- A Secure Access Service Edge (SASE) Guide for Leaders - SASE Part 1
- ZTNA vs VPN: Securing Remote Work & Access - SASE Part 2
- How a Cloud Security Broker Reduces SaaS App Risks - SASE Part 4
- Data Exfiltration Prevention with SASE - Part 5
Remote work and rapid SaaS adoption have expanded the attack surface and opened security gaps in both data protection and user experience. It has become difficult for businesses to protect employees from threats when they access cloud applications or the internet, especially when they are disconnected from the VPN and left exposed.
Businesses often run multiple security point products, which increases the complexity of their security operations and leaves gaps between the products and the protection they are meant to provide. Instead, an integrated and agile security approach is needed to keep pace with evolving business demands and ever more complex environments. Simply put, these traditional security methods are no longer effective at detecting and responding to today's threats.
Previously, a web proxy sitting inside the corporate network, between the user's browser and the websites it requested, was enough to protect internet-facing enterprise devices from most threats. But with the explosion of internet and SaaS app use, remote work, and cyberattacks, more dynamic control was needed that did not degrade the user experience. Enter: Secure Web Gateway (SWG).
Continuing our dive into SASE, this article discusses how SWG security is essential to securing cloud resources effectively and reducing cyber risk across the attack surface.
What is Secure Web Gateway (SWG)?
SWG is one of the main components of the SASE architecture. According to Gartner, “it is a solution that filters unwanted software/malware from user-initiated web/internet traffic and enforces corporate and regulatory policy compliance.”
An SWG provides end-to-end application traffic management, data classification, and leak prevention for managed and unmanaged devices. By continuously assessing access flows and enforcing authenticated, policy-controlled access for all users and devices, it reduces the risks carried by web and internet traffic.
An SWG can be delivered on premises or from the cloud and generally includes essential capabilities such as URL filtering, application control, data loss prevention (DLP), antivirus (AV), and HTTPS inspection (decrypting TLS traffic so that the other controls can see inside it).
SWG benefits include:
- Detection and response to threats, including those hidden in encrypted traffic
- Better visibility into which apps users are accessing
- Ability to terminate or block risky traffic by acting as a control point
- Restricting non-essential or risky web sites/apps
- Restricting access to essential web-apps to specific users that need them
- Enforcing enterprise acceptable use policies
- Compliance with regulatory requirements
- Securing remote workers wherever, whenever
SWG & SASE
SWG typically runs independently of other security solutions. SASE brings together networking and network security services, including Zero Trust Network Access (ZTNA), SWG, and Cloud Access Security Broker (CASB), for holistic, unified, cloud-delivered protection.
How does it all work? It starts with knowing your users and environment. By deploying sensors and integrating directly with common SaaS apps such as Microsoft Office and Google Workspace, and with identity providers (Azure AD, Active Directory, Okta, etc.), a profile is built of each user and the environment. This profile, made up of user and application behavior, can determine the risk to the organization and suggest access control policies.
Traffic from ZTNA-connected users is then automatically forwarded through the SWG. Going further, CASB functionality lets you restrict not only which SaaS apps users can access, but also which functions they can perform within them. For example, a user may visit Twitter for research purposes but may not post a tweet. CASB functionality also gives organizations full profiles of the cloud apps in use and the risk each may introduce.
Furthermore, within the SASE architecture, ZTNA protects access to resources the organization owns, while SWG security blocks threats in web traffic to and from content the organization does not own. Together they cover the different ways users access resources, providing holistic protection and control.
Firewall vs SWG
A common question is what the difference is between a firewall and an SWG, since they seemingly perform similar tasks.
Traditional firewalls work at the network level only: they inspect incoming packets and allow or block them based on source and destination address, port, and protocol, or on a list of known-bad destinations (the "blocklist"). While this gives enterprises basic security, firewalls do not provide the visibility needed to monitor and report risky user behavior.
In comparison, SWG security operates at the application level: it inspects the content of web traffic, sets and enforces rules per user, and blocks or allows connections based on corporate policy. This is done with block lists or allow lists that specify permitted connections, keywords, or functions within specific applications. For example, if an organization sets a size limit on files uploaded to the internet, it can prevent data exfiltration beyond what is needed to complete day-to-day business. Such limits can be set system-wide or per user.
Next Generation Firewalls (NGFW) are the modern version of firewalls, running DLP, IPS, a VPN connector, and SWG as sub-applications. Larger enterprises often take a "build your own" approach instead, assembling these functions from different vendors to avoid high costs and reduce single points of failure through vendor diversity.
The challenge of operating an NGFW with all of these apps enabled is that overall performance can suffer. Carefully review the total throughput capacity with all required apps running before committing.
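To make the firewall-versus-SWG distinction concrete, here is an added example (not code from the original article or from any vendor's product) that evaluates the same outbound HTTPS requests two ways: first with a layer-3/4 firewall rule set that sees only destination network and port, then with an SWG-style application-layer policy that sees the decrypted request, including the user, URL category, HTTP method, and upload size. It covers both policy patterns described above: the CASB-style "browse but don't post" restriction and the per-user upload-size cap. Every user, host, IP address, URL category, and limit in it is constructed for the demo.

```python
"""Added example, not from the original article: the same outbound HTTPS
requests evaluated first by a layer-3/4 firewall rule set and then by an
SWG-style application-layer policy. All users, hosts, IP addresses, URL
categories and limits are constructed for the demo."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    user: str            # identity the SWG learns from the ZTNA client / IdP
    dst_ip: str          # what the firewall sees
    dst_port: int
    host: str            # fields below are visible only after HTTPS inspection
    method: str
    path: str
    content_length: int  # request body size in bytes (0 for GET)


# --- Firewall view: destination network and port only -------------------
FIREWALL_RULES = [(ipaddress.ip_network("203.0.113.0/24"), 443)]  # "the internet over HTTPS"


def firewall_decision(req: Request) -> str:
    """Every HTTPS flow to an allowed network looks identical at this layer:
    no URL, method or user is available to the rule."""
    ip = ipaddress.ip_address(req.dst_ip)
    return "allow" if any(ip in net and req.dst_port == port
                          for net, port in FIREWALL_RULES) else "deny"


# --- SWG view: URL category, user, HTTP method and upload size -----------
URL_CATEGORIES = {           # a real SWG takes these from a curated feed
    "social.example": "social-media",
    "fileshare.example": "file-sharing",
    "phish.example": "malicious",
    "crm.example": "business",
}
SWG_POLICY = {
    "malicious":    {"allow_methods": set()},                # always blocked
    "social-media": {"allow_methods": {"GET", "HEAD"}},      # read, don't post (CASB-style)
    "file-sharing": {"allow_methods": {"GET", "HEAD", "POST", "PUT"},
                     "max_upload_bytes": 10 * 1024 * 1024},  # 10 MiB upload cap
    "business":     {"allow_methods": {"GET", "HEAD", "POST", "PUT", "DELETE"}},
}
DEFAULT_RULE = {"allow_methods": {"GET", "HEAD", "POST"}}    # uncategorized sites
USER_OVERRIDES = {  # per-user exception: the social media lead may post
    "marketing-lead": {"social-media": {"allow_methods": {"GET", "HEAD", "POST"}}},
}
APP_ENTITLEMENTS = {"crm.example": {"sales-rep", "marketing-lead"}}  # who may use the app


def swg_decision(req: Request) -> tuple[str, str]:
    """Return (decision, reason) for a decrypted request."""
    host = req.host.lower()
    category = URL_CATEGORIES.get(host, "uncategorized")
    rule = dict(SWG_POLICY.get(category, DEFAULT_RULE))
    rule.update(USER_OVERRIDES.get(req.user, {}).get(category, {}))

    if category == "malicious":
        return "block", f"{host} is categorized as malicious"
    entitled = APP_ENTITLEMENTS.get(host)
    if entitled is not None and req.user not in entitled:
        return "block", f"{req.user} is not entitled to {host}"
    if req.method.upper() not in rule["allow_methods"]:
        return "block", f"{req.method} is not permitted on {category} sites"
    cap = rule.get("max_upload_bytes")
    if cap is not None and req.content_length > cap:
        return "block", f"{req.content_length}-byte upload exceeds the {cap}-byte cap"
    return "allow", f"{category}: {req.method} {host}{req.path}"


# Constructed traffic: every flow goes to 203.0.113.x:443, so the firewall
# cannot tell them apart; the SWG can.
SAMPLE_REQUESTS = [
    Request("alice", "203.0.113.10", 443, "social.example", "GET", "/search?q=sase", 0),
    Request("alice", "203.0.113.10", 443, "social.example", "POST", "/tweet", 280),
    Request("marketing-lead", "203.0.113.10", 443, "social.example", "POST", "/tweet", 280),
    Request("bob", "203.0.113.20", 443, "fileshare.example", "PUT", "/upload/dump.zip", 50 * 1024 * 1024),
    Request("bob", "203.0.113.30", 443, "phish.example", "GET", "/login", 0),
    Request("bob", "203.0.113.40", 443, "crm.example", "GET", "/accounts", 0),
    Request("sales-rep", "203.0.113.40", 443, "crm.example", "GET", "/accounts", 0),
]


def evaluate_all(requests=SAMPLE_REQUESTS) -> list[tuple[str, str, str]]:
    """Side-by-side decisions: (label, firewall decision, swg decision)."""
    return [(f"{r.user} {r.method} {r.host}{r.path}", firewall_decision(r), swg_decision(r)[0])
            for r in requests]


if __name__ == "__main__":
    for label, fw, swg in evaluate_all():
        print(f"{label:55} firewall={fw:5} swg={swg}")
```

The firewall allows all seven requests because they are indistinguishable 5-tuples; the SWG blocks the tweet from an unprivileged user, the oversized upload, the phishing site, and the CRM access by a user who is not entitled to it, while permitting the same tweet for the user with a per-user override. Note that the SWG only gets the host, path, method, and body size because HTTPS inspection has terminated the TLS session; without it the SWG would be reduced to the firewall's view.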
Tips for evaluating SASE technology
To maximize the benefits of SWG security solutions and the SASE architecture, here are the key considerations when choosing a modern secure web gateway provider:
Cloud delivery across hybrid and multi-cloud environments
More organizations are opting for cloud gateways instead of physical on-prem appliances. Since most organizations use more than one cloud, ensuring that the SWG solution operates effectively across hybrid- and multi-cloud environments is important and provides a solid foundation for your security architecture.
Threat intelligence quality
The power of SWG security comes from the quality of the threat intelligence feeding it. Many SWG components bundled with NGFWs operate on open-source lists, which are uncurated and often out of date, leading to many false positives and missed threats. Furthermore, removing old open-source lists and importing new ones is a time-consuming task for already over-burdened IT teams.
Look for a vendor with a strong record of global threat intelligence and an established, automated process to curate and update the threat feed data for its SWGs. The more collection points a vendor draws threat intelligence from, the more globally and regionally accurate the data will be, resulting in better protection and fewer false positives for security teams to chase down.
Look also for a vendor with in-house research teams around the globe dedicated to curating and updating these lists; this ensures real-time detections based on regionally nuanced, current information rather than stale, vague entries.
Performance, scalability, and availability
When the gateway runs in the cloud, performance depends on how close the user is to it. A vendor with many Points of Presence (PoP) is more likely to have a gateway near each user, giving a faster connection. And if network load increases, auto-scaling ensures performance is not impacted.
Platform approach to cybersecurity
Lastly, whether or not you decide to diversify your security stack, make sure you don't end up with disconnected point products. Look for a unified cybersecurity platform with broad third-party integration that provides high-resolution visibility and reporting across your attack surface. A platform with extended detection and response (XDR) capabilities gives you a single pane of glass for threat data, increasing effectiveness and reducing the costs of security administration.
Convergence is key to stronger security. While SWG security can run independently or as part of an NGFW, it is stronger when applied within a SASE architecture. Integrating SWG with ZTNA and CASB leads to more streamlined, powerful security across the attack surface.
For more information on SASE and cyber risk management, check out the following resources: