2020 … dawn or dusk of internet gateways?
COVID-19 has accelerated the digital transformation of enterprises along the lines of “if you think it’s impossible, give it to someone who doesn’t know that”. Companies forced to change the way they carry out business operations switched to the remote work model almost overnight. In the context of security, this usually means employees connecting via VPN to gateways or firewalls in the organization and from there to the Internet. Or directly to the Internet, which multiplies the number of vectors that attackers (humans or automated software) can exploit to pass malware to the end user’s computer.
As of now, most companies rely on Secure Web Gateway (SWG) solutions for protection, i.e. a secure Internet gateway characterized by a flexible, hybrid implementation model, deep analysis and “understanding” of the application layer, and solid built-in business intelligence. However, as organizations move to the cloud and remote work becomes the norm, traditional SWGs based on locally installed appliances become bottlenecks and slow down your work. They are unable to scale to the workload of remote users, and the purchase of additional appliances is expensive and often limited to a few options.
The outlook for them does not improve when you see that, increasingly:
- Applications are moving towards the SaaS model
- Proxies are moved to the cloud
- Companies adopt a cloud-first approach
- Cloud providers increase the attractiveness of their offers (despite the oligopoly)
The change started long ago; 2020 is just a catalyst. Currently, the key aspect that determines the choice of an SWG-class solution is the ability to protect users connecting from outside the company network. This could mean a home network, an airport network, a McDonald’s network, a library, or a municipal network. However, given the current state of affairs … mostly a home network.
But does anyone believe in a return to the rigid office rules as they were? The need to secure all Internet activity, the need to accept traffic from all locations (mainly remote workers and mobile workers) and the ability to integrate with critical network functions such as SD-WAN are the key aspects that constitute the value of a secure proxy now.
First, though, the foundations are worth restating:
- The main task of the SWG is to control network traffic by monitoring all ports and protocols – mainly IP and DNS. DNS is key as it prevents threats over any port or protocol, not just HTTP and HTTPS traffic. The proxy also decrypts SSL/TLS traffic.
- The SWG also checks downloaded files using anti-virus (AV) engines and behavioral analysis. It is worth noting that, thanks to the flexibility of cloud-based implementation, leading manufacturers are able to include more than one AV engine in their SWG, rather than just one, as was usually the case with traditional solutions.
- It also enables detailed data analysis. The SWG is undoubtedly the most effective tool for gaining insight into the content of network traffic. It provides details such as domain attributes, e.g. WHOIS records, ASN, domain co-occurrences, geolocation, whether the domain has already hosted malware, and even whether it was registered by a human or generated by a Domain Generation Algorithm (DGA). It is worth adding that it is the reporting functionality that is often the advantage of an SWG over firewall solutions (when it comes to the criterion of network traffic protection).
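As an added illustration of the last point (this is example code, not from the original post or any vendor’s product), the human-vs-DGA attribute an SWG reports can be approximated from a few lexical features of the registrable label. The thresholds and sample domains below are constructed assumptions chosen for the demonstration, not a real classifier.

```python
import math
from collections import Counter

# Constructed sample domains (not taken from the original post): three
# ordinary service names and three with the random-looking labels that
# a DGA typically produces.
SAMPLE_DOMAINS = [
    "mail.google.com",
    "teams.microsoft.com",
    "library.example.org",
    "xk3j9qz7w1b.com",
    "qwfpgjlxkzrstdhnbvm.net",
    "zpx8h2mq4.info",
]

VOWELS = set("aeiou")

def registrable_label(domain: str) -> str:
    """Second-level label, i.e. the part a DGA actually generates."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(s: str) -> float:
    """Bits per character; random labels score higher than dictionary words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def dga_features(domain: str) -> dict:
    label = registrable_label(domain)
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = (sum(ch in VOWELS for ch in letters) / len(letters)) if letters else 0.0
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return {"label": label, "length": len(label), "entropy": shannon_entropy(label),
            "vowel_ratio": vowel_ratio, "digit_ratio": digit_ratio}

def dga_score(domain: str) -> int:
    """Count how many heuristic thresholds (assumed values) the label trips."""
    f = dga_features(domain)
    return sum([f["entropy"] > 3.3,        # near-uniform character use
                f["vowel_ratio"] < 0.25,   # unpronounceable
                f["digit_ratio"] > 0.2,    # digits mixed into the label
                f["length"] > 15])         # unusually long label

def looks_like_dga(domain: str) -> bool:
    # Two independent signals are required; entropy alone misses short labels.
    return dga_score(domain) >= 2

def classify_all(domains=SAMPLE_DOMAINS) -> dict:
    return {d: looks_like_dga(d) for d in domains}
```

Note that "zpx8h2mq4.info" is flagged although its entropy is below the threshold, which is why a single feature is never enough.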
Along with the cloud revolution, which allowed potentially unlimited access to resources, pioneers emerged with cloud-native secure web gateways: proxies hosted in the cloud from the outset.
At first, they had advantages strictly related to the implementation model:
- Endpoint agent – for mobile and desktop devices, it redirects traffic through the cloud proxies and provides protection for unmanaged devices.
- Real-time access to the manufacturer’s knowledge base – it probably doesn’t need to be explained: all updates are delivered on a regular basis. When choosing a cloud proxy, we should pay attention to the Gartnerian dimension of “Ability to Execute”; theoretically, the more customers a manufacturer has, the more diverse the data it receives and the better the algorithms it produces.
- “Invisible installation” – by setting up the redirection and installing the agent remotely (e.g. via GPO or MDM).
- Scalability – no need to conform to “box” constraints.
However, leading manufacturers, especially those offering cloud-native proxies, have since incorporated additional categories of functionality into their solutions in response to the growing use of software in the SaaS model.
These are mainly elements borrowed from:
- Cloud NextGen Firewall – provides visibility and control of outbound Internet traffic on all ports and protocols. It logs all activity and blocks unwanted outbound traffic by IP, port and protocol (layer 3/4 firewall) as well as by application visibility and control (layer 7 firewall). Traffic is sent to the cloud through an IPsec tunnel from any network device. Why is a cloud firewall necessary? Take MS Teams as an example: the SWG can block or allow the application’s traffic, and the firewall can refine this and block, e.g., audio or video.
- Cloud Access Security Broker – to detect, decode and inspect cloud traffic, including cloud applications used on company equipment without authorization from the IT department.
- Cloud Sandboxing – as the structure of malware grows more complex, the demand for advanced analysis mechanisms grows with it. Having a secure test environment is a must-have for organizations with sensitive resources; thankfully, manufacturers have noticed this.
In summary, traditional SWGs are no longer effective in securing users of web and cloud applications.
Phishing attacks on SaaS and Internet mail are the fastest growing group of threats, while malware distributed and shared via communication channels remains the most popular of them.
According to Gartner, more than 90% of the data in the cloud was created in the last two years, while the number of mobile users continues to grow. Transferring data between corporate and personal instances of managed cloud applications, or to another personal cloud application instance, as well as using webmail and sharing links, is an easy task for any user today.
The digital transformation to the cloud and mobile devices means flipping the old security stack into the cloud to better protect the growing base of remote workers. Older SWG appliances force a VPN back to central data centers, which is no longer enough. Zero Trust Network Access (ZTNA) and Secure Access Service Edge (SASE) architectures are the future, and they are built on cloud-native SWGs. In this new model, any user, in any location, on any device is protected with minimal impact on performance.