3 “The first successful in-the-cloud secure #1 SaaS Web Security Solution“The first successful in-the-cloud secureWeb gateway service”Industry’s most mature platform20 Billion web requests per month1,000’s of customers across 80 countries200 Million Blocks per MonthGlobal network operations in 4 continentsSLA backed % service uptimeCustomers
4 Web Security – A Big Market Where Cisco is #1 Web Security MarketLarge: Overall market $2.5B by 2013Broad across size, industry, geographyGrowing: Market Growth at 12.3% CAGR; But 46.5% CAGR for SaaS segment
5 Web Security – Market Shift to SaaS SaaS is growing much faster than legacy software/hardware as it delivers lower TCO and effective security. Ideal for customers with distributed networks and mobile workersCisco ScanSafe is the dominant provider in SaaS, with 35% market share or 5x nearest competitor according to latest IDC research
6 Solution OverviewSo looking at the ScanSafe solution from a high level, you can see the key elements:For integration and user granularityIntegrated management and reporting that covers all aspects of the solutionConsistent policy and security for all users, regardless of location – this includes BlackBerry mobile devicesNumerous ways to integrate with existing network infrastructure and authentication servicesFor filtering policyBi-directional content based policy enforcementDynamic content classificationControl over HTTP & HTTPS communicationsFor securityAccurate zero-day threat protectionBased on the world’s largest Web usage dataset – billions of Web requests a dayAll security extended to remote and roaming users as well as on-premise usersAnd so overall, ScanSafe offers consistent, enforceable, high-performance Web security and policy, regardless of where or how users access the Internet.
7 FREE EVAL FOR 30 DAYS – NO OBLIGATION TO PURCHASE PositioningRequired Information:-Overview of Prospect i.e. Seats/Locations/GatewaysCustomer Project or ProblemBusiness Drivers – Compelling MechanismTimescalesBudgetWhy ScanSafe:-We do it cheaper, by saving time on cleaning infected PC’s & by managing the software on a day to day basisWe are more secure, 200 million malware blocks a month – spyware/malware/virusesWe are a complete solution – Internal users & External users are controlled via the same serviceFREE EVAL FOR 30 DAYS – NO OBLIGATION TO PURCHASECapEx to OpEx = many customers would prefer to know the fixed amount they are paying each year and budgeting it.
8 Competitive Outlook Today 12 months Very significant market/vendor consolidation in past 2 yearsKey Competitors:Websense – incumbent in large % of deals. Focus on renewal unless pushed. Increase in development in SaaS platform. Continued move to try and position as a security vendorBlue Coat – incumbent in large % of deals. Not that security focused. Rarely lose new business dealsMessageLabs – focus on security with web security offered for completeness. Low cost, low functionalityZscaler – small and relatively new, v. aggressive, may be acquired. Partnership with Microsoft. Less success in larger Enterprise customers.Today12 months1. Websense2. Blue Coat3.MessageLabs4. Zscaler1. Websense2. MessageLabs3. Blue Coat4. Microsoft (?)
