RSA Exclusive: Try new products, meet our executive team, and see VIP guests you won't find anywhere else.

July 22, 2020

5 Ways to Ensure Success When Migrating to a Cloud-Based Secure Web Gateway

Wassim Tawbi

Many organizations currently rely on on-premises secure web gateway (SWG) appliances to filter web traffic and enforce policies that block malicious code and inappropriate content. However, the flexibility that cloud-based SWG solutions offer organizations continues to drive interest. In a recent report, Gartner examined how organizations can make this migration successfully. 

Cloud-based secure web gateway (SWG) options offer better performance for remote workers while providing more consistent protection for enterprises. These solutions also provide turnkey scalability and often have more advanced capabilities than on-premises appliances. Turning to a cloud-based SWG simplifies the management of security across multiple locations, reducing operational overhead. And, it can provide significant overall cost savings.

But it’s also true that migrating to a cloud-based SWG can be disruptive, and they may require investments in developing new policies, redirecting traffic, and adjusting operational procedures.

Here are five tips to help you achieve success when migrating to a cloud-based SWG:

No. 1: Validate your authentication strategy before beginning the migration.

Having an identity and access management (IAM) solution that works seamlessly is essential when migrating to a cloud SWG. Your identity repository must be up-to-date and must integrate with your cloud SWG for consistent policy enforcement. Most vendors provide multiple ways to authenticate users. This is done by integrating with an on-premises identity store, leveraging federated identity services, or replicating the contents of an on-premises directory into the cloud. Make sure user groups and extended user attributes can be extended to the SWG for granular blocking and control.

No. 2: Ensure you have adequate bandwidth and an effective way of connecting internal users to your cloud SWG deployment.

There are several different options for connecting internal clients to a cloud SWG. They offer different benefits and add varying levels of complexity to the deployment. If you already have an on-premises SWG appliance, you may be able to use the same method to route on-premises traffic through the cloud SWG.

However, it’s more likely you’ll need a variety of strategies for forwarding remote traffic to the cloud-based proxy. One method is to install agents on all employee devices. Another is to use a cloud-hosted proxy auto-config (PAC) file to direct traffic to the appropriate proxy server. It’s also possible to forward the traffic to the cloud SWG using web cache communication protocol (WCCP) redirection or by altering routing protocols within the network architecture at remote sites.

No. 3: Test policies to ensure the new solution categorizes sites correctly and meets your regulatory compliance and privacy requirements.

If you’re switching vendors, you’ll probably need to start with a new policy set when migrating to the new cloud solution. This is because not all vendors categorize sites similarly. Start by blocking the categories that match the organization’s current security policies. Then, make sure legal requirements and regulatory standards are being met. For example, it may be a violation of local laws to decrypt traffic originating from healthcare or financial industry sites.

No. 4: Take advantage of the cloud solution’s enhanced capabilities to increase your visibility into what’s taking place in your environment.

Many cloud SWG platforms have more extensive capabilities than on-premises appliances. In part, this is because they can leverage the near-limitless processing power available in the cloud to perform resource-intensive activities, such as transport layer security (TLS) decryption, with little to no impact on performance. If you’re planning to decrypt TLS traffic, make sure to install your TLS certificate in the cloud gateway.

Many cloud SWG solutions include limited data loss prevention (DLP) and Cloud access security broker (CASB) functionalities; some integrate with fully-featured DLP and CASB solutions to provide additional control and visibility. Since not all solutions are created equal, the level of integration is worth considering. Finding a cloud-based SWG solution that can take advantage of the data classification model you already have in place saves time while maximizing DLP and CASB investments made by your organization.

No. 5: Plan a gradual rollout strategy to help you identify misconfigured policies and incorrectly proxied traffic.

As mentioned previously, the migration process can be complex, and that means some level of disruption is likely. To minimize impact on operations, start by implementing your base policy and deploy the solution to a small subset of users. This will allow you to identify potential issues and to make necessary adjustments. A fallback plan, like temporarily reverting to a legacy firewall appliance, in a situation where an application failure occurs, for example, also makes sense.

To learn more, read the Gartner report: How to Avoid Failures When Migrating to a Cloud-Based Secure Web Gateway by clicking the link, or by clicking the Read the Report button on the right.

Wassim Tawbi

Wassim Tawbi is the VP of Product Management at Forcepoint. Wassim is responsible for Forcepoint cloud network security product offering. Wassim brings an extensive experience in the networking and security industry.


Before joining Forcepoint, Wassim led the Network Security...

Read more articles by Wassim Tawbi

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.