The success of a secure web gateway deployment is highly dependent on its architecture. There are three common architectural options: an appliance-based SWG, a backhaul cloud proxy SWG, and an on-device SWG.
On-Premises Hardware
This option relies on on-premises hardware appliances for traffic decryption and inspection. Unfortunately, purchasing and maintaining appliances is not only expensive, but their fixed capacity cannot scale with organizations as they add more users or as their load profiles shift--customers are relegated to reactive upgrades and installing more appliances to increase capacity. Additionally, when users are off premises, they have to use VPNs to access the network before they can traverse the web. Not only does the latency degrade user experience, but there are countless examples of companies where VPNs failed because they couldn’t keep up with surges in the remote workforce.
Cloud Proxy
This option decrypts and inspects traffic via a proxy that is delivered through a cloud infrastructure; often designed as a private cloud deployment. It eliminates the use of costly appliances and removes the dependency on VPNs. However, this approach comes with its own set of challenges.
User traffic has to move to the cloud proxy before it can move on to its destination. This network hop causes noticeable latency that harms the user experience and impedes productivity.
Since all traffic is decrypted at the cloud proxy, sensitive personal information can be exposed and stored by the vendor.
It doesn’t eliminate the bottleneck problem. Many are still built on private clouds where the vendor must still “rack and stack” appliances as loads shift or surge. In many cases, vendors are unable to maintain pace.
On-Device
By pushing decryption and inspection to the edge (to users’ devices themselves), an on-device architecture does not introduce network-based latency; it also forgoes the use of appliances and VPNs while eliminating the scale limitations of cloud proxies. This saves money, ensures enhanced performance, and provides far greater scalability without limiting user privacy.
