At a minimum, a secure Web gateway (SWG) must include URL filtering, content filtering, application controls or whitelisting, email security, antimalware and malicious code detection. These core features provide security controls for the most common and frequently abused Web services. While research shows that only a few SWG users enable every single SWG feature, it's nice to know the capabilities exist should you need them in the future. Think of it this way: If you want to add application whitelisting down the line, simply request a new license from your vendor. There is no additional proof-of-concept or evaluation procedure, just a simple adjustment to the configuration. Your organization will also avoid another evaluation process, meaning you'll be able to save money through bundled pricing. The convenience also creates a degree of "stickiness," making it much more likely that you will stay with a particular vendor once you've made your initial selection.
Ease of use is a significant issue for many users of SWGs. With features bolted on, not all capabilities are fully integrated. In some cases, it can mean several products with several administrative interfaces. In other cases, enterprises have a single Web interface to set policies and configuration, but the user interface is half-baked and designed by technical people for technical people, making it more difficult to use for those without expertise.
It's really hard to weed out potential vendors based on the normal request for proposal (RFP) or request for information (RFI) documents. It often only becomes clear which vendors have their act together the first time you get your hands on their products and have to set them up in a real environment.
While there is a veritable smorgasbord of features in every product, customer requirements are often siloed into a handful of threats that have been deemed most critical to their businesses. Again, the effectiveness of the features that are critical to you is not easy to gauge with an RFP or RFI. A majority of organizations view Web threats differently from peer organizations, and they have distinct expectations from their users, with some choosing to address risks to their organization with a slightly contrasting mix of controls. It's this fractured demand -- coupled with the fact that each vendor has specific strengths -- that allows for more than 15 vendors to compete in this security market.
Vendors keep adding features, both to differentiate their products and give them a degree of "stickiness" in providing add-on features as their customers' security needs change. But again, it is critical to remember that each SWG product does a few things -- but not everything -- well. What matters most is finding which product performs best for what your enterprise requires.
About the author:
Adrian Lane is CTO of Phoenix-based analyst firm Securosis. Adrian specializes in database security, data security and software development. He is a former executive at security and software companies such as Ingres, Oracle, Unisys and IPLocks, and is a frequent presenter at industry events. Adrian is a graduate of the University of California at Berkeley with post-graduate work in operating systems at Stanford University. Reach Adrian via email at firstname.lastname@example.org.