Glass Class - 007: To Agent or Not to Agent
In today's Glass Class, we're going to be talking about particular use cases where installing a forward proxy agent on a user's managed device might be beneficial or useful during the deployment of your CASB.
One of the most common use cases is to distinguish between a managed and an unmanaged device in order to provide greater contextual access controls. Let's say you have a cloud application with lots of sensitive information in it, or maybe you're using an IaaS system and you want to make sure that the devices the users are connecting from are secure. In this case, you have a managed device trying to connect to the cloud app. When they go through Bitglass, we identify that they have a forward proxy agent on the device, so they are identified as a managed device and thus granted access to the application. When a user attempts to connect from an unmanaged device, over here, they go through Bitglass again. We see that they do not have the forward proxy agent installed, we identify them as an unmanaged device, and then we prevent their access.
Another one is to enable the use of thick client applications on your managed device. So, let's say you have a user with a managed corporate computer and they want to be able to use Outlook, or maybe they have a Dropbox or Box sync client. We can identify that they have the forward proxy agent installed, identify them as a managed device, and allow these applications to connect.
Finally, one of the most unique use cases is to be able to control those shadow IT apps. Let's say you have users who are using personal or unmanaged applications that you have no oversight over. So, let's say Box, over here. When a user attempts to connect to Box, you can actually control that by redirecting them to a block page where they are denied access, or you can redirect them to a coaching page which alerts them that they are using an unmanaged application. At this point, you can either allow them to continue on because they've received the coaching already and they are using it for personal means, or, if they need to upload actual corporate information, redirect them to your properly sanctioned application, such as Dropbox, over here.
Another cool thing that we can do with a forward proxy agent is, let's say you want to allow them to use those personal shadow IT apps but you want to prevent their ability to upload or potentially leak sensitive information. They can still connect, but we can prevent their ability to upload any information, thus turning the application read-only.
So, remember, when you are assessing your CASBs, it's best to consider one that can protect any application and any device anywhere.