Security & Compliance

  • 5 min read

CASB Deployment Modes (And How to Choose?)

Chaithanya Yambari

20th July, 2022

SHARE ON:

Cloud access security brokers (CASBs) help address organizations with cloud security concerns. According to a study report, 89% of the IT companies are already using CASB services, as CASBs offer better visibility into cloud services, encrypted data, shadow IT, and bolster monitoring.

A cloud access security broker (CASB) is an intermediate between a cloud provider and a cloud consumer to enforce an organization's security policies for cloud application access and usage. CASBs comes in both form–software and hardware. 

As organizations continue to evolve and add cloud applications to their network, securing access to cloud applications and their use is critical to daily operations. Attackers can use cloud apps to hack into company systems and track sensitive data.

Companies use CASB to monitor user behavior, protect sensitive data, and monitor third-party connected apps to protect the users and data.

CASB services fill security holes across cloud administrations, including Infrastructure as a service (IaaS) and Platform as a service (PaaS). CASB offers complete cloud visibility into approved and non-IT-approved cloud utilizations.

They capture and scrutinize traffic between the corporate system and cloud stage, help with consistent issues, offers information security arrangement and authorization, and forestall unapproved gadgets and applications.

Considerations While Choosing CASB

User security: A CASB solution can provide significant visibility into user activity across all of the SaaS applications employees access. CASBs can automate threat alerts and responses to achieve robust and agile user security.

Data security: A CASB solution can limit access points to significant data. Controlling access to sensitive data can be very effective; CASB also provides visibility into telemetry data to understand where the access policies need to be enforced.

App security: Adopting CASB will be beneficial because it provides discovery and visibility of third-party connected apps and enables the IT admins to disconnect from risky or inappropriate apps.

CASB solutions can also leverage the data from community trust ratings to help identify the risk related to a certain application. 

CASB also helps in discovering and identifying risky applications. If an app is classified as safe and beneficial and the permissions are appropriate, it will be left alone. If the application is classified as a threat, it will be disabled.

Proxy and API Deployment Modes

There are two types of CABS deployment modes, one is proxy, and the other is API. 

Proxy Deployment

Proxying is the first mode of operation for many CASB tools. The CASB deployment mode operates as an HTTP proxy. It is located between connections among users and the remote SaaS provider. 

The CASB has visibility into the traffic as it passes through the proxy. The position of the proxy enables CASBs to make changes to the application data stream to add additional controls. These controls can be encryption as well as recording and monitoring events that happen within the application, such as access attempts, logins, or use of the functionality. 

Advantages of Proxy-based CASB

Flexibility is a primary advantage of a proxy mode. It can service even SaaS applications that it might never have encountered previously because CASB operates on the underlying data stream directly.

Through integration with a SAML-based Identify Provider, CASB provides agent-less security to both IT organizations and personal devices based on their context.

CASB reverse proxy provides real-time, inline security for cloud services preventing access to functionality and sensitive data based on the context of the device and user.

Disadvantages of Proxy-based CASB

In some cases, it may happen that user passwords, browser websites, or any secured data can easily be viewed by the proxy service provider. There can be several free or shared options for proxies online, but they come with a lot of security threats.

Although using encrypted connections or networks, the user data or information can be leaked using the TLS and SSL connection.

While using unencrypted connections with a proxy server, the server can change/modify the responses user gets.

Two Modes of Proxy Deployment

There are two fundamental modes for Proxy deployments: forward proxy mode and reverse proxy mode.

Forward proxy

A forward proxy mode is known to the user agent, the browser. The agent is configured to relay traffic to the CASB proxy.

In forward proxy, the proxy sits in front of users and acts as a mediator between users and the web servers they access. This means that the user's request goes through the forward proxy first and then to the webpage. When the data from the internet is retrieved, it is then sent to a proxy server, redirecting it back to the requester. 

From the perspective of the internet server, the request is not made by the user but by the proxy server itself. The forward proxy can also cache information and use it to process future requests.

