Magic Quadrant for Secure Web Gateways

28 May 2015 ID:G00267241

Analyst(s): Lawrence Orans, Peter Firstbrook

VIEW SUMMARY
EVALUATION CRITERIA DEFINITIONS
The market for SW G solutions is still dominated by traditional on-premises appliances. But, the
use of cloud-based services is grow ing rapidly, and advanced threat protection functionality Ability to Execute
remains an important differentiator. Product/Service: Core goods and services
offered by the vendor for the defined m ark et.
This includes current product/service capabilities,
quality, feature sets, sk ills and so on, whether
offered natively or through O EM
Market Definition/Description agreem ents/partnerships as defined in the
m ark et definition and detailed in the subcriteria.
Secure W eb gatew ays (SW Gs) utilize URL filtering, advanced threat defense, legacy malw are Overall Viability: Viability includes an assessm ent
protection and application control technologies to defend users from Internet-borne threats and of the overall organization's financial health, the
to help enterprises enforce Internet policy compliance. SW Gs are implemented as on-premises financial and practical success of the business
appliances (hardw are and virtual), cloud-based services or in hybrid mode (combined on-premises unit, and the lik elihood that the individual
appliances and cloud-based services). Vendors continue to differ greatly in the maturity and business unit will continue investing in the
product, will continue offering the product and will
features of their cloud-based services and in their ability to protect enterprises from advanced
advance the state of the art within the
threats. organization's portfolio of products.

As highlighted in "Market Guide for Netw ork Sandboxing," SW G vendors are competing against Sales Execution/Pricing: The vendor's capabilities
in all presales activities and the structure that
firew all, intrusion prevention system (IPS) and unified threat management (UTM) vendors that supports them . This includes deal m anagem ent,
also sell sandboxing as an optional feature. The firew all vendors, Palo Alto Netw orks in particular, pricing and negotiation, presales support, and the
have benefited from an early mover advantage in netw ork sandboxing. In 2015, Gartner expects overall effectiveness of the sales channel.
that SW G vendors w ill compete more aggressively against the firew all/IPS/UTM vendors, and Market Responsiveness/Record: Ability to
against stand-alone sandboxing solutions, as more vendors offer netw ork sandboxing solutions respond, change direction, be flex ible and
that integrate w ith SW Gs. achieve com petitive success as opportunities
develop, com petitors act, custom er needs evolve
Organizations that are considering a move to SW G-based cloud services have many options, but and m ark et dynam ics change. This criterion also
w ill find significant differences during the sales process. Some vendors, such as Blue Coat and considers the vendor's history of responsiveness.
Zscaler, have strong partnerships w ith carriers and ISPs, w hich has proven to be a successful go- Marketing Execution: The clarity, quality,
to-market strategy because service providers can upsell secure Internet access w ith bandw idth creativity and efficacy of program s designed to
contracts. Other vendors, such as Barracuda Netw orks and Intel Security, have still not deliver the organization's m essage to influence
the m ark et, prom ote the brand and business,
demonstrated the vision in building an effective sales channel for cloud services. The traditional
increase awareness of the products, and establish
value-added reseller (VAR) channel that many vendors rely upon for SW G appliance sales has a positive identification with the product/brand
been largely ineffective in selling cloud-based services. and organization in the m inds of buyers. This
"m ind share" can be driven by a com bination of
Because of the requirement to defend against advanced threats, it is no longer enough for a publicity, prom otional initiatives, thought
cloud-based SW G to only offer the traditional SW G services (for example, URL filtering and basic leadership, word of m outh and sales activities.
malw are detection). Enterprises that connect remote offices (and headquarters offices) directly to Customer Experience: Relationships, products
the Internet, w ithout backhauling traffic to a centralized data center, w ill need cloud-based and services/program s that enable clients to be
advanced threat services. Vendors that offer cloud-based SW Gs, and only offer on-premises successful with the products evaluated.
appliance-based advanced threat products, need to quickly port their advanced threat offerings Specifically, this includes the ways custom ers
receive technical support or account support. This
to a cloud platform and deliver this functionality as a service. Vendors such as Blue Coat, Intel
can also include ancillary tools, custom er support
Security and others fall into this category. program s (and the quality thereof), availability of
user groups, service-level agreem ents and so on.
Magic Quadrant Operations: The ability of the organization to
m eet its goals and com m itm ents. Factors include
the quality of the organizational structure,
Figure 1. Magic Quadrant for Secure W eb Gatew ays including sk ills, ex periences, program s, system s
and other vehicles that enable the organization to
operate effectively and efficiently on an ongoing
basis.
Completeness of Vision
Market Understanding: Ability of the vendor to
understand buyers' wants and needs and to
translate those into products and services.
Vendors that show the highest degree of vision
listen to and understand buyers' wants and
needs, and can shape or enhance those with their
added vision.
Marketing Strategy: A clear, differentiated set of
m essages consistently com m unicated throughout
the organization and ex ternalized through the
website, advertising, custom er program s and
positioning statem ents.
Sales Strategy: The strategy for selling products
that uses the appropriate network of direct and
indirect sales, m ark eting, service, and
com m unication affiliates that ex tend the scope
and depth of m ark et reach, sk ills, ex pertise,
technologies, services and the custom er base.
Offering (Product) Strategy: The vendor's

