What to Expect from the Next Generation of Secure Web Gateways

By on Jun 22, 2020

After more than a century of technological innovation since the first units rolled off Henry Ford’s assembly lines, automobiles, and transportation bear little in common with the Model T era. This evolution will continue as society finds better ways to achieve the outcome of moving people from point A to point B.

While Secure Web Gateways (SWGs) have operated on a far more compressed timetable, a similarly drastic evolution has taken place. SWGs are still largely focused on ensuring users are protected from unsafe or non-compliant corners of the internet, but the transition to a cloud and remote-working world has created new security challenges that the traditional SWG is no longer equipped to handle. It’s time for the next generation of SWGs that can empower users to thrive safely in an increasingly decentralized and dangerous world.

How We Got Here

The SWG actually started out as a URL filtering solution that enabled organizations to ensure that employees’ web browsing complied with corporate internet access policy.

URL filtering then transitioned to proxy servers sitting behind corporate firewalls. Since proxies terminate traffic coming from users and complete the connection to the desired websites, security experts quickly saw the potential to perform more thorough inspection than just comparing URLs to existing blacklists. By incorporating anti-virus and other security capabilities, the “Secure Web Gateway” became a critical part of modern security architectures. However, the traditional SWG could only play this role if it was the chokepoint for all internet traffic, sitting at the edge of every corporate network perimeter and having remote users “hairpin” back through that network via VPN or MPLS links.

Next-Generation SWG

The transition to a cloud and remote-working world has put new burdens on the traditional perimeter-based SWG. Users can now directly access IT infrastructure and connected resources from virtually any location from a variety of different devices, and many of those resources no longer reside within the network perimeter on corporate servers.

This remarkable transformation also expands the requirements for data and threat protection, leaving security teams to grapple with a number of new sophisticated threats and compliance challenges. Unfortunately, traditional SWGs haven’t been able to keep pace with this evolving threat landscape, resulting in an inefficient architecture that fails to deliver the potential of the distributed workforce.

Just about every major breach now involves sophisticated multi-level web components that can’t be stopped by a static engine. The traditional SWG approach has been to coordinate with other parts of the security infrastructure, including malware sandboxes. But as threats have become more advanced and complex, doing this has resulted in slowing down performance or letting threats get through. This is where Remote Browser Isolation (RBI) brings in a paradigm shift to advanced threat protection. When RBI is implemented as an integral component of SWG traffic inspection, it can deliver real-time, zero-day protection against ransomware, phishing attacks, and other advanced malware so that even the most sophisticated threats can’t get through, without hindering the browsing experience.

Another issue with most traditional SWGs is that they aren’t able to sufficiently protect data as it flows from distributed users to cloud apps, due to lacking advanced data protection and cloud app intelligence. Without Data Loss Prevention (DLP) technology that is advanced enough to understand the nature of cloud apps and to keep up with evolved safety demands, organizations can find data protection gaps in their SWG solutions that keep them vulnerable to risks.

Finally, there is the question of cloud applications. While cloud applications operate on the same internet as traditional websites, they function in a fundamentally different way that traditional SWGs simply can’t understand. Cloud Access Security Brokers (CASBs) are designed to provide visibility and control over cloud applications, and if the SWG doesn’t have access to a comprehensive CASB application database and sophisticated CASB controls, it is effectively blind to the cloud. It’s only a cloud-aware SWG with integrated CASB functionality that can extend data protection to all websites and cloud applications, empowering organizations and their users to be better protected against advanced threats.

What we need from Next-Gen SWGs

Fig. Next Generation Secure Web Gateway Capabilities

A next-gen SWG should help simplify the implementation of Secure Access Service Edge (SASE) architecture and help accelerate secure cloud adoption. At the same time, it needs to provide advanced threat protection, unified data control, and efficiently enable a remote and distributed workforce.

Here are some of the use cases:

  • Enable a remote workforce with a direct-to-cloud architecture that delivers 99.999% availability. As countries and states slowly came out of the shelter-in-place orders, many organizations indicated that supporting a remote and distributed workforce will likely be the new norm. Keeping remote workers productive, data secured, and endpoints protected can be overwhelming at times. A next-gen SWG should provide organizations with the scalability and security to support today’s remote workforce and distributed digital ecosystem. A cloud-native architecture helps ensure availability, lower latency, and maintain user productivity from wherever your team is working. A true cloud-grade service should offer five nines (99.999%) availability consistently.
  • Reduce administrative complexity and lower cost – Today, with increased cloud adoption, more than 80% of traffic is destined for the internet. Backhauling internet traffic to a traditional “Hub and Spoke” architecture which requires expensive MPLS links can be very costly. Network slows to a halt as traffics spikes, and VPN for remote workers have proven to be ineffective. A next-gen SWG should support the SASE framework and provide a direct-to-cloud architecture that lowers the total operating costs by reducing the need for expensive MPLS links. With a SaaS delivery model, next-gen SWGs remove the need to deploy and maintain hardware infrastructure reducing hardware and operating costs, while increasing performance, reliability, and scalability.
  • Lock down your data, not your business – More than 95% of companies today use cloud services, yet only 36% of companies can enforce DLP rules in the cloud at all. Additionally, most traditional SWGs are not able to sufficiently protect data as it flows from distributed users to cloud applications, due to the lack of advanced data protection and cloud app intelligence. A next-gen SWG should offer a more effective way to enforce protection with built-in Data Loss Prevention templates and in-line data protection workflows to prevent restricted data from flowing out of the organization. A device-to-cloud data protection offers comprehensive data visibility and consistent controls across endpoints, users, clouds, and networks. With built-in DLP technology, next-gen SWGs ensure organizations remain compliant with corporate security policies, as well as industry and government regulations.
  • Defend against known and unknown threats – As the web continues to grow and evolve, web-born malware attacks also grow and evolve, beyond the protection that traditional SWGs can provide. Ransomware, phishing, and other advanced web-based threats are putting users and endpoints at risk. A next-gen SWG should feature the most advanced integrated security controls, including global threat intelligence and sandboxing, so that even the most sophisticated threats can’t get through. A next-gen SWG with threat protection solutions that work together is able to ensure consistent policies, data protection, and visibility across isolated and non-isolated traffic. A next-gen SWG should also include integrated Remote Browser Isolation to prevent unknown threats from ever reaching the endpoints.

SWGs have clearly come a long way from just being URL filtering devices to the point where they are essential to furthering the safe and accelerated adoption of the cloud. But we need to push the proverbial envelope a lot further. Digital transformation demands nothing less.

 

About the Author

Sadik Al-Abdulla

As Vice President of Product Management, Sadik is responsible for McAfee’s product strategy, execution, and user experience for the Web, Network, and Hybrid product lines. Sadik is both a former engineer and security consultant, and a tenured business leader. He brings more than 20 years of experience serving customers with their most sophisticated security challenges. ...

Read more posts from Sadik Al-Abdulla

Categories: Cloud Security

Subscribe to McAfee Securing Tomorrow Blogs