When the use of cloud-based services and applications goes beyond the view of IT, organizational data is no longer bound by the governance, risk, and compliance policies of the organization. This is called shadow IT and emphasizes the need for cloud security. Companies have to find a solution to enforce strict security policies and protect sensitive data when it is being shared in cloud applications. Cloud access security broker (CASB) solutions—proxy-based, API-based, or both—can help organizations gain visibility and control over the cloud applications that their employees access.
A CASB is a policy control and cloud visibility mechanism that sits between the cloud service users and the cloud applications. Whether deployed in the cloud or on-premises, CASBs provide visibility into the use of cloud applications, control access to cloud-based services and data, help meet compliance regulations, prevent data loss, detect and remediate threats with UEBA technology, and more. With the help of a CASB solution, employees can use cloud services without risking the security of the organization. Authentication, authorization, encryption, single sign-on, tokenization, and device profiling are some examples of security policies that can be implemented using CASBs. SOC teams can derive effective insights on security incidents if their CASB tool is integrated with their SIEM solution. To learn more, read: Why a cloud access security broker should be part of your SIEM.
CASBs can be deployed in two modes: proxy-based and API-based. Proxy-based CASBs are also called inline CASBs, and API-based CASBs are referred to as out-of-band CASBs. The main difference between the two is that an inline CASB sits directly between the user and the cloud application—acting as a gateway—inspecting and controlling data in real time, whereas an out-of-band CASB operates outside the direct traffic path and integrates with cloud service providers via APIs, monitoring cloud activity after the event.
On this page, we'll focus on the inline, or proxy-based, deployment mode of CASBs.
What is proxy-based CASB deployment?
Proxy-based deployment is often called inline deployment as it sits between the user and SaaS application traffic. Inline CASBs work as intermediaries, inspecting all data traffic flowing to and from cloud services and applying security policies in real time to control access. This means that they sit directly in the network path, intercepting and evaluating requests and responses for malicious activity, policy violations, or sensitive data exposure. For example, proxy-based CASBs can block user traffic to cloud applications, stop a file upload to a SaaS application, block a file download to an unmanaged device, and more. Because of the various functionalities and coverage provided, this deployment mode is often used in various CASB tools.
Let's take a look at how a proxy-based CASB monitors and exercises control over cloud traffic. When users try to access a cloud application, they initiate an access request. Before the request reaches the cloud service provider, the traffic is first directed to the proxy. This proxy—i.e., the CASB tool—can see who is making the request and what is being requested. At this point, the CASB tool can exercise control and add security-relevant functionality, such as blocking the users' access or preventing them from performing certain actions.
Proxy-based CASB tools use two different modes of deployment: forward proxy and reverse proxy. Depending upon the deployment mode, proxy-based CASBs can provide benefits such as comprehensive threat protection and data security, granular access control, visibility into cloud usage, shadow IT detection, and compliance with regulatory mandates, as well as secure work environments, regardless of a BYOD, remote, or hybrid setup.
Forward proxy deployment
In this mode, the proxy sits closer to the user. The forward proxy is configured on the user's device or network, and all outbound traffic to the cloud is routed through the CASB. It allows organizations to inspect and secure user-initiated cloud access requests, even if the cloud application is not managed by IT. The traffic (the user's requests) can be directed to the forward proxy through:
- PAC files: A proxy auto-configuration (PAC) file determines whether a web request goes directly to the destination or is forwarded to the forward proxy. When forward proxy CASB deployment is implemented, the users' browsers or agents deployed in the devices are configured with proxy PAC files that route cloud traffic to the CASB forward proxy. One drawback of using PAC files for forward proxy rerouting is that these files can be bypassed easily by users.
- DNS URL redirect: In this method, the user's DNS is configured with a special traffic forward zone for selected cloud services so that all traffic requests to those cloud services are rerouted to the CASB forward proxy. However, this method isn't usually preferred because users are often hesitant to modify the DNS entries in their environment. Plus, in most enterprises, DNS is managed by an outsourced third-party vendor.
- Agents: In this method, an agent is deployed in the users' endpoints and reroutes traffic to the CASB forward proxy using a secure VPN tunnel. Managing agents is the downside of this deployment method.
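To make the PAC-file method concrete, here is a minimal proxy auto-configuration file of the kind a browser or agent would be pointed at so that cloud traffic is steered to the CASB forward proxy. This is an added example, not code from the original article or from any CASB product; the proxy address, the cloud hostnames, and the internal domain are constructed placeholders.

```javascript
// Added example: a minimal proxy auto-configuration (PAC) file that routes
// traffic for selected cloud services through a CASB forward proxy.
// The proxy address, hostnames and domains below are constructed placeholders.
// PAC engines evaluate this file as plain JavaScript and call FindProxyForURL
// for every request; "var" and function declarations are used because some
// PAC engines only support older JavaScript dialects.

var CASB_PROXY = "PROXY casb-proxy.example.internal:8080"; // assumed address

// Cloud services whose traffic must be inspected inline by the CASB (constructed).
var CLOUD_SERVICES = [
  "storage.example-saas.com",
  "mail.example-saas.com",
  "crm.example-vendor.net"
];

// Internal domains that never leave the corporate network (constructed).
var INTERNAL_DOMAINS = ["corp.example.internal"];

// True when host equals domain or is a subdomain of it. Browsers also provide
// the built-in dnsDomainIs(); this local helper keeps the example
// self-contained so it can be tested outside a browser.
function inDomain(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.slice(-(domain.length + 1)) === "." + domain;
}

function matchesAny(host, domains) {
  for (var i = 0; i < domains.length; i++) {
    if (inDomain(host, domains[i])) return true;
  }
  return false;
}

// Entry point called by the browser or agent for every outbound request.
function FindProxyForURL(url, host) {
  // Intranet shortnames (no dot) and internal domains bypass the CASB.
  if (host.indexOf(".") === -1 || matchesAny(host, INTERNAL_DOMAINS)) {
    return "DIRECT";
  }
  // Sanctioned cloud services are forced through the CASB. There is
  // deliberately no "; DIRECT" fallback: a fail-open rule would let traffic
  // skip inspection whenever the proxy is unreachable.
  if (matchesAny(host, CLOUD_SERVICES)) {
    return CASB_PROXY;
  }
  // Other external traffic goes direct here. Returning CASB_PROXY instead
  // would give the CASB visibility into unsanctioned applications (shadow IT)
  // at the cost of proxying all web traffic.
  return "DIRECT";
}
```

The suffix match in `inDomain` is what prevents a look-alike host such as `notstorage.example-saas.com` from being treated as the sanctioned service. Note that the PAC file only controls where a cooperating browser sends its requests; as the bullet above says, a user who changes the browser's proxy settings sidesteps it, which is why the file is usually paired with endpoint management or an agent.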
A forward proxy CASB implemented by configuring PAC files or by deploying agents cannot monitor unmanaged devices. On the other hand, a forward proxy CASB implemented by configuring the customer's DNS can monitor both managed and unmanaged devices.
A forward proxy CASB deployment can:
- Analyze content between the user's endpoint and cloud applications to spot malicious activity and data leakage.
- Enforce context-based access control depending on the user's source device, network, time of request, and more.
- Provide visibility into shadow IT and list the use of unsanctioned applications by a user or group of users.
- Encrypt and tokenize field-level data.
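The capabilities listed above come down to a policy decision made for every intercepted request, using the context the proxy sees: the user, the application, the action, the device, the network, and the time. The following added example sketches such a decision point. It is illustrative code, not from the original article or any product; the sanctioned-application list, the rules, the working-hours window, and the sample requests are all constructed.

```javascript
// Added example: a simplified policy decision point of the kind a forward
// proxy CASB applies to each intercepted request. Applications, users,
// devices and rules are constructed for illustration, not taken from a product.

// Cloud applications sanctioned by IT, keyed by hostname (constructed).
var SANCTIONED_APPS = {
  "storage.example-saas.com": "Corporate Storage",
  "mail.example-saas.com": "Corporate Mail"
};

function isSanctioned(host) {
  return Object.prototype.hasOwnProperty.call(SANCTIONED_APPS, host);
}

// Assumed working window used for the time-of-request rule.
function withinBusinessHours(hour) {
  return hour >= 7 && hour < 20;
}

// Ordered rule list; the first rule whose condition holds decides the request.
var RULES = [
  { name: "block-upload-to-unsanctioned-app",
    when: function (r) { return r.action === "upload" && !isSanctioned(r.host); },
    decision: "block" },
  { name: "block-download-to-unmanaged-device",
    when: function (r) { return r.action === "download" && !r.device.managed; },
    decision: "block" },
  { name: "block-off-hours-access-from-outside-network",
    when: function (r) { return !r.network.corporate && !withinBusinessHours(r.hour); },
    decision: "block" },
  { name: "allow-and-flag-shadow-it",            // visibility, not enforcement
    when: function (r) { return !isSanctioned(r.host); },
    decision: "allow-and-flag" },
  { name: "default-allow",
    when: function () { return true; },
    decision: "allow" }
];

// Evaluate one intercepted request; returns the decision and the deciding rule.
function evaluate(request) {
  for (var i = 0; i < RULES.length; i++) {
    if (RULES[i].when(request)) {
      return { decision: RULES[i].decision, rule: RULES[i].name };
    }
  }
  // Unreachable while default-allow is present; fail closed if the table is edited.
  return { decision: "block", rule: "no-matching-rule" };
}

// Run a batch and build the summary a SOC would pull from CASB logs:
// how many requests were blocked and which unsanctioned apps were seen.
function summarize(requests) {
  var blocked = 0;
  var shadowIt = {};
  var decisions = [];
  for (var i = 0; i < requests.length; i++) {
    var result = evaluate(requests[i]);
    decisions.push(result);
    if (result.decision === "block") blocked++;
    if (!isSanctioned(requests[i].host)) shadowIt[requests[i].host] = true;
  }
  return { decisions: decisions, blocked: blocked, unsanctionedApps: Object.keys(shadowIt).sort() };
}

// Constructed sample of intercepted requests.
var SAMPLE_REQUESTS = [
  { user: "alice", host: "storage.example-saas.com", action: "download", hour: 10,
    device: { managed: true }, network: { corporate: true } },
  { user: "bob", host: "storage.example-saas.com", action: "download", hour: 11,
    device: { managed: false }, network: { corporate: false } },
  { user: "carol", host: "share.unknown-cloud.example", action: "upload", hour: 14,
    device: { managed: true }, network: { corporate: true } },
  { user: "dave", host: "notes.unknown-cloud.example", action: "view", hour: 15,
    device: { managed: true }, network: { corporate: true } },
  { user: "erin", host: "mail.example-saas.com", action: "view", hour: 2,
    device: { managed: true }, network: { corporate: false } }
];
```

Running `summarize(SAMPLE_REQUESTS)` blocks three of the five requests (the download to an unmanaged device, the upload to an unsanctioned application, and the off-hours access from outside the corporate network) and reports the two unknown cloud hosts as shadow IT. The rule order matters: blocking rules are evaluated before the visibility-only rule so that a request is never merely flagged when it should have been stopped.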
Reverse proxy deployment
In this mode, the proxy sits closer to the cloud service providers. The cloud service or resource routes the traffic to the CASB reverse proxy.
Being more seamless than forward proxy technology, reverse proxy CASB can integrate with the Identity as a Service (IDaaS) used by the organization, authenticate users, and reroute traffic from SaaS applications to users.
Also, unlike forward proxy, you don't need to deploy agents to reroute the traffic. However, the drawback with reverse proxy technology is that it does not offer visibility into shadow IT.
A reverse proxy CASB deployment can:
- Control access from both managed and unmanaged devices, though it is more suited for unmanaged devices compared to other modes of deployment.
- Encrypt data that is in transit to the cloud.
- Monitor user activities and discover insider threats and compromised accounts.
- Implement DLP in real time, including inspecting data in transit and taking appropriate prevention or remediation actions in case of threats.
- Prevent users from bypassing it.
Which mode of CASB deployment should you adopt for your organization?
It is imperative to choose a CASB solution that is best suited for your organization's requirements. Each approach has its pros and cons. A preferable option would be a hybrid approach: a blend of API and proxy modes of deployment. A hybrid solution can provide more flexibility, access control, visibility, and coverage of use cases. ManageEngine Log360 is a CASB-integrated SIEM solution that can protect your hybrid cloud environment. To evaluate how Log360 can satisfy your organization's security needs, sign up for a personalized demo.