Next Gen SWG Use Case #6 – Protecting Users going Direct-to-Internet


This is a series of articles focused on Next Gen SWG use cases. This is the final in a series of six use cases.

In my recent blog about advanced data protection, I covered how data protection requirements have evolved and how the SWG (secure web gateway) needs to also evolve to be effective in protecting data everywhere it goes. The final use case is centered around protecting users that are going direct-to-internet. This is arguably the most important use case I am covering in this blog series. We are at an inflection point where digital transformation, the explosion of cloud apps, and the dramatic rise in mobile workers are rendering the traditional “traffic backhauling” approach ineffective at providing fast and secure access to internet resources.  

It is still common today to backhaul traffic from remote workers and branch offices over expensive MPLS circuits through security appliances located in the data center and then to a cloud or web destination. The obvious intent is to enable branch offices and remote workers to take advantage of the stack of security appliances that are physically located in the data center. There are four core challenges with this legacy approach. 

First, it is very expensive, as you are relying on high-cost MPLS circuits. Second, the user experience suffers because the hub-and-spoke architecture is adding additional latency, impacting user response time and there is typically a VPN connection that needs to be performed for remote workers. Third, the load at the data center is increased. Furthermore, in today’s remote worker dominated world, this is obviously top of mind as users need to be protected as they access the cloud and web while working out of their home office. The recent rise of remote workers is putting a strain on legacy remote access architectures and COVID-19 is amplifying the limitations of old school hub-and-spoke architectures. Last, but certainly not least the security stack sitting in the data center, whether it is a NGFW or SWG, is most likely not built to adequately protect against today’s cloud-enabled threats.

A more modern approach is to deploy a Next Gen SWG, like Netskope’s offering, that is cloud-native and can more effectively cover today’s cloud-enabled and advanced web threats. Deployment is elegant with options ranging from IPSEC/GRE tunnel configuration in the branches to integrating with an existing SD-WAN solution that is providing local internet breakouts. For remote workers, a lightweight steering client can optionally be deployed on managed devices and all the cloud and web traffic for that device is steered to the Netskope Security Cloud for visibility, control, and protection wherever the user goes. Dynamic steering also detects whether that user is in a remote location or in a branch office and will dynamically choose the steering method. The last key point is that the Netskope Security Cloud also runs on Netskope NewEdge, which is one of the world’s largest, fastest, and most reliable security networks. NewEdge overcomes the performance challenges that exist with the public internet to provide fast and secure access to the cloud and web for users connecting direct-to-internet from anywhere.

You can learn more about this Next Gen SWG use case and watch a demo here. Don’t forget to also consider the other use cases and associated requirements covered in this blog series.