Enhance Your Blue Coat with Zscaler Security
or internet egress points, unnecessary backhaul bandwidth cost and user
service latency are eliminated. Zscaler’s ShadowPolicy™ guarantees that
users’ policies follow them no matter where they are. No other solution
provides this flexibility to all its mobile users. User based policies are
defined by the administrator once; they then get enforced across the
cloud – regardless of user’s location or access device, as illustrated in
Figure 1
With traditional appliance-based approaches, like Blue Coat’s, reporting
is another source of backhaul – as log data has to traverse the network
before it can be aggregated in a Reporter instance. Blue Coat provides
[Zscaler] was
the first vendor to
offer authenticated
redirection to the cloud
without a software client.
It already has the largest
global footprint of data
centers (by far)...
enforced by local ZENs, rather than backhauling to corporate datacenters
Gartner, May 2011
reporting in two ways, which each have drawbacks. Customers must
manage and maintain separate reporting instances by deploying
Reporter servers in each location, or they must transfer large log files
across the WAN/Internet. Zscaler NanoLog aggregates all log data in the
cloud, where it is guaranteed by SLA to be available within 10 seconds,
regardless of where the transaction occurred and without the hassles
of managing additional reporting appliances or paying for backhaul
Enable true mobility, from any device, without agents or backhauling
The adoption of smartphones and tablets by consumers and enterprises
is happening at a staggering rate. In the fourth quarter of 2010,
smartphones out-shipped PCs for the very first time. According to
Morgan Stanley, the worldwide annual shipment of smartphones will
exceed that of desktops and laptops combined by 2012. Analyst firm
Gartner estimates that by 2013, mobile phones will overtake PCs as the
most common web access device worldwide.
Employees frequently bring their own smartphones and tablets to work.
With the proliferation of mobile devices like iPads and iPhones within
the enterprise, IT administrators can no longer ignore these devices as
outside their scope of responsibility.
With a Blue Coat deployment, road warriors can have ProxyClient
installed on laptops – but this thick client only works on Windows PCs.
Zscaler’s no-agent-needed approach, coupled with ShadowPolicy™,
© 2011 Zscaler. All Rights Reserved.
Page 7
How To Enhance Your Blue Coat with Zscaler Security
smartphones – at all times – without deploying any agents on endpoints.
Zscaler’s patented traffic forwarding and authentication mechanisms
allow an enterprise to flexibly send Web traffic to Zscaler using GRE
tunnels, proxy forwarding, or firewall rules. User traffic is simply
forwarded to the cloud for security enforcement and logging, eliminating
the need for backhauling, and separate management appliances, and
ensuring security across devices and locations.
Zscaler allows IT administrators to define a consistent policy for any
user and have that policy seamlessly enforced, regardless of the device
with which the user is connecting, or the user’s location. Administrators
no longer have to deal with multiple point products to secure PCs,
smartphones and tablets. Unlike traditional mobile security solutions that
Web gateway SaaS
provides opportunities
to protect roaming
devices, such as mobile
devices and laptops
that typically are not
protected by onpremises gateways
without heavy clients.
allows road warriors to be fully protected across laptops, tablets and
Gartner, April 2011
require platform-specific apps to be installed on every device, Zscaler
works seamlessly across a variety of mobile platforms. Mobile security
is missing in the Blue Coat solution. Only when the mobile device is
connected to the enterprise network, that funnels its traffic through the
proxy, does filtering and policy enforcement occur.
Agile, Scalable Deployment for Tomorrow’s Security, as
Well as Today’s
Rolling out Blue Coat appliances, re-configuring the network and
synchronizing policies across multiple boxes incurs significant
expenditure of time and resources. Corporate-wide deployments must
be coordinated across various teams within a business, and can easily
take months after a deal is signed. “Time to Value,” measured by a
complete deployment of the solution, can easily take months for Blue
Coat, compared to just a week or two for a large enterprise customer
using Zscaler.
