The Bitglass SASE Triangle: SWG for Securing Web Traffic


In today’s modern workforce, the enterprise attack surface is larger than ever before; with cloud apps, personal devices, on-premises resources, web destinations, and more. As a result, organizations are in need of a context-aware solution that can enforce policies wherever data goes. Fortunately, Bitglass’ secure access service edge (SASE) offering provides organizations with just that. Now that we’ve covered security for managed SaaS and IaaS in the first part of this series, we’ll move on to the next vital piece of the SASE triangle: our SmartEdge Secure Web Gateway (SWG), which secures the web and shadow IT. 

How Do SWGs Work?

Originally, SWG architectures were made to secure web traffic initiated on-premises through a hardware appliance that decrypted and inspected traffic. These SWGs require the use of VPN (virtual private network) for remote users so their traffic can be filtered through the SWG appliance on premises. However, these appliances are costly to purchase and manage, and VPN harms the user experience, decreasing organizational efficiency. Additionally, scaling with these appliances is largely a reactive approach whereby organizations are forced to rack and stack more or better boxes to add capacity. 

Another approach is to deploy a cloud proxy SWG to bring down the heavy costs of appliances. However, latency continues to be a factor with this approach because it requires a network hop to a cloud proxy each time a user is accessing the web. Additionally, it invades user privacy because all user traffic is inspected at the proxy, including login credentials. 

This leaves one last option, the on-device secure web gateway, available only in the form of Bitglass’ SmartEdge SWG. With this approach, traffic is decrypted and inspected directly on users’ devices and only security events are logged and uploaded to the cloud–preserving user privacy. Furthermore, latency is no longer a factor because there is no network hop to an appliance or cloud proxy. This approach allows employees to access the internet and use unmanaged apps while still enabling his employer to have full data and threat protection. 

A few common use cases customers address with Bitglass can be found below. 

Content Filtering

Users often waste time on websites that are unrelated to their responsibilities during work hours. Fortunately, with Bitglass, administrators can block unproductive websites to ensure that users are working on business-related tasks. For example, during office hours, Amy, a sales representative, streams YouTube videos to catch up on news and her favorite TV shows. Preset policies, like the ones in the screenshot below, automatically filter relevant URLs and shadow IT, allowing or blocking them for specific user groups, device types, and geographical locations.

Content can be contextually controlled based on category (e.g. malware sites, gambling, streaming, and more), from a simple drop-down menu like the one shown below.

Defending Against Threats

Defending against malware on the web is highly important given the large number of breaches caused by threats. Let’s say that Brian, a marketer, visits a certain website that doesn’t present any security risks during one of his breaks. However, while scrolling, Brian finds an ad that captures his interest and clicks on it. At that point, there is an attempt to direct him to a new website that will infect his device with malware. Fortunately, Bitglass’ SmartEdge SWG provides full strength threat protection to prevent access to these kinds of websites, as well as those used in phishing schemes. Below, you will find an example of the needed configuration in the Bitglass dashboard.


Preventing Leakage on the Web

The web can easily serve as an avenue for data leakage. For example, employees accessing websites such as can upload sensitive files and share them via their personal email accounts. With the SmartEdge SWG in place, sensitive data patterns, such as credit card numbers, Social Security numbers, or other forms of personally identifiable information can be detected and protected automatically–uploads to inappropriate web destinations can be blocked in real time. 

Secure web gateways are indispensable tools for web security and are now integral parts of SASE platforms. In the next blog, we will discuss zero trust network access (ZTNA), the third component of SASE, and how you can secure access to on-premises resources.

Want to learn more while you wait for the final part of this blog series? Download Top SASE Use Cases below. 

Download Now

*** This is a Security Bloggers Network syndicated blog from Bitglass Blog authored by Will Houcheime. Read the original post at:

Cloud Workload Resilience PulseMeter

Step 1 of 8

How do you define cloud resiliency for cloud workloads? (Select 3)(Required)