Secure Web Gateway (SWG) Security – SASE Part 3

How does it all work? First, it starts out with knowing your users and environment. By deploying sensors and integrating with common SaaS apps directly such as Microsoft Office, Google Workspace and many Identity Providers (Azure AD, Active Directory, Okta, etc.), a profile is built around the user and environment. This profile, made up of user and application behavior, can determine risk to the organization and suggest access control policies.

Traffic from the ZTNA is then automatically forwarded over a SWG. Going further, CASB functionality allows you to not only restrict access to the SaaS app, but also the functions they can perform within the app. For example, they may visit Twitter for research purposes but may not post a tweet. The CASB functionality also gives the organizations full profiles regarding the Cloud Apps and what risk they may introduce.

Furthermore, within the SASE architecture, ZTNA protects organizationally owned resource access, while SWG security block threats from inbound and outbound web traffic and content not owned by the organization. This completes the coverage for the different ways that users access various resources, providing holistic protection and control.

Firewall vs SWG

A common question is what is the different between a firewall and a SWG since they seemingly perform similar tasks.

Firewalls inspect the incoming data packets and compare it against a signature of known threats (the “blocklist”) at the network level only. While this helps enterprises ensure basic security, firewalls don’t provide the visibility needed for monitoring and reporting risky user behavior.

In comparison, SWG security operates at the application level, where they inspect traffic, set and enforce rules for users, and can block or allow connections based on corporate policies. This is done by block lists or allow lists that specify connections and keywords or functionality within specific applications. For example, if an organization sets a file size limit on internet file uploads, this could help to prevent data exfiltration beyond what’s needed to complete day-to-day business. Such limitations can be set at a system-wide or user-by-user level.

Next Generation Firewalls (NGFW) are the modern version of firewalls, which run DLP, IPS, VPN connector, and SWG as sub-apps. Larger enterprises often take the “build your own” NGFW approach to avoid high costs and reduce single points of failure through vendor diversity

The challenge with operating a NGFW with all the apps running is overall performance can suffer. Careful review of the total throughput capacity with all the required apps running is essential.

Tips for evaluating SASE technology

To maximize the benefits of SWG security solutions and the SASE architecture, here are key considerations when choosing your modern secure web gateway provider:

Deployment strategy
More organizations are opting for cloud gateways instead of physical on-prem appliances. Since most organizations use more than one cloud, ensuring that the SWG solution operates effectively across hybrid- and multi-cloud environments is important and provides a solid foundation for your security architecture.

Threat feeds
The power of SWG security comes from the quality of threat intelligence that’s feeding it. Many SWG components with NGFW will operate on open-source lists, which are non-curated and oftentimes not up to date, which leads to many false positives. Furthermore, removing and importing new open-source lists is a time-consuming task for already over-burdened IT teams.

Look for a vendor with a strong record of global threat intelligence and an established, automated process to curate and update threat feed data for SWGs. The more collection points a vendor can obtain threat intelligence from, the more globally and regionally accurate the data will be, resulting in better protection and less false positives for security teams to chase down.

Furthermore, looking for a vendor with in-house research teams across the globe dedicated to curating and updating lists ensures real-time threat detections based on regionally nuanced and updated information, instead of stale, vague entries.

Performance, scalability, and availability
When operating in the cloud, the performance is only as good as the closeness to the gateway. If a vendor has broad availability through multiple Points of Presence (POP), it increases the likelihood a cloud gateway will be close to the user, enabling a faster connection. Furthermore, if the network load increases, auto-scale capabilities will ensure performance will not be impacted.

Platform approach to cybersecurity
Lastly, whether you decide to diversify your security stack or not, make sure you don’t end up with disconnected point products. Look for a unified cybersecurity platform with broad third-party integration that provides high-resolution visibility and reporting capabilities across your attack surface. A platform with extended detection and response (XDR) capabilities enables a single-pane-of-glass to threat data, increasing effectiveness and reducing costs associated with security administration.

Next steps

Convergence is key for stronger security. While SWG security can run independently or part of a NGFW, it’s stronger when applied to a SASE architecture. Integrating SWG with ZTNA and CASB leads to more streamlined, powerful security across the attack surface.

For more information on SASE and cyber risk management, check out the following resources:

Read More HERE