
Analysis: Microsoft's Forefront Cuts May Signal Cloud Security Shift

Microsoft's recent decision to discontinue five of its Forefront enterprise security products may be a sign that the company is either exiting that market or venturing further into the cloud-based security space.

One of the products that will not be sold after Dec. 1 is Forefront Threat Management Gateway 2010 (TMG 2010), a server-based secure Web gateway product that evolved from Microsoft's earlier Internet Security and Acceleration (ISA) server product.

TMG 2010's demise was anticipated by Gartner Inc., which explained in its May 24, 2012 "Magic Quadrant for Secure Web Gateways" report that Microsoft had told Gartner that it wasn't planning on shipping another release of the product. Gartner's report speculated that Microsoft may be eying an online service as a replacement for TMG 2010 sometime in the near future.

Gartner defines a secure Web gateway as a traffic-filtering appliance or software solution that's designed to ward off malware encountered by end users. A secure Web gateway will check for malicious code and the reputations of URLs, while also supporting the enforcement of company policies.

TMG 2010 hasn't exactly topped the list of secure Web gateway products at large enterprises, according to Rick Holland, a senior analyst at Forrester Research. Still, many companies may have used it because of Microsoft's licensing.

"I would classify it [TMG 2010] as Web content security [product]," Holland said in a phone interview. "From our client base whom I did consulting and inquiries with, it's very, very low on the list. Very few larger Forrester-type client enterprises have adopted that solution. One of the nice stories about Microsoft is that a lot of times you get a product with your licensing agreement…so that may have been the case for some of the adoption we saw in this space, but clearly you don't see it [TMG 2010] in large organizations."

Holland also speculated that Microsoft's discontinuance of the TMG 2010 product could signal a movement to a more cloud-enabled scenario.

"Another thing that may have something to do with it -- maybe more on the three- to five-year horizon -- is the advent of software as a service for this capability," Holland said. "So there are companies out there -- Zscaler, as an example -- where you don't have to have any solution on premises at all and you just go to a cloud environment. Zscaler is a pure play in that area, but even the traditional secure Web gateway providers, like Blue Coat and Websense, they have that capability as well."

Holland added that providing security in mobile scenarios could be a driver of such cloud-based solutions over the next three to five years.

"If I'm roaming and I had to work remotely," he explained, "instead of having to backhaul my Internet traffic to the closest Threat Management Gateway, I could connect to a cloud node that maybe is right down the street from me in Dallas, rather than having to connect to the Forrester backhaul in Boston."

Microsoft is also dropping the name "Forefront" from its Forefront Online Protection for Exchange hosted solution, which is currently part of Office 365. With the next service update release, it will be called "Exchange Online Protection."

"Microsoft typically hasn't had the most robust capabilities from an e-mail side -- encryption and DLP [data loss prevention]," Holland said. "So, I know, going forward in the future that that is something they want to strengthen up. I know that it is a focus going forward that they want to enhance those capabilities."

Other hosted solutions that Microsoft will stop selling in December include Forefront Security for Office Communications and Forefront Protection 2010 for SharePoint. Replacement products weren't announced. However, Microsoft's blog announcing the changes indicated that some built-in protections would be available.

"For collaboration protection, SharePoint and Lync Servers will continue to offer the built-in security capabilities that many customers use to protect shared documents," the blog stated. Exchange Online Protection also will have basic built-in malware protection, according to Microsoft.

Gartner's "Magic Quadrant for Endpoint Protection Platforms" publication noted that Forefront Protection for SharePoint and Forefront Protection for Exchange Server don't share a common code base, despite the Forefront branding.

One company that's set to take up the slack following Microsoft's announcements is F5 Networks. In many cases, F5 is already providing solutions to Microsoft's TMG 2010 customers, according to Jeff Bellamy, director of business development at F5 Networks.

"We've had a solution for many years that actually handles all of the functionality that customers need for their publishing of SharePoint, Exchange, Lync and other Microsoft applications," Bellamy said. "Our communications out right now is really an effort to help answer customer questions about, 'What do I do next'."

F5 is a close Microsoft partner, but it plans to reach out to customers following Microsoft's announcement.

"Many, many customers have used complete F5 solutions rather than TMG and even back to the ISA days," Bellamy said. "Now that Microsoft has made an announcement that they are going to discontinue that product, we will be a little more proactive in putting out that message as an alternative."

F5's BIG-IP platform includes application optimization, security and a Web application firewall, Bellamy added. It's an application delivery controller appliance for all applications, which Bellamy described as a "strategic point of control." It also does things like caching and compression, he added.

The difference between TMG and an application delivery controller product is largely associated with the direction of the traffic, although it can be a gray area, according to Holland. TMG serves as a forward proxy: traffic is forwarded to the TMG for inspection. An example of a reverse proxy is an application delivery controller such as products from F5 or Citrix NetScaler, he explained. Under the reverse-proxy approach, traffic connects to the controller, which decides how to route it. Holland said that typically both approaches are used in IT environments.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