converted by W eb2PDFConvert.com
 approach to product developm ent and delivery
that em phasizes differentiation, functionality,
m ethodology and feature sets as they m ap to
current and future requirem ents.
Business Model: The soundness and logic of the
vendor's underlying business proposition.
Vertical/Industry Strategy: The vendor's
strategy to direct resources, sk ills and offerings to
m eet the specific needs of individual m ark et
segm ents, including vertical m ark ets.
Innovation: Direct, related, com plem entary and
synergistic layouts of resources, ex pertise or
capital for investm ent, consolidation, defensive or
pre-em ptive purposes.
Geographic Strategy: The vendor's strategy to
direct resources, sk ills and offerings to m eet the
specific needs of geographies outside the "hom e"
or native geography, either directly or through
partners, channels and subsidiaries as
appropriate for that geography and m ark et.

Source: Gartner (May 2015)

Vendor Strengths and Cautions

Barracuda Networks
Based in Campbell, California, Barracuda provides a broad array of cost-effective netw ork and
application security products, as w ell as storage and productivity solutions. Barracuda's W eb Filter
appliances are complemented by its cloud-based proxy service (W eb Security Service). Barracuda
customers typically implement its appliances in transparent bridge mode to view all netw ork
traffic, but the appliances can also be implemented in proxy mode. Barracuda is transitioning the
policy enforcement model of its cloud service from cloud-based enforcement to agent-based
enforcement (based on a cloud lookup mechanism). Barracuda licenses Lastline's cloud-based
sandbox technology and has integrated the solution w ith its firew all products. Integration w ith
Barracuda's SW G products w ill be delivered later in 2015. This year, Barracuda moves from the
Challengers quadrant to the Niche Players quadrant, due in part to its stagnant market share. Its
2009 acquisition of cloud-based SW G services vendor Purew ire has added only marginal revenue
grow th. Barracuda's W eb Filter appliances are good candidates for SMBs and cost-conscious
enterprises.

Strengths
Barracuda's Instant Replacement program, w hich provides next-business-day shipping of
replacement units, includes a free appliance replacement unit every four years.
Application control is comprehensive and includes granular social media controls and social
media archiving. In-line deployments of Barracuda's SW G enable it to filter all ports and
protocols.
Barracuda provides a free, lightw eight mobile data management capability to simplify the
deployment of its safe brow ser and the management of policies on mobile devices running
Apple iOS and Android.
Barracuda references commented favorably regarding the ease of deployment and
management of the W eb Filter appliances.

Cautions
Dedicated focus on SMBs typically results in solutions that are missing features favored by
large-enterprise customers. Lack of support for authentication via Security Assertion Markup
Language (SAML) is an example of this trade-off.
At the time of this w riting, malw are detection techniques on Barracuda's SW G appliances are
primarily signature-based. There is very little real-time analysis of W eb content, such as
static code analysis.
Barracuda's advanced threat defense strategy is heavily dependent on the technology that
it has licensed from Lastline, w hich is a small company. If Lastline gets acquired by another
security vendor, then Barracuda may need to revisit its advanced threat defense strategy.

Blue Coat
Based in Sunnyvale, California, Blue Coat offers appliance-based SW Gs and a cloud-based SW G

converted by W eb2PDFConvert.com
service. In addition to its SW G solutions, Blue Coat also offers these appliance-based products: a
netw ork sandbox (Malw are Analysis Appliance), a netw ork forensics tool (Security Analytics
Platform), and a malw are detection appliance (Content Analysis System) that analyzes traffic
forw arded to it by Blue Coat proxies. A partnership w ith AT&T enables the carrier to resell Blue
Coat's cloud-based SW G service. In May 2015, private equity firm Bain Capital completed its
acquisition of Blue Coat from Thoma Bravo (also a private equity firm) for $2.4 billion. Bain
Capital's stated intent is to prepare Blue Coat for a return to public markets. Blue Coat's
appliances are good candidates for most large-enterprise customers, particularly those requiring
highly scalable SW Gs. Blue Coat's cloud service is a good option for most enterprises.

Strengths
The ProxySG is the strongest proxy in the market in terms of breadth of protocols and the
number of advanced features. It supports a broad set of protocols as w ell as extensive
authentication and directory integration options.
Blue Coat's hybrid offering (cloud service and on-premises appliances) enables operations
teams to manage policies from a single console (although policies can be pushed only in one
direction — from the cloud to on-premises appliances).
By integrating the detection capabilities of the Malw are Analysis Appliance w ith the forensics
capabilities of the Security Analytics Platform, Blue Coat gives security operations teams the
ability to shorten the incident response w indow .
Blue Coat provides strong support for SSL. All ProxySG models include SSL hardw are assist
to offload processing from the main CPU. The stand-alone SSL Visibility Appliance can be
used to decrypt SSL traffic and feed it to Blue Coat and non-Blue Coat security solutions (for
example, data loss prevention [DLP] and netw ork sandboxes).

Cautions
Because Blue Coat's advanced threat defense solution requires multiple components, it is
expensive. The ProxySG does not deposit suspicious files directly into the Malw are Analysis
Appliance. Customers must purchase the Content Analysis System if they w ant to
automatically detect suspicious files and analyze them in the Malw are Analysis Appliance.
Blue Coat lacks a cloud-based sandbox. Customers that have migrated to a complete Blue
Coat cloud-based SW G (no on-premises SW Gs) are unable to use netw ork sandboxing
technology to detect threats and targeted attacks.
The ProxySG cannot monitor all netw ork traffic (w hich is useful for detecting outbound
malw are) w hen implemented in explicit proxy mode, w hich is how it is most commonly
deployed.

