When deploying a cloud access security broker (CASB) to secure sanctioned cloud services such as Office 365, the first question an enterprise must answer is which deployment mode(s) to select to address its security use cases. There are two principal deployment modes to consider: out-of-band, using direct API integration with the cloud service provider, or inline, via a reverse or a forward proxy. You can read about the advantages and disadvantages of each deployment mode here.

  • API – Direct integration of the CASB solution with Office 365
  • Reverse proxy – Inline deployment between the endpoint and Office 365 in which the identity provider integrates with a CASB to route traffic to the CASB proxy
  • Forward proxy – Inline deployment between the endpoint and Office 365 in which the device or network routes all traffic (including traffic bound for Office 365) to the CASB proxy

Earlier this year Microsoft published a blog post presenting their guidance and recommendation to Office 365 customers “who plan to use advanced network solutions that run active decryption, filtering, inspection functions and other protocol-level or content-level action on Office 365 user traffic.”

“Microsoft… does not recommend using third-party… traffic redirection or inspection devices, or any other network solutions that decrypt, inspect, or take protocol-level or content-level action on Office 365 user traffic.”

Using third-party network devices or solutions on Office 365 traffic, Microsoft.com

7 reasons why Microsoft warns against proxying traffic to Office 365:

1) Application breakage may become common

Microsoft does not test CASB solutions that intermediate Office 365 traffic for compatibility, interoperability, or performance.

2) Availability and performance may degrade

CASBs deployed inline introduce availability issues and may hinder a user’s ability to optimize Office 365 connectivity.

3) Terms of use may be violated

CASBs that intercept and decrypt network requests cause changes to Office 365 protocols and data streams which may lead to violation of Office 365 terms of use.

4) No guarantee of future compatibility

Microsoft reserves the right to only inform third parties about changes they make when those changes impact public Office 365 APIs. In other words, Microsoft may alter any detail of their app protocol, authentication method, etc., without informing CASB vendors who proxy Office 365 traffic.

5) Application outages may become common when Office 365 is updated

Microsoft will never delay innovative updates to Office 365 to allow CASB vendors to update their own proxy-based solutions in order to prevent outages. For the customer, this means they may experience frequent Office 365 outages with every update that impacts proxy-based CASB deployments.

6) Microsoft will provide limited or no customer support

Microsoft requires all Office 365 customers who request customer support to disclose the existence of any and all proxy-based solutions deployed in the path between users and Office 365. In addition, in order for Microsoft to provide any form of support, customers must first turn off proxy solutions.

7) Office 365 issues arising from use of proxies are a customer issue

Microsoft only provides user help and support for services and components under its direct control. If there are issues arising in Office 365 that are caused by a CASB that’s intermediating traffic, Microsoft is under no obligation to provide any level of help or support to resolve the customer issue.

You can read the full blog post here