9 ScanSafe Competitive Differentiation Clear market leadership position (~34% market share)More customers than any other cloud Web security solutionScanSafe sees more real-world Web traffic than any other solutionLeading content visibility & zero-day threat protectionLarge database of Web content used to “train” security engineUses combination of static & dynamic analysisProven to block >25% more malware than signature solutionsProven reliabilityWeb is now business critical communication100% uptime for 7 yearsSuperior reportingComplete flexibility into reporting criteriaAllows end users to define exactly what data is important
11 Data Flow with ScanSafe Web requestsAllowed trafficFiltered traffic
12 Scalability & Reliability 15 Data Centers spanning four continentsTop tier certificationThousands of devices deployed100% availability, automated monitoring, full redundancySan FranciscoDallasMiamiNew YorkChicagoLondon (2)ParisCopenhagenFrankfurtTokyoHong KongSydney (2)SingaporeAdditional Data Centers plannedMoving on to scalability and reliability - I don’t know a customer or prospect out there who isn’t looking for a solution that is both scalable and reliable. This is really one criteria that’s universal!When thinking about scalability, there’s really a multiple things to consider:Scale for total end users globallyScale for large customers with hundreds of thousands of users in a single organization with a single policyScale globally – or maybe you’d call it global reachDoing all this while maintaining a high performance serviceScanSafe hits all these points. Every day, our service scans billions of Web requests, and to give you a sense of the scale of that, it’s similar to the number of Web requests that Google handles every day. Every single one of those requests is scanned in real-time to ensure policy and security are maintained – that’s millions of end users around the world. In order to ensure that our customers maintain the highest levels of performance ScanSafe - all this real-time analysis, using our proprietary analysis engine Outbreak Intelligence, (which we’ll talk about later in this presentation) is carried out in parallel using the vast amount of resources that we have in place around the world. This enables maximized security with maximized performance. On average the scanning, analysis, security and policy enforcement offered by the ScanSafe solution takes less than 50ms which is not perceivable to end-users.Looking at where our customer base is located, ScanSafe has customers in over 100 countries, most of the globe! This is really the testament to the high performance that we enable for our customers regardless of their geographical location. The chances are that in whatever country you might want to access the Internet, we have existing customers there using our service already.ScanSafe has very clear data around the proof points for scalability and our customers feel secure that their service will be of the highest standard and performance.Thinking about reliability - we know that every time a solution that impacts Web access goes down there are severe repercussions – no Internet access means lost revenue, unhappy customers, confused business partners, more work. That’s why at ScanSafe we designed our solution with the highest levels of resilience so that our customers don’t have to suffer the pain of lost Internet access. Again going back to offering proof of our capabilities, we are very proud that over the past 6 years, ScanSafe has maintained 100% continuous uptime. Our customers have had no downtime whatsoever – there aren’t many companies who can say that.So how did we do this? We built the highest quality solution that we could. We used only top tier data centers around the world, data centers that matched the SLAs that we offer to our customers and data centers that are formally certified for the highest levels of service and security such as ISO27001, SAS 70 Type II. Then we connected all those data centers with high bandwidth connectivity – 10 gigabits per second - so that we can use all our resources with the absolute minimum of latency.Once we had this top tier, high speed network in place, we ensured that every single piece was being monitored, so that in the unlikely event of a failure, our architecture will be immediately re-routed and the issue resolved. Coupled with this, all ScanSafe customers are assigned routes to multiple data centers, so if an entire data center were to disappear, their service would remain unaffected and their Web traffic would remain secure – this is true for remote or roaming employees as well as for those that work in an office.ScalabilityBillions of Web requests/dayHighly Parallel processingMulti-tenant architecture: average <50 ms latency10Gb connectivityRedundant network providers
14 Outbreak Intelligence - The Results GumblarMultiple injection attacksPercentage of malware blocksZeus Botnet / LuckysploitSo I’ve described how Outbreak Intelligence works – here we can see details of the results that Outbreak Intelligence has had in The blue slide in this chart is the percentage of blocks that are zero-day blocks made by Outbreak Intelligence, or, to put it another way, the threats that would have evaded traditional list based security systems.You can see that on some days, directly linked to the release of a new zero-day threat, the number of blocks made by Outbreak Intelligence is well over 80% - in 2008 we had numerous days when it was over 90% of all blocks. This is the real benefit – effective protection from zero-day threats.At ScanSafe we can prove to our prospects that our solution works, and works better than the competition. 27% of all malware blocks in 2009 were as a result of Outbreak Intelligence – zero-day threats that evaded signature based security solutions.
15 ScanCenter - Management Multiple rules and schedules for User/Group granularityBi-directional content based policy enforcementDynamic content classificationControl over HTTP & HTTPS communications
16 Web Intelligence Reporting Over 24,000 report combinations covering more than 80 attributes in 11 reporting categoriesCumulative, trending and search driven forensic reports, comprehensive drill down analysisBased on data warehouse infrastructure for performanceScheduled reports can be sent securely to defined usersGranular reporting enables actionable remedies to issues and unrivalled visibility into resource usageAnd finally on to the Management aspect. I’ll take you on a walk through our management interface – ScanCenter – in a minute, but before we get there I wanted to point out some of the highlights of our reporting solution. This has been designed specifically to allow our customers clearer visibility, not only into Web usage, the who has gone where, but also how IT and network resources are being utilized. That’s why we offer the ability to report on over 80 different attributes – as well as the regular ones such as user, category, host etc, we also give customers reporting capabilities on factors such as the Referring domain, browser used, content type requested, queries entered into search engines to name but a few. All of this additional information extends the use of the reporting capabilities to be used beyond just looking at Web security related details, and enables thousands of different drill down reports for numerous groups within an organization.As well as reporting on what content is entering your network, you can also understand what information has left – or has been prevented from leaving by the outbound content control policy so you et a holistic view of what your Internet connectivity is being used for.As well as reporting on what is happening on the network, you can, of course, define a policy for all Web traffic, HTTP and SSL encrypted traffic, prevent that malicious and inappropriate content from entering your network AND help prevent confidential data from leaving your network. You can have peace of mind knowing that all the security aspects of your Web usage are taken care of – we covered that in the Security section of this presentation.All of that is managed from a single, web-based portal which also integrates all reporting for your solution.You can see some examples of WIRe here – in different output graphs. WIRe is an integrated part of our offering for all customers, and being in the cloud, there is nothing for the customer to install in order to start benefitting from WIRe from day one.
