Chenxi Wang Cloud security service is hot, hot, hot. My last blog post highlighted the acquisition of Purewire by Barracuda earlier this month. Today, Cisco Systems announced the intention to acquire ScanSafe, another Web security services company. Cisco’s entering this space shows that Web security services are now on the radar screen of enterprises.

At Forrester we are seeing a definite rise in interest in Web security services, partially fueled by the general interest level in cloud services. Many IT managers told me that they are being asked by their management, “Why not consider cloud services (to fulfill this IT function)?”

Is cloud Web security service for you? A good answer to the “Why not consider cloud services?” question requires examining the pros and cons of outsourcing to the cloud, which should cover, at a minimum, the following decision points:

  • Cloud benefits: Outsourcing to the cloud comes with the common benefits, which include self-servicing features, lower upfront investment, lower ongoing management overhead, and easy scaling to demand. You need to understand how important these aspects are to your organization.
  • Total cost of ownership: In terms of TCO, however, it is not always a clear-cut argument. In fact, sometimes a three-year term with a cloud solution may cost you more (in total) than an on-premise product. You must tradeoff TCO with the other cloud benefits, such as lower upfront investment, to make an informed decision.
  • Compliance: For folks who have rigorous compliance requirements, using cloud services can be a complex decision. For example, if you are using someone like Akamai to accelerate your content, and if the content contains regulated data (e.g., customer login info, credit card data), you need to not only ensure that Akamai is compliant, but also the numerous third-party data centers that Akamai uses to host their servers. If you are a global player, this could amount to examining over 100 datacenters around the world — a truly complex undertaking. The same goes for Web filtering service offerings.
  • Cloud vendor’s security/privacy practices: In addition to what’s required in meeting your compliance goals, you need to understand how the cloud vendors handle various security and privacy issues. See my “How secure is your cloud” report for more details on this discussion.

What does this mean for Cisco? Cisco already has its own email filtering services in the cloud. Getting into Web security services is the natural next step. This is another signal that Cisco is stepping away from the on-premise-only security vendor image and casting itself as a “we have all the form factors you can possibly want” vendor.

This is a move that Cisco needs to make. Look at their competitors: Symantec has MessageLabs. McAfee has their own Web filtering services, in addition to MxLogic. Their SMB competitor Barracuda now has Purewire. Websense, the Behemoth in the Web security space, has its own hosted offering. To stay healthy in the Web security market, Cisco needs to show their conviction in the service space. Acquiring ScanSafe, the most mature player in Web security service, is the quickest way to do so.

What will happen to ScanSafe’s partners/customers? ScanSafe is arguably the first company in this space; they were the only company in this space for a number of years before it became a hot new market. ScanSafe has a relationship with Google as well as a number of large Internet service providers—they OEM ScanSafe’s services. The word from Cisco is that they will maintain the existing partner relationships, at least for the foreseeable future. In the short term, I don’t anticipate any changes in ScanSafe’s existing relationships. However, I would not be surprised that in a year or so, Cisco will re-assess the terms of these partnerships. The word from Google is that they are not doing nearly as much on the Web security services front as they are on the email side. This acquisition will undoubtedly change the dynamics of the relationship. I don’t see Google actively reselling Cisco services, do you?

The only pure play Web security services vendor left is Zscalar, another startup from the former CipherTrust folks. How long do you think they’ll last as an independent company? I’d be interested to know what you think. Leave me a comment here or write me a note at  

This post is cross-posted to Chenxi's blog: