Brought to you by:
Enterprise Strategy Group  |  Getting to the Bigger Truth™


Modernize Your Secure Web Gateway with SASE

By John Grady, ESG Senior Analyst

Executive Summary

Today’s enterprise must ensure that users are consistently protected and have secure access to the resources they require to do their jobs, regardless of where they work. Traditional security models reliant on siloed on-premises appliances create operational inefficiencies, poor user experiences, and inconsistent security. Secure web gateway (SWG) is a good example of this. It is an important component of any organization’s security strategy, but one that in and of itself cannot meet modern demands.
Secure access service edge (SASE) architectures seek to provide consistent, distributed enforcement and unified management of previously siloed security capabilities but require a significant rearchitecting of the network and security infrastructure. Many organizations are prioritizing the security side of SASE, and focusing on converging secure web gateway, zero trust network access, and cloud access security broker tools as a first step. As part of Palo Alto Networks’ Prisma Access Platform, Cloud SWG protects all application traffic, including web app traffic, and now enables organizations using legacy, proxy-based solutions to easily migrate towards a modern, converged, cloud-delivered SASE architecture.

The Growing Network Security Gap

Today’s enterprise is in a state of digital transformation, with many organizations squeezing years of change into a matter of months. Cloud migration initiatives have accelerated in order to increase enterprise resiliency and improve organizational agility. Specifically, ESG research has found that 95% of organizations now use software-as-a-service (SaaS) or infrastructure-as-a-service (IaaS) applications.1
At the same time, while workers have begun to return to the office, many are doing so via a hybrid model that ESG research respondents expect to continue for at least the next 24 months (see Figure 1).2 To support these changes, many businesses have prioritized network infrastructure updates, including the adoption of SD-WAN technologies. However, updating security strategies to better address these changing dynamics remains a work in progress for many organizations.
Figure 1. Percentage of Employees Working Remotely, Hybrid, or in Offices

To the best of your knowledge, what is the current breakdown of how your employees work and what do you expect that percentage to be in 24 months, under the assumption that all COVID related work-from-home government mandates are lifted? (Mean, N=613)

Source: Enterprise Strategy Group

Legacy Web Security and Secure Access Approaches Do Not Address Current Dynamics and Create Additional Challenges

Traditional network security approaches have been predicated on a well-defined, static perimeter, with traffic backhauled from branch offices and remote users to a centralized on-premises security stack for inspection. As enterprise resources and users began to slowly migrate out of physical corporate locations, many organizations began to layer on cloud-delivered solutions to support certain use cases and protect specific threat vectors. However, the inefficiency of this model has become clear, and the incremental impact of siloed point tools has created a number of problems for the enterprise (see Figure 2).3 Specifically:
• Operational inefficiency. The cybersecurity skills and staffing gap is well known. The result is that security and network teams are increasingly overworked and stretched thin. Yet they are asked to continuously deploy and manage a myriad of point tools via separate consoles, often with some level of duplicative policy. This is not only inefficient but can result in human error and increase risk to the organization.
• Poor user experience. The hub and spoke model reliant on backhauling traffic to a central location where traffic is sequentially scanned across multiple security tools can introduce latency and impact application performance for users. Additionally, traditional VPN models requiring employees to connect to specific gateways to access specific resources are burdensome to users and can result in them disabling or circumventing security tools when possible.
• Inconsistent security. Whether they are IaaS-based and introduced by internal developers, or unknown SaaS applications accessed by users, the speed with which new applications appear in the environment is staggering. There is often no single point of truth providing clear visibility into what’s running on the network to help administrators accurately identify applications, correctly apply policy, and prioritize alerts as they arise.
Figure 2. Biggest Challenges with Network Security Tools

What are the biggest challenges your organization faces relative to access control and management network security tools? (Percent of respondents, N=265, three responses accepted)

Source: Enterprise Strategy Group

The secure web gateway (SWG), or web proxy, is a perfect example of these trends. Organizations initially adopted appliance-based web proxies to protect users accessing internet-based resources. Yet while cloud-based SWGs have risen in prominence to reduce the need to backhaul traffic in some instances, most organizations continue to support on-premises SWGs as well. In fact, while 96% of ESG research respondents report using appliance-based secure web gateways or web proxy solutions, 93% say their organization uses a cloud-based secure web gateway.4 This level of overlap illustrates the piecemeal approach many organizations have taken with shifting security controls to the cloud.
The changing composition of enterprise traffic adds an additional consideration with regards to SWG. Rather than generally using the web, users now spend much of their time accessing cloud-based applications. While web proxies can provide coarse-grained control for HTTP applications, the lack of full port and protocol visibility means they are blind to non-web applications. Cloud access security brokers (CASB) and zero trust network access (ZTNA) tools have arisen as a result, in order to facilitate secure access to public SaaS and private data center or IaaS applications. Yet the overlap between these tools often leads to duplicative policy and configuration management, resulting in the challenges discussed earlier. As a result, many organizations are open to a new approach to secure web gateway, with only 8% of ESG research respondents indicating they are very satisfied with their current solution and not planning to change any time soon.5

SASE as an Avenue Towards Secure Web Gateway Modernization

The idea of secure access service edge (SASE) has garnered significant interest as a way to address many of the challenges discussed earlier. SASE converges previously siloed network tools and security controls into a comprehensive, cloud-delivered architecture providing consistent, distributed enforcement for users at the edge, with unified management for administrators. While this represents a needed evolution, and one that is relevant for organizations of all types and sizes, the reality is that the breadth of a SASE initiative necessitates a phased approach. ESG research has found that most organizations agree on this point, with nearly half of respondents (48%) saying their organization will prioritize the security aspects of SASE first (see Figure 3).6
Figure 3. Initial Approaches to SASE

Which of the following statements best describes, or do you think will describe, your organization’s initial approach to SASE? (Percent of respondents, N=589)

Source: Enterprise Strategy Group

Converging Secure Access to the Web, Public Apps, and Private Apps Is a Logical Starting Point for SASE

Security architectures built out over many years are difficult to comprehensively update overnight. So, while identifying security as the priority is a good start, the focus must be narrowed further, as even within the security side of SASE there are many options to consider.
Increasing the consistency with which users are protected regardless of where they are or what they are accessing should be a priority for nearly every organization. Given this, it should come as no surprise that 69% of ESG research respondents indicated secure web gateway (SWG) will be the starting point or a secondary consideration for their SASE implementation.7
To users, the process of accessing a website, a SaaS application, or a private application is often the same: open a browser and call up the resource. This experience should remain consistent without the user having to consider what they are accessing or where they are accessing it from. Having to connect to specific VPN gateways for access to certain resources is cumbersome for employees, difficult to support on unmanaged devices, and can reduce security effectiveness when users decide to bypass the VPN. As a result, converging secure web gateway, CASB, and ZTNA will make sense for many organizations. Further, ESG research has found that these tools were most often cited as most critical to procure from a single vendor in support of SASE (see Figure 4).8
Figure 4. Top 10 SASE Tools to Procure from a Single Vendor

What are the most critical SASE supporting tools that your organization would want to procure from a single vendor? (Percent of respondents, N=582, five responses accepted)

Source: Enterprise Strategy Group

Key Considerations for Selecting a Modern SWG as Part of a SASE Architecture
When considering vendors to work with for a SASE initiative initially focused on SWG, CASB, and ZTNA, organizations should consider these key questions:
• What does the migration path look like for switching users from the existing SWG to the new solution? Requirements for additional agents or policy-based routing changes create additional overhead and can slow the transition. The potential complexity of switching is what has kept some organizations using legacy SWGs for as long as they have. Leveraging existing agents or already deployed proxy auto-configuration (PAC) files can make the transition much easier and faster.
• Does the vendor have additional SASE capabilities to support different use cases over time? A SASE initiative will often focus initially on a particular use case, such as protecting remote employees. However, most organizations will look to expand SASE over time. With regards to the initial consolidation of SWG, CASB, and ZTNA, organizations should confirm that vendors under consideration can support a wide range of access scenarios across managed, unmanaged, and mobile devices being used by both employees and third parties. More broadly, vendors that can support a SASE architecture inclusive of protecting IoT devices or incorporating networking and SD-WAN functionality will provide long-term flexibility to extend the initiative over time.
• Is policy management and visibility across the different SASE capabilities unified? Simply having a broad portfolio of SASE capabilities is not enough. Unified management is a key component of the architecture to eliminate the operational inefficiencies discussed earlier. GUI-based management that streamlines policy creation across overlapping SASE components and reduces human error is critical. Further, centralized visibility across all users and locations within a single pane-of-glass dashboard can help security teams more efficiently identify issues and prioritize response actions.
• What is the vendor’s network footprint and connectivity infrastructure? SASE solutions must be scalable and highly reliable. This requires a global, resilient network. A globally distributed network with points of presence in all major geographies and significant peering relationships are critical to ensure strong performance and a positive user experience. Some providers partner with cloud service providers to leverage their private backbones for private connectivity to ensure traffic does not flow over the public internet, reducing the chance that web congestion will impact performance.

Palo Alto Networks Provides a Flexible Secure Web Gateway Approach Through Prisma Access

Palo Alto Networks is well known for its next-generation firewall products, but for years companies have used the layer 7 visibility and control Palo Alto offers on these tools for web security when proxy architectures were not needed or desired. With hybrid cloud strategies and flexible work-from-anywhere models becoming the norm, organizations are increasingly turning to cloud-delivered solutions to secure all their applications across all ports, protocols, and users. While Prisma Access has helped organizations secure their application traffic, including web app traffic, since its launch, the migration from legacy proxy-based SWG tools previously required major network architecture changes. To help organizations transition more seamlessly, Palo Alto has added an explicit proxy option to Prisma Access Cloud SWG, which enables customers to easily migrate from legacy proxy-based solutions to a complete cloud-delivered security platform without the need for network architecture changes.
Palo Alto Networks’ Prisma Access delivers Cloud SWG (see Figure 5). It provides flexible connectivity options for different user scenarios. Managed mobile devices can continue to connect to Prisma Access through the GlobalProtect agent, as can unmanaged devices through Palo Alto’s clientless VPN option. Similarly, branch offices can connect to Prisma Access via IPSec VPN. Finally, through the explicit proxy deployment, customers can more easily migrate from legacy web proxy tools without the need for network architecture changes. Existing proxy auto-configuration (PAC) files can be updated to point web traffic to the Prisma Access explicit cloud proxy, enabling organizations to quickly start down the path to a modern SASE architecture.
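The PAC-file migration step described here and in the key considerations above, as an added example that is not part of the paper or of any vendor's own configuration: the file steers all web traffic to a cloud explicit proxy and leaves only intranet destinations direct. The proxy address and internal DNS suffix are placeholders, and `inNet` is a stand-in for the PAC runtime's `isInNet()` so the logic can also be exercised outside a browser.

```javascript
// Added example PAC logic (not from the paper or the vendor): send all web traffic
// to a cloud explicit proxy; only internal destinations stay DIRECT.
// Kept to ES5 syntax because many PAC engines do not support newer JavaScript.
var CLOUD_PROXY = "PROXY swg-proxy.example.invalid:8080"; // placeholder, not a real address
var INTERNAL_SUFFIXES = [".corp.example.invalid"];        // placeholder internal DNS suffix

// Dotted-quad IPv4 string to an unsigned 32-bit number.
function ipToInt(ip) {
  var parts = ip.split(".");
  var n = 0;
  for (var i = 0; i < 4; i++) {
    n = (n * 256) + parseInt(parts[i], 10);
  }
  return n;
}

// Stand-in for the PAC runtime's isInNet(): true if `ip` lies inside net/mask.
function inNet(ip, net, mask) {
  var m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

// True for literal IPv4 hosts in RFC 1918 or loopback space.
function isInternalIPv4(host) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    return false;
  }
  return inNet(host, "10.0.0.0", "255.0.0.0") ||
         inNet(host, "172.16.0.0", "255.240.0.0") ||
         inNet(host, "192.168.0.0", "255.255.0.0") ||
         inNet(host, "127.0.0.0", "255.0.0.0");
}

function endsWith(s, suffix) {
  return s.length >= suffix.length && s.slice(s.length - suffix.length) === suffix;
}

// Entry point every PAC engine calls for each request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Dotless intranet names and loopback are left DIRECT.
  if (host === "localhost" || host.indexOf(".") === -1) {
    return "DIRECT";
  }
  if (isInternalIPv4(host)) {
    return "DIRECT";
  }
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    if (endsWith(host, INTERNAL_SUFFIXES[i])) {
      return "DIRECT";
    }
  }
  // Everything else, HTTP and HTTPS alike, goes to the cloud SWG for inspection.
  // No "; DIRECT" fallback on purpose: that would fail open and bypass
  // inspection whenever the proxy is unreachable.
  return CLOUD_PROXY;
}
```

Because the file is fetched and evaluated by every client, the bypass list should stay as short as the intranet genuinely requires; each suffix added is traffic the SWG never sees.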
Figure 5. Prisma Access Secure Web Gateway

Source: Palo Alto Networks

Cloud SWG’s inclusion in the Prisma Access platform provides users with several advantages, of which the most critical are:
1. A clear roadmap to a modern, comprehensive SASE. Prisma Access is a fully integrated cloud-native security platform, meaning that Cloud SWG works seamlessly with Palo Alto’s firewall-as-a-service (FWaaS), CASB, and ZTNA capabilities to help customers begin their SASE journey. Autonomous digital experience management (ADEM) is available to help organizations ensure a consistent user experience across branch and remote locations and troubleshoot more efficiently when issues do arise. Native integrations with Prisma SD-WAN support a fully converged network and security architecture. Further, Prisma Access offers unified management in one of two ways: via a unified Prisma Access cloud console to streamline configuration management and onboarding, or through Panorama network security management to make it easier for existing next-generation firewall customers to deploy and manage Prisma Access.
2. Strong, multi-layer security. Prisma Access provides complete visibility across all ports and protocols. Whereas web proxies see only web traffic, the inclusion of CASB and ZTNA provides granular application visibility while FWaaS protects users from non-web-based threats. Layered threat prevention includes intrusion prevention, URL filtering, and DNS security. Further, Palo Alto couples its WildFire malware analysis engine with ML-based signatureless threat prevention to ensure zero-day and other advanced threats are blocked in real time. This threat intelligence is then immediately distributed to all Palo Alto customers, with Palo Alto stating it delivers over 4.3 million unique security updates per day. Finally, integrations with Enterprise DLP provide consistent visibility into the content users are accessing and sharing, allowing organizations to regain control over sensitive data.
3. Cloud service provider-level performance. Prisma Access runs on the Google Cloud Platform (GCP) and uses that private backbone for private connectivity between Prisma Access locations. The platform is built on more than 100 PoPs in 77 countries. As a result, Palo Alto Networks offers five-nines availability (99.999%) and an under-10 ms processing latency guarantee, as well as a SaaS application latency SLA. The platform uses a multi-tenant management plane coupled with a single-tenant data plane and a single-pass scanning architecture to ensure performance and security.
4. Consolidation for more efficient, consistent security. Through a consolidated approach with Prisma Access, organizations can benefit from more consistent security, better operational efficiency, and better user experiences. Consistent protection against both web and non-web threats, along with a single-pane-of-glass management dashboard, helps reduce the risk of security incidents. IT staff efficiency is improved through quicker time to detection and response, as well as reduced costs associated with learning, managing, and maintaining multiple point products. Finally, a distributed, single-pass scanning engine that puts protection closer to users and resources provides a positive user experience by eliminating the need to backhaul traffic to the data center for inspection by an assortment of multi-vendor tools.

The Bigger Truth

The adage that points out the futility in doing the same thing again and again and expecting different results is especially relevant to cybersecurity. Security strategies may have evolved somewhat over the years, but the foundation has remained essentially unchanged. Yet even before the massive shifts that most organizations are now navigating with regards to applications and users, these strategies were coming up short in protecting the organization, enabling the business, and empowering users. So, with digital acceleration increasing, why should we expect these security strategies to work today? In short, we shouldn’t.
SASE is a critical initiative all organizations should be planning for in order to shift from a perimeter-based security mindset to a cloud-delivered, distributed enforcement model to ensure more consistent security, improved operational efficiency, and better user experiences. The logical starting point for this project will often be converging secure access to the web, public applications, and private applications, which requires a modern approach to secure web gateways incorporating CASB and ZTNA capabilities. Prisma Access not only satisfies this initial use case by helping organizations migrate away from legacy web proxies, but also provides the foundation for a full SASE implementation inclusive of FWaaS, CASB, ZTNA, ADEM, and SD-WAN.
This ESG White Paper was commissioned by Palo Alto Networks and is distributed under license from ESG.

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.

Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides market intelligence and actionable insight to the global IT community.