19 Agenda No User Granularity Required User / Group Granularity Required Connector-less SolutionsRoaming & Remote Users
20 ScanSafe Deployment Options Module # – Name of ModuleScanSafe Deployment OptionsNo User Granularity Required
21 Port Forwarding / Transparent Proxy Firewall directs port 80 traffic to web security service via Transparent Proxy / Port Forward (no browser changes required)Available with certain perimeter devices that have the ability to forward traffic based on port or protocol (BlueCoat, ISA, CheckPoint, Watchguard, SonicWall, Netgate etc…)Provides Site/External IP granularityNOTE: Many Cisco devices are not capable of port forwarding
22 Browser Redirection via GPO / PAC file Proxy Settings are pushed to browsers via Active Directory GPOBrowsers connect through Firewall on port 8080 to Web Security ServiceFirewall blocks all other GET requestsProvides Site/External IP granularity
23 PAC File DeploymentThrough GPO, Desktop Users are configured to reference a PAC file with each browser sessionA global PAC file can point to different ScanSafe towers dependant on internal IPWeb requests are sent directly to the ScanSafe towers
24 Deployment - AD Group Policy Can be targeted to the AD site, domain or individual OUs.Supports various OS platforms:Windows 2000Windows 2k3 ServerWindows XPWindows VistaWindows 7Sometimes it is an inconvience or impractical to set-up all the users’ web-browsers manually. In this case the proxy change can be rolled out via Active Directory group policy which can be targetted to AD sites, domains or individual OUs.[CLICK]Here you can see how easy it is to push the ScanSafe service to any number of users with just a few clicks.Centrify offer GPO control to Mac OSX using DirectControl software.
25 ScanSafe Deployment Options Module # – Name of ModuleScanSafe Deployment OptionsUser / Group Granularity Required
26 Standalone ConnectorProxy Settings are pushed to browsers via AD,GPO or PAC fileForwards web traffic to ScanSafe on port 8080/443 to the Cloud based TowerConnector receives Client info and queries Active Directory Server for Group Information, then proxies to ScanSafe upstreamSet Firewall to block all other GET requestsProvides IP/End User/Group granularity
27 Enterprise Connector - Inline ISA Web Security Service is configured as upstream proxy on currently installed proxy deviceCurrent proxy device communicates with Connector ICAP (on box) to provide IP/User/Group information (5,500 Users max recommended)Browser traffic is directed to existing Proxy via GPO or PAC filesSet firewall to block all other GET requestsProvides IP/End User/Group granularity
28 Enterprise Connector - ICAP Web Security Service is configured as upstream proxy on currently installed proxy deviceCurrent proxy device communicates with Connector via ICAP to provide IP/User/Group informationRequires no further Client configurationSet firewall to block all other GET requestsProvides IP/End User/Group granularity
29 ScanSafe Deployment Options Module # – Name of ModuleScanSafe Deployment OptionsConnector-less Solutions
30 BlueCoat Integration - Connector-less Provides AD user and group granularity.BCAAA must be installed and configured within the Active Directory environment.To also send internal IP address to the ScanSafe Scanning towers, Blue Coat must be configured to include x-forwarded-for headers.BC can run in transparent or explicit proxy modeSet firewall to block all other GET requestsProvides End User/Group (possible IP granularity)
31 PIM - Passive Identity Management Proxy Settings are pushed to browsers via Active Directory GPO or PAC file OR PIM can be run in transparent mode with ISA / BluecoatLogin Script (or GPO etc) runs the PIM.EXE with required switchesRequires no client installationFirewall blocks all other GET requestsProvides End User/Group granularity
32 Why PIM?There are many customers that do not want to deploy proxy servers yet still want granular policy control. This can be because of the shear number of sites they have to manage or for other technical reasonsDeploying a small number of proxy servers to where many different locations tunnel, negates a lot of the advantages of modern MPLS networks and increases latency and bandwidth costs