Cisco
Cisco, based in San Jose, California, is a leading supplier of netw orking infrastructure to large
enterprises. It offers on-premises appliances, the W eb Security Appliance (W SA) and a cloud-
based service, Cloud W eb Security (CW S). Recent acquisitions include Sourcefire (2013), Cognitive
Security (2013) and ThreatGRID (2014). Sourcefire's primary focus w as on intrusion prevention.
Cognitive's focus w as on threat analytics, and ThreatGRID w as offering a cloud-based sandbox.
This year, Cisco moved from the Leaders quadrant into the Challengers quadrant, due in part to
its slow progress in developing a hybrid (on-premises equipment and cloud-based services)
strategy. By not offering a true hybrid solution, Cisco is missing an opportunity to help its W SA
customers selectively add cloud services and to provide a smooth transition to a hybrid or all-
cloud offering. Cisco also lost Completeness of Vision points due to nonuniform threat detection
capabilities betw een its on-premises and cloud-based services. As noted in the Cautions section,
Cognitive Threat Analytics (CTA) is integrated only w ith Cisco's cloud service. It has not yet been
integrated w ith Cisco's appliances, even though Cisco acquired Cognitive Security in February
2013. Cisco's W SA is a good solution for most midsize or large enterprises, w hile the CW S service
is a good option for most enterprises.

Strengths
The W SA provides multiple security layers on a single appliance. Adaptive scanning directs
suspicious content to the anti-malw are engine that is best optimized to scan the content.
Advanced Malw are Protection (AMP) technology from Sourcefire provides file reputation, file
analysis and retrospective alerts (to receive maximum value from AMP, Cisco recommends
installing the FireAMP Connector agent on endpoints). The ThreatGRID technology w ill
improve AMP's sandboxing capability once it has been fully integrated.
The Layer 4 Traffic Monitor feature on the W SA enables visibility across all ports and
protocols by connecting to a Sw itched Port Analyzer (SPAN) mirrored port on a LAN sw itch. By
monitoring all traffic (not just W eb traffic), Cisco improves its malw are detection capability.
The CW S service benefits from a number of traffic redirection options that are integrated into
existing Cisco products. The Adaptive Security Appliance (ASA) firew all, Integrated Services
Router (ISR) Generation 2 and W SA all support Cisco's "connector" softw are, w hich directs
traffic to the CW S service.
Mobile platform support is a strength of the CW S service for customers that have already
implemented Cisco's popular AnyConnect client. The cloud service supports W indow s, Mac OS
X, Apple iOS, Android, W indow s Phone 8 and BlackBerry.

Cautions
Despite its obvious netw ork expertise and relationships, Cisco has not demonstrated
significant focus on the SW G market. Overall market share (on-premises appliances and
cloud services) has been flat since 2009, the year that Cisco acquired ScanSafe. Cisco's cloud
service has a surprisingly small global footprint (15 countries) given Cisco's resources and
the number of years it has been in the SW G market. New er rivals have been more
aggressive in global expansion.
Cisco has been slow to integrate its cloud-based SW G w ith its on-premises SW G (IronPort

converted by W eb2PDFConvert.com
 acquisition in 2007). Customers seeking a hybrid cloud/on-premises solution w ill need tw o
consoles. The consoles lack automated policy synchronization (to share policies betw een
cloud and on-premises users).
The CTA service, w hich detects threats based on W eb log analysis, is not available to W SA
customers. Only CW S customers can use the CTA functionality.

ContentKeeper
ContentKeeper is based in Australia, w here it has many large government, education and
commercial customers. It offers a family of SW G appliances, w hich deploy in transparent bridge
mode, and it also provides a hosted cloud-based service. ContentKeeper's advanced threat
solutions can be implemented on-premises or in its hosted cloud service. ContentKeeper has
been expanding its presence in North America. Its solutions are a good option for midsize or large
organizations and for K-12 schools in supported geographies.

Strengths
The bridge-based Secure Internet Gatew ay has been designed for high throughput.
Reference customers report throughput up to 5 Gbps.
Strong support for mobile devices enables ContentKeeper to appeal to K-12 school districts
and other organizations that issue tablets to end users.
ContentKeeper appliances support the ability to inspect SSL traffic.
Reference customers commented favorably on ContentKeeper's service and support.

Cautions
ContentKeeper lacks a shared, multitenant, IPsec-based cloud SW G service. It provides a
hosted cloud offering, w here customers run virtual appliances hosted in Amazon's cloud
service (and in some ContentKeeper-managed data centers). Hosted offerings do not scale
as dynamically as shared multitenant clouds.
ContentKeeper has yet to earn recognition as a leading advanced threat defense company.
Prospective customers should carefully test the efficacy of its advanced threat capabilities
against competing solutions.
The w orkflow tools for responding to malw are incidents need improvement. The lack of
severity indicators on ContentKeeper's dashboard makes it difficult to prioritize malw are
alerts.

iboss
Iboss is a privately held company based in San Diego, California. It offers a family of appliance-
based platforms, w hich are typically deployed in transparent bridge mode. It also offers a cloud-
based service. In 2014, iboss announced FireSphere, an internally developed cloud-based service
for malw are detection. Iboss is a good option for midsize or large enterprises and for K-12
schools in supported geographies.

