Beyond SWGs (Part 1): Cybersecurity in the Cloud

Enterprises have long relied on secure web gateway (SWG) appliances to enforce acceptable use policies and protect staff and their endpoints from malware. In recent years, however, the SWG market has struggled to cope with the cybersecurity issues that cloud computing and mobility are stirring up in the IT environment. For SWGs, the world is getting complicated.

Clear and Present Danger
Most malware these days is web-borne. Some varieties spread slowly, like Ebola in a village. Others race through communities like an autumn flu. Open a link, or just watch a video – you really don’t know whether the content is clean or malware-tainted. As individual security pros, many of us have learned we can never be sure our computers aren’t infected, and therefore may see two-factor authentication as our best hope.

But great authentication isn’t enough to protect an enterprise from a compromised employee endpoint: a second factor proves who is at the keyboard, and does nothing to stop malware already on that endpoint from riding the authenticated session. Enterprises need BOTH defense in depth and good frontline security for their endpoints. SWGs are supposed to protect endpoints from infection and enforce company policies by filtering user-initiated browser sessions. But many SWGs have been falling down on the job and letting too much advanced malware through.

As a result, many enterprises have been forced to deploy special “sandboxing” appliances as a gap filler for SWGs (and email security gateways). Sandboxing appliances became so popular in 2013 that the market leader – FireEye – saw its IPO take in $303.5 million at a valuation of more than $2.3 billion, and the company’s growth shows no sign of slowing yet. Multiple SWG vendors are racing to deploy their own sandboxes, and new pure-play sandbox vendors such as Cyphort continue entering the market.

Not Your Father’s SWGs
In recent years, “web” traffic has expanded beyond simple browsing to include applications on additional ports, applications tunneling within HTTP, and extensive staff use of cloud computing services for work. In addition, the browser used to access the organization’s data and do its work may not reside on a corporate device at all, but on an employee-owned (BYOD) device.

Meanwhile, malware authors continue their arms race, weaponizing zero-day exploits and playing hide-and-seek with security vendors amid fast-flux botnets or on compromised legitimate sites. You may call them “advanced persistent threats” (APTs) if you like, but telling the critics after a breach that “an APT ate my homework” won’t cut it. Regulatory pressure to protect personally identifiable information (PII) and other secrets or services is growing.

An on-premises SWG that enforces acceptable use and checks for malware using static URL lists and signatures won’t cut it either. Web security has become a more complex cybersecurity problem. Enterprises must protect their employees from malware, and their data and services from compromised employee devices. This requires more dynamic, advanced detection mechanisms, authentication, data leakage prevention (DLP) and mobile support, to name just a few.

Gartner describes the requirements for a modern SWG in its “Magic Quadrant for Secure Web Gateways.” You can find a free MQ reprint at this link (registration required). And you may also be able to check out a related report I wrote while still at Gartner called “Selecting and Deploying Secure Web Gateway Solutions” which goes into some more depth. Just search for it or ask me in the comments if you want that link.

SWGs in the Cloud
Gartner’s latest MQ says that “77% of SWG implementations were on-premises and 23% were cloud-based. Comparing these values to those from 2012 (86% on-premises and 14% cloud) indicates that cloud-based services are growing more quickly than on-premises appliances.”

Architecturally, cloud-based and on-premises SWGs have both similarities and differences. What is the same is that every proxy, wherever it is hosted, needs feeds from cloud-based threat intelligence and reputation systems. What differs is whether the gateways (the proxies themselves) and the systems that manage them sit on premises or in the cloud. The table below compares the architectural advantages of each proxy deployment location.

Cloud-Based Proxy                         On-Premises Proxy
----------------------------------------  ----------------------------------
Scalability                               Large site(s) co-location
Global distribution                       Hands-on control
Proxy co-located with intelligence feeds

The more geographically distributed the enterprise, the more favorable the cloud-based proxy alternative. With on-premises proxies, an enterprise with many sites would have to either acquire many physical proxy appliances or backhaul web traffic to a proxy at a distant site before the traffic can go out to the Internet. A globally distributed cloud proxy, on the other hand, suits enterprises that want to send small-site and mobile users to a nearby point of presence, and as cloud-based web security services become more distributed they are better able to support mobile users. Finally, some customers prefer to buy services on a pay-as-you-go basis from cloud service providers (CSPs). Among the vendors in the SWG category, Zscaler was the first to deploy a global cloud-based proxy fabric.

The advantages of on-premises gateways accrue primarily to enterprises with large sites and/or extensive private networks that can be served by a few very high-capacity proxy appliances. Another advantage some IT security departments value is hands-on control of the proxy infrastructure. Among other things, hands-on control may be seen as a plus for privacy and confidentiality, because the proxy is an aggregation point where many streams of web traffic are collected, decrypted if necessary, analyzed and (in some cases) logged without full anonymization.

Hybrid Solutions

No cloud-vs-premises discussion would be complete without noting the “hybrid” alternative, which some of the major SWG vendors support. Hybrid SWGs let customers deploy cloud-based and on-premises proxies wherever each works best, for example an onsite gateway for the large site and the vendor’s cloud-based proxies for the smaller sites’ traffic. The trick is to select an offering that enables centralized policy management despite the diversity of proxy formats.
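The routing half of such a hybrid deployment (the large-site versus small-site and mobile split described above) is usually expressed as a proxy auto-config (PAC) policy handed to the browsers. The following is an added example, not code from this post or from any SWG vendor; the headquarters subnet 10.1.0.0/16, the internal DNS suffix .corp.example, and the proxy hostnames and ports are all assumed for illustration. A real PAC file gets isInNet(), myIpAddress(), isPlainHostName() and dnsDomainIs() from the browser; they are re-implemented here only so the file runs stand-alone under Node.

```javascript
// Hybrid SWG routing policy in proxy auto-config (PAC) style.
// Headquarters clients use the on-premises proxy appliance; branch and
// remote clients go to the vendor's cloud proxy fabric; internal hosts
// bypass the proxy entirely. All hostnames, addresses and ports below are
// assumed for this example, not taken from any vendor's documentation.

const HQ_NET = "10.1.0.0";                // assumed headquarters LAN
const HQ_MASK = "255.255.0.0";
const INTERNAL_DOMAIN = ".corp.example";  // assumed internal DNS suffix

// Two proxies per path so the browser can fail over between them.
// Deliberately no trailing "; DIRECT": if every proxy is unreachable,
// external browsing fails closed instead of silently bypassing filtering.
const ON_PREM_PROXY =
  "PROXY swg-hq.corp.example:8080; PROXY swg-hq2.corp.example:8080";
const CLOUD_PROXY =
  "PROXY gateway.cloud-swg.example:80; PROXY gateway.cloud-swg.example:443";

// ---- stand-ins for builtins the browser's PAC runtime normally supplies ----
// Delete this section in a production PAC file and keep only FindProxyForURL().
let simulatedClientIp = "10.1.5.20"; // what myIpAddress() reports

function myIpAddress() {
  return simulatedClientIp;
}

// Dotted-quad string to unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

function isInNet(ip, net, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// ---- the policy itself ------------------------------------------------------
function FindProxyForURL(url, host) {
  // Internal names never leave the network, so no gateway is involved.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  // Large site: keep traffic on the local appliance rather than sending
  // it out to the cloud fabric and back.
  if (isInNet(myIpAddress(), HQ_NET, HQ_MASK)) {
    return ON_PREM_PROXY;
  }
  // Small sites and mobile users: nearest cloud point of presence,
  // no backhaul to headquarters.
  return CLOUD_PROXY;
}

// Exercise the policy as seen from a given client address.
function routeFor(clientIp, url, host) {
  simulatedClientIp = clientIp;
  return FindProxyForURL(url, host);
}

console.log(routeFor("10.1.5.20", "https://www.example.com/", "www.example.com"));
console.log(routeFor("203.0.113.7", "https://www.example.com/", "www.example.com"));
console.log(routeFor("203.0.113.7", "http://intranet.corp.example/", "intranet.corp.example"));
```

Two points worth checking in any real deployment: first, a PAC file only chooses the path, so the acceptable use and malware policy must be pushed identically to the appliance and to the cloud proxies, which is exactly the centralized-management requirement above; second, the common habit of ending every rule with "; DIRECT" turns a proxy outage into a silent bypass of all filtering, so decide explicitly whether external traffic should fail open or closed.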

Websense was the first vendor to build a hybrid SWG solution. Most of the other vendors are somewhere in the process of getting to hybrid, but some are struggling, both because the deployment is more complex and because (in some cases) they need to integrate a more recently acquired cloud-based product with a longer-standing on-premises SWG.

To recap, we’ve reviewed some of the basic functions of SWGs, hooked you up with a free copy of the Magic Quadrant, and explained why the balance of the SWG market is shifting towards a cloud-based proxy format.

It turns out there’s much more to say about SWGs, cloud, mobility and cybersecurity. In next week’s post, I’ll continue with “Beyond SWGs (Part 2): Cybersecurity in the Cloud.”
