As defined by Gartner, “Secure Web gateway solutions protect Web-surfing PCs from infection and enforce company policies. A secure Web gateway is a solution that filters unwanted software/malware from user-initiated Web/Internet traffic and enforces corporate and regulatory policy compliance. These gateways must, at a minimum, include URL filtering, malicious-code detection and filtering, and application controls for popular Web-based applications, such as instant messaging (IM) and Skype. Native or integrated data leak prevention is also increasingly included.”
A secure web gateway inspects web traffic in real-time, analyzing content against corporate policies and ensuring any content that is inappropriate or which contravenes company policy is blocked. The majority of secure web gateway solutions allow administrators to enforce common security policy templates straight off the shelf and also configure policies that are suited to their business model or compliance requirements.
As users navigate the web, they may access inappropriate content or unproductive websites that distract them from their job duties. SWGs provide granular controls, filtering web destinations by user group, device, and location. Content can also be controlled based on category (e.g. malware sites, gambling, pornography, racism, and dozens more) as well as by risk scores that may be available for a website.
The web is filled with malicious threats that can compromise the security of any enterprise. SWG increasingly incorporates zero-day threat protection for malware sites, anonymizers, phishing sites, and command-and-control destinations.
Remote Browser Isolation
Browser isolation separates browsing activity from endpoint hardware. When a user accesses a web page or web application, the content and apps are executed on a remote browser that then renders the web page or web app to the user. Because no execution occurs on the endpoint and no active content is downloaded, it puts a distance between malware and an infected device. Typically, remote browser isolation is a policy-based option deployed as part of a broader set of policy actions.
Data Loss Prevention
The web is a convenient avenue for users to steal or unknowingly expose sensitive data. SWGs will typically include data pattern-based filters to identify. When users attempt to upload sensitive files to unmanaged apps such as personal email or social media, SWGs can automatically block the upload in real time.
Technical Briefs and Data Sheets
Blogs and Glass Class
Data Loss Prevention
Two trends have driven a change how SWGs are deployed and architected:
One approach is to use cloud proxies. This option decrypts and inspects traffic via a proxy that is delivered through a cloud infrastructure; often designed as a private cloud deployment. It eliminates the use of costly appliances and removes the dependency on VPNs. However, this approach still creates an extra hop that creates latency and often becomes its own bottleneck.
The second approach places the SWG functionality onto the end device. On-device SWGs decrypt and inspects traffic locally on each device, forgoing the need for on-premises appliances, VPNs, network hops, and cloud proxies. This approach ensures enhanced performance, scalability, cost savings, and user experience. Some implementations serve as certificate authority and provides secure key management on each endpoint to prevent man-in-the-middle attacks.