A secure web gateway (SWG) is a security solution that prevents unsecured internet traffic from entering an organization’s internal network. Enterprises use SWGs to protect employees and users from accessing or being infected by malicious websites and web traffic, internet-borne viruses, malware, and other cyberthreats. SWGs also help ensure regulatory compliance.
According to Gartner, a secure web gateway must include URL filtering, malicious code detection and filtering, and application controls for popular cloud applications such as Microsoft 365. More recently, Gartner identified the cloud access security broker (CASB) as a critical component of a security architecture based on the secure access service edge (SASE) framework, which we’ll get to later.
What Do SWGs Do?
A SWG (often pronounced “swig”) is designed to block access to or from malicious websites and links. By filtering web and internet traffic at the application level, it enforces granular use policies and stops threats from accessing web applications.
How Does a Secure Web Gateway Work?
A SWG acts as a barrier between an organization's private network and the open internet, protecting it from web-based threats and ensuring users comply with web policies. Generally, when a user tries to access a website or web content, the SWG will:
Check the URL against a database of categorized URLs and policies, providing access if the URL is deemed safe and allowed by policy, and blocking access otherwise.
Manage access to web-based applications, providing granular application controls to restrict certain functions (e.g., upload, file sharing) according to policy.
Scan any downloadable files or scripts for malicious content, checking the files against known malware signatures and blocking downloads if malware is detected.
Decrypt and inspect TLS/SSL-encrypted data for hidden threats, and then re-encrypt it for secure transmission if no threats are found.
Parse the content for sensitive data (e.g., payment card numbers, proprietary information), and then block or alert on the discovery according to company policy.
Log user activity, threats, and policy violations for administrators to use for the purposes of monitoring, reporting, forensic analysis, etc.
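As an added illustration (not vendor code and not part of the original page), the Python below walks one request through the URL-category check, application control, DLP and logging steps listed above. The hosts, categories and reason strings are constructed for the example, the body is assumed to have already been decrypted by TLS inspection, and malware scanning is left out.

```python
import re
from urllib.parse import urlsplit

# Constructed sample policy: hosts, categories and rules are illustrative only.
URL_CATEGORIES = {
    "intranet.example.com": "business",
    "files.example.net": "file_sharing",
    "phish.example.org": "phishing",
}
ALLOWED_CATEGORIES = {"business", "file_sharing"}
UPLOAD_RESTRICTED = {"file_sharing"}  # application control: no uploads here
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # candidate card numbers


def luhn_ok(digits):
    """Luhn checksum; filters out random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_card_number(text):
    """DLP check: a 13-19 digit run that also passes the Luhn checksum."""
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def evaluate(user, method, url, body="", log=None):
    """Return (action, reason); append an audit record to `log` if given."""
    host = (urlsplit(url).hostname or "").lower()
    category = URL_CATEGORIES.get(host, "uncategorized")
    if category not in ALLOWED_CATEGORIES:
        verdict = ("block", "url_category:" + category)  # anything not allowed is blocked
    elif method.upper() in {"POST", "PUT"} and category in UPLOAD_RESTRICTED:
        verdict = ("block", "app_control:upload")
    elif contains_card_number(body):
        verdict = ("block", "dlp:payment_card")
    else:
        verdict = ("allow", "policy_ok")
    if log is not None:
        log.append({"user": user, "host": host, "action": verdict[0], "reason": verdict[1]})
    return verdict
```

The Luhn check matters for the DLP step: matching on digit count alone would flag order numbers and timestamps, while the checksum keeps the alert rate low enough for a block action to be usable.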
To support the key functions laid out above, an effective SWG includes capabilities like:
URL filtering to block or allow user access to websites according to policy
Application control to enforce policy on the usage of web-based apps and cloud services
TLS/SSL inspection capabilities to discover threats hiding in encrypted traffic
Advanced threat protection, including anti-malware, antivirus, and anti-phishing measures
Data loss prevention (DLP) to prevent loss or leakage of sensitive data
Bandwidth controls to prevent certain sites or apps from consuming excess bandwidth
Remote user protection to secure users operating outside the network perimeter
Policy management tools to help administrators set and enforce security policies
Why Are SWGs Important?
The days of accessing data and applications solely through the corporate data center are over. Today, employees and their endpoints can work from just about anywhere, and with the apps they’re accessing increasingly in the cloud instead of your data center, they’re out of reach of traditional network security controls. This is where SWGs provide some important benefits.
What Are the Benefits of a SWG?
An effective SWG enables you to:
Restrict or block access to risky or malicious websites and web-based apps
Protect against ransomware, other malware, and phishing in real time
Enforce compliance with company, industry, or government regulatory policies
Support hybrid work models with fast, seamless, and secure connections to web-based resources and SaaS apps
Moving Beyond Traditional Infrastructure
You need a secure web gateway to inspect traffic, identify threats, apply policy for your organization and users, and more. That said, if you keep relying on traditional infrastructure to secure internet-bound traffic, you’ll need to backhaul it to your data center for scanning and inspection, which will slow down traffic and frustrate your users.
Legacy solutions can’t provide adequate security in today’s cloud-based landscape. Cybercriminals are constantly creating new, sophisticated security threats, and by bringing all traffic back to your data center for security, you’re effectively blasting open the gates of your network to the risk of lateral movement, imperiling your data in complete opposition to the key tenets of zero trust.
Ultimately, you need a SWG that’s purpose-built for zero trust and the cloud.
Zscaler’s security functionality keeps users safe regardless of what network they are on, which was great for us as more and more users are working out of the office across all government departments.
Nav Pillai, Director of Digital Transformation, Cenitex
Why Companies Need a SWG
Work-from-anywhere and rapid SaaS adoption have proven the need for cloud native security solutions. Among other things, you need advanced threat protection, anti-malware, sandboxing, a cloud access security broker (CASB), DLP and cloud DLP, browser isolation services, and inspection for all traffic, including TLS/SSL-encrypted traffic.
To effectively secure cloud resources, security solutions must be architected following Gartner’s secure access service edge (SASE) concept. It’s a question of scale, and hardware can’t keep up in today’s fast-paced, dynamic cloud environments. Imagine interconnecting thousands of DVD players and calling it “Netflix”—that’s what it’s like to move on-premises, hardware-based functions (including legacy VPNs and firewalls) to the cloud.
Only a cloud-based SWG offers the same protection no matter where users connect. Sitting between users, the web, and SaaS, it can terminate every connection inline, inspect all internet traffic, and apply user-centric security and access policy to eliminate your attack surface, prevent compromise, stop lateral movement, and halt sensitive data loss.
How SASE Helps
SASE’s cloud-delivered architecture combines a host of different networking and security services into one platform, including DNS security, SWG, zero trust network access (ZTNA), and DLP. Additionally, SASE pairs well with an SD-WAN and works for a variety of use cases:
Reducing IT cost and complexity: An effective SASE solution is easy to deploy and manage, enabling digital transformation without the technical debt brought on by legacy architecture.
Delivering a great user experience: SASE brings security policies close to the user to eliminate unnecessary backhauling, provide optimal bandwidth, and ensure low latency.
Lowering risk: With SASE, all connections are inspected and secured in real time, no matter who they come from, which app is being accessed, or which encryption method is being used.
Zscaler is the magnum opus of my security stack.
Brad Moldenhauer, Director of Information Security, Steptoe & Johnson LLP
Firewalls and SWGs perform similar tasks, but they’re not one and the same. Firewalls review the contents of incoming packets and compare them against signatures of known threats, at the network level only. SWGs operate at the application level, and they can block or allow connections or keywords according to an organization’s web use policy.
Is a Web Gateway a Proxy?
Web gateways and proxies have key differences. A proxy server and a gateway both route traffic from a network to the internet, but a proxy server filters which connections are allowed, while a gateway doesn't do any filtering. In this sense, a gateway more closely resembles a door to get to the internet, and a proxy server a wall that bars the inside of the network from being exposed to the internet.
Is a SWG a VPN?
Secure web gateways (SWGs) and virtual private networks (VPNs) both have roles in securing traffic, but they are far from the same technology. SWGs primarily focus on protecting users and devices by preventing web-based threats and enforcing an organization’s web policies, whereas VPNs provide encrypted, private connections over public networks to support remote work, bypass geographical web content restrictions, etc.