Strengths
The FireSphere service combines multiple malw are detection capabilities, including NetFlow
analysis and sandboxing technology.
Full SSL content inspection is provided agentless at the gatew ay, or w ith an optional agent-
based solution on endpoints. The agent is a scalable approach that relieves the iboss
appliance of the burden of managing certificates and of terminating and decrypting SSL
traffic.
Bandw idth controls are very flexible. For example, bandw idth quotas can be applied to a
specific organizational unit in Active Directory, and they also can be assigned to a specific
domain.
Iboss customers commented on the strength of its reporting capabilities.

Cautions
Prospective customers of iboss' cloud-based SW G service should test it carefully. Gartner
rarely sees customers adopting iboss as a pure-play cloud service. Most implementations of
the iboss cloud service are in hybrid mode (deployed in conjunction w ith an iboss appliance).
The iboss cloud-based service lacks support for SAML, a popular authentication technique
that many enterprises already have adopted to authenticate users to SaaS applications.
Iboss has only a limited set of customers outside North America. Prospective customers
outside North America should validate that iboss partners are qualified to provide sales and
technical support.

Intel Security (McAfee)

Intel Security, based in Santa Clara, California, offers a family of on-premises SW G appliances
(McAfee W eb Protection) and cloud-based SW G services (McAfee SaaS W eb Protection). The SW G
appliances are most commonly implemented as proxies, although they also can be deployed in
other modes, including in-line transparent bridges. Intel Security also offers an appliance-based
sandbox (McAfee Advanced Threat Defense). This year, Intel Security moved from the Leaders
quadrant into the Challengers quadrant, due in part to its lack of Completeness of Vision in
building a strong sales and distribution channel for its cloud-based service. For example, it lacks
strong partnerships w ith carriers and Internet service providers (ISPs), w hich have proved to be
highly effective sales channels for cloud-based SW G services. Intel Security also lost
Completeness of Vision points because it has been slow to emphasize netw ork-based traffic
redirection to its cloud, w hile focusing more strongly on endpoint-based redirection (via the
McAfee Client Proxy agent). The industry trend is the opposite: The primary driver of cloud-based
SW G services is for enabling direct-to-net connectivity from remote offices (via netw ork-based
redirection), w hereas protecting mobile devices is a distant secondary driver. Intel Security's

converted by W eb2PDFConvert.com
appliance solutions are good candidates for most enterprise customers, particularly those that
are already McAfee ePolicy Orchestrator users. Prospective customers of the cloud service should
test it carefully.

Strengths
The McAfee W eb Protection appliance integrates w ith the Advanced Threat Defense
appliance. It automatically deposits suspicious files in the sandbox for analysis.
McAfee W eb Protection has strong malw are protection due to its on-box brow ser code
emulation capabilities. The solution provides the ability to adjust the sensitivity of malw are
detection. A rule-based policy engine enables flexible policy creation.
Intel Security has a good implementation of a hybrid cloud/on-premises solution. W hile policy
synchronization is only unidirectional (from on-premises to the cloud), flexible controls enable
some policies to be synced, w hereas others are not. Log file synchronization can be
configured in specified time intervals.
Intel Security provides strong support for scanning SSL traffic w ith its McAfee W eb Protection
appliance and its cloud-based service. For example, the solutions can be configured to
automatically enforce SSL certificate decisions so that end users don't have the option to
accept an unknow n or expired certificate.

Cautions
Intel Security lacks a cloud-based sandbox. Customers that have migrated completely to an
all-cloud-based service (no on-premises SW Gs) are unable to use Intel Security's netw ork
sandboxing technology to detect threats and targeted attacks.
Some of Intel Security's reference customers reported dissatisfaction w ith its cloud service.
Adoption of the service has been slow due to Intel Security being late w ith key features,
such as IPsec support (available since January 2015). Intel Security also has been slow to
grow its global footprint (13 data centers as of 2014).
Intel Security's preferred approach for protecting Apple iOS and Android devices via its cloud
service uses proxy settings. This approach can be easily defeated by know ledgeable users.
The lack of a strong partnership w ith a leading ISP or telecom carrier limits Intel Security's
ability to target large enterprises w ith its cloud-based service.

Sangfor
Sangfor is a netw ork optimization and security vendor based in China. Approximately half of its
revenue comes from its SW G products; the remaining revenue comes from its next-generation
firew all, VPN, W AN optimization controllers and application delivery controller products. Sangfor's
SW G comes in a hardw are appliance form factor, and it is implemented as an in-line transparent
bridge. In 2014, Sangfor enhanced its SW G by adding DLP support and w ireless netw orking
functions and enhanced its application recognition capabilities. The company offers tw o versions
of its SW G product: one aimed at the Chinese market, and one aimed at English-speaking
countries. Nearly all the company's revenue comes from the Asia/Pacific region. Sangfor is a
candidate for organizations that are based in China and in supported countries in the Asia/Pacific
region.