Even after boxes have been deployed across locations, the deployment is
often not complete. Since appliances cannot scale, deployment is often
a never-ending process of adding boxes or replacing them with newer,
more powerful hardware as enterprises grow. The alternative is to
over-buy to ensure headroom for growth, but that’s a costly option that
doesn’t ensure the correct amount of scale.
© 2011 Zscaler. All Rights Reserved.
Page 8
How To Enhance Your Blue Coat with Zscaler Security
need for on-premise software deployment and maintenance, Zscaler’s
security-as-a-service eliminates the need for on-premise hardware and
software. Eliminating additional hardware automatically cuts down
any rack-space, power, cooling and asset management requirements.
Additionally, since Zscaler was purpose built for scalability, customers
pay from only what they need, and can grow and scale as needed – with
no re-architecture, no downtime, and no upgrades.
With Zscaler, enterprise IT simply needs to configure their edge routers
to redirect traffic to the cloud. Traffic redirection is accomplished using
Zscaler’s unique
architecture and highly
scalable purpose-built
enforcement nodes
enable fast global
Just as cloud based software-as-a-service offerings have eliminated the
Gartner, May 2011
a variety of available techniques – GRE tunnels, VPN, proxy chaining,
port forwarding, etc. This typically involves simple configuration changes
on routers and firewalls. When user-based policies are desired, the
enterprise needs only to sync their Active Directory with Zscaler.
Less Complexity, More Security
As security threats become more complex, protection costs rise.
Appliances are typically dedicated to a particular security feature. If an
enterprise wants to protect its users on the web, filter email spam and
implement a Data Loss Prevention (DLP) system, they would have to
deploy four separate appliances from Blue Coat. There is significant
CapEx involved and OpEx scales as IT resources need to be trained to
manage, maintain and correlate alerts from separate appliances.
Zscaler offer consolidated security – enterprises can enable features
on-demand. There is no upfront CapEx for new security features.
OpEx is reduced thanks to an integrated management console and
the elimination of hardware maintenance. The TCO for a Blue Coat
deployment at an enterprise with 3,000 employees across headquarters
and three branch offices is about 3X higher than Zscaler. Since Blue Coat
does not provide any email security solution, this TCO comparison is only
for Web security.
© 2011 Zscaler. All Rights Reserved.
Page 9
How To Enhance Your Blue Coat with Zscaler Security
Add Security to Your Blue Coat
ProxySG is a fine proxy appliance, with a strong implementation among
large enterprise customers. Unfortunately, today’s threat landscape
requires a real-time approach to security, and many of those customers
are looking for a better solution. Appliances, by their nature, cannot
provide real-time intelligence and enforcement like cloud solutions can.
Only Zscaler can provide seamless security, across locations and devices,
to ensure a truly borderless security perimeter. Add the ability to block
advanced threats like XSS, cookie theft, malicious active content and
more, and it becomes clear that Zscaler provides better security with less
complexity than any appliance-based deployment.
SaaS secure Web
and e-mail gateways
frequently provide
efficiency and cost
advantages, and a
growing number of
offerings are delivering
an improved level of
security that exceeds
what most organizations
can achieve with onpremises software or
Gartner, April 2011
© 2011 Zscaler. All Rights Reserved.
Page 10
How To Enhance Your Blue Coat with Zscaler Security
About Zscaler: The Cloud Security Company™
Zscaler enforces business policy, mitigates risk and provides twice
the functionality at a fraction of the cost of current solutions, utilizing
a multi-tenant, globally-deployed infrastructure. Zscaler’s integrated,
cloud-delivered security services include Web Security, Mobile Security,
Email Security and DLP. Zscaler services enable organizations to provide
the right access to the right users, from any place and on any device—all
while empowering the end-user with a rich Internet experience.
About Zscaler ThreatLabZ™
ThreatLabZ is the global security research team for Zscaler. Leveraging
an aggregate view of billions of daily web transaction, from millions of
users across the globe, ThreatLabZ identifies new and emerging threats
as they occur, and deploys protections across the Zscaler Security Cloud
in real time to protect customers from advanced threats.
For more information, visit www.zscaler.com.
© 2011 Zscaler. All Rights Reserved.
Page 11