Building a Firewall for the Facebook Generation
For the past 15 years or so, security pros have relied on the trusty firewall and other hardware to keep bad guys from running amok on corporate networks. For the most part this has meant blocking tainted e-mails and keeping workers away from harmful websites. The latest wave of Web services—Skype, Google Docs, WebEx, Salesforce, etc.—has introduced fresh problems. They can make workers more productive, but they also transfer files, store data, and allow remote computer access in ways that can’t be easily patrolled by the standard sentinels, most of which were developed before these services even existed. Many companies either hope for the best or block the services they can’t control.
Nir Zuk has another option. He’s a veteran of the traditional firewall and security industry who struck out on his own six years ago to create a product for today’s Web. The company he founded, Palo Alto Networks, sells a next-generation firewall that makes modern Web services safe for the workplace and gives companies precise control over how their employees can use them. Instead of the all-or-nothing approach, a company with a Palo Alto Networks box can let workers access, say, the updates on a social network, but not click on links or share sensitive information. “Our customers don’t want to block Facebook,” Zuk says. “They want to use it, but they also want some control.”
As interest in Web-based software has surged, so too have Palo Alto’s sales. The company has hopped from one office to ever bigger ones since its birth at Zuk’s Palo Alto house in 2005. This year the company moved into a giant new headquarters in nearby Santa Clara. The building includes a showroom where specialized data center machines, costing $5,000 to $140,000 each, sit under spotlights. A year ago, Palo Alto claimed 1,000 customers; today it has 4,500, including Qualcomm, the city of Seattle, and EBay. Sales will exceed $200 million this year, according to Zuk, who adds that the company is gearing up for an initial public offering in the not-too-distant future.
Zuk, 40, says Palo Alto Networks owes much of its success to modern computing habits, which require more sophistication than what’s provided by traditional security products. Older firewalls are designed to monitor one-way traffic. E-mails and data from websites pour in, and the security products look for suspicious patterns; for the most part, they treat all websites the same. Yet threats can snake their way through a network in various ways: A worker might go to Facebook, click on a nefarious link, and download a virus. Soon enough, he’s using software from enterprise cloud computing company Salesforce.com to upload now-infected sales data files and send them to colleagues. “Most security groups used to focus on blocking apps like Skype or GoToMyPC but now are often required to allow them to be used,” says John Pescatore, an analyst at the research firm Gartner. “That’s why firewalls needed to evolve.”
Palo Alto gives each Web service its own signature. This means that Palo Alto’s systems know when employees are using Skype or Salesforce.com, and have a general idea of what they’re doing there. Customers can set policies for how an application is used so that, for example, all employees can view Google Docs files, but only some can actually create new ones.
Keeping track of all the traffic flowing through a corporate network requires a lot of computing horsepower, and part of Palo Alto’s secret sauce is a homegrown chip that chews through data quickly. A Palo Alto system can even peer into encrypted traffic: It’s fast enough to decrypt packets of information, check whether they’re safe, and then pass them on to the employee who requested them, all without much lag.
Norm Fjeldheim, the chief information officer at chipmaker Qualcomm, says the Palo Alto systems he bought replaced not just firewalls but also things such as intrusion detection hardware and other types of security systems. “They are doing the work that was done by multiple things in the past,” says Fjeldheim. “They watch over everything.” Qualcomm now gives its employees access to a variety of Web services—something workers had been demanding—while regulating how they’re used. “We have detected lots of attacks that we would otherwise not be able to see,” Fjeldheim says.
Before founding Palo Alto, Zuk spent years working on security at companies such as Check Point Software Technologies and Juniper Networks. “I tried to fix these problems at my previous employers,” Zuk says. “But they would not let me.” He broke off on his own and spent 18 months writing the initial code for Palo Alto Networks, which has raised a total of $65 million to date. In August, Palo Alto lured Mark D. McLaughlin away from his role as CEO of VeriSign to run the young company and prepare it for an IPO. “I don’t think we’ve ever seen an enterprise technology company grow as quickly,” says Jim Goetz, a partner at venture capital firm and Palo Alto Networks investor Sequoia Capital.
Many competitors—and former Zuk employers—have started selling rival products. Juniper credits Palo Alto with pioneering the market for these types of products but plans on using its market heft and engineering expertise to outflank the upstart. The company plans to counter threats by gathering “even more intelligence for the type of device someone is using, their location and any other information you can pull in,” says Karim Toubba, vice-president of security strategy and product marketing at Juniper. Gartner estimates that by the end of 2014, about 60 percent of firewall-type purchases will be for these next-generation products. Zuk says his engineers, a who’s who of security pros, will help the company stay ahead. “Nir is bombastic at times and guilty of dropping the F-bomb and all that,” says Goetz. “But I think the incumbents underestimated his ambition and the ability to build this kind of team.”