Secure Web Gateway Defined and Explored

While Secure Web Gateway (SWG) is undergoing a rapid evolution. As users conduct their day-to-day activities directly with the Internet, SWGs have evolved to become a core component to securing users. 

Against this backdrop, secure web gateways have evolved how they offer protection against online security threats by enforcing company security policies and filtering malicious internet traffic in real time. At a minimum, a secure web gateway offers URL filtering, application controls for web applications and the detection and filtering of malicious code. Data leak prevention features are also essential. Leading SWGs are parts of SASE platforms where they are integrated with technology like cloud access security brokers (CASBs) for consistent, comprehensive protection. 


Secure Web Gateway Defined

As defined by Gartner, “Secure Web gateway solutions protect Web-surfing PCs from infection and enforce company policies. A secure Web gateway filters unwanted malware from user-initiated Internet traffic and enforces corporate and regulatory policy compliance. These gateways must, at a minimum, include URL filtering, malicious-code detection and filtering, and application controls for popular Web-based applications, such as instant messaging (IM) and Skype. Native or integrated data leak prevention is also increasingly included.

Secure Web Gateways Requirements

A secure web gateway inspects web traffic in real-time, analyzing content against corporate policies and ensuring any content that is inappropriate or which contravenes company policy is blocked. The majority of secure web gateway solutions allow administrators to enforce common security policy templates straight off the shelf and also configure policies that are suited to their business model or compliance requirements.

Content Filtering

As users navigate the web, they may access inappropriate content or unproductive websites that distract them from their job duties. SWGs provide granular controls, filtering web destinations by user group, device, and location. Content can also be controlled based on category (e.g. malware sites, gambling, pornography, racism, and dozens more) as well as by risk scores that may be available for a website.

Threat Protection 

The web is filled with malicious threats that can compromise the security of any enterprise. SWG increasingly incorporates zero-day threat protection for malware sites, anonymizers, phishing sites, and command-and-control destinations.  

Remote Browser Isolation

Browser isolation separates browsing activity from endpoint hardware. When a user accesses a web page or web application, the content and apps are executed on a remote browser that then renders the web page or web app to the user. Because no execution occurs on the endpoint and no active content is downloaded, it puts a distance between malware and an infected device. Typically, remote browser isolation is a policy-based option deployed as part of a broader set of policy actions.

Data Loss Prevention

The web is a convenient avenue for users to steal or unknowingly expose sensitive data. SWGs will typically include data pattern-based filters to identify. When users attempt to upload sensitive files to unmanaged apps such as personal email or social media, SWGs can automatically block the upload in real time. 

Appliance Architectures

Two trends are chaning how SWGs are deployed and architected:

  • Enterprises are rearchitecting their WANs so that web traffic from remote offices flows directly to the Internet instead of backhauling over expensive links; 
  • Increasingly remote and mobile users that operate outside of traditional perimeters

One approach is to use cloud proxies. This option decrypts and inspects traffic via a proxy that is delivered through a cloud infrastructure; often designed as a private cloud deployment. It eliminates the use of costly appliances and removes the dependency on VPNs. However, this approach still creates an extra hop that creates latency and often becomes its own bottleneck.

The second approach places the SWG functionality onto the end device. On-device SWGs decrypt and inspects traffic locally on each device, forgoing the need for on-premises appliances, VPNs, network hops, and cloud proxies. This approach ensures enhanced performance, scalability, cost savings, and user experience. Some implementations serve as certificate authority and provides secure key management on each endpoint to prevent man-in-the-middle attacks.

Cloud-Delivered Architecture

Only when underlying architectures are cloud based can SASE offerings be called true cloud security platforms that scale to firms’ needs.

  • SASE solutions that use hardware appliances or private clouds fail to scale and perform
  • Platforms deployed in the public cloud exhibit the highest uptime and performance
  • Cloud-based architectures scale to your needs proactively rather than reactively
  • The worldwide public cloud enables security and usability anywhere in the world

Comparing Secure Web Gateways: Time for a Reboot at the Edge