Types of forward proxies

There are different types of forward proxies. The most common ones are classified by their origin. There are two common proxies used - residential proxies and data center proxies.

Residential proxies - In this, a real IP address is provided by an Internet Service Provider (ISP) with a physical location.

Datacenter proxies - These proxies aren't affiliated with an ISP because the IP addresses come from secondary sources like data centers.

Reverse proxy

In contrast to forwarding proxy mode, reverse proxy intercepts traffic bound to a particular destination, acting as a proxy transparently. The browser does not know about the interception.

The Reverse Proxy server resides in front of a backend server and transfers user requests to the servers. Reverse proxies are generally adopted to boost protection, speed, and reliability. 

In Reverse proxy, the proxy gets a request from the user, which is then passed to another server and then forwarded back to the user, making it appear as if the initial proxy server processed it. These proxies don't allow the users to reach the origin server directly, providing anonymity to the webserver. 

Reverse proxy servers may be of no use to consumers and regular people but are a good fit for service providers and websites with frequent visitors. These proxies can protect web servers, increase website performance, and avoid overloading. 

Types of reverse proxies 

Functionality-wise, all reverse proxies are more or less the same. However, two main types of reverse proxies are based on their features. These are regular reverse proxies and load balancers.

Regular reverse proxies

This proxy intercepts the request from a user, directs it to the server to process it, and then sends it back to the user. This is mainly used for security purposes.

Load balancers

This proxy is a reverse proxy subtype that leads to more than one backend instance. It can distribute the traffic among multiple other servers and manage user-server communication between all of them. 

Load balancers proxy is tailored to distribute the load evenly among different servers, hence increasing the performance and speed.

Forward proxy vs. Reverse proxy 

The main difference between a forward proxy and a reverse proxy is that a forward proxy is used by a user, for example, an employee inside a private network, while a reverse proxy is used by an Internet server. A forward proxy can be located in the private network with the user, and it can also be online.

Forward proxies make sure that the website never communicates directly with the user, while reverse proxies ensure that the users don't communicate directly with the back and server.

API deployment

Another alternative to CASB deployment mode is API. In this case, the CASB adds desired security functionality directly into the SaaS using the SaaS's own development API. 

API-based CASB centralized location from which administrators can view all the data of the company, which is stored in the cloud. This CASB platform is the most powerful and modern approach to instantiating a CASB. 

APIs are application programming interfaces that are user/server architecture based. These are stateless, and they have uniform interfaces. APIs don't rely on any requirement of state information being shared between the server and user. APIs are programmatic endpoints that allow the users to interact with the software by sending requests or commands to the endpoints.

Advantages of API-based CASB

API-based CASB does not change the user experience, such as adding latency or breakage of application behavior. The deployment usually takes hours to set these up. 

API base solutions cover the user-to-could traffic and also provide coverage to cloud-to-cloud traffic. Also, when cloud adoption increases in organizations, cloud-to-cloud traffic becomes a significant portion of cloud usage in IT organizations. 

API-based deployment can only apply changes in security policies for new traffic. It also allows users to retrospectively apply the policies for all data at rest and also the new traffic.

Disadvantages of API-based CASB

API-based CASB disadvantages are that there can be a split-second delay in some security functionalities. 

API solutions cannot stop outgoing emails after they are sent because there is no appliance between application and user access.

Applications only with an API server can adopt this CASB deployment mode, hence isn't compatible with all applications.  

About the author

Chaithanya Yambari

Chaithanya Yambari is one of the co-founders of Zluri. A post-grad from BITS Pilani, he oversees the product and technology roadmap at Zluri. Before Zluri, he was part of the founding team at KNOLSKAPE, heading the engineering team.
An avid tech enthusiast, he is often found testing various softwares and smart devices or attending conferences to update his knowledge and expertise.

When not exuding his passion for technology, Chaithanya is an avid traveler, having traveled to over 28 countries across the globe already. Being professionally trained in baking, he spends his weekends trying to dabble a new recipe.