Cloud security gateways sit between users and their internet destinations, enforcing corporate and regulatory security policies. They differ from legacy secure web gateways (SWGs) in that they offer a complete security stack delivered as a service. All filtering, inspection, and policy enforcement happen in the cloud, so there’s no need for on-premises physical appliances.
By moving security out of data centers and regional gateways to a globally distributed cloud, cloud security gateways bring services close to the user for a fast, seamless experience without traffic backhauling over slow, expensive private networks. Moreover, with a cloud security gateway, organizations can easily scale threat protection to all mobile users and all offices via local internet breakouts, simplifying their network and security infrastructures.
Cloud Security Gateway Features
Cloud security gateways are effectively an amalgam of security services designed to enforce policy in the cloud, including but not limited to:
Authentication and authorization
Single sign-on (SSO)
These services are typically sold as separate point products, each with its own console and its own logs, so none of them gives you a complete view of your environment, least of all of cloud traffic. A cloud security gateway delivers them as one integrated service, deployed once, so you are not left integrating, patching, and monitoring each product separately, with the gaps and misconfigurations that stitching them together yourself would bring.
This seems like reason enough to consider switching to a cloud security gateway, but its reason for existing goes deeper than that.
By not backhauling our traffic, but directly using the internet, we expect we can drive down costs by 70%.
Frederik Janssen, VP Global IT Infrastructure Portfolio, Siemens
Why Shift to a Cloud Security Gateway?
The traditional security perimeter is broken. When applications in an enterprise data center were the center of everything, it made sense to direct all enterprise traffic to the data center over a hub-and-spoke network. Even as more traffic was directed to the internet and threats became more complex, you could still protect your perimeter and users with stacks of gateway appliances.
However, applications and services have moved to the cloud for good through the use of SaaS and other models, and users have left the network to work from home, on the road—just about anywhere but the office.
This means their traffic goes straight to their cloud apps over the internet, bypassing the network perimeter and appliances altogether. As a result, the network where business takes place is now simply the internet. The move to cloud and work from anywhere is great for building an agile digital business, but it has broken the traditional network security model.
Despite heavy investment in appliances, many organizations still struggle to deliver consistent security, as the steady stream of breaches shows. Even while browsing reputable websites, users continue to fall victim to internet-borne threats.
Most internet traffic is now TLS-encrypted (still widely referred to as SSL), and malware and other threats frequently hide inside it, so organizations need an integrated approach that inspects all traffic, including TLS. Capacity-limited hardware appliances often skip "trusted" content from CDNs and let TLS traffic pass uninspected, which is exactly where threats go unseen. Additionally, a chain of separate appliances cannot share or correlate threat intelligence quickly enough to respond to an attack as it develops. All of these issues limit an organization's visibility and its ability to prevent attacks.
A cloud security gateway gives your security team full visibility into network traffic, including TLS-encrypted sessions, which it decrypts and inspects at scale. That visibility improves data protection and data security as your organization adopts the internet as its new corporate network.
What Are the Benefits of a Cloud Security Gateway?
A cloud security gateway delivers the complete security stack as a service, with in-depth protection against malware, advanced threats, phishing, browser exploits, malicious URLs, botnets, and more. A cloud native security gateway is a shift from traditional appliance models and offers a range of benefits:
Provides secure direct-to-cloud connections for all offices and users, eliminating appliances and reducing reliance on costly WAN infrastructure
Delivers the entire outbound gateway security stack as a service from the cloud, with always-on security whenever and wherever users connect
Elastically scales your capacity requirements as traffic demands increase—no more hardware capacity limitations
Enables every user to connect directly to the internet with all security enforced in the cloud—no backhauling across hub-and-spoke architectures for inspection
Distributes all services cloud-wide to provide fast, local connections for users everywhere
Easily scales to handle the bandwidth demands of cloud applications and latency-sensitive apps, such as Microsoft Teams and Zoom
Unified Policies and Reporting
Policies follow users wherever they connect so they get consistent security and access controls from day one
Uses one console to enforce a unified user or group policy across the entire security stack
Provides real-time reporting and centralized analytics that improve threat context and visibility across all users
Instead of forcing (via ‘tromboning’) various entities’ traffic to inspection engines entombed in boxes in the data center, we need to invert our thinking to bring the inspection engines and algorithms closest to where the entities are located.
Gartner, The Future of Network Security is in the Cloud, August 2019
Where to Get Started with a Cloud Security Gateway
Start by seeking out a fully cloud native security solution from a trusted, market-leading security service provider. Many vendors claim to offer a solution designed for the cloud, but their products often amount to the same appliance software running as VM instances in a public cloud. Those carry the same limitations as the hardware in your data center: fixed per-instance capacity, so new VMs must be spun up and managed as bandwidth needs increase.
Furthermore, a fast user experience requires security services to sit as close to users as possible, at the "edge" of the network, so that traffic does not travel far to reach them. A VM-based deployment in a public cloud such as AWS is confined to the regions where the vendor has chosen to deploy those instances, so users far from those regions may see their traffic traverse quite a distance for inspection on its way to and from cloud destinations.
For a cloud security gateway, go with a vendor that builds its security in the cloud, for the cloud. Go with Zscaler.
Cloud Security Gateway with Zscaler
With Zscaler, there is no hardware to deploy or manage, and services are provided based on users, not usage, so you never have to worry about capacity. By simply making the Zscaler cloud your next hop to the internet, you’ll immediately enjoy increased security and compliance and your users will appreciate a faster experience as they access applications and services in the cloud.
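The "next hop" step above is usually implemented by steering endpoints with a proxy auto-config (PAC) file or an endpoint agent. The following PAC file is an added example, not Zscaler's own configuration: it sends internal and RFC 1918 destinations direct (the local breakout described earlier) and everything internet-bound to the cloud gateway. The gateway hostnames and the internal domain are hypothetical placeholders. PAC engines provide the helper functions natively; the shims are only installed when absent so the same file can be exercised offline with Node.

```javascript
// Added example: a PAC file that makes a cloud security gateway the default
// next hop for internet traffic while letting internal traffic break out
// locally. Not Zscaler's PAC file; gateway hostnames and the internal
// domain are hypothetical placeholders.

// PAC engines (browsers, OS proxy services) provide these helpers natively.
// The shims below are installed only when they are missing so the same
// file can be exercised offline with Node.
if (typeof globalThis.isPlainHostName === "undefined") {
  globalThis.isPlainHostName = (host) => host.indexOf(".") === -1;
}
if (typeof globalThis.dnsDomainIs === "undefined") {
  globalThis.dnsDomainIs = (host, domain) => host.endsWith(domain);
}
if (typeof globalThis.isInNet === "undefined") {
  // Real engines resolve hostnames first; this shim handles IPv4 literals only.
  globalThis.isInNet = (host, pattern, mask) => {
    const h = ipv4ToInt(host);
    if (h === null) return false;
    const m = ipv4ToInt(mask);
    return (h & m) === (ipv4ToInt(pattern) & m);
  };
}

// Parse a dotted-quad IPv4 literal into an integer, or null if it is not one.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Primary and failover gateway nodes (hypothetical hostnames).
const GATEWAY_PROXIES =
  "PROXY gw-primary.cloud-gateway.example:443; PROXY gw-secondary.cloud-gateway.example:443";

function FindProxyForURL(url, host) {
  host = String(host).toLowerCase();

  // Local breakout: traffic that should never leave the site goes DIRECT.
  if (isPlainHostName(host) || host === "localhost") return "DIRECT";
  if (dnsDomainIs(host, ".corp.example.internal")) return "DIRECT";
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      isInNet(host, "127.0.0.0", "255.0.0.0")) return "DIRECT";

  // Everything else is internet-bound and is handed to the cloud gateway,
  // with a second node as failover. There is deliberately no trailing
  // "; DIRECT": that would fail open and let traffic bypass inspection
  // whenever the gateway is unreachable.
  return GATEWAY_PROXIES;
}
```

A PAC file is a steering mechanism, not an enforcement point: a user or malware can drop it and go direct. Pair it with egress firewall rules that only permit the gateway nodes, or with an endpoint agent or tunnel that the user cannot disable, and distribute the file through your management channel (WPAD, GPO, MDM) rather than a world-writable share.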
Zscaler built and operates the world's largest zero trust security platform for the cloud. It is based on the secure access service edge (SASE) framework, which simplifies IT, reduces risk, protects sensitive data, and optimizes traffic routing to provide the best user experience. Because the platform is globally distributed, with services delivered from more than 150 data centers, users are always a short hop from their applications. Through peering with hundreds of partners at major internet exchanges around the world, Zscaler ensures optimal performance and reliability for all of your users.
With Zscaler, you can start with services that close security gaps for remote users, and then easily add services as demand grows or as you phase out legacy appliances.