  • Forward proxy architecture
  • Reverse proxy architecture
  • API scanning architecture
 

A cloud access security broker (CASB) can be implemented in three ways: forward proxy, reverse proxy, and API scanning. The architectures of the three implementation methods differ and address different use cases; however, the methods complement one another, and deploying them together fortifies cloud environments holistically.

In this guide, we break down the complexities of forward proxy, reverse proxy, and API scanning CASB deployments, and explain how each CASB architecture works, what its components are, and how they operate.

Forward proxy architecture

The architecture of a forward proxy CASB deployment revolves around intercepting outbound traffic, conducting deep packet inspection, managing SSL/TLS certificates, and applying filtering or blocking mechanisms to enforce security policies and protect sensitive data.

The core component of a forward proxy CASB architecture is the gateway server, which is configured on premises on the client's side. It acts as a proxy server, positioned between the organization's internal network and the internet, through which all outbound traffic flows. The gateway server performs the following functions:

Deep packet inspection (DPI): The forward proxy CASB employs DPI to inspect the contents of HTTPS network packets passing through it. This lets the CASB analyze traffic at a granular level and examine data payloads for signs of sensitive information or policy violations.

Certificate management: The CASB manages SSL/TLS certificates to facilitate DPI of encrypted (HTTPS) traffic. It acts as a man-in-the-middle (MITM), decrypting traffic arriving from users, inspecting it, and then re-encrypting it before forwarding it to its destination. This requires the CASB to generate and manage SSL/TLS certificates for each user session.

Filtering/blocking: Within the forward proxy CASB, filtering and blocking mechanisms are applied according to security policies predefined in the CASB solution. These policies may include URL filtering to block access to malicious or unauthorized websites, application controls to regulate the use of specific cloud services, and data loss prevention (DLP) policies to prevent the transmission of sensitive information.

The gateway server is configured and managed from the CASB solution's console. The CASB communicates with the gateway server periodically to sync configurations and collect audit data. The proxy settings can be configured manually on each endpoint or pushed in bulk via Group Policy Objects (GPOs).

A forward proxy CASB implementation lets you monitor every cloud application accessed from a managed enterprise network, along with all download and upload activity leaving it. Forward proxy is best suited for the following scenarios:

  • Discover and monitor shadow applications, sanctioned applications, unsanctioned and safe applications, and unsanctioned and unsafe applications
  • Official and personal cloud account activities
  • Analyze data-in-transit
  • Managed devices

Forward proxy CASB use case

An employee is using a managed device connected to the company network to upload massive amounts of sensitive data to their personal cloud account.
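The gateway's filtering and blocking stage, as an added example that is not code from the original page or from any CASB vendor: a small policy engine applied to outbound requests after TLS interception. The application catalogue, the hostnames, the bulk-upload threshold and the sample requests are all constructed for illustration; a real CASB ships its own cloud-application registry and DLP classifiers. The engine classifies the destination (sanctioned, unsanctioned-safe, unsanctioned-unsafe, or shadow), applies URL filtering to unsafe services, flags unknown services for shadow-IT discovery, and runs a DLP check (payment-card numbers validated with the Luhn checksum) and a bulk-upload control on uploads, which is the scenario in the use case above.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed application catalogue for a hypothetical organisation. The hostnames
# are placeholders; a real CASB ships its own cloud-application registry.
APP_CATALOGUE = {
    "drive.corp-sanctioned.example": ("Corp Drive", "sanctioned"),
    "personal-cloud.example": ("Personal Cloud", "unsanctioned-safe"),
    "filedump.example": ("FileDump", "unsanctioned-unsafe"),
}
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}
BULK_UPLOAD_BYTES = 5 * 1024 * 1024   # constructed threshold for a "massive" upload


@dataclass
class Request:
    """One decrypted outbound HTTPS request, as the gateway sees it after TLS interception."""
    user: str
    host: str
    method: str
    path: str
    body: bytes = b""


@dataclass
class Verdict:
    action: str            # "allow", "alert" or "block"
    app: str
    category: str          # sanctioned / unsanctioned-safe / unsanctioned-unsafe / shadow
    reasons: List[str] = field(default_factory=list)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so that random digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def find_card_numbers(text: str) -> List[str]:
    """DLP detector: 13-19 digit runs (spaces/dashes allowed) that pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def evaluate(req: Request) -> Verdict:
    app, category = APP_CATALOGUE.get(req.host, (req.host, "shadow"))
    verdict = Verdict("allow", app, category)
    # URL filtering / application control: known-unsafe services are blocked outright.
    if category == "unsanctioned-unsafe":
        verdict.action = "block"
        verdict.reasons.append("URL filtering: access to unsafe application")
        return verdict
    if category == "shadow":
        verdict.action = "alert"
        verdict.reasons.append("shadow IT: application not in catalogue, logged for discovery")
    if req.method in UPLOAD_METHODS and req.body:
        cards = find_card_numbers(req.body.decode("utf-8", "replace"))
        if cards and category != "sanctioned":
            verdict.action = "block"
            verdict.reasons.append(f"DLP: {len(cards)} payment card number(s) in upload to non-sanctioned app")
        elif cards:
            verdict.action = "alert"
            verdict.reasons.append(f"DLP: {len(cards)} payment card number(s) uploaded to sanctioned app")
        elif len(req.body) > BULK_UPLOAD_BYTES and category != "sanctioned":
            verdict.action = "block"
            verdict.reasons.append("application control: bulk upload to non-sanctioned app")
    return verdict


def demo() -> List[Verdict]:
    """Constructed sample traffic: the use-case exfiltration attempt plus four contrasting requests."""
    exfil = Request("alice", "personal-cloud.example", "PUT", "/upload/customers.csv",
                    b"name,card\nJ. Doe,4111 1111 1111 1111\n")
    bulk = Request("bob", "personal-cloud.example", "POST", "/upload/archive.zip",
                   b"\x00" * (BULK_UPLOAD_BYTES + 1))
    sanctioned = Request("carol", "drive.corp-sanctioned.example", "POST", "/files", b"quarterly report")
    unsafe = Request("dave", "filedump.example", "GET", "/")
    shadow = Request("erin", "unknown-saas.example", "GET", "/login")
    return [evaluate(r) for r in (exfil, bulk, sanctioned, unsafe, shadow)]


if __name__ == "__main__":
    for v in demo():
        print(v.action, v.app, v.category, "; ".join(v.reasons))
```

The design point is that the verdict depends on both the destination's category and the content: the same card number uploaded to the sanctioned drive only raises an alert, while the upload to the personal cloud account is blocked. In a deployment, the decrypted body never leaves the gateway; only the verdict and the audit record are synced back to the console.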

Forward proxy architecture diagram: The gateway server, configured on premises on the client's side, intercepts outbound traffic, conducts DPI, manages SSL/TLS certificates, and applies filtering or blocking mechanisms to enforce security policies and protect sensitive data.

Figure 1: Forward proxy CASB architecture diagram

Reverse proxy architecture

The reverse proxy CASB implementation is done on an application-by-application basis, i.e., the reverse proxy configuration is applied individually to each required sanctioned application rather than universally at the organization's perimeter. The supported cloud applications are configured to route all incoming traffic through a CASB reverse proxy server (CRPS), and this is done with the help of the identity provider's authentication service (SSO). This works only for official enterprise cloud accounts that have an authentication service configured. Whenever an employee accesses their official cloud accounts, whether from managed or unmanaged devices and whether from on-premises or remote locations, the reverse proxy CASB is able to audit activities and apply control policies. Users can configure the reverse proxy server, set and manage control policies, and audit user activities from the CASB solution's console.

The major components that form the reverse proxy CASB architecture are the CRPS and the SSO integration through an identity provider.

Proxy Server (CRPS): The CRPS intercepts and reroutes all client requests to access cloud applications. It sits between the clients and the cloud service providers, serving as an intermediary for traffic. The CRPS is responsible for enforcing security policies, such as DLP, access controls, and threat detection, before allowing requests to reach the cloud applications.

Single sign-on: SSO integration facilitates seamless user authentication and access control. When clients initiate requests, SSO protocols are employed to authenticate users, ensuring secure access to sanctioned cloud applications. By integrating SSO with the reverse proxy CASB architecture, organizations can streamline user access management and enhance security through centralized authentication.

Here's how reverse proxy CASB works in three steps:

  • Request routing: When clients attempt to access cloud applications, their requests are intercepted by the reverse proxy server (CRPS) deployed in the architecture. Instead of directly reaching the cloud service providers, these requests are rerouted through the CRPS.
  • Authentication and access control: Upon receiving the requests, the CRPS employs SSO mechanisms to authenticate users. Once authenticated, access control policies defined by the organization are enforced. This ensures that only authorized users with proper credentials and permissions can access the cloud applications.
  • Policy enforcement and audit logging: The CRPS executes core CASB functionalities, such as policy enforcement and audit logging, in real time. Security policies defined through the CASB application are applied to the incoming traffic, allowing the CRPS to detect and prevent data breaches, enforce compliance regulations, and mitigate security risks. Additionally, audit logs are generated to provide a detailed record of user activities and security events for compliance and forensic analysis.

Reverse proxy CASB is best suited for the following scenarios:

  • Official cloud account activities
  • Analyze data in transit
  • Managed and unmanaged devices from both the enterprise and remote networks

Reverse proxy CASB use case

A user logs onto their official cloud account and uses their home network to download private files to their personal device.
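The three steps above (request routing, SSO authentication, policy enforcement with audit logging) as an added example; this is not code from the original page or from any CASB product. The identity provider is modelled by a hypothetical HMAC-signed token that carries the claims the CRPS needs (subject, whether the device is managed, expiry); it is a simplified stand-in for a SAML or OIDC assertion, and the shared secret, the policy and the sample requests are constructed. The policy encodes the use case above: a private file may not be downloaded to an unmanaged device, even though the same user on a managed device is forwarded to the cloud application.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

# Constructed shared secret between the hypothetical identity provider and the CRPS.
IDP_SECRET = b"constructed-demo-secret-not-for-production"


def issue_sso_token(user: str, device_managed: bool, ttl: int = 300,
                    now: Optional[int] = None) -> str:
    """Identity provider side: sign the claims the CRPS will base its access decision on."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "device_managed": device_managed, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode().rstrip("=")
    sig = hmac.new(IDP_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_sso_token(token: str, now: Optional[int] = None) -> Optional[Dict]:
    """CRPS side: reject forged or expired tokens before any policy is consulted."""
    now = int(time.time()) if now is None else now
    body, _, sig = token.partition(".")
    expected = hmac.new(IDP_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("exp", 0) <= now:
        return None
    return claims


AUDIT_LOG: List[Dict] = []


def audit(**event) -> None:
    """Every decision, allowed or denied, is recorded for compliance and forensics."""
    AUDIT_LOG.append(event)


def handle_request(token: str, action: str, resource: str, label: str,
                   now: Optional[int] = None) -> Tuple[str, str]:
    """A request the cloud application has routed to the CRPS: authenticate, enforce, log."""
    claims = verify_sso_token(token, now)
    if claims is None:
        audit(user=None, action=action, resource=resource, decision="deny",
              reason="sso authentication failed")
        return ("deny", "sso authentication failed")
    user = claims["sub"]
    # Constructed policy: files labelled "private" may not be downloaded to unmanaged devices.
    if action == "download" and label == "private" and not claims["device_managed"]:
        reason = "policy: private file download from unmanaged device"
        audit(user=user, action=action, resource=resource, decision="deny", reason=reason)
        return ("deny", reason)
    audit(user=user, action=action, resource=resource, decision="forward", reason="policy satisfied")
    return ("forward", "request forwarded to cloud application")


def demo() -> List[Tuple[str, str]]:
    """Constructed requests: the use case from home, the same user in the office, a forged and a stale token."""
    now = 1_700_000_000   # fixed clock so the run is reproducible
    home = issue_sso_token("alice", device_managed=False, now=now)
    office = issue_sso_token("alice", device_managed=True, now=now)
    forged = home[:-1] + ("0" if home[-1] != "0" else "1")   # one hex digit of the signature altered
    stale = issue_sso_token("bob", device_managed=True, now=now - 1000)
    return [
        handle_request(home, "download", "finance/q3.xlsx", "private", now),
        handle_request(office, "download", "finance/q3.xlsx", "private", now),
        handle_request(home, "view", "handbook.pdf", "internal", now),
        handle_request(forged, "download", "finance/q3.xlsx", "private", now),
        handle_request(stale, "download", "finance/q3.xlsx", "private", now),
    ]


if __name__ == "__main__":
    for decision, detail in demo():
        print(decision, "-", detail)
    for entry in AUDIT_LOG:
        print(entry)
```

Because the cloud application only accepts sessions that arrive through the identity provider, an unmanaged device cannot bypass the CRPS by connecting to the application directly; that is what makes the reverse proxy effective for remote and personal devices without any agent or proxy setting on the endpoint.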

Reverse proxy CASB architecture diagram: The identity provider's authentication service redirects incoming traffic to the CASB reverse proxy server (CRPS), which monitors user activity and enforces policies.

Figure 2: Reverse proxy CASB architecture diagram

API scanning architecture

In an API scanning CASB architecture, the implementation begins with the integration of the CASB with the APIs of cloud service providers. Unlike proxy-based CASB solutions, which intercept and redirect traffic through a proxy server, API-based CASB directly integrates with the APIs of cloud applications. This integration allows the CASB to monitor and control data interactions between an organization's users and cloud applications without the need for network traffic redirection.

The components of an API scanning CASB architecture are the CASB itself and the APIs of the cloud service providers. Operation within this architecture involves continuous monitoring of API calls by the CASB: each API call made by users to access or manipulate data within cloud applications is intercepted and analyzed. This analysis includes inspecting files and data at rest via periodic scans to ensure they comply with security policies and are free of security threats and sensitive information. Unlike proxy-based CASB solutions, which primarily focus on traffic passing through network proxies, API-based CASB solutions can also monitor data at rest within cloud storage.

The CASB enforces security measures such as access controls, encryption, and DLP via API traffic to mitigate security risks. Access controls ensure that only authorized users can access specific data or perform certain actions within cloud applications. Encryption protects data in transit and at rest, preventing unauthorized access or interception. Additionally, DLP measures are applied to prevent the unauthorized sharing or leakage of sensitive information.

API scanning CASB is best suited for the following scenarios:

  • Analyze data at rest in cloud accounts
  • Control data access and sharing within cloud applications
  • Detect sensitive data (PII, customer data, and patents) within cloud environments, and prevent data exfiltration and leakage by encryption

API scanning CASB use case

A user stores a file containing customer PII on their official cloud storage account with open share access. Regular API scans can discover the data in the file and restrict access to it.
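The periodic data-at-rest scan from the use case above, as an added example that is not code from the original page or from any provider's SDK. The storage API is a constructed in-memory stand-in with the three calls such a scan needs (list files, read a file, change its sharing mode); the PII detectors are simple constructed regular expressions, and the sample files are constructed. The scan walks every file through the API, classifies its content, reports each file that holds PII, and, where the file is shared with anyone holding the link, restricts it to private through the same API, which is the remediation the use case describes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class CloudFile:
    file_id: str
    owner: str
    name: str
    content: str
    sharing: str   # "private", "domain" or "anyone_with_link"


class FakeStorageAPI:
    """Constructed stand-in for a provider's storage REST API (not any vendor's SDK)."""

    def __init__(self, files: List[CloudFile]):
        self._files = {f.file_id: f for f in files}

    def list_file_ids(self) -> List[str]:
        return list(self._files)

    def get_file(self, file_id: str) -> CloudFile:
        return self._files[file_id]

    def set_sharing(self, file_id: str, mode: str) -> None:
        self._files[file_id].sharing = mode


# Constructed PII detectors; a production classifier uses broader dictionaries and validators.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
}


def classify(content: str) -> Dict[str, int]:
    """Count PII matches per category; an empty dict means no PII was found."""
    counts = {}
    for kind, rx in PII_PATTERNS.items():
        n = len(rx.findall(content))
        if n:
            counts[kind] = n
    return counts


def scan_and_remediate(api: FakeStorageAPI) -> List[Dict]:
    """One scan cycle: inspect every file at rest, report PII, close open shares on PII files."""
    findings = []
    for file_id in api.list_file_ids():
        f = api.get_file(file_id)
        hits = classify(f.content)
        if not hits:
            continue
        finding = {"file_id": file_id, "owner": f.owner, "name": f.name, "pii": hits,
                   "sharing_before": f.sharing, "remediation": None}
        if f.sharing == "anyone_with_link":
            api.set_sharing(file_id, "private")   # access restricted through the provider API
            finding["remediation"] = "sharing restricted to private"
        findings.append(finding)
    return findings


def demo() -> Tuple[FakeStorageAPI, List[Dict]]:
    """Constructed tenant: the use-case file, a harmless open-share file, and a private PII file."""
    api = FakeStorageAPI([
        CloudFile("f1", "alice@corp.example", "customers.csv",
                  "name,email,ssn\nJ. Doe,jdoe@mail.example,123-45-6789\n", "anyone_with_link"),
        CloudFile("f2", "bob@corp.example", "notes.txt", "meeting at 10, bring slides", "anyone_with_link"),
        CloudFile("f3", "carol@corp.example", "support.txt", "call 555-010-2345", "private"),
    ])
    return api, scan_and_remediate(api)


if __name__ == "__main__":
    api, findings = demo()
    for finding in findings:
        print(finding)
    print({fid: api.get_file(fid).sharing for fid in api.list_file_ids()})
```

Note what the scan does not touch: the open-share file without PII keeps its sharing setting, and the private PII file is only reported. Which combinations of classification and sharing state trigger an automatic change versus an alert is exactly the policy an administrator sets in the CASB console.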

API scanning CASB architecture diagram: The CASB integrates directly with the cloud service provider's APIs to view and manage data and files.

Figure 3: API scanning CASB architecture diagram