The hybrid world of work and the relentless speed of digital transformation have made securing cloud resources and closing security gaps an ongoing challenge. It has become difficult for businesses to protect their employees from threats when accessing cloud applications or the internet, especially when they're disconnected from the VPN and exposed to inherent internet risks.
Businesses often run multiple security point products, which increases the complexity of their security operations and leaves gaps between products, and therefore in protection. Instead, an integrated and agile security approach is needed to keep up with evolving business demands and ever more complex environments. Simply put, the traditional patchwork of point products is no longer effective for detecting and responding to today's threats.
Previously, a web proxy sitting inside the corporate network, between the user's browser and the websites it reached, was enough to protect enterprise devices from most internet-borne threats. But with the explosion of internet and SaaS app use, remote work, and cyberattacks, more dynamic control was needed that didn't degrade the user experience. Enter: Secure Web Gateway (SWG).
Continuing our dive into SASE, this article discusses how SWG security helps secure cloud resources and reduce cyber risk across the attack surface, and the role a zero trust strategy can play.
What is Secure Web Gateway (SWG)?
SWG is one of the main components of the SASE architecture. According to Gartner, “it is a solution that filters unwanted software/malware from user-initiated web/internet traffic and enforces corporate and regulatory policy compliance.”
An SWG provides end-to-end web and application traffic management, data classification, and leak prevention for both managed and unmanaged devices. By continuously assessing access flows and authenticating and controlling access for every user and device, it reduces the risks that come with web and internet traffic.
An SWG can be delivered on-premises or in the cloud and generally includes essential capabilities such as URL filtering, application control, data loss prevention (DLP), anti-malware, and HTTPS inspection (decrypting TLS traffic so that the other controls can see its content).
SWG benefits include:
- Detection and response to threats, including encrypted traffic threats
- Better visibility into apps that users are accessing
- Ability to terminate or block risky traffic by acting as a control point
- Restricting non-essential or risky web sites/apps
- Restricting access to essential web-apps to specific users that need them
- Enforcing enterprise acceptable use policies
- Compliance with regulatory requirements
- Securing remote workers wherever, whenever
SWG and SASE
SWG typically runs independently of other security solutions. SASE brings together networking and network security services, including Zero Trust Network Access (ZTNA), SWG, and Cloud Access Security Broker (CASB), for holistic, unified, cloud-delivered protection.
SASE architecture
How does it all work? It starts with knowing your users and environment. By deploying sensors and integrating directly with common SaaS apps such as Microsoft 365 and Google Workspace™, and with identity providers (including Microsoft Azure AD, Microsoft Active Directory, and Okta), a profile is built around each user and the environment. This profile, made up of user and application behavior, indicates the risk to the organization and can suggest access control policies.
Traffic from ZTNA is then forwarded through the SWG. Going further, CASB functionality lets you restrict not only which SaaS apps users can reach but also which functions they can perform within them. For example, a user may browse Twitter for research purposes but be blocked from posting a tweet. CASB functionality also gives the organization a full risk profile of each cloud app in use.
Within the SASE architecture, ZTNA protects access to organizationally owned resources, while SWG security blocks threats in web traffic to and from content the organization does not own. Together they cover the different ways users reach resources, providing holistic protection and control.
Firewall vs SWG
A common question is what the difference is between a firewall and an SWG, since they seemingly perform similar tasks.
Traditional firewalls operate at the network and transport layers: they allow or deny packets based on source and destination addresses, ports, protocols, and lists of known-bad addresses (the "blocklist"), without looking into application content. This gives enterprises basic security, but firewalls don't provide the user- and application-level visibility needed to monitor and report on risky user behavior.
In comparison, SWG security operates at the application layer: it inspects the traffic itself, sets and enforces rules per user, and blocks or allows connections based on corporate policy. This is done with block lists and allow lists that cover destinations as well as keywords or specific functions within an application. For example, a limit on the size of files uploaded to the internet helps prevent data exfiltration beyond what day-to-day business requires. Such limits can be set system-wide or per user.
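The policy logic described in the CASB passage above (browse an app but not post to it) and in this paragraph (destination lists, per-user rules, an upload size ceiling) comes down to ordered rule evaluation over each HTTP request. The following is an added example, not code from the article or from any vendor's product: a minimal SWG/CASB-style evaluator. Every user, hostname, path, rule and limit in it is a constructed assumption, including the use of "twitter.com" write methods to model "may not post a tweet".

```python
"""Added example, not from the original article: a minimal SWG/CASB-style
policy evaluator for HTTP requests.  Users, hostnames, paths, rules, limits
and the sample requests are constructed for illustration only."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Request:
    user: str
    method: str
    host: str
    path: str
    content_length: int = 0   # bytes of request body the client is uploading


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "block"
    host: str = "*"                      # "example.com" also covers its subdomains
    methods: frozenset = frozenset()     # empty = any HTTP method
    path: str = "*"                      # glob matched against the URL path
    users: frozenset = frozenset()       # empty = applies to every user
    reason: str = ""


def host_matches(host: str, pattern: str) -> bool:
    """Exact match or subdomain match; '*' matches any host."""
    return pattern == "*" or host == pattern or host.endswith("." + pattern)


@dataclass
class Policy:
    rules: list                          # evaluated in order, first match wins
    blocked_hosts: set                   # URL-filtering / threat-feed denylist
    max_upload_bytes: int                # system-wide upload ceiling
    user_upload_bytes: dict = field(default_factory=dict)  # per-user overrides

    def upload_limit(self, user: str) -> int:
        return self.user_upload_bytes.get(user, self.max_upload_bytes)

    def evaluate(self, req: Request):
        host = req.host.lower().rstrip(".")
        # 1. Denylist first: an allow rule must never override a known-bad host.
        if any(host_matches(host, bad) for bad in self.blocked_hosts):
            return "block", f"{host} is on the denylist"
        # 2. Upload ceiling (DLP-style exfiltration control): per-user, else global.
        limit = self.upload_limit(req.user)
        if req.method in ("POST", "PUT", "PATCH") and req.content_length > limit:
            return "block", f"upload of {req.content_length} bytes exceeds {limit}"
        # 3. Application rules: first match wins (CASB-style function control).
        for r in self.rules:
            if r.users and req.user not in r.users:
                continue
            if r.methods and req.method not in r.methods:
                continue
            if host_matches(host, r.host) and fnmatchcase(req.path, r.path):
                return r.action, r.reason
        # 4. Nothing matched: default deny.
        return "block", "no matching rule (default deny)"


WRITE = frozenset({"POST", "PUT", "PATCH", "DELETE"})

# Constructed policy.  The two twitter.com rules model "may browse, may not post":
# writes to any twitter.com host are blocked before the general allow applies.
POLICY = Policy(
    rules=[
        Rule("block", host="twitter.com", methods=WRITE, reason="social media is read-only"),
        Rule("allow", host="twitter.com", reason="research browsing"),
        Rule("allow", host="hr-portal.example", users=frozenset({"alice"}), reason="HR staff"),
        Rule("block", host="hr-portal.example", reason="restricted internal app"),
        Rule("allow", reason="general browsing"),
    ],
    blocked_hosts={"malware-drop.example", "phish-login.example"},
    max_upload_bytes=10_000_000,                    # system-wide: 10 MB
    user_upload_bytes={"contractor": 1_000_000},    # per-user override: 1 MB
)


def decide(user, method, host, path, content_length=0):
    """Evaluate one request against POLICY; returns (action, reason)."""
    return POLICY.evaluate(Request(user, method, host, path, content_length))


if __name__ == "__main__":
    for args in [("alice", "GET", "twitter.com", "/search?q=sase"),
                 ("alice", "POST", "api.twitter.com", "/compose/tweet", 300),
                 ("bob", "GET", "cdn.malware-drop.example", "/payload.bin"),
                 ("bob", "GET", "hr-portal.example", "/"),
                 ("contractor", "POST", "files.example", "/upload", 2_000_000)]:
        print(args, "->", decide(*args))
```

Two design points matter in practice: the denylist and the upload ceiling are checked before any allow rule so that a broad "general browsing" entry cannot accidentally re-enable a known-bad destination or an oversized upload, and the final fall-through is a block, so deleting the catch-all allow fails closed rather than open.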
Next-generation firewalls (NGFW) are the modern version of the firewall, running DLP, IPS, a VPN connector, and SWG as sub-apps on one appliance. Larger enterprises often take a "build your own" approach to NGFW instead, combining products from several vendors to avoid high costs and to reduce single points of failure through vendor diversity.
The challenge with operating an NGFW with all of those apps enabled is that overall performance can suffer, since each one adds inspection work per connection. Before committing, carefully review the total throughput with all the required apps running, not the vendor's headline figure measured with them off.
Tips for evaluating SASE technology
To maximize the benefits of SWG security solutions and the SASE architecture, here are key considerations when choosing your modern secure web gateway provider:
Zero trust capabilities
Zero trust is a security model in which no device or user, including those inside the network perimeter, is trusted by default; each must be verified before being granted access to resources.
SASE and zero trust work together to secure and optimize network connections for users and devices, because zero trust authenticates and authorizes each access to a resource on the principle of "never trust, always verify." The combination gives a more comprehensive and secure network architecture that protects against both external and internal threats.
Deployment strategy
More organizations are opting for cloud gateways instead of physical on-premises appliances. Since most organizations use more than one cloud, ensuring that the SWG solution operates effectively across hybrid- and multi-cloud environments is important and provides a solid foundation for your security architecture.
Threat feeds
The power of SWG security comes from the quality of the threat intelligence feeding it. Many SWG components bundled with an NGFW operate on open-source lists that are uncurated and often out of date, which leads to many false positives. Removing old lists and importing new ones is also a time-consuming task for already overburdened IT teams.
Look for a vendor with a strong record of global threat intelligence and an established, automated process to curate and update threat feed data for SWGs. The more collection points a vendor draws threat intelligence from, the more globally and regionally accurate the data will be, resulting in better protection and fewer false positives for security teams to chase down.
Look also for a vendor with in-house research teams across the globe dedicated to curating and updating these lists; that yields timely detections based on regionally nuanced, current information instead of stale, vague entries.
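The feed hygiene the preceding paragraphs describe (stale entries, uncurated lists, the manual chore of swapping them) can be automated before anything reaches the SWG denylist. The following is an added example, not code from the article or from any vendor: it merges two constructed domain feeds, normalizes indicators that arrive as URLs or with mixed case and trailing dots, ages out entries not seen within a window, suppresses entries that collide with a known-good allowlist (a common false-positive source), and records how many independent sources corroborate each domain. Feed contents, dates, domains, the allowlist and the 90-day window are all assumptions.

```python
"""Added example, not from the original article: curating domain-indicator feeds
before loading them into an SWG denylist.  Feeds, dates and the allowlist are
constructed for illustration."""
from datetime import date, timedelta
from urllib.parse import urlsplit

# Constructed feeds, one "indicator,last_seen" per line.  Mixed case, a trailing
# dot, a URL-shaped entry, a comment and a very stale entry are deliberate.
FEED_A = """\
# community feed: domain,last_seen (ISO date)
Phish-Login.example,2024-05-02
malware-drop.example.,2024-04-30
cdn.shared-hosting.example,2022-01-15
"""
FEED_B = """\
http://malware-drop.example/payload.bin,2024-05-01
evil.tracker.example,2024-03-01
UPDATES.vendor.example,2024-05-03
not a domain,2024-05-03
"""
# Known-good destinations (constructed): a feed hit here is a probable false
# positive that would block legitimate traffic, so it is dropped for review.
ALLOWLIST = {"updates.vendor.example"}


def normalize_domain(indicator: str):
    """Reduce a raw entry (domain, URL, or host:port) to a lowercase hostname,
    or None if nothing usable remains."""
    s = indicator.strip()
    if not s or s.startswith("#"):
        return None
    if "://" in s:
        s = urlsplit(s).hostname or ""
    s = s.split("/")[0].split(":")[0].lower().rstrip(".")
    if "." not in s or " " in s:
        return None
    return s


def parse_feed(text: str, source: str):
    """Return [(domain, last_seen, source)] for each well-formed line."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        raw, _, seen = line.partition(",")
        domain = normalize_domain(raw)
        try:
            last_seen = date.fromisoformat(seen.strip())
        except ValueError:
            continue   # no usable date: skip rather than load an entry that never expires
        if domain:
            out.append((domain, last_seen, source))
    return out


def curate(entries, allowlist, today, max_age_days=90):
    """Merge entries into {domain: {"last_seen", "sources"}}, dropping stale
    indicators and anything on the allowlist.  Returns (kept, dropped)."""
    merged = {}
    for domain, last_seen, source in entries:
        rec = merged.setdefault(domain, {"last_seen": last_seen, "sources": set()})
        rec["last_seen"] = max(rec["last_seen"], last_seen)   # newest sighting wins
        rec["sources"].add(source)                            # corroboration count
    cutoff = today - timedelta(days=max_age_days)
    kept, dropped = {}, {}
    for domain, rec in merged.items():
        if domain in allowlist:
            dropped[domain] = "on allowlist (probable false positive)"
        elif rec["last_seen"] < cutoff:
            dropped[domain] = f"stale: last seen {rec['last_seen']}"
        else:
            kept[domain] = rec
    return kept, dropped


def build_denylist(today=date(2024, 5, 5)):
    """Assemble the denylist from both constructed feeds as of `today`."""
    entries = parse_feed(FEED_A, "feed-a") + parse_feed(FEED_B, "feed-b")
    return curate(entries, ALLOWLIST, today)


if __name__ == "__main__":
    kept, dropped = build_denylist()
    for d, rec in sorted(kept.items()):
        print(f"BLOCK {d:32} last_seen={rec['last_seen']} sources={sorted(rec['sources'])}")
    for d, why in sorted(dropped.items()):
        print(f"SKIP  {d:32} {why}")
```

The `sources` count is what lets a team act on the article's point about collection points: a domain seen by several independent feeds can be blocked outright, while a single-source hit can be routed to alert-only until it is corroborated. Dropped entries should go to a review queue rather than silently disappearing, since an allowlist collision is occasionally a real compromise of a trusted domain.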
Performance, scalability, and availability
When the gateway runs in the cloud, performance depends on how close the user is to it. A vendor with many points of presence (POPs) is more likely to have a gateway near each user, which means lower latency. And if network load increases, auto-scaling keeps performance from degrading.
Platform approach to cybersecurity
Lastly, whether or not you decide to diversify your security stack, make sure you don't end up with disconnected point products. Look for a cybersecurity platform with broad third-party integration that provides high-resolution visibility and reporting across your attack surface. A platform with extended detection and response (XDR) capabilities offers a single-pane-of-glass view of threat data, increasing effectiveness and reducing the cost of security administration.
Next steps
Convergence is key to stronger security. While SWG security can run independently or as part of an NGFW, it's stronger when applied within a SASE architecture in combination with a zero trust strategy. Integrating SWG with ZTNA and CASB leads to more streamlined, powerful security across the attack surface.