Strengths
Sangfor has strong application control features. It can apply granular policies to W eibo,
Facebook and other W eb-based applications, and it also has developed netw ork signatures
to block port-evasive applications like BitTorrent and Skype.
Sangfor's SW G includes a w ireless controller, w hich is capable of managing Sangfor w ireless
access points. The controller includes a feature to detect and block unauthorized W i-Fi hot
spots in an enterprise w ireless environment.
Sangfor offers a cloud-based sandbox. Sangfor's SW G automatically feeds suspicious objects
to the sandbox.
Sangfor's in-line transparent bridge mode enables flexible and granular bandw idth control
capabilities. Bandw idth utilization parameters can be specified for uplink and dow nlink traffic.

Cautions
Sangfor does not offer a cloud-based SW G service.
The console dashboard for malw are detection is basic and lacks severity indicators to
prioritize alerts.

Sophos
Based in the U.K., Sophos provides a broad range of netw ork and application gatew ays and an
endpoint protection platform that it is converging into a unified security solution aimed primarily at
small or midmarket enterprises. The Sophos W eb Appliance (SW A) can be deployed in proxy or
transparent in-line bridge mode, and Sophos offers SW G functionality integrated into its UTM
appliances. Sophos' acquisition of Mojave Netw orks (2014) forms the basis of its multitenant cloud
W eb filtering service. Midsize organizations, particularly those that are Sophos desktop
customers, should consider Sophos' SW G solutions.

Strengths
Ease of use is a key design criterion for Sophos. Features include automated netw ork and
directory discovery, contextual help functions, and simple policy configuration.
Sophos is an established player in the malw are detection market. The SW A uses Sophos-
developed technology to perform a pre-execution analysis of all dow nloaded code, including
binary files and JavaScript. The appliance also provides outbound command and control
(C&C) traffic detection w ith linkage to know n malw are-removal tools.
Sophos places strong emphasis on service and support. It optionally monitors customers'

converted by W eb2PDFConvert.com
 appliances and provides alerts for critical hardw are conditions, such as high temperatures or
faulty disk drives.
Mobile users w ho are running the Sophos endpoint protection platform benefit from DNS-
based enforcement of URL filtering policy and logging w hen clients are off-LAN. The Mojave
acquisition provides Sophos w ith a dedicated cloud-filtering netw ork.

Cautions
Sophos' focus on ease of use and out-of-the-box functionality can be limiting for large-
enterprise customers that value more granular controls. For example, the Mojave cloud is
capable of integrating only w ith a single directory, and reference customers noted that
advanced reporting and multidestination syslog support w ere lacking.
Sophos is in midtransition to a more unified offering. Capabilities are vastly different
betw een the three primary offerings (UTM, cloud and SW G appliances), and integration is still
in development. For example, proxy appliances and cloud offerings are incapable of
inspecting nonproxied traffic, w hile UTM appliances can inspect all ports and protocols, but
have few er advanced SW G functions.
Sophos does not yet offer a sandboxing solution for advanced targeted threats.

Symantec
Symantec is based in Mountain View , California. It has tw o offerings in the SW G market: (1) the
Symantec.cloud service; and (2) the Symantec W eb Gatew ay appliance, w hich may be deployed
as an in-line transparent bridge, as a proxy or in SPAN mode. Symantec continues to w ork tow ard
delivering the advanced threat protection product and service suite that it announced in May
2014. In September 2014, Symantec announced the appointment of Michael A. Brow n as the
company's CEO (he had been serving as interim CEO). In October 2014, Symantec announced
that it w ill split into tw o publicly traded companies — one selling security softw are, and the other
providing data management. The security company w ill retain the Symantec name, and Brow n w ill
continue to lead it. Symantec's cloud-based SW G offering is a good option for SMBs that do not
need a hybrid approach. Although the appliance may be appropriate for some SMBs, it has
significant limitations for large enterprises.

Strengths
Symantec.cloud provides strong DLP support (a separate license is required) w ith the ability
to configure flexible policies.
Support for multiple languages broadens Symantec.cloud's appeal in many non-English-
speaking countries.
Symantec's SW G offerings benefit from its strong malw are research labs and its Insight file
reputation engine.

Cautions
Symantec has not integrated its cloud-based SW G (MessageLabs acquisition of 2008) w ith
its on-premises SW G (Mi5 Netw orks acquisition of 2009). Customers seeking a hybrid
cloud/on-premises solution w ill need tw o consoles, and the consoles lack policy
synchronization and log synchronization.
Symantec lacks a netw ork sandbox and other technologies for detecting advanced threats
and targeted attacks.
Symantec's cloud service does not support IPsec or Generic Routing Encapsulation (GRE)
tunnels, the tw o most common techniques for redirecting traffic from remote offices to an
SW G cloud service.
Symantec's strategy for supporting mobile devices needs improvement. Its Smart Connect
agent is a strong solution for W indow s laptops, but Symantec does not offer a similar agent
for Mac OS X. Proxy autoconfiguration (PAC) files, w hich know ledgeable users can easily
subvert, are needed to redirect traffic from Apple iOS, Android and Mac OS X devices to the
Symantec.cloud SW G service.

