How a secure web gateway fits the SASE triangle
Article by Bitglass product marketing manager Will Houcheime.
In today’s workforce, the enterprise attack surface is larger than ever before, with cloud apps, personal devices, on-premises resources, web destinations and more. As a result, organisations require a context-aware solution that can enforce policies wherever data goes.
Fortunately, a secure access service edge (SASE) provides organisations with just that. A perfect SASE triangle includes security for managed SaaS and IaaS, and the next essential piece: a secure web gateway (SWG) that secures the web and shadow IT.
How do SWGs work?
Originally, SWG architectures were made to secure web traffic initiated on-premises through a hardware appliance that decrypted and inspected traffic. These SWGs require the use of a virtual private network (VPN) so that remote users’ traffic can be filtered through the SWG appliance on-premises.
However, these appliances are costly to buy and manage, and VPNs harm the user experience by decreasing organisational efficiency. Additionally, scaling with these appliances is largely a reactive approach in which organisations are forced to rack and stack more or better boxes to add capacity.
Another approach is to deploy a cloud proxy SWG to bring down the high costs of appliances. Yet latency continues to be a factor with this approach because it requires a network hop to a cloud proxy each time a user is accessing the web. Additionally, it invades user privacy because all user traffic is inspected at the proxy, including login credentials.
This leaves a single option: an on-device secure web gateway in which traffic is decrypted and inspected directly on users’ devices and only security events are logged and uploaded to the cloud — preserving user privacy.
What’s more, latency is no longer a factor because there is no network hop to an appliance or cloud proxy. This approach allows employees to access the internet and use unmanaged apps while still enabling their employer to have full data and threat protection.
Users often waste time on websites that are unrelated to their responsibilities during work hours. Fortunately, certain vendors allow administrators to block unproductive websites to ensure that users are working on business-related tasks.
For example, during office hours, Amy, a sales representative, streams YouTube videos to catch up on news and her favourite TV shows. Pre-set policies automatically filter relevant URLs and shadow IT, allowing or blocking them for specific user groups, device types or geographical locations.
Content can be contextually controlled based on category (e.g. malware sites, gambling or streaming) from a simple drop-down menu.
Defending against threats
Defending against malware on the web is crucially important, given the high number of breaches caused by threats. Let’s say that Brian, a marketer, visits a certain website that doesn’t present any security risks during one of his breaks.
While scrolling, Brian finds an ad that captures his interest and clicks on it. At that point, there is an attempt to direct him to a new website that will infect his device with malware. Fortunately, a capable SWG provides full-strength threat protection to prevent access to these kinds of websites, as well as those used in phishing schemes.
Preventing leakage on the web
The web can easily serve as an avenue for data leakage. For example, employees accessing websites such as Yahoo.com can upload sensitive files and share them via their email accounts.
With a selected SWG in place, sensitive data patterns, such as credit card numbers or other forms of personally identifiable information, can be detected and protected automatically. Uploads to inappropriate web destinations can be blocked in real time.
Secure web gateways are indispensable tools for web security and are now integral parts of SASE platforms.