With the exponential growth of the cloud in recent years, many enterprises are finding themselves in need of customized security tools to protect their data and applications in the cloud. For this reason, many organizations are deploying cloud access security brokers (CASBs) to meet their specific security and compliance requirements for SaaS, IaaS, and custom-built applications.

However, when enterprises embark on a cloud security project, they quickly discover that there are multiple ways to deploy a CASB, each with its own capabilities and limitations, benefits and costs. Deciding on the right architecture for a project is one of the most important decisions a company can make, since it determines which CASB features apply to which users, devices, and services, and under what conditions.

The enforcement point in the on-premises era was clear – it was at the network edge. In the cloud era, the perimeter is undefined. When deploying a CASB, how do organizations ensure they can enforce security controls across all cloud services, users and devices?

This eBook (download a free copy here) outlines the various CASB deployment modes and then describes the 20 most common CASB use cases, revealing which deployment mode best supports each of the use cases.


CASB Deployment Modes

There are 4 primary CASB deployment modes that cover all CASB use cases:

  • Log Collection
  • API
  • Reverse Proxy
  • Forward Proxy

Log collection

In this mode, a CASB collects event logs generated by existing infrastructure such as firewalls and secure web gateways. Generally, logs capture user activity but not content. A CASB uses an on-premises connector which runs on a virtual machine to collect log files from firewalls and web proxies, or from SIEMs where these logs have already been collected and aggregated from multiple devices.
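The log-collection mode described above can be illustrated with a small discovery routine. This is an added example, not code from the original page or from any CASB vendor: it parses a handful of constructed secure-web-gateway log lines (a hypothetical six-field format), matches destination hosts against a constructed service catalogue with risk attributes, and reports which unsanctioned services are in use, by whom, and how much data went out. As the text notes, logs carry activity (user, host, bytes) but no content, so that is all the routine can see.

```python
"""Shadow-cloud discovery from proxy logs: the log-collection CASB mode in miniature.

Added example; the log format, catalogue and hosts below are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Constructed sample of secure-web-gateway log lines (hypothetical format:
# timestamp  user  client_ip  destination_host  bytes_sent  action).
SAMPLE_LOG = """\
2024-03-01T09:00:12Z alice 10.1.2.3 drive.example-storage.com 52428800 ALLOW
2024-03-01T09:03:45Z bob 10.1.2.7 app.sharewithanyone.test 10485760 ALLOW
2024-03-01T09:05:01Z alice 10.1.2.3 drive.example-storage.com 1024 ALLOW
2024-03-01T09:07:30Z carol 10.1.2.9 www.corp-intranet.local 2048 ALLOW
2024-03-01T09:09:10Z bob 10.1.2.7 unknown-paste.test 204800 ALLOW
"""

# Constructed service catalogue keyed by host suffix. A real CASB ships a
# registry of thousands of services with many more risk attributes.
CATALOGUE = {
    "example-storage.com": {"name": "ExampleStorage", "risk": "low", "sanctioned": True},
    "sharewithanyone.test": {"name": "ShareWithAnyone", "risk": "high", "sanctioned": False},
}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\S+)$")


@dataclass
class ServiceUsage:
    name: str
    risk: str
    sanctioned: bool
    users: set = field(default_factory=set)
    bytes_sent: int = 0
    requests: int = 0


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, user, ip, host, sent, action = m.groups()
    return {"ts": ts, "user": user, "ip": ip, "host": host,
            "bytes_sent": int(sent), "action": action}


def classify_host(host, catalogue):
    """Map a destination host to a catalogue entry by longest matching suffix."""
    best = None
    for suffix, meta in catalogue.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, meta)
    return best[1] if best else None


def discover(log_text, catalogue, internal_suffixes=(".local",)):
    """Aggregate per-service usage; hosts not in the catalogue are returned separately."""
    usage = {}
    unknown = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = rec["host"]
        if host.endswith(internal_suffixes):  # skip internal destinations
            continue
        meta = classify_host(host, catalogue)
        if meta is None:
            unknown[host] += rec["bytes_sent"]
            continue
        svc = usage.setdefault(
            meta["name"], ServiceUsage(meta["name"], meta["risk"], meta["sanctioned"]))
        svc.users.add(rec["user"])
        svc.bytes_sent += rec["bytes_sent"]
        svc.requests += 1
    return usage, dict(unknown)


def shadow_services(usage, risky=("medium", "high")):
    """Names of unsanctioned services whose catalogue risk is in `risky`, sorted."""
    return sorted(n for n, s in usage.items() if not s.sanctioned and s.risk in risky)


if __name__ == "__main__":
    usage, unknown = discover(SAMPLE_LOG, CATALOGUE)
    for name, s in sorted(usage.items()):
        print(f"{name:16} risk={s.risk:6} sanctioned={s.sanctioned} "
              f"users={len(s.users)} MB_out={s.bytes_sent / 1048576:.1f}")
    print("unsanctioned risky services:", shadow_services(usage))
    print("uncatalogued hosts (bytes out):", unknown)
```

The uncatalogued bucket matters in practice: a host that matches nothing in the catalogue is exactly the kind of destination a "detect data exfiltration and proxy leakage" use case needs surfaced rather than silently dropped.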

API

Enterprise-grade cloud services offer APIs that support visibility and policy enforcement by a CASB. Generally, these APIs support audit trails of user activity, content inspection, and scanning user privileges, sharing permissions on files and folders, and application security settings. Of course, API-based capabilities vary for each cloud service provider.
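One of the API-mode capabilities named above, scanning sharing permissions on files, is shown below as an added example that is not part of the original page and does not target any particular provider. It assumes a hypothetical "list files with permissions" API whose JSON shape (the `files`, `permissions`, `type`, `role`, `email` and `domain` fields) is constructed for the example; the file records and domain lists are constructed too. It classifies each permission by exposure and returns findings with a suggested remediation, which is what an API-mode CASB would feed into its policy engine.

```python
"""API-mode CASB check: audit sharing permissions from a cloud storage API.

Added example. The API response, field names and domains are constructed.
"""
import json

# Constructed stand-in for a provider's "list files with permissions" response.
API_RESPONSE = json.dumps({
    "files": [
        {"id": "f1", "name": "Q3-forecast.xlsx", "owner": "alice@corp.example",
         "permissions": [{"type": "user", "email": "bob@corp.example", "role": "writer"}]},
        {"id": "f2", "name": "customer-list.csv", "owner": "bob@corp.example",
         "permissions": [{"type": "anyone", "role": "reader"}]},
        {"id": "f3", "name": "partner-sow.pdf", "owner": "carol@corp.example",
         "permissions": [{"type": "user", "email": "dave@partner.example", "role": "reader"},
                         {"type": "user", "email": "mallory@elsewhere.example", "role": "writer"},
                         {"type": "user", "email": "carol@corp.example", "role": "owner"}]},
        {"id": "f4", "name": "notes.txt", "owner": "alice@corp.example",
         "permissions": [{"type": "domain", "domain": "corp.example", "role": "reader"}]},
    ]
})

INTERNAL_DOMAINS = {"corp.example"}            # the enterprise's own tenant domains
ALLOWED_EXTERNAL_DOMAINS = {"partner.example"}  # approved collaboration partners


def classify_permission(perm, internal, allowed_external):
    """Exposure level of one permission: 'public', 'external', 'allowed-external' or 'internal'."""
    ptype = perm.get("type")
    if ptype == "anyone":
        return "public"
    if ptype == "domain":
        domain = perm.get("domain", "")
    elif ptype == "user":
        domain = perm.get("email", "").rsplit("@", 1)[-1]
    else:
        return "external"  # unknown permission type: treat as worst case
    if domain in internal:
        return "internal"
    if domain in allowed_external:
        return "allowed-external"
    return "external"


def remediation_for(level):
    """Policy action per exposure level (constructed policy for the example)."""
    return {"public": "remove permission",
            "external": "require approval or remove"}.get(level, "none")


def audit(response_json, internal=INTERNAL_DOMAINS, allowed_external=ALLOWED_EXTERNAL_DOMAINS):
    """Return one finding per permission that violates the collaboration policy."""
    files = json.loads(response_json)["files"]
    findings = []
    for f in files:
        for perm in f.get("permissions", []):
            level = classify_permission(perm, internal, allowed_external)
            if level in ("public", "external"):
                findings.append({
                    "file_id": f["id"], "name": f["name"], "owner": f["owner"],
                    "exposure": level, "permission": perm,
                    "remediation": remediation_for(level),
                })
    return findings


if __name__ == "__main__":
    for finding in audit(API_RESPONSE):
        print(f"{finding['file_id']} {finding['name']}: {finding['exposure']} "
              f"via {finding['permission']} -> {finding['remediation']}")
```

Note what the check can and cannot do: it sees sharing state at rest through the API, which is the strength of this mode, but it sees it only after the share has happened and only for services that expose such an API, which is why the proxy modes exist alongside it.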

Reverse proxy

A CASB in reverse proxy mode proxies all traffic to and from a specific cloud provider. Unlike a forward proxy, the endpoint or network does not need to be managed. Instead, the identity solution (IDM) routes traffic through the reverse proxy following authentication. In this way, all traffic bound for a cloud service is seamlessly and pervasively steered to the proxy.

Forward proxy

A CASB in forward proxy mode routes all cloud traffic from the user’s endpoint device through the proxy. There are two ways to deploy a forward proxy. First, if you have an existing secure web gateway, you can configure proxy chaining to the upstream CASB forward proxy. If no secure web gateway exists, you can instead deploy an endpoint agent to route cloud traffic through the forward proxy.

Recommended deployment modes for the top 20 CASB use cases

Securing shadow cloud services
Columns: Log collection | API | Reverse proxy | Forward proxy (each ✓ below is one marked column; column alignment did not survive extraction)
  • Discover cloud services in use: ✓
  • Assess cloud service risk: ✓
  • Apply cloud governance (acceptable use) policies: ✓
  • Detect data exfiltration and proxy leakage: ✓
  • Gain granular visibility and enforce activity-level controls: ✓

Securing sanctioned cloud services
Columns: Log collection | API | Reverse proxy | Forward proxy (each ✓ below is one marked column; column alignment did not survive extraction)
  • Enforce DLP policies for data stored in the cloud: ✓
  • Enforce policies from on-premises DLP solutions: ✓
  • Enforce collaboration policies on data shared from cloud services: ✓
  • Capture an audit trail of all user activity for forensic investigations: ✓
  • Detect threats from compromised accounts, insiders, and privileged users: ✓ ✓
  • Encrypt data stored in the cloud: ✓
  • Enforce access control policies: ✓
  • Protect data downloaded to unmanaged devices: ✓
  • Detect and remediate malware: ✓
  • Apply rights management to cloud data: ✓ ✓

Securing IaaS services and custom apps
Columns: Log collection | API | Reverse proxy | Forward proxy (each ✓ below is one marked column; column alignment did not survive extraction)
  • IaaS security configuration audit: ✓
  • Understand provisioned user risk (over-provisioned, inactive): ✓
  • Capture user activity log within custom apps: ✓
  • Activity monitoring & threat protection: ✓ ✓
  • Data loss prevention on data in custom applications: ✓