Trend Micro
Based in Tokyo, Trend Micro ("Trend") is a provider of endpoint protection, content protection and
application gatew ay solutions. Trend offers an on-premises virtual appliance solution (InterScan
W eb Security Virtual Appliance [IW SVA]) and a cloud service (InterScan W eb Security as a Service
[IW SaaS]). IW S can be implemented as a transparent bridge or a proxy, and can be optionally
enhanced by Trend Micro's Deep Discovery netw ork sandbox. Trend Micro is a candidate primarily
for organizations that already have a strategic relationship w ith the company.

Strengths
The IW SVA and IW SaaS solutions are strengthened by Trend Micro's global threat
intelligence, script analyzer capabilities and botnet detection. Optional offerings include the
Deep Discovery sandbox for on-premises malw are analysis and the Damage Cleanup
Services for remediation of compromised endpoints.
A single licensing model allow s customers to mix cloud and on-premises solutions, and a
specific hybrid console provides an integration point for synchronizing policies and reporting
for cloud and on-premises users.
Application control is strong w ith IW SVA, and includes the ability to set time-of-day and
bandw idth quota policies.
Trend Micro's cloud-based SW G service has good geographic coverage for the Asia/Pacific
region.

Cautions
The IW SaaS cloud service is missing some enterprise-class features, such as cloud-based

converted by W eb2PDFConvert.com
 malw are sandboxing, security information and event management (SIEM) integration and
DLP support. Data centers are limited to nine countries.
Outbound malw are detection lacks detailed information on threats.
Trend Micro has three consoles for its SW G offerings: an on-premises-only console for
IW SVA, a cloud-only console for IW SaaS and a separate console for the hybrid offering. This
approach adds operational complexity as enterprises grow and evolve w ith the Trend Micro
offering.

Trustwave
Trustw ave is based in Chicago. It offers a diversified security product and managed security
services portfolio, including application security, DLP, email security, W eb application firew all, SIEM
and netw ork access control. In addition, it offers numerous managed security services, including
incident response and penetration testing. Its Secure W eb Gatew ay appliance is a proxy-based
gatew ay that specializes in real-time malw are detection. Trustw ave's SW G solutions are good
options for customers that already have one or more Trustw ave products or services, or for those
that are seeking an SW G-managed service. In April 2015, Singtel announced its intent to acquire
Trustw ave and operate it as a stand-alone business. As of May 2015, the deal is pending
regulatory approval.

Strengths
The Trustw ave Managed Anti-Malw are Service provides deployment, policy management,
security monitoring and alerting as a service for on-premises SW G installations.
Research and insight from incident response investigations and penetration tests enhance
Trustw ave's strong real-time brow ser code emulation, w hich is the primary technology in its
malw are detection strategy.
Application control support for instant messaging (IM) and social media allow s granular policy
options. Application control support for Dropbox, Google Drive, Microsoft OneDrive, Apple
iCloud Drive and Box enables granular policy controls for uploading, dow nloading, sharing,
and deleting files and folders.
Trustw ave's DLP engine is fully integrated w ith its Secure W eb Gatew ay product.

Cautions
Trustw ave does not offer a cloud-only SW G service.
Trustw ave lacks the netw ork sandboxing capabilities that many SW G vendors offer as
optional features.
Support for mobile devices (iOS and Android) is w eak due to Trustw ave's lack of an IPsec-
based multitenant gatew ay in its hybrid service offering.
The dashboard console is w eaker than many competing offerings. It lacks severity indicators
to prioritize malw are alerts. Dashboard panels provide only limited customization.
The Secure W eb Gatew ay product lacks the ability to block port-evasive applications, such as
BitTorrent and Skype. Port-evasive outbound traffic to command-and-control centers cannot
be blocked either.

Websense
W ebsense, w hich is based in Austin, Texas, is ow ned by private equity firm Vista Equity Partners.
W ebsense offers SW G appliances (hardw are and softw are) and a cloud-based service. It also
offers a cloud-based netw ork sandboxing solution, know n as the W eb Sandbox Module, w hich
w as developed in-house. W ebsense appliances are good options for midsize enterprises, and its
cloud service is a good option for most enterprises. In April 2015, Raytheon entered into a
definitive agreement w ith Vista Equity Partners to form a new company, combining W ebsense
w ith its Raytheon Cyber Products business unit. At the time of this w riting, the deal is pending
regulatory approval.

Strengths
W ebsense has a strong offering for organizations that are interested in a hybrid SW G
strategy (on-premises and cloud-based). Its Triton management console provides a common
point for policy management, reporting and logging in hybrid environments.
W ebsense's Triton AP-W eb automatically deposits suspicious files in the cloud-based W eb
Sandbox Module.
W ebsense uses its DLP technology in its appliances and cloud service to inspect suspicious
outbound traffic patterns. This feature uses deep packet inspection, and it does not require
an additional licensing fee.
W ebsense has a good strategy for mobile support. A W ebsense client for W indow s and Mac
OS X endpoints handles traffic redirection and authentication to the W ebsense cloud service.
AirW atch customers w ill benefit from an integration w ith W ebsense that provisions
certificates on mobile devices (Apple iOS and Android) and directs traffic to the W ebsense
cloud (via IPsec) w hen the user generates W eb traffic.

