By Michael Schneider
Senior Manager, Product Management, Skyhigh Security


In conversations with prospects and with new and existing customers who are running Secure Web Gateway (SWG) appliances, a critical topic comes up: the sheer cost of migrating to the cloud. Apart from the product price, customers must also factor in the cost of the migration itself. This is especially critical when they face a rip and replace because their current vendor doesn’t offer the cloud SWG of choice or is unable to take them to the cloud easily.

After talking with a prospect with 25,000 users, we found that they factored in a cost of ~$1,000,000 USD to replace their current SWG. That money is spent on changing network routing, reconfiguring servers, rewriting Proxy Auto-Configuration (PAC) files, reconfiguring firewalls, etc.

This SWG-replacement budget must be factored into the overall price of the project in addition to the price of the new SWG, but it is often forgotten. Bottom line, it is paramount that any new vendor be able to quickly replace the current solution and get into the cloud without delay, as these are the main cost drivers.

To keep costs and effort under control, customers should look for a vendor that doesn’t require them to make massive changes to their current layout while taking them to a cloud-native deployment. Going to the cloud without disrupting anything and without applying huge changes may sound difficult, but it is possible! Let us detail how we at Skyhigh Security can help make customers’ move to the cloud easier and quicker, all while minimizing the huge overhead costs that other vendors might introduce.

The on-prem SWG

Customers running an on-prem SWG often leverage certain infrastructure capabilities of the SWG, such as handling older protocols, SOCKS, or proxying other traffic like Transmission Control Protocol (TCP). Often, the SWG performs local caching or bandwidth optimizations, load balancing or ISP link failover. While replacing these with a cloud solution is possible in some instances, it often requires re-architecture of the network design. In larger transformation projects this is usually taken into consideration, whereas in SWG-only projects it is often an unwelcome circumstance. Customers who look to their SWG for infrastructure rather than security will have difficulty adopting a SWGaaS rapidly and need either to make difficult compromises or plan for additional investment.

How Skyhigh Security can help

At Skyhigh Security we understand our customers’ concerns and needs when it comes to deploying a SWG, whether it is deployed on premises or in the cloud. We have been developing SWGs since 1999; with our expertise, coupled with a commitment to listening to customers and prospects, we have created an architecture that will take you to the cloud rapidly while avoiding the huge rip-and-replace costs incurred when switching vendors. All our Security Service Edge (SSE) suites are licensed for a hybrid deployment. That means you are entitled to use virtual appliances, with hardware appliances as an option, plus the cloud service.

For existing customers

Existing on-prem SWG customers can extend their on-prem policy to the cloud with the click of a button, as well as run the same policy in the cloud and on their appliances; their remote sites or mobile users can now connect to the cloud and continue to be secured in the same manner instead of backhauling the traffic to central hubs or dedicated proxy appliances. In larger sites, where the SWG makes sense due to infrastructure reasons, the on-prem SWG is kept and manages the policies for the remaining SWGs and those in the cloud. We have created flexible options and simplified the process to make it easy for our customers to achieve their cloud transformation initiatives. With remote sites moving to the cloud, savings on costly MPLS or VPN connections are realized instantly.

Additionally, the remaining appliance footprint can be drastically reduced by executing only relevant parts of the policy on the appliance; for example, a global allow or block list, URL filtering or some caching, bandwidth optimization rules or authentication against a local directory. The majority of the filtering is performed in the cloud on the traffic the appliance forwards, with the local user also authenticated against the cloud service. If ten appliances are necessary today, that number can subsequently be reduced to two, including one failover node. This model of cloud transition does not require any changes to the network layout and keeps the network intact.

For new customers

New customers looking to replace their existing proxy and wanting to keep on-premises proxies can follow the same approach, while additionally replacing their on-premises proxies with Skyhigh Security’s SWG. If done well, proxy DNS names can be kept and a smooth transition maintained, as there is no disruption of traffic flow, no need to rewrite PACs, and the traffic is handled by the new proxies and safely redirected to the cloud service where the policy is applied.

This deployment variant is an elegant utilization of on-premises proxies and the cloud service. It reduces migration cost and enables a quick migration to the cloud simply by using the cloud service as the policy engine and using appliances as “redirectors” to the cloud.

The Goal

The final goal is the use of a cloud-native deployment instead of on-premises solutions. But, as mentioned previously, in many cases the path there can be made bumpy by the rip-and-replace approach, or it can be made smooth by phasing out on-premises equipment with a synergistic solution optimized to enable the transformation while minimizing disruption.

When replacing an on-prem SWG, vendors will tell you that on-prem SWGs aren’t needed. This is true, but the key question is, can you afford the rip-and-replace procedures these vendors force on you?

Learn more about Skyhigh Security’s Secure Web Gateway and Security Service Edge. Also, review the “Moving to the Cloud is Easier than You Think” workshop.