You Won’t Get Anywhere in SASE Without the Right Next-Gen SWG

There’s a world of difference between a next-gen SWG and products and services that claim to offer “full SWG capabilities.”

istock 1019006240
Melpomenem

A true Secure Access Service Edge (SASE) architecture includes all of the capabilities of a next-generation Secure Web Gateway (SWG). But there’s a world of difference between a next-gen SWG and products and services that claim to offer “full SWG capabilities,” whether they’re known by “web filtering” or “cloud proxy” or any other descriptors.

Here’s a look at the most important use cases to address for your SWG, followed by a checklist to discuss with your vendor and team when it’s time to make the right decision.

Monitor and assess risk with cloud app and web usage

For an average organization, approximately 53% of web traffic is now related to the 2,415 apps and cloud services they use. A next-gen SWG needs to provide monitoring and visibility of activity-level user behavior when accessing websites and cloud apps. Given that more than 98% of cloud apps are outside the administrative control of IT, risk ratings for tens of thousands of apps are also required.

Granular control of unmanaged cloud apps

Instead of disrupting the business by blocking the potentially thousands of cloud apps not managed by IT, safely enable the cloud by applying granular controls and targeting risky activities. A next-gen SWG needs to provide the granular control required to stop the bad and safely enable the good.

Provide web filtering and coach users on acceptable use–including apps     

Web filtering is a well-known security control with URL categories, custom categories, and dynamic web page ratings for new sites, pages, or content. With 53% of web traffic being cloud, a next-gen SWG needs to also cover acceptable use policies for the potentially thousands of cloud apps in use.

Protect against malware and apply multi-layer threat detection

Increasingly, web threats abuse cloud apps and social media to both opportunistically and directly target victims. Cloud storage also plays an important role to deliver payloads where it often bypasses legacy defenses not inspecting TLS encrypted traffic for managed and unmanaged apps. Scripts and macros more frequently within Office files may start a web threat kill chain as the use of portable executables (PEs) decrease in comparison. So, while sandboxing PEs is advised, pre-execution script and macro analysis with heuristics become an important part of a multi-layer defense alongside machine learning anomaly detection.

Provide advanced data protection across the cloud and web   

 As apps and data move to the cloud, it only makes sense that security defenses should move to the cloud as well. Protecting data and data privacy are leading cloud adoption concerns—and for good reason, given the ease of use to post, share, and download data. A next-gen SWG needs to have advanced cloud Data Loss Prevention (DLP) capabilities with both content and context applied to granular policy controls.

Provide direct-to-Internet coverage for remote offices and remote workers

Driven by digital transformation, company networks are changing from a hub-and-spoke architecture, where remote offices backhaul data over costly dedicated links, to having direct-to-internet access. A next-gen SWG needs to provide infrastructure and capabilities that deliver fast and secure access to the cloud and web from anywhere.

With those use cases in mind, here is a list of questions to help sharpen your search for the right next-gen SWG.

  • Can I have consistent inspection and policy enforcement among users anywhere and data anywhere?
  • Do I have visibility of all SaaS and IaaS (including shadow IT) in use by all users, anywhere in my environment?
  • Can I determine how my users are using the data including what actions are they taking, via which apps and/or services?
  • Can I determine the data’s sensitivity both at rest and in transit?
  • Do I understand the security posture of IaaS and PaaS?
  • Can I qualify the risk of the SaaS and web-based applications being used throughout my environment?
  • Can I control how data is transferred, used, manipulated, or accessed via cloud and web-based applications and services, including instances of these services or applications?
  • Am I sure users are who they say they are, and there hasn’t been any credential compromise?
  • Can I easily integrate incident response and forensics capabilities for SaaS- and web-based activity?
  • Is my user experience performance-driven, frictionless, and transparent?
  • Can I determine risk based on user behavior, data sensitivity and criticality, and application characteristics?
  • Can I inspect and apply policy without “hairpinning” (i.e., routing back) to the data center, thus preserving the performance and experience of my cloud services?

Your Secure Web Gateway is blind to more than 50% of your traffic and we can Prove It. Click here to experience the Netskope transformation today.

Related:

Copyright © 2021 IDG Communications, Inc.