shutterstock_553333903-4.jpg

Secure Web Gateway Architectures

The success of a secure web gateway deployment is highly dependent on its architecture. There are three common architectural options: an appliance-based SWG, a backhaul cloud proxy SWG, and an on-device SWG. Architecture becomes a critical factor when comparing Secure Web Gateways. Additionally, the ideal SWG will be a part of a SASE platform and integrated with CASB technology

 

On Premise Secure Web Gateway and VPN

On-Premises Hardware

 

This option relies on on-premises hardware appliances for traffic decryption and inspection. Unfortunately, purchasing and maintaining appliances is not only expensive, but their fixed capacity cannot scale with organizations as they add more users or as their load profiles shift--customers are relegated to reactive upgrades and installing more appliances to increase capacity. Additionally, when users are off premises, they have to use VPNs to access the network before they can traverse the web. Not only does the latency degrade user experience, but there are countless examples of companies where VPNs failed because they couldn’t keep up with surges in the remote workforce.
Cloud Proxy Secure Web Gateway

Cloud Proxy

This option decrypts and inspects traffic via a proxy that is delivered through a cloud infrastructure; often designed as a private cloud deployment. It eliminates the use of costly appliances and removes the dependency on VPNs. However, this approach comes with its own set of challenges.

  • User traffic has to move to the cloud proxy before it can move on to its destination. This network hop causes noticeable latency that harms the user experience and impedes productivity.
  • Since all traffic is decrypted at the cloud proxy, sensitive personal information can be exposed and stored by the vendor.
  • It doesn’t eliminate the bottleneck problem. Many are still built on private clouds where the vendor must still “rack and stack” appliances as loads shift or surge. In many cases, vendors are unable to maintain pace.
Bitglass Secure Web Gateway

On-Device

 

By pushing decryption and inspection to the edge (to users’ devices themselves), an on-device architecture does not introduce network-based latency; it also forgoes the use of appliances and VPNs while eliminating the scale limitations of cloud proxies. This saves money, ensures enhanced performance, and provides far greater scalability without limiting user privacy. Additionally, on-device SWGs automatically manage the creation, storage, and revocation of certificates on each device. This prevents man-in-the-middle attacks and saves time for admins who would otherwise have to manage certificates manually.

Want to learn about Bitglass' SmartEdge Secure Web Gateway? 

Download the SmartEdge SWG Data Sheet below

 

Download Now