RSAC 2019: A Security Gateway War is Brewing

When it comes to predicting the future of cloud security for unmanaged devices, Nico Popp made it simple: You don’t need a crystal ball to know that the answer will come down to picking the right gateway.

Popp, Symantec’s senior vice-president of Information Protection, spoke as part of the Cloud Security Alliance Summit, a one-day event held inside the RSA Conference taking place this week in San Francisco.

Offering an expansive overview of the current state of the union around cloud security, Popp said that the money is in the “older” technology Cloud Access Security Broker technology – where, he said, five years is a veritable eternity. Though a proponent of CASB, Popp also spoke about the need to adopt a forward-looking approach to cloud security for all unmanaged devices running any and all applications. We are now well past the days of shadow IT posing the greatest risks, he cautioned.

API-based CASB deployment is the new norm and we are about to enter the age of the security gateway. In fact, “a security Gateway War is brewing," Popp said. But which security approach will win? Will it be the traditional web security gateway that protects a very large set of web applications? The CASB gateway that provides the finest grain controls? Or perhaps the new kid on the block - the software defined perimeter gateway that can obfuscate our own cloud apps from the bad guys?

These security gateways will converge for sure, he said. Whichever one wins, however, the challenge remains how to protect unmanaged devices accessing cloud applications.           

 Popp, offering the audience a quick look at the landscape – call it Gateway 101 - on using a cloud proxy, focused attention on two types:

• Forward proxy: This provides the broadest coverage when it comes to SaaS apps, but requires an agent to funnel the traffic through the security gateway. This works best for managed devices but not for situations where organizations let their employees bring their devices to work (BYOD.)
• Reverse proxy: This works great for BYOD and unmanaged device since it does not require any agent. However, the reverse proxy must rewrite all application URLs to keep the user in the security gateway. Since SaaS apps change of the time, it is hard to achieve breadth of coverage with a reverse proxy.

Popp predicts that a new gateway innovation is required to complement today’s reverse and forward proxy technology . It's called a Mirror Gateway. It's the third and latest proxy option from Symantec, and it can save the day. With a Mirror Gateway you don't need an agent and you don't have to rewrite URLs.

A Mirror Gateway uses web isolation in a new way. Isolation runs your web browser in the cloud to protect you against web threats. In a Mirror gateway, we turn the web isolation technology inward to protect IT applications in the cloud. A Mirror Gateway renders the web page in the cloud and returns a mirror image to the end user machine. Since the browser is running in the cloud, user activity can be monitored, data can be protected, and threats can be stopped. In this way, the user experience isn't slowed, and the gateway is able to manage a larger volume of traffic monitoring than we've seen to date on other gateways. So, which security "gateway will end up ruling them all,” asks Popp.  It is everyone’s bet, he said, but one thing is sure: isolation and mirroring will be a critical part of the solution.