
http://www.businessweek.com/magazine/building-a-firewall-for-the-facebook-generation-10202011.html
Palo Alto Networks is updating the corporate firewall to handle modern Web services like social networks, Skype, and Google Docs

For the past 15 years or so, security pros have relied on the trusty firewall and other hardware to keep bad guys from running amok on corporate networks. For the most part this has meant blocking tainted e-mails and keeping workers away from harmful websites. The latest wave of Web services—Skype (MSFT), Google Docs (GOOG), WebEx (CSCO), Salesforce (CRM), etc.—has introduced fresh problems. They can make workers more productive, but they also transfer files, store data, and allow remote computer access in ways that can’t be easily patrolled by the standard sentinels, most of which were developed before these services even existed. Many companies either hope for the best or block the services they can’t control.
Nir Zuk has another option. He’s a veteran of the traditional firewall and security industry who struck out on his own six years ago to create a product for today’s Web. The company he founded, Palo Alto Networks, sells a next-generation firewall that makes modern Web services safe for the workplace and gives companies precise control over how their employees can use them. Instead of the all-or-nothing approach, a company with a Palo Alto Networks box can let workers access, say, the updates on a social network, but not click on links or share sensitive information. “Our customers don’t want to block Facebook,” Zuk says. “They want to use it, but they also want some control.”
As interest in Web-based software has surged, so too have Palo Alto’s sales. The company has hopped from office to yet bigger offices since its birth at Zuk’s Palo Alto house in 2005. This year the company moved into a giant new headquarters in nearby Santa Clara. The building includes a showroom where specialized data center machines, costing $5,000 to $140,000 each, sit under spotlights. A year ago, Palo Alto claimed 1,000 customers; today it has 4,500, including Qualcomm (QCOM), the city of Seattle, and EBay (EBAY). Sales will exceed $200 million this year, according to Zuk, who adds that the company is gearing up for an initial public offering in the not-too-distant future.
Zuk, 40, says Palo Alto Networks owes much of its success to modern computing habits, which require more sophistication than what’s provided by traditional security products. Older firewalls are designed to monitor one-way traffic. E-mails and data from websites pour in, and the security products look for suspicious patterns; for the most part, they treat all websites the same. Yet threats can snake their way through a network in various ways: A worker might go to Facebook, click on a nefarious link, and download a virus. Soon enough, he’s using software from enterprise cloud computing company Salesforce.com to upload those infected sales data files and send them to colleagues. “Most security groups used to focus on blocking apps like Skype or GoToMyPC (CTXS) but now are often required to allow them to be used,” says John Pescatore, an analyst at the research firm Gartner (IT). “That’s why firewalls needed to evolve.”
Palo Alto gives each Web service its own signature. This means that Palo Alto’s systems know when employees are using Skype or Salesforce.com, and have a general idea of what they’re doing there. Customers can set policies for how an application is used so that, for example, all employees can view Google Docs files, but only some can actually create new ones.
Keeping track of all the traffic flowing through a corporate network requires a lot of computing horsepower, and part of Palo Alto’s secret sauce is a homegrown chip that chews through data quickly. A Palo Alto system can even peer into encrypted traffic: It’s fast enough to decrypt packets of information, check whether they’re safe, and then pass them on to the employee who requested them, all without much lag.
Norm Fjeldheim, the chief information officer at chipmaker Qualcomm, says the Palo Alto systems he bought replaced not just firewalls but also things such as intrusion detection hardware and other types of security systems. “They are doing the work that was done by multiple things in the past,” says Fjeldheim. “They watch over everything.” Qualcomm now gives its employees access to a variety of Web services—something workers had been demanding—while regulating how they’re used. “We have detected lots of attacks that we would otherwise not be able to see,” Fjeldheim says.
Before founding Palo Alto, Zuk spent years working on security at companies such as Check Point Software Technologies (CHKP) and Juniper Networks (JNPR). “I tried to fix these problems at my previous employers,” Zuk says. “But they would not let me.” He broke off on his own and spent 18 months writing the initial code for Palo Alto Networks, which has raised a total of $65 million to date. In August, Palo Alto lured Mark D. McLaughlin away from his role as CEO of VeriSign (VRSN) to run the young company and prepare it for an IPO. “I don’t think we’ve ever seen an enterprise technology company grow as quickly,” says Jim Goetz, a partner at venture capital firm and Palo Alto Networks investor Sequoia Capital.
Many competitors—and former Zuk employers—have started selling rival products. Juniper credits Palo Alto with pioneering the market for these types of products but plans on using its market heft and engineering expertise to outflank the upstart. The company plans to counter threats by gathering “even more intelligence for the type of device someone is using, their location and any other information you can pull in,” says Karim Toubba, vice-president of security strategy and product marketing at Juniper. Gartner estimates that by the end of 2014, about 60 percent of firewall-type purchases will be for these next-generation products. Zuk says his engineers, a who’s who of security pros, will help the company stay ahead. “Nir is bombastic at times and guilty of dropping the F-bomb and all that,” says Goetz. “But I think the incumbents underestimated his ambition and the ability to build this kind of team.”
The bottom line: Fast-growing Palo Alto Networks has a modified firewall that allows companies to block dangerous activity without blocking whole sites.
3 comments:
I think this sounds like an awesome product, and I'm glad a solution has been developed for this on-going issue. I always cringe when I hear colleagues at other corporations complain about being completely blocked from social/interactive sites like Facebook and Skype. I think blocking all social sites in this day and age is a bit archaic (perhaps I'm a bit biased since I work in digital marketing). However, I think Palo Alto has developed a smart solution that can allow employees to access these useful online tools, while also giving the company the level of control they need to feel secure. I think it's a brilliant (and long overdue) solution, and am glad to hear big organizations are taking notice.
Traditionally firewalls are policy based on type of traffic, and then exception rules can be applied. It is interesting to see a manufacturer challenge legacy thinking. One drawback is that many customers use Cisco and Juniper for their other network components and convincing them to change partners for one device will prove difficult. There are other web appliances on the market, such as Ironport, that have similar features, but this involves investing in additional hardware in addition to a firewall.
Wow. I'm really going to recommend that my company look into this type of security software.
Working in the retail store environment, our Nike firewall blocks almost everything. Most of the company computers located in our stores can only take you to company sites and UPS Quantum View. This presents a major problem for communicating and marketing. As far as communication, we rely solely on traditional conference calls instead of some other free document sharing/screen sharing software that could make these calls more meaningful and useful for our fleet. We send out lengthy emails that need to be updated constantly instead of utilizing Google Docs like this article outlines.
As far as Facebook and Twitter... forget about using any social media to drive local traffic or develop an out of store relationship with local customers. If we used this type of software, stores could connect with their local customer base and keep in touch. Whole Foods does a great job of this (I follow both the corporate site and the local store) and I would love to leverage it for our locations.
Good to know firewalls don't have to be traditional and block everything. Can't believe Nike doesn't have this already!!