Glass Class - API vs. Proxy
Hi guys. This is Mike from Product, and I wanted to talk about protecting data. This is really about data that's sensitive to an organization. There are different types of places data can be stored - in cloud applications there are also different types. An enterprise file sync and share app like Box is different than something like Office 365, which is different than something like Salesforce, but they all can contain very sensitive information that you'd want to inspect and protect. A lot of times, people think about things like files, but structured data is also possible in CRM apps like Salesforce and whatnot.
One concern is data in the cloud. Other types of concerns are data on devices. So, if I have a PC down here and let's say I have a Surface and an iPhone, these connect up to the cloud applications and they can either create content locally on those applications or they can take content from the cloud and you pull it down. From a managed-device perspective, if I gave them the device and I have control over this, then there's a different type of approach that you do from a data protection solution.
Typically, things involve two factors. One is a proxy, to proxy data and control the upload and download of content. The other is APIs, and what those allow you to do is detect content inside of cloud applications and control them. A good example of that is if I have this file in Office 365 in OneDrive, and I take it and I share it externally somewhere. That might be okay, but that might not be okay also. That could contain some PCI information that you may want to block, or PII that would be a violation of your corporate policy.
You want a solution that combines both this proxy component as well as the API integration to give you something that we call a hybrid CASB, and Gartner calls it something like a multimode CASB. Those two solutions are different though.
From an API perspective, the API is basically taking things from Salesforce or Office 365, waiting for it to tell the solution about that, and then taking action on it. If I share this file, it takes a little bit of time for that CASB to understand that the file was shared, and then they go and take an action on this and actually perform the block. It's more of a reactive type solution, but it's required for things that happen after the fact. After I uploaded the content and it was fine, then I did a share, so I need an API to protect against that.
From a proxy perspective, you protect things more in line, so I protect this file going up to the cloud or going down from the cloud to the PC. A lot of times, from a sensitivity perspective, you're looking at things like sync clients, so Outlook, for example, which syncs the number one app, which is email. Sync clients, like the Box sync client, you'd only want installed on a managed PC that you own.
From a solution perspective with a proxy, there are two approaches. One is that I have something like an agent that I install on the PC. Because it's managed, I can do that and whatnot, so I'm able to do so. There are also approaches where I configure the device. Again, that's something that I would do on a managed PC or on a network. I take and I install, let's say, a firewall here to do some sort of proxying and controls there, like a secure web gateway. So, I could do that there, too, but that doesn't really apply for devices that are more BYO.
If I bring my own device, a lot of times users don't want software installed on those devices, and so this forward proxy approach with configuration and whatnot doesn't really apply over here. What you want on that side is something that is an agentless solution that can protect unmanaged PCs. So, when you look at a CASB, you really want three things.
One is to protect your managed devices, another is to be able to protect your unmanaged devices without installing any software or any configuration, and then third, you also want to protect against data that's already in the cloud or that happens after the fact. Solution-wise, you should be looking for a multimode or hybrid CASB, and we'd love to tell you more. Thank you.