33 How Does PIM Work?PIM adds -XS headers to the browser’s user agent stringIncluded in this string is a unique hash that identifies the user in our Scanning towerThis detail is encryptedUpon logon, PIM sends an out-of-bound request to the scanning tower and uploads the group information for that userThese groups are automatically created in ScanCenterFollowing registration, each time a request to the Web is made, only the hash is sent to us along with the request and we can indentify the user and apply the correct policy according to the relevant group/s
34 PIM Data Flow Directory Sync request (Registration) Internet request (Browsing)Client runningPIM(IE/FireFox)CorporateFirewallCisco/ScanSafeDataCentre(s)The Internet
35 ScanSafe Deployment Options Module # – Name of ModuleScanSafe Deployment OptionsRoaming / Remote Users
36 Roaming Users (Anywhere+) Installs a Network Driver which binds to all connections (LAN, Wireless , 3G)Automatic Peering Identifies nearest ScanSafe Datacenter and whether a connection is possible.AD information can be remembered from when the user was last on the corporate network using the Gpresult API (group policy)
37 How Does it Work?Authenticates and directs your external client Web traffic to our scanning infrastructure Numerous datacenters are located all over the world ensuring that users are never too far from our in-the- cloud scanning services SSL encryption of all Web traffic sent improves security over public networks37
38 Anywhere+ True Roaming Support FeatureKnown Environment(Remote)Anywhere+(True Roaming)Access ScanSafe services from outside of corporate LANSuitable for home workersWorks with a VPNWorks through another proxyTransparent to end userWorks at a network which requires payment (e.g. Hotspot)Encrypts all web traffic to prevent eavesdroppingTamper resistantLocation Aware (reduces latency)And when considering remote and roaming users, they require additional functionality that on-premise workers don’t, but first I’d like to clear up a difference between remote workers and roaming workers. Remote workers are those that occasionally or normally work from home. They probably connect through a cable or DSL connection and VPN into the office. It is these users that the majority of vendors cater to with their remote user product.If you start to look outside this very defined individual use case, there are many different factors to consider as you can see in this table here.Connection through another proxy – maybe a contractor working at a client location. Many remote worker solutions fall over when an additional proxy is introduced – the ports that they need to communicate are closed, or it just doesn’t know how to communicate through a different proxy device.Transparency – the method of authentication for many other remote user solutions is manual – enter your username and password…for every Web browser session. This impacts the user experience and creates a frustrating cycle for end users.Operation at locations that require payment or acceptance of Terms & Conditions – while it might seem obvious that this would be a key requirement for just about any hotel, airport or coffee shop, many solutions are not designed adequately to work with these options, hit or miss is the best you could hope for.Security through encryption – if you are sending information such as user and group identification over the Internet, it’s an excellent idea to encrypt it for security. Many solution however, as they are designed for workers sitting behind a VPN, do not offer this capability, at best this is a security hole, at worst, a lawsuit or other claim if information is used to access your organization and steal data.Tamper resistant – How easy is it for a user to circumvent the controls that are put in place? Can they change the settings? Can they disable the service? You are putting in a process to eliminate the security weak-link, however many solutions provide no protection against a user just turning off the control.Performance Optimization – Let’s say you get on a plane in New York, and get off in Sydney. You turn on your laptop and – lets assume everything works – you are routing all your traffic through a data center in the US. That’s going to add significant latency and reduce your productivity. Again, the solution many vendors offer will do exactly that, they have no capability to re-route your traffic dependent on your location.Anywhere+ is the only solution for remote and roaming users that covers all of these capabilities, to work wherever you are, however you connect to the Internet and to offer a secure, high performance Web security service.38
39 ScanSafe Deployment Options Module # – Name of ModuleScanSafe Deployment OptionsQ&A