TECH CHOICES

March 29, 2004

Forrester Wave™: XML Security Gateways
A Question Of Exit Strategy
by Randy Heffner
with Ted Schadler and Carey E. Schwaber

EXECUTIVE SUMMARY
Growing Web services adoption is driving demand for secure Web services. XML security gateways offer
a quick-hit solution — perfect for high-priority projects operating on a tight schedule. But it is critical to
look at the early market in the broader context of application security architecture. Within three or four
years, XML security gateways will disappear into firewalls and identity management. In the meantime,
users can benefit from their integrated package of attack protection, trust enablement, and message
processing acceleration. Forum Systems and DataPower Technology hold a slight edge, but others have
unique value-add that may tip a buyer’s decision in their favor. Don’t be afraid to buy in, but start with a
clear understanding of your application security requirements and architecture.

TABLE OF CONTENTS

Serious Web Services Need Security Architecture
    XML Security Gateways Are A Fast-Path Solution
    It’s An Early Market For XML Security Gateways
A Quantitative Assessment Of XML Security Gateways
    Two Early Leaders Have A Slight Edge On The Pack . . .
    . . . But Every Vendor Has Some Unique Value-Add
Future View: What Is The Exit Strategy?
    XML Firewall And Gateway Packaging Will Split
    Identity And Firewall Vendors Split The Spoils
RECOMMENDATIONS
Take A Tactical Decision Stance
    Don’t Fear Less-Established Vendors
Have A Clear View Of Security Requirements
    For Heavy Application Security Requirements
    For Broadly Accessible External Web Services
    Remember Friendly Fire
Supplemental Material

NOTES & RESOURCES

Forrester interviewed 15 vendor and user companies, including: Aeroplan, AmberPoint,
Blue Titan Software, Entrust, Government of British Columbia, Oblix, and the seven XML
security gateway vendors included in the evaluation.

Related Research Documents

“Watch Out! X-Malware Is Real”
March 9, 2004, Quick Take
“Secure Web Services: Current and Future Architectures”
January 8, 2004, Planning Assumption
“Secure Web Services: Functional Design Priorities”
January 8, 2004, Planning Assumption
“Market Overview 2004: Web Services Solutions”
December 22, 2003, Planning Assumption
“Market Overview 2003: Application Security Architecture”
September 25, 2003, Planning Assumption

© 2004, Forrester Research, Inc. All rights reserved. Forrester, Forrester Oval Program, Forrester Wave, WholeView 2, Technographics, and
TechRankings are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. Forrester
clients may make one attributed copy or slide of each figure contained herein. Additional reproduction is strictly prohibited. For additional
reproduction rights and usage information, go to www.forrester.com. Information is based on best available resources. Opinions reflect
judgment at the time and are subject to change. To purchase reprints of this document, please email reprints@forrester.com.

SERIOUS WEB SERVICES NEED SECURITY ARCHITECTURE


Application developers building new Web services too often approach security with
a limited mindset focused on their immediate requirements rather than on the broader
context of application security architecture (see Figure 1).[1] But these new Web services
applications are really only creating a new access channel. After all, the underlying business
services will also be accessed via Web applications, rich-client applications, interactive
voice response systems, mobile applications, and any number of other interaction channels.
That means that IT should secure the Web services channel within a broader security
context to achieve:

· Unified, consistent access policy for business services. Inconsistencies can easily
arise when access policy for Web services is managed separately from access policy
for other channels. This is especially troublesome when a given user base accesses the
same underlying services through a variety of interaction channels.

· Stronger access control for business services. A separate secure Web services
architecture may not integrate well with the security features of the underlying
application platform on which services run. This may require that the underlying
application platforms run business services in a relatively open access mode, relying
entirely on the secure Web services layer for its security, while also having a separate
security architecture for every other access channel.

· Better planning for evolving security solutions. Even if cost or product maturity
issues drive tactical compromises on access policy management or access control,
planning current implementations within a broad application security architecture
enables today’s product and design decisions to evolve more cleanly into a future
strategic security architecture.

XML Security Gateways Are A Fast-Path Solution


But Web services are a new access channel with a new set of technologies that require new
solutions focused on securing XML messages and Web services endpoints. New vendors
have stepped into this vacuum with dedicated products that Forrester calls XML security
gateways. Ranging in cost from $30,000 to $55,000, these products provide:

· Attack protection. XML-based applications are vulnerable to attacks based on
message rates (such as a flood of messages in a denial of service attack), message flow
(such as a message replay attack), and X-Malware (malicious or malformed XML
messages).[2] Attack protection features inspect incoming messages for these attacks and
reject messages or block message senders. The term “XML firewall” applies only to
these features, not to the rest of an XML security gateway’s features.


Figure 1 Understanding Application Security Architecture Solutions

1-1 Application security architecture solution space

[Diagram: layers labeled Application security firewalls and gateways; Access infrastructure
and SSO; Enterprise application security integration; Application platform A; Code security;
Application platform B; Security libraries and frameworks]

1-2 Application security architecture -- major market segments

Market segment: Access infrastructure and single sign-on
Description: Ensures that an incoming request does not get to an application unless it is
an authorized request from an authenticated user
Sample vendors: Application platforms: BEA Systems, IBM, Microsoft. Web SSO: CA, Entrust,
Netegrity, Novell, Oblix, RSA Security

Market segment: Application firewalls and security gateways
Description: Prevents malformed or malicious requests from reaching the application; may
also serve as access infrastructure
Sample vendors: Web application firewalls: KaVaDo, NetContinuum, Sanctum, Teros. XML
security gateways: DataPower, Forum, Layer 7, Reactivity, Sarvega, Vordel, Westbridge

Market segment: Enterprise application security integration
Description: Brokers security functions across diverse application security technologies
(e.g., between Java and Microsoft platforms)
Sample vendors: BEA Systems, Quadrasis

Market segment: Code security
Description: Tools and technologies to either identify application vulnerabilities or to
make an application more difficult to compromise
Sample vendors: Aspose, Cenzic, eEye, Foundstone, KaVaDo, Nessus (open source), Parasoft,
PreEmptive Solutions, Sanctum, SPI Dynamics

Market segment: Libraries and frameworks
Description: For application-level implementation of various customized security features
and capabilities
Sample vendors: Certicom, Entrust, Phaos Technology, RSA Security

Source: Forrester Research, Inc.


· Trust enablement. If one describes attack protection as “keeping the bad guys out,”
then trust enablement is “letting the good guys in.” Authentication of the requester’s
identity is first, then authorization of the request. Other major trust features are
administration, audit/logging, and security integration.

· Cryptographic and XML acceleration. Cryptography is a major element of
XML and Web services security, and it is a heavy processing load to place on an
application server. XML security gateways reduce the load in two ways. First, they
provide an adjunct processor to remove the load from the server.[3] Second, they
may include cryptographic hardware to reduce processing time. Similar arguments
go for acceleration of XML processing such as Extensible Stylesheet Language
Transformations (XSLT) transforms and evaluation of XPath expressions.
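
The three attack classes named under "Attack protection" above (message rate, message replay, and X-Malware) can be screened in one pass, as in this added example, which is not from the report or from any vendor's product. The limits, the `Gateway` and `inspect_xml` names, the use of a `MessageID` header element as the replay key, and the sample message are all assumptions made for illustration.

```python
import time
import xml.parsers.expat
from collections import defaultdict, deque

# Illustrative limits (assumptions, not values from the report).
MAX_BYTES, MAX_DEPTH, MAX_ELEMENTS = 64 * 1024, 32, 5000
RATE_LIMIT, RATE_WINDOW = 5, 1.0   # messages per sender per window (seconds)
REPLAY_TTL = 300.0                 # seconds a message ID is remembered


class Rejected(Exception):
    """Raised with a short reason when a message fails a check."""


def inspect_xml(payload: bytes) -> str:
    """X-Malware screen: bound size, depth and element count, refuse DOCTYPE
    (the carrier for entity-expansion payloads), and return the MessageID."""
    if len(payload) > MAX_BYTES:
        raise Rejected("oversized message")
    state = {"depth": 0, "elements": 0, "in_id": False, "id": []}

    def start(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > MAX_DEPTH:
            raise Rejected("nesting too deep")
        if state["elements"] > MAX_ELEMENTS:
            raise Rejected("too many elements")
        # Compare the local name so any namespace prefix is accepted.
        state["in_id"] = name.rsplit(":", 1)[-1] == "MessageID"

    def end(name):
        state["depth"] -= 1
        state["in_id"] = False

    def chars(data):
        if state["in_id"]:
            state["id"].append(data)

    def doctype(name, sysid, pubid, has_internal_subset):
        raise Rejected("DOCTYPE not allowed")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.StartDoctypeDeclHandler = doctype
    try:
        parser.Parse(payload, True)   # streaming parse: no tree is built
    except xml.parsers.expat.ExpatError as exc:
        raise Rejected(f"malformed XML: {exc}") from None
    message_id = "".join(state["id"]).strip()
    if not message_id:
        raise Rejected("missing MessageID")
    return message_id


class Gateway:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.arrivals = defaultdict(deque)  # sender -> recent arrival times
        self.seen = {}                      # message ID -> expiry time

    def check(self, sender: str, payload: bytes) -> str:
        now = self.clock()
        # 1. Message rate: sliding window, applied before any parsing so a
        #    flood of malformed messages also counts against the sender.
        window = self.arrivals[sender]
        while window and now - window[0] >= RATE_WINDOW:
            window.popleft()
        if len(window) >= RATE_LIMIT:
            raise Rejected("rate limit exceeded")
        window.append(now)
        # 2. X-Malware: structural checks on the XML itself.
        message_id = inspect_xml(payload)
        # 3. Message flow: refuse an ID already seen within REPLAY_TTL.
        #    Assumes the ID is integrity-protected by a signature verified
        #    elsewhere; an unsigned ID can simply be changed by the sender.
        for mid in [m for m, expiry in self.seen.items() if expiry <= now]:
            del self.seen[mid]
        if message_id in self.seen:
            raise Rejected("replayed message")
        self.seen[message_id] = now + REPLAY_TTL
        return message_id

    def verdict(self, sender: str, payload: bytes) -> str:
        try:
            self.check(sender, payload)
            return "accept"
        except Rejected as why:
            return str(why)


# Constructed sample message (not captured traffic).
SAMPLE = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"'
          b' xmlns:wsa="urn:example:addressing"><soap:Header>'
          b'<wsa:MessageID>uuid:constructed-0001</wsa:MessageID></soap:Header>'
          b'<soap:Body><getQuote/></soap:Body></soap:Envelope>')

if __name__ == "__main__":
    gw = Gateway()
    for label, msg in [("first", SAMPLE), ("again", SAMPLE),
                       ("deep", b"<a>" * 40 + b"</a>" * 40)]:
        print(label, "->", gw.verdict("partner-a", msg))
```

The rate check runs first because it is the cheapest, and the replay cache is shared across senders so a captured message is refused even when resubmitted from a different source.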

XML gateways can integrate to varying degrees with existing security infrastructure, but
they can also be deployed in a standalone mode, providing a relatively simple drop-in
solution (see Figure 2). Thus, with the right planning and product selection, you can get up
and running quickly with a standalone deployment, and over time integrate more deeply
with your application security architecture.

It’s An Early Market For XML Security Gateways


The market for XML security gateways is only now starting to build momentum. So, even
though deployment of an XML security gateway can be either tactical or strategic (that is,
standalone or integrated), any purchase of an XML gateway must be viewed as a tactical
decision. This is clear when you consider that:

· There are no big players. All of the vendors are startups and few have more than
a handful of paying customers. Each has a particular product focus, all are rapidly
expanding their product’s features and functions, and it is not yet clear which features
buyers will consider most important. Some vendors are showing early product or
market strengths, but this could change quickly as the market develops.

· The market segment itself is not well established. As a market segment, XML
security gateways will face future questions as to their relationship to several other
product categories — portions of their functionality and deployment modes overlap
with or are similar to Web application firewalls, network firewalls, Web services
management, Web single sign-on (SSO), and application platforms. There are
already vendor moves that blur the lines of these segments, and much more change
is yet to come.


Figure 2 XML Security Gateway Deployment: Standalone Versus Integrated

[Diagram with two panels. Standalone: Web service client; standalone XML security gateway;
users; policy; protected Web service. Integrated: Web service client; integrated XML
security gateway; security context; existing users; existing policy; protected Web service.]

Source: Forrester Research, Inc.

A QUANTITATIVE ASSESSMENT OF XML SECURITY GATEWAYS


Forrester evaluated the seven major players in the XML security gateway space using the
Forrester Wave™ methodology (see Figure 3).[4]

Two Early Leaders Have A Slight Edge On The Pack . . .


Although no vendor has an across-the-board lead on current offering, future strategy, and
market presence, Forum Systems and DataPower Technology have a slight lead over the
others. Both claim to have more than 15 customers for their gateways, which qualifies as a
lot in this market. Other ways in which they distinguish themselves include:

· Forum Systems has the best product packaging strategy. While some gateways are
offered in appliance and software-only form factors, Forum adds a third form factor,
PCI card, and it packages its XML firewall as a separate product, XWall, from its XML
security gateway, Sentry. Both support acceleration, and the two can be delivered
together in an integrated package.[5] Forum also has a third product, Presidio, an
Open Pretty Good Privacy (OpenPGP) security gateway. Multiple products and form
factors provide flexibility for user deployment and for Forum’s adaptation to future
market changes. In addition, Forum has competitive functionality across most of our
evaluation criteria.


· DataPower has strong integration for security and management. Although
DataPower has only an appliance form factor, it has invested heavily to integrate
its gateway with existing infrastructure. For security integration, DataPower’s XS40
can delegate authentication and authorization decisions to Web SSO and identity
management products like Netegrity SiteMinder, Tivoli Access Manager, and Sun
Identity Server. It has full APIs for custom integration and an SNMP implementation
that is complete with standard and DataPower-specific management information
bases (MIBs). It also integrates with upstream devices, such as load balancers, to block
malicious traffic before it even gets to the gateway. All of this adds up to the strongest
overall current feature set.

. . . But Every Vendor Has Some Unique Value-Add


XML security gateway vendors are showing their creativity in the breadth of features and
functions that they are implementing. This gives you the opportunity to find a product that
closely matches the specific requirements of your environment and applications. Since the
market will be evolving rapidly in the next two to three years, there is a large risk that any
purchase will soon be obsolete, so you may well have to change products no matter what
you buy. The major ways in which the other gateway vendors distinguish themselves are:

· Westbridge Technology balances attack protection, trust, and management.
Westbridge’s XML Message Server has one of the strongest current offerings in terms
of all-around balanced feature-function. In addition to strong attack protection
and comprehensive trust enablement features, Westbridge has basic Web services
management (WSM) capabilities, which may prevent having to buy a separate WSM
product. Other highlights include highly flexible logging, strong decision delegation,
software-only and appliance form factors, the ability to define multiple views over a
single underlying service (“service views” as Westbridge calls them), and a plug-in for
secure Web services access from Microsoft Excel. Service views and the Excel plug-in
are features unique to Westbridge.

· Vordel understands deep application security integration. VordelSecure features
an agent-based architecture and agent API that enables deep security integration
between the gateway and Web services endpoints. For sensitive services or when a
service is accessed through multiple channels, it is not acceptable to leave security
entirely up to a front-end gateway — the application platform underlying the service
must know the requestor’s identity and perform its own authorization checks. Using
Vordel’s agent API, you can more easily maintain a continuous security context
between your Web services channel and the native security of your underlying
application platform. Vordel focuses more heavily on trust enablement but provides
basic attack protection as well.


Figure 3 Forrester Wave™: XML Security Gateways, Q1 ‘04

The spreadsheet detailing this Forrester Wave™ is available online.

[Chart: vendors plotted by current offering (weak to strong) against strategy (weak to
strong), with market presence indicated; bands labeled Risky Bets, Contenders, Strong
Performers, and Leaders. Vendors shown: Reactivity, DataPower Technology, Westbridge
Technology, Forum Systems, Sarvega, Vordel, Layer 7 Technologies.]

Source: Forrester Research, Inc.

· Sarvega has strong features and a strong commitment to standards. Sarvega is
among the vendors most willing to implement standards early and to make firm
statements about the emerging standards it will support. It is currently shipping early
implementations of WS-Addressing and WS-Routing, and it is committed to future
implementation of Kerberos, XML Key Management Specification (XKMS), and
Liberty Web Services Framework, as well as WS-Policy, WS-SecurityPolicy, and the
rest of the IBM-Microsoft WS-Security road map. Sarvega’s XML Guardian Security
Gateway provides message transformation and routing, complete APIs for custom
integration, cluster-aware configuration, and prebuilt management integration with
Unicenter and Tivoli. Future releases will strengthen Sarvega’s decision delegation and
credential propagation features.


· Reactivity has the best attack protection. Reactivity’s design has focused heavily on
attack protection: its XML Firewall features multiple ways to detect a denial
of service attack, and it can automatically update attack processing logic. Reactivity’s
integration of Tarari’s XML acceleration hardware will likely be the first to make it
to market in an XML security gateway. Other notable strengths include authorization,
administration tools, and flexible, secure logging. Future releases will include a
software development kit for custom product extensions and decision delegation
to Web SSO and identity management products.

· Layer 7 Technologies excels for end-to-end integration scenarios. One of the
challenges of secure Web services is that the client and server must be configured to
use the same security connection policies. The emerging WS-Policy standard will
provide a protocol for negotiating connection parameters, but even then both sides
must support a common set of connection capabilities and policies. Layer 7’s trust
enablement features support a broader vision around secure end-to-end integration,
so it tackles this problem head-on. SecureSpan provides a client-side agent that
communicates with the gateway to maintain consistent connection policy. This
provides strong trust for situations where you have influence over both ends of an
integration connection. As the most recent vendor to enter the market, Layer 7 is
still early in its product development.

FUTURE VIEW: WHAT IS THE EXIT STRATEGY?


For venture-funded startup companies, the question for venture capitalists is always,
“What will be our exit strategy?” VCs want to know how they will extract the financial
value the company has built. For the XML security gateway space, the question goes
beyond a VC’s financial view to reflect a critical question about the future of the market
segment itself. Because of overlapping and similar features and deployment models
between XML gateways and other market segments, and because each new infrastructure
device adds complexity to the data center environment, XML security vendors are wise
to ask, “What will be our exit strategy as the XML security gateway market dissolves into
other segments?”

XML Firewall And Gateway Packaging Will Split


The three major functions of XML gateways, attack protection, trust enablement, and
acceleration, are all important functions that require XML-specific product functionality.
This makes it a sure thing that these functions will remain. It also argues that the intellectual
property being created by the gateway vendors has real market value over the long term.
But it doesn’t mean that XML gateway vendors’ current go-to-market product packaging of
these functions is the right one for the long term.


Within three or four years, the XML security gateway market will not exist in its current
form. The current overriding need for a quick solution to secure Web services will give way
to longer-term demands for integrated application security architecture and infrastructure.
As IT seeks security unification and infrastructure simplification, the attack and trust
functions of XML gateways will be pulled apart. From the user side, this will happen
because:

· Trust features have affinity with users and applications. Trust requires knowing
users’ identities and must be closely integrated with application policy. To achieve
unified identity and trust management across all users and application access channels,
XML trust enablement functions must be closely integrated with identity management
and application platforms.

· Attack protection features have affinity with infrastructure. Attack protection
is anonymous by its very nature, and it is best handled before a malicious request
reaches an application. Thus, it is natural for XML attack protection capabilities to be
integrated with network and infrastructure security.

Therefore, as users pursue integration and unification, they will move to pull XML security
into their existing architectures for application-level and infrastructure-level security,
rather than segregating XML security into its own separate top-to-bottom domain.

Identity And Firewall Vendors Split The Spoils


From the vendor side, the same forces are at work because:

· Firewall vendors are looking for new territory. Attack protection has long been the
domain of network firewall and intrusion detection vendors — XML presents a new
opportunity for them, as it does for Web application firewall vendors. Not that it is
simple for them to take on X-Malware protection — XML attack checking is notably
different from their traditional strengths — but network firewalls are already reaching
up to the application layer, Web application firewalls are already reaching into XML,
and more is yet to come.

· Identity and application platforms need deep trust features. Web SSO vendors long
ago extended their authentication and authorization architectures to go beyond
protecting HTTP requests to integrate deeply with J2EE application servers — XML
presents enticing new territory for them, as exemplified by Netegrity’s
TransactionMinder and Oblix’s recent purchase of Confluent. Java and Microsoft
application platforms are already providing early implementations of secure Web
services standards to extend their built-in trust features to cover XML.


· Acceleration will be available everywhere. Although cryptography acceleration
and XML acceleration vendors are not about to encroach on XML gateway vendors’
territory, they are happy to enable their chips to be deployed into as many different
devices as possible. This lessens the value of a separate XML security device because,
wherever XML and cryptographic processing occur, a chip will be available to
accelerate it.

Viewing the XML security gateway segment from the split between attack protection and
trust enablement functions, the potential future alignments among market segments
become clearer. XML security gateway vendors split into two groups of acquisition targets
(see Figure 4):

· Firewall acquisition targets. Vendors with a strong focus on attack protection
become interesting targets for acquisition by network firewall vendors or merger with
Web application firewall vendors. In this category are Forum Systems, DataPower,
Reactivity, Sarvega, and Westbridge.

· Identity management acquisition targets. Vendors with a heavy focus on security
integration and core trust features become interesting targets for identity management
vendors. In this category are DataPower, Forum Systems, Layer 7, Vordel, and
Westbridge.

Westbridge, as the vendor that has pursued the greatest amount of functionality beyond
secure Web services (such as WSM and its service views), may find additional market
opportunities.

Figure 4 Identity Management And Firewall Vendors Split The XML Security Spoils

[Diagram: XML security gateway vendors placed between firewall vendors (strong on attack
protection) and identity management vendors (strong on trust enablement). Vendors shown:
DataPower, Reactivity, Vordel, Forum Systems, Sarvega, Layer 7, Westbridge.]

Source: Forrester Research, Inc.


RECOMMENDATIONS

TAKE A TACTICAL DECISION STANCE


Any purchase of an XML security gateway should be viewed as a tactical step. Forrester
recommends a 12-month payback target (or 24-month at most). The coming churn in the
market segment will sideline some vendors and find others refactoring their products
and integrating them with other product types. In any case, there is a strong possibility
that the vendor’s direction and your future needs will diverge, and you don’t want to get
caught having to toss a solution out before it has paid for itself.

Don’t Fear Less-Established Vendors


Although Forum Systems and DataPower Technology have a slight lead, none of the
vendors are beyond the high-risk startup stage — so any decision is to go with a
less-established vendor. Considering the above recommendation to stay tactical, you
are more likely to pay for a solution quickly if it has a strong match with your unique
requirements. If your vendor fails in a year, a migration to another vendor will have some
pain to it, but by then other vendors are likely to have implemented the special features
that drove you to your first vendor.

HAVE A CLEAR VIEW OF SECURITY REQUIREMENTS


Secure Web services is only one part of the complete security requirements of your
applications. Slapping an XML security gateway product in front of an application will
not ensure adequate or appropriate application security. Your current and future plans
for your Web services and your applications will have a major impact on your XML
security gateway decision.

For Heavy Application Security Requirements


The accountability requirements and sensitivity of the underlying services drive the
depth of application security architecture you should implement. In addition, it is
important to consider whether the services will be accessible only through Web services
or through other channels as well. High sensitivity, stringent accountability requirements,
and multichannel access all drive the need for an application platform’s native security
to be operative, so that it can closely and consistently control application security. If
the application platform’s security is supplanted by a drop-in XML gateway solution, it
is more difficult to construct a clean audit trail and enforce policy consistently across
multiple channels. If you have heavy security requirements:

· You’ll have to map XML security contexts to native security contexts. To allow
your application platform’s native security to be operative, the security token from
an incoming message must be mapped to native security contexts (for example,
mapping an X.509 certificate to an EJB session context). This may require custom
integration work.
· Consider XML security gateways with strong security integration. Vordel has
the best feature set for deep application platform integration, but even it does not
provide a complete solution. DataPower, Forum Systems, and Reactivity all have
strong credential mapping features that may help as well, although you will have to
write all of your own agent code.

For Broadly Accessible External Web Services


External Web services are more risky because of the open exposure to potential attackers.
If your external services are exposed to a small set of partners, you can likely exchange
digital certificates with all your partners and use bidirectional SSL authentication as part
of your security strategy. This will prevent unknown attackers from even establishing a
connection (unless, of course, an attacker gets a hold of one of your partners’ certificates
and private keys, which is certainly a possibility). If certificate management presents too
high a cost barrier or if you will have publicly accessible Web services, you:

· Must provide strong X-Malware protection. If attackers can establish connections,
they can experiment with any type of X-Malware to see what damage they can do.
· Should favor XML security gateways with strong attack protection. DataPower,
Reactivity, and Westbridge are top of the list here.

Remember Friendly Fire


Even if your Web services are accessible only by internal users and highly trusted
partners, remember that:

· Many attacks come from the inside. Unless Web service requests flow only over
isolated network segments accessible only within a secure data center — and really
even then, too — you should assume that they will come under attack, especially
if they perform high-value transactions. An interesting deployment scenario that
may apply here is to use an XML gateway on both the client and server sides of a
connection.
· An unintentional attack is still an attack. Applications don’t always format
messages properly. Application developers don’t always anticipate the side effects of
their design decisions. The higher the criticality of the service, the more valuable it is to
have strong security for it.


SUPPLEMENTAL MATERIAL
Online Resource
Figure 3 is backed by an online spreadsheet that includes seven scorecards, each with
about 40 data points. Readers can use the spreadsheet in their own decision process by:
1) customizing the weightings for personal results; 2) trimming the vendors down to a
shortlist; 3) sharing the results with other team members; and 4) using the criteria set
in RFPs.
Methodology
Forrester conducted this research by starting with creation of Forrester Wave evaluation
criteria for XML security gateways, followed by vendor interviews and documentation
of each vendor’s standing against the criteria. Every vendor was given at least two
opportunities to perform fact checks — reviews of their own evaluation. Users of XML
security gateways were interviewed to supplement and validate assessments.
Companies Interviewed For This Document

Actional
Aeroplan
AmberPoint
Blue Titan Software
DataPower Technology
Entrust
Forum Systems
Layer 7 Technologies
Ministry of Attorney General, Government of British Columbia
Oblix
Reactivity
Sarvega
Teros
Vordel
Westbridge Technology


ENDNOTES
[1] There are five major market segments that provide portions of a comprehensive application
security architecture. See the September 25, 2003, Planning Assumption “Market Overview 2003:
Application Security Architecture.” Of these five segments, XML security gateways provide both
firewall and access control capabilities, and they also provide ties to EASI. See the June 22, 2001
Planning Assumption “Giga’s Model for Enterprise Application Security Integration.”

[2] Forrester defines X-Malware as any XML payload that is constructed (intentionally or not) to
confuse XML infrastructure into bypassing security or disrupting processing. See the March 9,
2004, Quick Take “Watch Out! X-Malware Is Real.”

[3] Note that confidentiality or data integrity requirements may dictate that a message be encrypted
through its entire path from client application to server application, so offloading of cryptographic
processing is not always the right answer.

[4] When Forrester evaluates and ranks the major players in a market, we create a Forrester Wave. It
is a research graphic built on an open methodology and a straightforward algorithm that exposes
vendor scores, key attributes, and weightings in an interactive spreadsheet.

[5] It is the integrated package assessed in the scorecards accompanying this report.
