Cloud apps now represent 53% of all secure web gateway traffic, and the traditional SWG has no idea what’s going on out there
There used to be a clear demarcation between the role of the enterprise network and that of the internet. Network architects built their own private networks, interconnecting with the internet at specific, clearly marked gateways or ports. And these were patrolled by security in the guise of a Secure Web Gateway (SWG). Within the perimeter, data safely resided. And the SWG policed what came in off the big bad wild west of the internet. When enterprise data needed to venture out to a remote worker or branch office, the network team architected tunnels in a range of ways, all intended to extend the safety of the private network and keep the data within the perimeter.
And then came cloud.
The emergence of SaaS and IaaS started to undermine this clear definition – the data that needed protection was no longer within the perimeter – and now that cloud applications dominate, such historical boundary lines are almost entirely academic.
Predictions put cloud applications on track to make up 80% of enterprise workloads by 2025, leaving no room to dispute that applications have broken free of the old dependence on private infrastructure. Yet security has remained frustratingly tied to the old model. For the vast majority of organisations, security policies still demand that cloud traffic route back through appliances stacked in data centres within the old and crumbling ‘perimeter’. This means illogical routing, creating trade-offs between security and performance.
Worse still, despite these bizarre routing requirements, the security appliances are not actually effective anymore, either for data or threat protection.
To effectively secure cloud use you need a much more granular, context-aware view of what is going on within cloud applications. If the organisation uses GSuite then you can’t block GoogleDrive – but how do you stop personal instances being used to exfiltrate sensitive data? Data and threat protection cannot be something that happens at a set location within the perimeter anymore – it needs to follow the data. To put it bluntly, the SWG is a useless lump of metal when faced with modern cloud architectures.
Thankfully, we are seeing an intelligent rethink of the old approach. The Secure Access Service Edge (SASE) has emerged as an important conceptual model to describe how to protect users and applications that operate beyond the traditional network perimeter. SASE is a model that recognises that the location of both users and applications can no longer be thought of as fixed (and is unlikely to be within your private architecture).
What exactly is SASE?
SASE is a cloud security architecture concept, and the name was coined by Gartner in a 2019 report. Gartner defines SASE as “an emerging offering combining comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS and ZTNA) to support the dynamic secure access needs of digital enterprises.”
Gartner sees SASE as an inversion of the old network/security model which was focused on a data centre surrounded by many users consuming data centre hosted services. This new model has the user at its centre, which leads to a completely different architectural approach to security.
SASE is:
- Distributed – it sees security expand beyond the confines of the traditional data centre and allows organisations to move security functionality into the cloud.
- Cloud-native – SASE isn’t about legacy security kit being repackaged as SaaS offerings. Workflows are different within the cloud, and so too are data protection and cyber threats. SASE solutions are built around the convergence of security functions, bringing together the functionality of CASB, NG-SWG, SD-WAN, DLP, AI/ML, and much more under one cloud-native solution.
- API-based – Since most of the old security stack was invented, APIs have emerged as the new language of the web. APIs allow different solutions and applications to communicate at the code level, which – for security policies – provides context that can’t be obtained by simply interpreting HTTP/S protocols and looking at URLs. Without this context, businesses can only see who is talking to whom, not what they are talking about or what they are doing. API visibility is key to SASE solutions.
- Open and explainable – motivated by the open and connected nature of the environment that it serves, SASE has interoperability, open interfaces, and ‘explainability’ at its core. This is the only way to ensure its various parts interact as intended, and is critical to its role in data protection compliance.
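The GSuite example above (you cannot block Google Drive, yet you must stop personal instances being used to exfiltrate data) and the API-based point in this list are two sides of the same problem, so one illustration serves both. The following is an added example, not code from Netskope or from this article, written to show why a URL-only decision cannot express the needed policy while an instance-aware one can. The event records are constructed for illustration, and the `instance_id` field is an assumption: it stands in for the tenant/instance context that an API-aware platform would derive from the application rather than from the URL.

```python
"""Instance-aware cloud policy evaluation versus URL-only filtering.

Added example (not the article's or Netskope's code). The events are
constructed sample records; 'instance_id' is an assumed field standing
in for API-derived tenant/instance context that a URL alone never carries.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Assumed corporate GSuite tenant identifier (placeholder, not a real tenant).
CORPORATE_INSTANCES = {"gdrive:corp-example-tenant"}


@dataclass(frozen=True)
class CloudEvent:
    user: str
    url: str            # all a legacy SWG sees: host and path
    app: str            # application identified from decoded traffic
    instance_id: str    # tenant/instance context (assumed, API-derived)
    activity: str       # upload | download | share | view
    sensitive: bool     # DLP classification of the file involved


# Constructed sample traffic: the corporate and personal Drive instances
# present the same host and paths, so URL-level filtering cannot tell them apart.
EVENTS: List[CloudEvent] = [
    CloudEvent("alice", "drive.google.com/upload", "Google Drive",
               "gdrive:corp-example-tenant", "upload", True),
    CloudEvent("alice", "drive.google.com/upload", "Google Drive",
               "gdrive:personal-alice", "upload", True),
    CloudEvent("bob", "drive.google.com/file/d/x", "Google Drive",
               "gdrive:personal-bob", "view", False),
    CloudEvent("bob", "drive.google.com/share", "Google Drive",
               "gdrive:corp-example-tenant", "share", True),
]

Policy = Callable[[CloudEvent], str]


def url_only_policy(event: CloudEvent) -> str:
    """Legacy SWG view: a host is either allowed or blocked wholesale.

    Because the organisation runs on GSuite, drive.google.com must stay
    allowed, so the sensitive upload to a personal instance passes too.
    """
    blocked_hosts: set = set()  # adding drive.google.com would break the business
    host = event.url.split("/", 1)[0]
    return "block" if host in blocked_hosts else "allow"


def instance_aware_policy(event: CloudEvent) -> str:
    """Context-aware view: decide on app, instance, activity and data label.

    Corporate instances are allowed; personal instances may be viewed but
    not used to upload or share files classified as sensitive.
    """
    if event.app == "Google Drive" and event.instance_id in CORPORATE_INSTANCES:
        return "allow"
    if event.activity in {"upload", "share"} and event.sensitive:
        return "block"
    return "allow"


def evaluate(events: List[CloudEvent], policy: Policy) -> Dict[str, int]:
    """Tally allow/block decisions so the two policies can be compared."""
    counts = {"allow": 0, "block": 0}
    for ev in events:
        counts[policy(ev)] += 1
    return counts


def blocked_users(events: List[CloudEvent], policy: Policy) -> List[str]:
    """Users with at least one blocked event under the given policy."""
    return sorted({ev.user for ev in events if policy(ev) == "block"})


if __name__ == "__main__":
    for name, pol in (("url-only", url_only_policy),
                      ("instance-aware", instance_aware_policy)):
        print(name, evaluate(EVENTS, pol), blocked_users(EVENTS, pol))
```

Running the block shows the URL-only policy allowing all four events, while the instance-aware policy blocks only the sensitive upload to the personal instance and leaves legitimate corporate use untouched. The decision hinges on fields that only application-level (API) context supplies, which is the visibility gap the list above describes.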
It’s time for network and security teams to collaborate to rethink the old, established ways that we route and secure enterprise data. SASE relieves burdens on network performance while simultaneously allowing for improved visibility, security and compliance.
Take the Netskope Prove It challenge to find out just how little your SWG is protecting you…