
With organizations increasingly turning towards cloud-based services, the need for cloud security has never been more important. When the use of cloud applications goes beyond the view of IT, organizational data is no longer bound by the governance, risk, and compliance policies of the organization. Companies have to find a solution to enforce strict security policies and protect sensitive data when it is being shared in cloud applications. Cloud access security broker (CASB) solutions can help organizations gain visibility and control over the cloud applications that their employees access.

Whether deployed in the cloud or on premises, CASBs provide visibility into the use of cloud applications, control access to cloud applications and data, help meet compliance regulations, prevent data loss, detect and remediate threats with UEBA technology, and more. With the help of a CASB solution, employees can use cloud services without risking the security of the organization. Authentication, authorization, encryption, single sign-on, tokenization, and device profiling are some examples of security policies that can be implemented using CASBs.

CASBs can be deployed in two modes: proxy-based and API-based. This article explains the proxy-based deployment mode of CASBs.

What is proxy-based CASB deployment?

Proxy-based deployment is often called inline deployment because the proxy sits in the path between the user and the SaaS application. This deployment mode inspects content flowing to and from the cloud and enforces security policies in real time to control access. It can block user traffic to cloud applications, stop a file upload to a SaaS application, block a file download to an unmanaged device, and more. Because of the breadth of functionality and coverage it provides, this deployment mode is used by many CASB tools.

Let's take a look at how a proxy-based CASB monitors and exercises control over cloud traffic. When users try to access a cloud application, they initiate an access request. Before the request reaches the cloud service provider, the traffic is first directed to the proxy. This proxy, i.e., the CASB tool, knows who the user is and what they are requesting. At this point, the CASB tool can exercise control and add security-relevant functionality, such as blocking the user's access or preventing them from performing certain actions.

Proxy-based CASB tools use two different modes of proxy deployment: forward proxy and reverse proxy.

Forward proxy deployment

In this mode, the proxy sits closer to the user. The user's device or network routes the traffic to the proxy, and the forward proxy uses SSL man-in-the-middle techniques to inspect the user's traffic as it passes through the CASB proxy. This traffic route is established through one of the following:

  • PAC files: A proxy auto-configuration (PAC) file determines whether a web request goes directly to the destination or is forwarded to the forward proxy. When forward proxy CASB deployment is implemented, the users' browsers or agents deployed in the devices are configured with proxy PAC files that route cloud traffic to the CASB forward proxy. One drawback of using PAC files for forward proxy rerouting is that these files can be bypassed easily by users.
  • DNS URL redirect: In this method, the user's DNS is configured with a special traffic forward zone for selected cloud services so that all traffic requests to those cloud services are rerouted to the CASB forward proxy. However, this method isn't usually preferred because users are often hesitant to modify the DNS entries in their environment. Plus, in most enterprises, DNS is managed by an outsourced third-party vendor.
  • Agents: In this method, an agent is deployed on the users' endpoints and reroutes traffic to the CASB forward proxy using a secure VPN tunnel. Managing the agents is the downside of this deployment method.
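As an added example (not code from the original article or from any vendor's product), here is the shape of a PAC file that routes selected cloud services to a CASB forward proxy and lets other traffic go direct; the proxy host and the domain lists are assumed placeholders:

```javascript
// Added example, not from the original article: a minimal proxy
// auto-configuration (PAC) file that sends traffic for selected cloud
// services through a CASB forward proxy and lets everything else go direct.
// "casb-proxy.example.com:8080" and the domain lists are constructed
// placeholders. Plain ES5 is used because PAC engines may not support ES6.

var CASB_PROXY = "PROXY casb-proxy.example.com:8080";

// Cloud services whose traffic the CASB must inspect (constructed list).
var SANCTIONED_DOMAINS = ["salesforce.com", "box.com", "dropbox.com"];

// Hosts that must never be proxied: internal names and the proxy itself.
var BYPASS_DOMAINS = ["corp.example.com", "casb-proxy.example.com"];

// Exact domain or subdomain match. A plain suffix test (as the built-in
// dnsDomainIs() does) would also match "notsalesforce.com", so the dot
// boundary is checked explicitly.
function inDomain(host, domain) {
  if (host === domain) return true;
  var suffix = "." + domain;
  return host.length > suffix.length &&
    host.substring(host.length - suffix.length) === suffix;
}

function matchesAny(host, domains) {
  for (var i = 0; i < domains.length; i++) {
    if (inDomain(host, domains[i])) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Plain hostnames (no dot) are intranet names; never send them out.
  if (host.indexOf(".") === -1 || matchesAny(host, BYPASS_DOMAINS)) {
    return "DIRECT";
  }
  if (matchesAny(host, SANCTIONED_DOMAINS)) {
    // No "; DIRECT" fallback: if the proxy is down, failing open would
    // silently let the traffic bypass inspection.
    return CASB_PROXY;
  }
  return "DIRECT";
}
```

Because the browser's proxy setting can simply be changed or unset, a PAC file alone cannot guarantee that cloud traffic reaches the proxy, which is the bypass drawback noted above.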

A forward proxy CASB implemented by configuring PAC files or by deploying agents cannot monitor unmanaged devices. On the other hand, a forward proxy CASB implemented by configuring the customer's DNS can monitor both managed and unmanaged devices.

A forward proxy CASB deployment can:

  • Analyze content between the user's endpoint and cloud applications to spot malicious activity and data leakage.
  • Enforce context-based access control depending on the user's source device, network, time of request, and more.
  • Provide visibility into shadow IT and list the use of unsanctioned applications by a user or group of users.
  • Encrypt and tokenize field-level data.

Reverse proxy deployment

Often called last-mile technology, this mode places the proxy closer to the cloud service provider. The cloud service or resource routes the traffic to the CASB proxy.

Being more seamless than forward proxy technology, it can integrate with the Identity as a Service (IDaaS) provider used by the organization, authenticate users, and reroute traffic from SaaS applications to users.

Also, unlike a forward proxy, it raises no security concerns related to SSL man-in-the-middle techniques, and no agents need to be deployed to reroute the traffic.

However, reverse proxy technology does not offer visibility into shadow IT.

A reverse proxy CASB deployment can:

  • Control access from both managed and unmanaged devices, though it is more suited for unmanaged devices compared to other modes of deployment.
  • Encrypt data that is in transit to the cloud.
  • Monitor user activities and discover insider threats and compromised accounts.
  • Implement DLP in real time, including inspecting data in transit and taking appropriate prevention or remediation actions in case of threats.
  • Prevent users from bypassing it.

Which mode of CASB deployment should you adopt for your organization?

It is imperative to choose the CASB solution that is best suited to your organization's requirements. Each approach has its pros and cons. A preferable option would be a hybrid approach: a blend of API-based and proxy-based deployment modes. A hybrid solution can provide more flexibility, access control, visibility, and coverage of use cases.

  Zoho Corporation Pvt. Ltd. All rights reserved.