Two acquisitions announced in the last week underline the battle to gain market share and technical superiority in the web security market and continue the debate about how content security is best delivered—at the edge of the network or in the cloud using the software-as-a-service (SaaS) model.

First, on 28 October, Cisco announced it was buying ScanSafe, a UK company that had established a strong position in SaaS-based web security, and today, M86 Security (formerly Marshal) announced it was buying the Israeli firm Finjan, a specialist in real-time web threat analysis.

These acquisitions are the latest in a continuum of such deals, marking the near end of consolidation of the web security sector that has taken place over the last few years, as there are few small specialists left. Most are now part of the broad portfolios of large security vendors, which is, in Quocirca's view, no bad thing as it stabilises the market and provides new sales channels for the strongest products. The same sort of consolidation happened at an earlier stage in the email security market.

For example, the overall leader in web security, Websense, shook the market in 2007 when it bought one of its main rivals, SurfControl. This strengthened its market share, but was also part of a broader strategy to widen its portfolio, as SurfControl had other assets including email security. Websense had already acquired Port Authority—a data loss prevention vendor—and has since acquired Defensio to strengthen its spam filtering.

McAfee followed with the purchase of Secure Computing in late 2008. Its rivals Symantec and Trend Micro are also in the web security market—the former through its 2008 MessageLabs acquisition (this SaaS-based email security vendor was already developing web security technology) and the latter through a couple of technology acquisitions as long ago as 2005, and in-house development.

When considering which approach to take for web security—network-edge or SaaS—latency is often of primary concern—more so than with email security—as any security technology that slows down web access frustrates users and damages productivity. Network edge vendors claim a performance advantage, but there are two factors that further complicate issues.

First, web security policies that control the web use inside the firewall need to be extended to those working remotely; this is more easily achieved with a SaaS-based service. Second, web-based business processes often span multiple organisations, making the network edge much vaguer than it used to be and content security policy often needs to be extended to external users.

It is interesting that Cisco bought ScanSafe, a pioneer in the delivery of SaaS-based web security. In the past Cisco has stuck to hardware appliances to be deployed at the network edge for security, for example IronPort, which it acquired in 2007 for email security. Perhaps Cisco is recognising that the only way to control disparate web users is with a SaaS-based system, giving customers confidence to use the web for communication and collaboration wherever they are, including the use of web-based voice, video and web conferencing tools. Cisco's only other foray into SaaS so far was its 2008 acquisition of web conferencing vendor WebEx.

M86 Security's acquisition of Finjan tackles the latency issue. M86 Security was already in the web security market with its WebMarshal software aimed at small businesses and its 8e6 appliance for URL filtering that became part of its portfolio when it merged with 8e6 Technologies—leading to the new name. The Finjan acquisition adds real-time web threat monitoring, ensuring all web traffic is inspected for malware with minimal degradation of performance. It also adds some SaaS capability as Finjan was already in the process of extending its gateway-based web security to the cloud.

There are still plenty of choices even though consolidation has meant web security is now mainly in the realm of broad-based one-stop-shop security suppliers. Vendors are increasingly offering both network edge and cloud-based offerings, in some cases a hybrid of both, allowing customers to achieve a balance between performance and reach. Some buyers still regard cloud-based offerings with suspicion, especially when it comes to security, but such offerings are performing better and better, so many are accepting that outsourcing security to experts makes sense.

The web is an essential tool for all businesses. Making its use as safe as possible while ensuring users remain focused on the benefits it brings, knowledge acquisition and communication, while avoiding its many distractions, is the aim of all these products. With the right tools it is possible to ensure the web is a largely safe and productive environment. Happy surfing.