Proxy-based security: a pillar of the cloud-first architecture
The term “proxy” means “in place of.” A typical example is political, such as a public official who represents or carries out the wishes of electors. A proxy can also convey information for an organization, such as a media spokesperson or social influencer. In IT, a proxy is a concept that’s often associated with VPNs and anonymous web browsing.
But that’s not the whole story. For security, a proxy-based architecture like Zscaler’s is central to the ability to enforce policies equally on all cloud traffic at all locations and for all users. This is the end goal for transforming branches with direct-to-internet traffic, and only a proxy architecture can do it well.
As an intermediary, a proxy’s value to security lies in its ability to shield users from direct connections to or from bad actors. A proxy allows an enterprise to inspect all traffic, identify and isolate threats, and prevent the execution of malicious code. Proxies are buffers that help keep apps and data safe from harm.
There are historic reasons for some skepticism around using proxies for security. Proxies must be inline and are usually served by appliances — a scenario guaranteed to create significant latency and a poor user experience. Proxies via physical or virtual appliances often pose compatibility issues, especially for rich web-based apps. Such proxies are also expensive; using them to inspect encrypted traffic (SSL/TLS) at each internet breakout may require up to eight times the number of appliances. Ouch!
We argue that proxies are worth a close look for security, but only if they are served in the cloud. By deploying as a cloud-based service, the proxy-based architecture eliminates the expense of appliances, and scales by user to meet evolving traffic demands. But the number one reason to consider a proxy-based architecture is the issue of inspecting encrypted traffic.
Encryption is malware’s best friend. About 54 percent of advanced threats hide inside encrypted packets, according to Zscaler’s analysis of global customer traffic. It’s the perfect place to hide because just 30 percent of enterprises look there for threats.
Related risk exposure is enormous. Currently, HTTPS is used by about 65 percent of all pages loaded with Firefox, 80 percent with Chrome, and nearly 100 percent of traffic across Google is encrypted. You simply cannot afford NOT to scan encrypted traffic!
A cloud-based proxy architecture lets you easily scan all—that’s 100 percent—encrypted traffic without extra cost or degradation to performance, which ultimately results in reduced latency and an improved user experience.
In addition to inspecting HTTP and HTTPS traffic, the Zscaler cloud firewall examines other protocols such as FTP, DNS, TDS, and other binary traffic embedded within encrypted packets. Unlike appliances, the proxy-based cloud firewall allows a tight handoff of packets after SSL decryption for advanced deep packet inspection with no performance degradation.
With legacy appliance-based SSL/TLS inspection, the enterprise-sized costs, complexity, and sluggish performance present huge obstacles to security. With a cloud-based proxy architecture, all encrypted traffic is scanned. Zscaler ensures there is no place for malware to hide.
To learn more about Zscaler’s proxy-based architecture, check out our white paper, The Definitive Guide to Branch Transformation. And stay tuned for more in the coming weeks as we continue blogging about the five critical elements of branch transformation.
Jen Toscano is Sr. Product Marketing Manager at Zscaler.