The web has had a profound impact on business opportunities around the globe, and a critical part of managing internet connectivity is acknowledging and addressing web-related risks. Looking beyond traditional network security controls, secure web gateways play an increasingly important role in minimizing security risks associated with website vulnerabilities, user behaviors and endpoint weaknesses.
The security controls provided by secure web gateways (SWGs) are diverse. They help enforce policies and provide in-depth visibility into web usage and threat activity. They also protect users from themselves and ensure the security of traditional endpoints, including desktops, laptops and mobile devices.
When managing IT and information security, it's one thing to rely on policies, user awareness and training, but quite another to set up users, IT staff and the business for success. This article profiles two leaders in the secure web gateway market and their products, Symantec Web Security Service and Zscaler Internet Access, and discusses modern web-related risks and the role secure web gateways play in keeping the network in check, including various aspects of the business that must be considered when integrating SWG technology as part of an overall security governance program.
Symantec and Zscaler offer cloud-based secure web gateways that minimize the need for multiple traditional network security controls. The Symantec and Zscaler SWGs have the following similar features and benefits:
- A single cloud-based console for the enforcement of security policies, regardless of where and how users connect to the internet. This centralized control allows changes to be pushed enterprise-wide, in real time and, in the case of Symantec, to ensure consistency across its on-premises and cloud-based controls.
- In-depth threat intelligence and analytics.
- SSL/Transport Layer Security traffic inspection to detect and block threats in encrypted traffic streams.
- Cloud sandboxing to help prevent malicious content from ever reaching end users.
- Real-time risk mitigation for both traditional threats and shadow IT.
- Mobile device support to protect web usage on both iOS and Android devices.
- WAN connectivity reduction or elimination by making the internet the default gateway and central point of access for everything, including security oversight.
- Office 365 integration for authentication, access control and oversight.
- Security information and event management integration to assist with the incident response oversight, which can enhance visibility and help reduce network event response times.
- Data residency controls for storing logs in designated regions to help with retention and compliance requirements.
The Symantec and Zscaler products both target medium to large businesses but can work with smaller network environments -- budget and in-house resources permitting. The features and considerations of both products should be included in a secure web gateway evaluation.
Symantec Web Security Service
Symantec Web Security Service (WSS) is part of the Symantec Secure Web Gateway family that includes the ProxySG appliance. Derived from its Blue Coat Systems acquisition and its Cloud Web Security Service, Symantec has the largest secure web gateway market share, according to Gartner. WSS uses SD-WAN technology -- SD-Cloud Connector -- to provide connectivity from enterprise headquarters and remote office locations to the WSS cloud.
Touted by Symantec as the largest civilian operation of its kind, the company's Global Intelligence Network combines insight from more than 3,000 researchers and engineers combined with 175 million users across 15,000 enterprises. This intelligence is sourced from more than 1 billion web requests and 2 billion emails scanned within the Symantec cloud each day.
Features include multiple layers of threat inspection, including advanced machine learning and two antimalware engines. Existing Symantec Endpoint Protection users can achieve WSS connectivity with a local configuration change with no additional agents required.
Symantec Web Security Service integrates with Symantec Data Loss Prevention and the company's cloud access security broker (CASB), CloudSOC -- both of which are industry-leading products in their respective categories.
Web browser isolation sends images of questionable pages to the user's endpoint system rather than sending raw web content to prevent local system abuse.
Both web and email security can be integrated into a single-vendor product.
Symantec recently announced a partnership with Fortinet to integrate its next-generation firewall with the WSS platform.
When it comes to pricing, reporting and management consoles are additional costs. The list price for a base user subscription for a Symantec Web Security Service license starts at $66.50 per user, per year and decreases with volume. Add-on features are available for an additional cost.
Zscaler Internet Access
Zscaler Internet Access was one of the original cloud-based secure web gateway products. This SaaS-only philosophy resonates well with many organizations looking to simplify their network infrastructure and security architecture.
Web access control ensures outdated versions of browsers and plug-ins are kept current and compliant. The add-on Zscaler Data Loss Prevention product allows for inline scanning for confidential information leaving the network.
Features include more than 60 third-party threat feeds that come from open source, commercial and private resources.
Threats detected anywhere inside the Zscaler cloud are immediately blocked for all customers.
Zscaler Private Access -- an optional service for Zscaler Internet Access -- eliminates the need for VPNs and can provide user-based access to cloud-based applications.
McAfee Skyhigh Networks and Microsoft Cloud App Security can be integrated for CASB support.
Cloud-based firewall, data loss prevention, bandwidth control, web access control and CASB services are add-ons that are only available on higher-tiered packages.
Zscaler does not provide pricing information.
Ask secure web gateway vendors the tough questions
Many security decisions come down to price, and while that's certainly good for the bottom line, it doesn't necessarily represent the ideal system for the business. Talk is cheap in marketing circles. Regardless of which secure web gateway vendor an organization chooses, it's important to ask prospective vendors the tough questions, such as the following:
- Do you fully understand what our organization needs?
- How can you help our organization protect its network?
- Why is your product the best fit for our organization?
- How will your product save our business time, money and effort?
- Can you provide reference accounts in our industry? (Be sure to call those references to hear the real story.)
The majority of organizations -- both large and small -- share the same security challenges when it comes to web usage. Click-happy users browsing areas of the internet they shouldn't, misunderstood or unenforced security policies, and of course, the continued growth of mobile computing all add up to tangible vulnerabilities and subsequent business risks the organization must address.
Symantec and Zscaler are certainly leaders in the secure web gateway market, but other options are also available. It's critical for the organization to fully understand its business needs and requirements, and then use a measured approach to evaluate the best-fit secure web gateway product. This will help ensure the company's time, effort and money are being spent wisely. The result will be that user-centric web security threats, vulnerabilities and risks are acknowledged, and stakeholders can demonstrate to management that forward progress is being made.