The alphabet soup of SASE: SWG vs CASB, FWaaS, more

SASE solutions offer cloud-delivered security services.

---

SWG. CASB. FWaaS. Get your decoder ring ready, because the cyber security landscape is bursting with acronyms. These acronyms may seem like alphabet soup at first glance, but they are instrumental in strengthening an organisation's defences against security threats – and each is designed to address specific challenges and vulnerabilities in today's interconnected digital environment.

When making network security decisions such as choosing between SWG versus CASB to protect users, enterprises should aim to find a solution tailor-made to fit their unique network architecture. And while the elusive decoder ring might not exist, here’s some background on what these acronyms mean and how they can help those working to build a bespoke security stack.

Before diving into the individual pieces of today’s cyber security landscape, it’s important to note that security technologies are evolving to integrate with enterprise network security solutions, creating (you guessed it) another key acronym: SASE. Secure access service edge is a potent combination of software-defined wide area network (SD-WAN) capabilities and cloud-native security technologies such as firewall as a service (FWaaS), secure web gateway (SWG), cloud access security broker (CASB), zero trust network access (ZTNA) and more.

Based on enterprise compliance policies, SASE solutions offer cloud-delivered security services to protect users, applications, branch offices and IOT devices. Adding this layer of security to an SD-WAN solution facilitates more secure communications and helps optimise the flow of data by enabling traffic prioritisation. 

SWG and CASB are two security technologies that provide data and threat protection as cloud-based proxies, but still have a few key differences worth mentioning.

What is a secure web gateway?

A secure web gateway functions as a protective barrier positioned between the end-user and the internet. Whenever a web request is initiated, the SWG scrutinises it to ensure it aligns with the established policies within an organisation. If the request raises any red flags or appears linked to suspicious or malicious websites and applications, the gateway promptly intervenes by returning a warning or outright blocking user access.

This means any time a user types a link into their browser, clicks on a link from an e-mail or website, or uploads photos and files to the internet, the SWG will serve as a traffic checkpoint to provide secure internet access, protecting the user and their data. This proactive approach significantly diminishes the potential risks of visiting a malicious site leading to data breaches and leaks. This can materialise because of malware or other web-based threats.

What is a cloud access security broker?

A cloud access security broker is a software or hardware solution that acts as an intermediary between end-users and a cloud service provider. This enables comprehensive security policies across the entire network infrastructure for both on-premises and cloud-based data, bridging potential gaps between the organisation and its data residing in the cloud.

A CASB safeguards cloud applications by giving organisations the ability to identify and prevent unauthorised access. As more enterprises use cloud services such as Microsoft 365 to store their data, using a CASB is becoming more important than ever.

By bringing CASB and SWG capabilities together in a single solution, enterprises can effectively safeguard users, their devices and cloud-based applications. However, SWG and CASB are not the sole security technologies available within the SASE package.

Uncover valuable insights for protecting your business from cyber threats through our security webpage and e-book.

What are some other key SASE security features?

The security side of SASE, also known as security service edge (SSE), includes various technologies that assist in creating a secure network. These include:

Remote browser isolation

Remote browser isolation is a security measure that separates users' devices from the act of internet browsing by hosting and running all browsing activity in a remote, isolated cloud-based container. In other words, when a site isn’t explicitly approved or denied – perhaps because it’s a new or unknown site or a zero-day attack not yet classified – the request is sent to be executed in a safe sandbox environment where any active scripts containing malware, malicious code or macros can be stripped out before the safe rendering is sent to the user. 

RBI provides critical protection for attacks such as zero-day threats, which SWG may not block because they are still unclassified.

Web application isolation

Web application isolation protects against web-based threats or unmanaged users that could target web-based applications.

The technology behind WAI is essentially the same as what’s used for RBI, only in reverse. Instead of protecting users from malicious websites, it prevents hackers from being able to attack and breach corporate web or cloud applications.

Data loss prevention 

Data loss prevention detects and prevents the loss, leakage or misuse of private, sensitive data through breaches, ex-filtration transmissions and unauthorised use. 

If an employee or third party forwards an e-mail against company policy, or uploads proprietary data to a file-sharing application such as Google Docs or even to generative AI websites, the upload would be blocked. DLP can also block users from using USB thumb drives for unauthorised copying.

Firewall as a service

Firewall as a service takes a different approach than most other types of firewalls by moving security functionality to the cloud. Instead of relying on physical firewall appliances or on-premises software, FWaaS leverages cloud infrastructure to deliver firewall capabilities as a service. 

This means organisations can protect devices anywhere in the world using cloud firewall capabilities instead of requiring local firewalls in all locations. They can then manage and configure their firewall policies using a centralised cloud-based management tool, eliminating the need for physical hardware maintenance and reducing the complexity of managing distributed firewall deployments.

Using security technologies from multiple vendors can pose significant challenges because it often leads to complex, fragmented and potentially incompatible systems. A more effective approach is a SASE solution from a single vendor, where one management platform is used for all security technologies. This reduces complexity by providing features and functionalities in one platform for single-pane-of-glass visibility and simplified network management.

With companies incorporating ubiquitous 4G LTE and 5G cellular service into WAN architecture, 5G SASE, or 5G-optimised SASE, is the next logical step and marks the combination of SD-WAN systems and cloud-based security platforms with highly flexible 5G cellular connectivity. The resulting solution provides streamlined protection for organisations across sites, vehicles and IOT from a single vendor.