In 1995 a small security reseller in Southfield, Michigan, introduced possibly the first “cloud” based firewall: Check Point FW1 running on Sun Netra boxes in their small data center. Netrex would configure T1 connections from their customers’ routers to their data center and manage all of the firewall policies for them.
As they developed their management interface, they pivoted away from providing these “clean pipes” to what is now the traditional MSSP service of remotely managing customer devices on premises.
Netrex sold to ISS and its managed services are now the basis of IBM’s MSSP offering. It is worth noting that when Netrex was still a reseller they competed with an Atlanta-based security services company called SecureIT, founded by Jay Chaudhry. SecureIT sold to VeriSign and Jay went on to found multiple security companies including Core Harbor Inc., AirDefense, Air2Web, CipherTrust, and Zscaler.
Zscaler today announced a cloud-based firewall into a market that is finally ready for a clean pipes offering. Not in the press release is the fact that they hired iPolicy founder Pankaj Parekh to take the project forward.
In addition to conceiving the first single-pass multifunction gateway security device, Pankaj has experience with massively scaled infrastructure, which he gained while he was at Microsoft.
Here is why I think Zscaler is going to succeed with a cloud firewall.
Two industry segments, content URL filtering and firewalls, have been dancing around each other for a decade. BlueCoat, née CacheFlow, and Websense first went to market with URL filtering when it was not even considered a security solution.
Rather, it was an employee behavior enforcement tool (and, unfortunately, a nation state censorship tool). Enterprises used content filtering to restrict access to pornography, hate sites, and entertainment that would detract from productivity. Only with the rise of phishing and watering hole attacks did content filtering evolve into web security.
BlueCoat and Websense were very expensive tools. Most organizations could only afford to deploy them at headquarters and thus backhauled remote office traffic so it could be controlled.
Firewalls began to add more and more capability as first VPN concentrators and IPS were collapsed into one gateway device. The addition of content URL filtering to the suite of tools was the killer app in what became known as UTM. (Gartner has its own term, NGFW, but in practice all modern firewalls, from SonicWall, to Palo Alto Networks, to Fortinet, are UTM.)
Important to the story is that one of the only vendors to go to market with a completely architected all-in-one solution was iPolicy. But iPolicy was too early. While it was quickly deployed by large service providers such as AT&T, it never achieved critical mass and ended up being sold to WaPro in India.
When the founders of Zscaler recognized the move to mobile devices and the trend towards pushing security out of the central office to the distributed enterprise, they devised a cloud-delivered content URL filtering service.
By hosting a massive proxy environment in key network data centers close to Internet exchanges, they were able to extend corporate content policies to mobile users while creating a competitive alternative to deploying expensive BlueCoat devices in small offices.
Meanwhile, BlueCoat missed an opportunity to fend off the UTM vendors by opting not to introduce a firewall for remote offices. Websense pivoted to DLP with the acquisition of PortAuthority.
Both ended up in the lethargic hands of Private Equity firms. Zscaler told Security Current that they have grown to 6,000 customers, close to the same number BlueCoat had when they were taken private and twice the number that FireEye had when it IPO’d.
After building the global cloud required to offer secure web browsing for millions of endpoints and networks, it is a logical step for Zscaler to introduce a firewall. The combined features create the first cloud UTM offering with all of the benefits of a managed service.
They will be able to see attack traffic across a wide swathe of customers and deploy new defenses as needed. No software updates, versioning support issues, or even software licensing and maintenance. This is a significant threat to traditional MSSP services, the stand-alone content filtering vendors such as BlueCoat (which is being spun off to Bain Capital in the hopes that it can re-IPO), and even appliance-based UTM vendors like Palo Alto Networks and Fortinet.