Cautions
The console for the cloud-only service (Cloud Triton Manager) is different from the console
that is used to manage the hybrid and on-premises solutions (Triton Manager). Customers
that begin w ith a cloud-only service and add V-Series appliances later w ould need to sw itch
to the Triton Manager console.
Gartner rarely sees W ebsense's X10G, a blade-server appliance aimed at large enterprises,
in competitive bids. Enterprises that are considering the X10G should carefully check
references.
The lack of a strong partnership w ith an ISP or telecom carrier limits W ebsense's ability to
target large enterprises w ith its cloud-based service.

converted by W eb2PDFConvert.com
 As W ebsense forms a new company and integrates technology from Raytheon, its increased
focus on threat defense may result in reduced focus on its core SW G functionality.

Zscaler
Zscaler, w hich is based in San Jose, California, is a pure-play provider of cloud-based SW G
services. In 2014, Zscaler added netw ork sandboxing and next-generation firew alling services.
Zscaler also offers a DNS-based W eb filtering service. Zscaler continues to be the fastest-grow ing
vendor in this market, as w ell as one of the most innovative vendors. Zscaler is a good option for
most enterprises that are seeking a cloud-based SW G.

Strengths
Zscaler applies all its malw are detection engines to all content, including SSL traffic that it
decrypts via SSL, regardless of site reputation. This approach yields up-to-date malw are
ratings on w ebsites.
Zscaler has the largest global cloud footprint, w ith more than 100 enforcement nodes in 30
countries.
Zscaler leads the SW G market in several cloud innovations, including colocating and direct
peering w ith popular cloud services (such as Amazon, Microsoft, Salesforce and Akamai) in
order to reduce latency. It provides flexible implementation options by offering a broad set of
choices for traffic redirection and authentication. It w as the first to expose its cloud uptime
and event statistics to the public via its trust.zscaler.com portal.
Zscaler's updated console display (based on HTML5) enables role-based administrative
access. View s can be customized according to administrative rights and privileges.
An optional streaming log service provides near-real-time export of logs from the cloud to on-
premises servers, w here they can be analyzed by a SIEM solution. Enterprises that have
more than one SIEM solution can filter log events from the Zscaler console and direct log
entries to specific SIEM solutions.

Cautions
Zscaler encourages the use of PAC files for W indow s and Mac OS X systems for mobile
employees, but know ledgeable users can subvert PAC file traffic redirection. Also, port-
evasive applications (such as Skype, BitTorrent and some malw are) w ill not be forw arded to
the Zscaler netw ork from endpoints that rely only on PAC files.
The management console lacks severity indicators to prioritize outbound malw are alerts.
Also, information to aid in remediation is lacking.
Zscaler offers a cloud-based next-generation firew all as an add-on to its SW G service. The
firew all service is not intended to replace enterprise firew alls protecting corporate data
centers. It is primarily suitable for branch and remote offices and roaming laptops.

Vendors Added and Dropped

W e review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets
change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or
MarketScope may change over time. A vendor's appearance in a Magic Quadrant or MarketScope
one year and not the next does not necessarily indicate that w e have changed our opinion of that
vendor. It may be a reflection of a change in the market and, therefore, changed evaluation
criteria, or of a change of focus by that vendor.

Added
None

Dropped
None

Inclusion and Exclusion Criteria

These criteria must be met for vendors to be included in this Magic Quadrant:

Vendors must provide all three components of an SW G:

URL filtering
Anti-malw are protection
W eb application control capabilities
Pure-play URL filtering solutions have been excluded.
The vendor's URL filtering component must be primarily focused on categorizing English-
language w ebsites.
Vendors must have at least $15 million in SW G product revenue in their latest complete fiscal
years.
Vendors must have an installed base of at least 2,000 customers or aggregate endpoint
coverage of at least 5 million seats.

UTM devices and next-generation firew all devices that offer URL filtering and malw are protection
have been excluded. This Magic Quadrant analyzes solutions that are optimized for SW G
functionality.

Vendors that license complete SW G products and services from other vendors have been
excluded. For example, ISPs and other service providers that offer cloud-based SW G services
licensed from other providers have been excluded.

converted by W eb2PDFConvert.com
Evaluation Criteria
Ability to Execute
Product or service: This is an evaluation of the features and functions of the vendor's SW G
solution. Malw are detection and advanced threat defense functionality w ill be w eighted
heavily to reflect the significance that enterprises place on these capabilities.
Overall viability: This includes an assessment of the overall organization's financial health, the
financial and practical success of the business unit, and the likelihood that the business unit
w ill continue to invest in the product.
Sales execution/pricing: This is a comparison of pricing relative to the market.
Market responsiveness/record: This criterion reflects how quickly the vendor has spotted a
market shift and produced a product that potential customers are looking for; it is also the
size of the vendor's installed base relative to the amount of time the product has been on
the market.
Marketing execution: This is the effectiveness of the vendor's marketing programs, and its
ability to create aw areness and mind share in the SW G market.
Customer experience: This is the quality of the customer experience based on reference calls
and Gartner client teleconferences.

Table 1. Ability to Execute Evaluation

Criteria

Evaluation Criteria Weighting

Product or Service High

Overall Viability High

Sales Execution/Pricing Not Rated

Market Responsiveness/Record Medium

Marketing Execution Medium

C ustomer Experience Medium

Operations Not Rated

Source: Gartner (May 2015)

Completeness of Vision
Market understanding: This is the SW G vendor's ability to understand buyers' needs and
translate them into products and services.
Sales strategy: This is the vendor's strategy for selling to its target audience, and includes an
analysis of the appropriate mix of direct and indirect sales channels.
Offering (product) strategy: This is an evaluation of the vendor's strategic product direction
and its roadmap for SW G. The product strategy should address trends that are reflected in
Gartner's client inquiries.
Innovation: This criterion includes product leadership and the ability to deliver features and
functions that distinguish the vendor from its competitors. Innovation in areas such as
advanced threat defense and cloud-based services w as rated highly because these
capabilities are evolving quickly and are highly differentiated among the vendors.
Geographic strategy: This is the vendor's strategy for penetrating geographies outside its
home or native market.

Table 2. Completeness of Vision

Evaluation Criteria

Evaluation Criteria Weighting

Market Understanding Medium

Marketing Strategy Not Rated

Sales Strategy Medium

Offering (Product) Strategy High

Business Model Not Rated

Vertical/Industry Strategy Not Rated

Innovation High

Geographic Strategy Low

Source: Gartner (May 2015)

Quadrant Descriptions
Leaders
Leaders are high-momentum vendors (based on sales and mind share grow th) w ith established

converted by W eb2PDFConvert.com
track records in SW Gs, as w ell as w ith vision and business investments indicating that they are
w ell-positioned for the future. In addition to offering strong SW G products and/or services,
Leaders have built effective sales and distribution channels for their entire product portfolio.
Leaders that offer on-premises and cloud services have recognized the strategic importance of a
tw o-pronged sales and distribution channel. They have established a traditional VAR channel to
sell on-premises appliances, and they have also demonstrated the ability, usually through
partnerships w ith ISPs and carriers, to sell cloud services.

Challengers
Challengers are established vendors that offer SW G products. Challengers' products perform w ell
for a significant market segment, but may not show feature richness or particular innovation. In
the SW G market, Challengers may also lack an established distribution channel to optimally target
customers for cloud-based services. Buyers of Challengers' products and services typically have
less complex requirements and/or are motivated by strategic relationships w ith these vendors
rather than requirements.

Visionaries
Visionaries are distinguished by technical and/or product innovation, but have not yet achieved
the record of execution in the SW G market to give them the high visibility of Leaders — or they
lack the corporate resources of Challengers. Buyers should expect state-of-the-art technology
from Visionaries, but be w ary of a strategic reliance on these vendors and closely monitor their
viability. Visionaries represent good acquisition candidates. Challengers that may have neglected
technology innovation and/or vendors in related markets are likely buyers of Visionaries' products.
Thus, these vendors represent a slightly higher risk of business disruptions.

Niche Players
Niche Players' products typically are solid solutions for one of the three primary SW G requirements
— URL filtering, malw are and application control — but they lack the comprehensive features of
Visionaries and the market presence or resources of Challengers. Customers that are aligned
w ith the focus of a Niche Players vendor often find such provider's offerings to be "best of need"
solutions. Niche Players may also have a strong presence in a specific geographic region, but lack
a w orldw ide presence.

Context
The URL filtering aspect of SW Gs has become a commodity, and enterprises are now focusing on
security features as important criteria in vendor selection. Because of these market trends, this
2015 Magic Quadrant places a strong emphasis on malw are detection, particularly advanced
threat detection. Implementation options are another important consideration w hen selecting
vendors. For example, enterprises that expect to remain completely w ith on-premises appliances
can select from the largest set of vendors. Enterprises that expect to migrate completely to an all-
cloud service option have a slightly smaller set of choices. Enterprises that expect to require a
hybrid approach have the smallest set of options because few vendors have truly integrated their
on-premises products w ith their cloud-based services.

Market Overview
Although cloud-based SW G services are a source of innovation and rapid grow th, the overall SW G
market is still dominated by the sale of on-premises appliances. Gartner estimates that, in 2014,
72% of the revenue in the $1.44 billion market w as attributed to appliances, and the other 28%
w as attributed to cloud services. In 2013, Gartner estimates that the 77% of the market w as
attributed to appliances and 23% w as attributed to cloud services. The overall market grew
approximately 10% during 2014, and w e anticipate that the market w ill grow 8% to 10% in 2015.

This year, the Visionaries quadrant remains empty again. Because of the grow th in cloud-based
SW G services, w e heavily w eighted these services w hen scoring the Completeness of Vision
criteria. Vendors that have a strong strategy for their cloud service and that also have a cloud-
focused sales and distribution channel scored w ell in Completeness of Vision. Strategies for SW G
cloud services need to include a cloud-based advanced threat defense service. Successful sales
and distribution channels include carriers and ISPs because they have proven to be effective
partners in selling cloud SW G services. It's challenging for vendors to develop a strong cloud
service strategy and a strong cloud sales and distribution channel. None of the Niche Players in
the 2014 version of the Magic Quadrant improved enough in Completeness of Vision scoring to
move into the Visionaries quadrant this year.

© 2015 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be
reproduced or distributed in any form without Gartner’s prior written permission. If you are authorized to access this publication, your use of it is subject to the
Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable.
Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies
in such information. This publication consists of the opinions of Gartner’s research organization and should not be construed as statements of fact. The opinions
expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal
advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that
have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research
is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the
independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity.”

About Gartner | C areers | Newsroom | Policies | Site Index | IT Glossary | C ontact Gartner

converted by W eb2PDFConvert.com