In order to keep employees from accessing inappropriate Web sites, Lanco International used to enter the URLs of some banned sites into its Internet Security and Acceleration server filters, but that was a cumbersome process that didn't nearly cover the vast number of inappropriate sites.
The Hazel Crest, Ill., heavy-equipment company lacked tools to centrally filter Web sites and to impose gateway security measures such as antivirus and antispyware software.
The company's MIS director read about services that could address these needs and settled on a cloud-based security service from Zscaler that locks out entire categories of inappropriate Web sites as well as filtering traffic for viruses and other malware, says Jerry Wasowski, the MIS director. "It allows us to make sure our bandwidth is being used primarily for business transactional activity," Wasowski says.
The URL-filtering service applies policies only to outbound Internet traffic and its antimalware services can eliminate the need for multiple single-function devices at the edge of corporate networks, such as gateway security appliances, he says.
In addition to the Microsoft ISA-server method being cumbersome, it set a single universal policy, which wasn't appropriate for the business, Wasowski says. "The Zscaler lets you get more granular," he says. "We can go down to a group level or even an individual level and identify what access a group or an individual needs to have. The marketing department may have some specific need to hit some sites that we aren't going to make available to the enterprise."
Through a management interface, the company built its rule set by checking off what groups would face what restrictions by checking boxes to enable certain categories of filters. And the interface allows inclusion of exceptions. "You may not want to enable a particular category, but you may need to enable certain URLs within that category."
The service includes access to records of what sites what users have attempted to access and deliver that data within a minute of the attempt, he says. The service can turn this data into reports for department managers who want to know what sites are being hit and what attempts are being made, he says.
In addition to outbound screening, the service checks inbound traffic for viruses, spyware and other malware. For example, Lanco can define whether it wants the service to block attachments coming in or going out. Remote workers outside of corporate facilities used only desktop security software. "We needed an enterprise solution," he says. The company has about 40 locations.
Lanco has a proxy server at its headquarters site that diverts Internet-bound traffic from the corporate LAN, WAN and VPN to Zscaler's proxy site at distributed Zscaler data centers. Individual workers accessing the Internet from hotels or other non-corporate locations have a browser setting that directs their traffic directly to the nearest Zscaler data center, says Jason Morris, Lanco's technical support operations supervisor.
Lanco says the URL blocking has freed up bandwidth, but can't say how much. But based on log searches, historically workers went to sites that are now filtered, so based on that, Wasowski concludes that bandwidth has been freed up for productive traffic. The company hasn't discovered a hard return on investment for the service, but "we knew we had to do something to protect our environment," Wasowski says.
Before determining what sites to block, the IT team called in human resource and legal departments to make sure the filters didn't violate corporate Internet usage policies, he says. They also helped set up a process for individuals to request exceptions to the policies that apply to them. "We didn't want to make those decisions on our own just based on an MIS perspective," he says. "It was good for them to see that now we have these controls in place."
The IT department at Lanco tested the service before it went live to the corporation as a whole, and just before that MIS sent a reminder of what the relevant corporate policies were. There was no end-user training because use of the service requires no change in end-user behavior. Delay caused by traffic being diverted to Zscaler's data center is 1-2 milliseconds, Morris says. He says he can't quantify how much time the actual filtering uses up, but that it isn't generally noticeable.
"I wanted to make this as much of a non-event as possible, and I think we accomplished that," he says.