Sponsored by NordLayer

What to look out for when securing your cloud environment with a secure web gateway

Cloud in Hand
(Image credit: Natali _ Mis / Shutterstock)

When someone mentions a secure web gateway (SWG), there’s a sense of confidence attached to the conversation regarding cloud security. After all, the word ‘secure’ is right there in the name, so things should be a-ok, right?

Sort of.

Acting as a smart, cloud-native checkpoint between your users and the internet, an SWG inspects outbound web traffic in real time to enforce company policies and block threats before they ever reach an endpoint. But not all SWGs are crafted equally: choose the wrong one and you risk introducing bottlenecks for your remote workers or burying your IT team under a mountain of configuration headaches.

Here is what to look out for when evaluating a secure web gateway:


Breadth of core capabilities

A secure web gateway worth your investment should operate as an intelligent security filter. For that, it’ll have to offer dynamic, category-based URL filtering. This means the vendor maintains an automated and constantly updated database that groups millions of websites into specific risk and content categories such as gambling, adult content, known malware distribution hubs, and high-risk file-sharing sites.

As a business, you should be able to simply flip a switch in order to block entire categories across specific teams. For instance, you might want to block file-sharing categories for casual users to prevent data exfiltration, while leaving standard productivity tools wide open.

Now, your business operations will require exceptions to the rule from time to time, even if automated categories do most of the heavy lifting. That’s why a great SWG will provide you with granular control over your traffic through custom rules.

Your primary concern here is to check how easily you can configure custom domain blacklists and whitelists.

Let’s say a trusted partner uses a legacy portal that your automated system flags as uncategorized. Your internal IT team needs an option to immediately whitelist that specific domain or IP address globally. On the other hand, if you notice a highly niche website draining team productivity or presenting a localized phishing threat, you must be able to blacklist it at that very moment.
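The two sections above describe one policy engine: vendor-maintained categories blocked per team, plus custom blacklist and whitelist entries that override the category verdict. The following is an added example written for this article, not NordLayer's or any vendor's code. The category database, team policies, domain names and the precedence order (custom blacklist first, then an always-blocked malware category, then the custom whitelist, then uncategorized handling, then per-team category blocks) are all constructed assumptions; real products expose these knobs differently.

```python
"""Toy secure-web-gateway policy engine (constructed example).
Category filtering per team, with custom deny/allow lists that override
the category verdict, and parent-domain matching for rules."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed stand-in for the vendor's automated URL-category database.
CATEGORY_DB = {
    "poker-night.example": "gambling",
    "bigfiles.example": "file-sharing",
    "docs.example": "productivity",
    "payload-cdn.example": "malware",
}


@dataclass
class Policy:
    # team name -> categories blocked for that team
    blocked_categories: dict
    denylist: set = field(default_factory=set)    # custom blacklist, always wins
    allowlist: set = field(default_factory=set)   # custom whitelist (exceptions)
    always_block: set = field(default_factory=lambda: {"malware"})
    block_uncategorized: bool = True              # unknown sites need an exception


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def matches(host, names):
    """Exact or parent-domain match: a rule on partner.example
    also covers portal.partner.example."""
    return any(host == n or host.endswith("." + n) for n in names)


def categorize(host):
    """Walk up the labels so a category on example.com also covers www.example.com."""
    labels = host.split(".")
    for i in range(len(labels)):
        cat = CATEGORY_DB.get(".".join(labels[i:]))
        if cat:
            return cat
    return "uncategorized"


def decide(policy, team, url):
    """Return (action, reason). Order of precedence is an assumption of this example."""
    host = host_of(url)
    if not host:
        return ("block", "unparseable URL")
    if matches(host, policy.denylist):
        return ("block", "custom denylist")
    cat = categorize(host)
    if cat in policy.always_block:
        # A whitelist entry must not be able to re-open a known malware host.
        return ("block", f"category {cat}")
    if matches(host, policy.allowlist):
        return ("allow", "custom allowlist")
    if cat == "uncategorized" and policy.block_uncategorized:
        return ("block", "uncategorized domain")
    if cat in policy.blocked_categories.get(team, set()):
        return ("block", f"category {cat} blocked for team {team}")
    return ("allow", f"category {cat}")


def demo_policy():
    """Constructed policy: sales loses file-sharing and gambling, engineering only gambling;
    one time-sink site is blacklisted and a legacy partner portal is whitelisted globally."""
    return Policy(
        blocked_categories={"sales": {"file-sharing", "gambling"},
                            "engineering": {"gambling"}},
        denylist={"timesink.example"},
        allowlist={"legacy-partner.example"},
    )


if __name__ == "__main__":
    p = demo_policy()
    for team, url in [("sales", "https://bigfiles.example/share/abc"),
                      ("engineering", "https://bigfiles.example/share/abc"),
                      ("engineering", "https://portal.legacy-partner.example/login"),
                      ("engineering", "https://unknown-vendor.example/"),
                      ("engineering", "https://www.payload-cdn.example/dl"),
                      ("sales", "http://timesink.example")]:
        print(team, url, decide(p, team, url))
```

The whitelist check sits after the malware check on purpose: a global exception for an uncategorized partner portal should not be able to re-open a host the category engine already knows is hostile. Uncategorized domains are blocked by default here so that the partner-portal scenario from the text actually requires the whitelist entry to work.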

This brings us to deep traffic visibility and real-time logging.

The fact remains that you can’t secure what you (or, more precisely, your system) can’t see, which is why comprehensive visibility into outbound web activity is a must. The gateway should generate clear, real-time logs detailing user activity and system performance, including security enforcement.

For each request, these logs should show the exact timestamp and the action taken, the domain, cloud service, or application being used, the volume of data transferred, the content category, and any security blocks that were triggered, to name just a few things.

This telemetry is vital for identifying patterns (e.g., an endpoint making repeated background connections to a suspicious domain): isolated web requests gain real-time context within the larger security puzzle, from establishing a baseline for normal behavior to spotting shadow IT and policy creep.
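To make the "repeated background connections" pattern concrete, here is an added example (not code from the article or from NordLayer) that runs two detections over SWG-style access logs: endpoints beaconing to one domain at near-constant intervals, and allowed cloud-app domains that are not on a sanctioned list (shadow IT). The log format, the sample lines, the thresholds (`min_hits`, `max_jitter`) and the sanctioned-app list are all constructed for the example; a real gateway's export format will differ.

```python
"""Pattern detection over SWG access logs (constructed example).
Log line shape assumed here: timestamp user src_ip domain category action bytes"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: laptop-07 contacts one uncategorized domain every 60 s,
# alice browses normally and hits one file-sharing block, bob uses an unsanctioned app.
SAMPLE_LOG = """\
2026-06-01T09:00:00Z alice 10.0.0.12 docs.example productivity allow 4096
2026-06-01T09:00:00Z laptop-07 10.0.0.31 update-check.example uncategorized allow 512
2026-06-01T09:01:00Z laptop-07 10.0.0.31 update-check.example uncategorized allow 512
2026-06-01T09:01:30Z bob 10.0.0.15 notes-saas.example cloud-app allow 20480
2026-06-01T09:02:00Z laptop-07 10.0.0.31 update-check.example uncategorized allow 512
2026-06-01T09:03:00Z laptop-07 10.0.0.31 update-check.example uncategorized allow 512
2026-06-01T09:04:00Z laptop-07 10.0.0.31 update-check.example uncategorized allow 512
2026-06-01T09:05:00Z laptop-07 10.0.0.31 update-check.example uncategorized allow 512
2026-06-01T09:06:15Z alice 10.0.0.12 docs.example productivity allow 8192
2026-06-01T09:07:02Z alice 10.0.0.12 crm.example cloud-app allow 1024
2026-06-01T09:09:40Z alice 10.0.0.12 bigfiles.example file-sharing block 0
"""


def parse_log(text):
    """Parse the assumed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, domain, category, action, nbytes = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "src_ip": src, "domain": domain,
            "category": category, "action": action, "bytes": int(nbytes),
        })
    return events


def find_beacons(events, min_hits=5, max_jitter=0.2):
    """Flag (src_ip, domain) pairs with many hits whose inter-request gaps are
    nearly constant (coefficient of variation <= max_jitter)."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src_ip"], e["domain"])].append(e["ts"])
    findings = []
    for (src, domain), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:          # burst at one instant is not a beacon
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({"src_ip": src, "domain": domain,
                             "hits": len(stamps), "period_s": avg, "jitter": jitter})
    return findings


def find_shadow_it(events, sanctioned):
    """Allowed cloud-app domains not on the sanctioned list, with the users who reached them."""
    seen = defaultdict(set)
    for e in events:
        if e["category"] == "cloud-app" and e["action"] == "allow" \
                and e["domain"] not in sanctioned:
            seen[e["domain"]].add(e["user"])
    return {d: sorted(u) for d, u in seen.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("beacons:", find_beacons(evs))
    print("shadow IT:", find_shadow_it(evs, sanctioned={"crm.example"}))
```

The jitter measure (standard deviation of the gaps divided by their mean) is what separates a scheduled agent or implant from a person clicking around: human browsing to the same site produces irregular gaps, so alice's two visits to docs.example are neither frequent nor regular enough to be flagged. In practice you would run this per hour or per day over the gateway's exported logs and feed the findings, not the raw lines, to your SIEM.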

Type of architecture

When shopping for an SWG, one of your more important responsibilities is to scrutinize how your vendor of choice processes your data. See, it’s not at all unheard of for some legacy providers to host their standard, old-school proxy servers in a cloud environment and slap a ‘secure web gateway’ sticker on them.

Those kinds of shenanigans would work if cyber threats were less sophisticated than they are. A basic web proxy redirects traffic and checks the destination IP address against a static list, letting the request pass if the IP isn’t on the blacklist. Of course, cyber threats don’t sit on static IPs; they prefer things like compromised AWS buckets and similar cloud infrastructure.

A true SWG performs deep content inspection (DCI). It looks beyond the IP address and scans web page elements, archives, scripts, and file downloads for malicious code in real time, catching zero-day threats that a basic proxy would wave right through.

Then there is the matter of speed. The vast majority of global web traffic is encrypted, primarily using HTTPS/TLS. This is great for privacy-conscious users but not for the security part of the equation, since attackers encrypt their malware and phishing payloads too. So if your secure web gateway can’t decrypt and inspect HTTPS traffic, it’s basically blind to nearly all web threats.

As you can imagine, decrypting, scanning, and re-encrypting data on the fly takes considerable computational power that not every SWG provider can handle. Their underlying network infrastructure must be evenly distributed; otherwise, the process adds too much latency.

And how much is too much? Even a 20% drop in internet speed every time your employees turn on their security connection will lead to dropped video calls, laggy cloud applications, slow file transfers, and assorted operational delays.

Such performance drain can affect employee productivity and customer loyalty, so it’s paramount to make sure the prospective vendor runs on a high-performance, cloud-native edge network that can manage heavy cryptographic processing without throttling end-user bandwidth.

If your organization needs to enforce compliance and prevent advanced web-based attacks, full web inspection will do the trick. It operates at the application layer through URL filtering, malware scanning, application controls, and Data Loss Prevention (DLP).

Where DCI focuses exclusively on the data payload inside the session, full web inspection looks at the big picture by identifying what the file is. In doing so, it uncovers malicious code hiding deep inside a trusted website before it hits your browser.

Operational delivery

When all is said and done, a security tool is only as good as its deployment. Ideally, you want a solution built on a cloud-native Security Service Edge (SSE) model. It eliminates the inefficiencies of legacy web gateways (which used to route all remote worker traffic to a server room before sending it out to the internet) by deploying edge nodes worldwide. As a result, your remote workers connect directly to the closest local node and keep their experience as seamless as possible.

This is exactly where agile, cloud-native platforms like NordLayer shine: packaging these secure web gateway features into a lightweight framework that handles dynamic category blocking, threat protection, custom domain rules at the network edge, and more, as the end-users remain blissfully unaware and unaffected.

Finally, consider management simplicity. Your IT administrators should be able to roll out the gateway agent across hundreds of remote devices simultaneously using standard MDM tools, and manage all outbound web policies from an intuitive, centralized cloud dashboard rather than messing with complex network scripts.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.