Proxy vs. API CASB: An Overlooked Choice in Cloud Security

Choosing The Right Cabs Architecture Is Critical In Securing Your Company’s Data

By Katie Fritchen, Director of Content Marketing, ManagedMethods

The availability of cloud computing and SaaS applications have pushed us into a new era of computing. These solutions have allowed teams to achieve greater efficiency and collaboration. They’ve also enabled globally dispersed teams and unshackled us from traditional desk-jockeying.

Cloud computing, however, has also created unique challenges for data security, personal privacy and the professionals responsible for securing IT infrastructures. For most organizations, cloud security is no longer a luxury, it’s a necessity.

The cloud has effectively killed the perimeter. Without a perimeter, traditional cybersecurity solutions, such as firewalls, are rendered nearly useless. A firewall is designed to prevent unauthorized access (typically from the public internet) to a private network, but as companies move toward cloud computing through the use of SaaS apps in the public cloud, data is no longer stored in the private network.

Why is Cloud Security Important?

Companies that moved to the cloud without evolving their IT security strategy lost the ability to control access to sensitive data. Without proper security configurations and monitoring, information can be improperly shared with the public. An account takeover can wreak havoc for weeks or months and compliance restrictions go ignored.

Cybersecurity leaders need to shift their focus from defending the perimeter to protecting data itself. In reality, this should have been the focus all along.

Cloud security evolved to solve these issues by providing functionalities such as automating data loss prevention, 24/7 account monitoring and the ability to revoke access manually. The most important questions now revolve around not if you need cloud security, but what type of CASB solution you should choose.

Proxy CASB Architecture

To secure cloud access in the early years of cloud security, perimeter security technology was basically repurposed and then lobbed up into the cloud. This partially explains the inclusion of the word “broker” in the industry segment dubbed by Gartner as cloud access security broker.

A proxy-based CASB architecture fits more comfortably in the cloud access security broker term. A proxy-based CASB places a proxy, agent or broker (some use browser extensions and call themselves “agentless”) between the user and the cloud application. On a basic level, the proxy checks for known users and devices as they attempt to access the cloud resource and either approves or denies access.

The main benefit of a proxy CASB is that it provides a greater level of control over outgoing traffic and can take security action in real time. The downside is that it significantly reduces network speed and duplicates the functionality of your firewall without providing significant added protection. Further, both Google and Microsoft, the most commonly used cloud applications, have published recommendations against using proxy-based CASB technology for cloud security, mainly because they can’t guarantee that third party technology will be able to keep up with continual updates in product technology.

API CASB Architecture

API-based CASB architecture was developed as an alternative solution to the drawbacks of using legacy technology to solve a modern security problem. The API CASB security solution uses each cloud application’s native APIs to secure access and data stored in the cloud. This approach creates a cloud security solution that works almost as though it is a native function of the application.

The benefits of an API-based CASB solution are that it secures and monitors information within the cloud application itself, rather than attempting to put up a perimeter. It also doesn’t have any impact on network speed and is much easier to install and activate. Additionally, API-based CASBs provide a symbiotic relationship with existing firewalls and gateways to create an additive, rather than a duplicative, security layer. The main pitfall is that inspection and remediation don’t happen in real time, but rather when the API hit is fired—usually within seconds.

Both CASB architecture types have benefits and pitfalls. Choosing the right one for your organization is an important decision that is often overlooked. Understanding the differences between the two main types of CASBs will help you determine which solution is best for your organization’s needs and budget.

About the Author

Katie Fritchen is the Director of Content Marketing at ManagedMethods, the fastest growing cloud application security platform for SMBs, educational and government institutions, and nonprofits. She is passionate about creating educational content focusing on the issues Information Security professionals face at the intersection of cloud computing and data security. With ManagedMethods, organizations gain data security from internal and external breaches, threat protection from malware and phishing schemes, and full control over account behavior. ManagedMethods is easy to use, affordable and requires no special training for administrators. Best of all, it has no impact on network speed or end users. Katie can be reached online at [email protected] and on Twitter @managedmethods.