Highlights:

  • The secure web gateway is a crucial component of the security stack, and a robust cybersecurity stance requires that all access to internet-based web applications pass through the secure web gateway.
  • All traffic must be routed through a robust security stack. The only way to accomplish this without backhauling is to deploy and deliver Zero Trust security as an edge service.

Backhauling traffic destroys performance and much more. In a traditional security deployment model, however, the only two options are to let some access bypass the security stack or to backhaul all traffic to it, and both present a lose-lose situation. In a world where cyberattacks are rampant and can cause enormous damage, allowing some access to bypass the security stack is not an option. All traffic must be routed through a strong security stack. The only way to accomplish this without backhauling is to deploy and deliver Zero Trust security as an edge service.

The case of employees accessing internet-based web applications is a good example to consider when investigating the traditional deployment model more deeply. Such applications could be web applications used in a work context, SaaS applications that are necessary for work, or other web applications used for personal activities. Securing these traffic flows requires a Secure Web Gateway (SWG).

The SWG enforces acceptable use policies, for example by preventing malware from being downloaded onto an employee’s device or by stopping an employee from accidentally accessing a phishing site. The SWG is a crucial component of the security stack, and a robust cybersecurity stance requires all access to internet-based web applications to pass through it.

However, the traditional SWG deployment model requires backhauling because, in this model, the SWG is deployed as a physical or virtual appliance in one or a few locations. Backhauling can be avoided if the SWG locations are in or near the offices where all employees work, or if employees work in a limited number of office locations. This scenario existed for several enterprises even a few years ago. After the COVID-19 pandemic, however, it’s safe to say that it no longer applies to enterprises today or in the future.

At present, employees frequently work remotely, so their traffic must be backhauled to an SWG over a remote-access Virtual Private Network (VPN), which degrades performance and causes other scaling problems. Even when employees are in a satellite office, the traffic must be backhauled to an SWG over dedicated inter-office telecommunications links (e.g., MPLS), which is expensive.

Backhauling traffic negatively impacts performance

SWG is not the only crucial component of the security stack. A robust cybersecurity posture demands that all traffic, not just those internet-bound flows that go through the SWG, should flow through access control and inspection. This is a fundamental tenet of Zero Trust.

Employees accessing corporate-owned internal applications deployed in the cloud or a corporate data center can be considered a specific case. These traffic flows must also go through a component often referred to as Zero Trust Network Access, which is essentially the security stack. This component is an Identity-Aware Proxy. Its job is to ensure that each application can be accessed and seen only by users who have already been effectively authenticated and authorized to access that particular application.
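A minimal sketch of the per-application decision an Identity-Aware Proxy makes, as described above. This is an added example, not code from the original article or from any product; the application names, group names and the `Session` type are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample policy: application -> groups allowed to reach it.
# Application and group names are hypothetical.
APP_POLICY = {
    "payroll.internal.example": {"finance"},
    "wiki.internal.example": {"finance", "engineering"},
}


@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset
    authenticated: bool  # assumed to be set by the identity provider after login


def visible_apps(session: Optional[Session]) -> list:
    """Applications this session may see; nothing is listed before login."""
    if session is None or not session.authenticated:
        return []
    return sorted(app for app, allowed in APP_POLICY.items()
                  if session.groups & allowed)


def decide(session: Optional[Session], app: str) -> tuple:
    """Return (status, action) for one request; deny by default."""
    if session is None or not session.authenticated:
        # Same answer whether or not the app exists: no discovery before login.
        return (401, "redirect-to-login")
    allowed = APP_POLICY.get(app)
    if allowed is None or not (session.groups & allowed):
        # An unknown app and an unauthorized app look identical to the caller,
        # so the application is not "seen" by users who may not access it.
        return (404, "not-found")
    return (200, "forward-to-origin")
```

Authorization is evaluated per application on every request, so membership in one group never implies reachability of another application.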

All traffic flows must go through the security stack in a Zero Trust security posture. This requirement forces backhauling in the traditional deployment model, which in turn causes all the associated problems. Backhauling is costly and damages performance, but it gets even worse when the traffic in question could be attack traffic.

Dealing with attack traffic is one of the functions of the security stack, but it is impossible to discern which traffic is attack traffic until it reaches the security stack. Backhauling gives attack traffic even more opportunity to interact with network links and devices and opens the door to more damage, possibly taking out critical upstream links and rendering the whole security stack inaccessible.

Instead of backhauling traffic to the security stack, the solution is to deploy the security stack at the edge, because that is where the traffic is. Under this paradigm, a whole Zero Trust security stack is supplied as a service that runs on edge infrastructure. As a result, it is accessible to all users and employees, whether they work in an office, at home, or anywhere else. It’s also close to all apps, whether deployed in a data center, the cloud, or under someone’s desk.

Edge placement of security eliminates the need for backhauling

The security stack sits precisely where it’s needed: at the edge, right where the traffic is, near the users and applications, with no need for backhauling. Furthermore, because the security stack is located near any attackers, whether compromised corporate systems or bots, attack traffic can be blocked near its source before it has a chance to cause harm.

All traffic flows can be secured without backhauling using a Zero Trust security stack as an edge service.