Glass Class - API vs Proxy
Hello again. I'm Mike from Product Management at Bitglass and I want to talk today about securing cloud applications. There's a number of different approaches. I want to demystify some of the myths.
We have various cloud applications: things like Salesforce and Office 365 and there's multiple components to these applications. Office 365 is a whole productivity suite with things like email, and OneDrive for file management. Whereas Salesforce is associated with things like CRM.
I have this cloud and I have various different types of devices over here. I have things like BYO, actual Laptops. I have things like managed iPads and computers as well. There's different types of things you can do to secure these devices. One of the things you want in general is to have visibility into what's going on in this cloud.
There's a number of different solutions out there on the market that are known as Cloud Access Security Brokers, or CASBs for short. There's different approaches as to how they see what's going on in the cloud. One of them is an API.
You connect an API up to these cloud apps and what you get is visibility into the events and the things that are stored in the cloud. I know about data at rest and I can do things like scan the files against potential compliance issues. Things like DLP Patterns to know that there's a problem. I know that someone’s sharing a file that contains a HIPAA Violation out to a public link. Where someone can download it and see it, which would cause me to get a fine.
With the API I can do a lot of things that allow me to do reports. I have some graphs and some charts over here and I can do a report. I can also react, but the reaction is a little bit slow and it lags, for a number of reasons. One is that the CASB's always seeing file after you -- or content in general -- after you upload it to the cloud.
Which is a problem, because after I see it I may not want to take additional action on it, like block it or change the share permissions. At that point it's already been up there and I have a periodic basis where I can re-scan the things at rest and that has issues in general.
Another approach is to sit in front of the actual application with a proxy. There's two different types of approaches you can take for proxies. There's something called a reverse proxy and there's something called a forward proxy. From a reverse proxy perspective what you get is the ability to actually see the traffic without installing agents. So no agents or certificates; and be able to do things like monitor even a login from a hotel kiosk and be able to control the data that's going on there and see what's happening.
From a forward proxy perspective there's different advantages. There's advantages for things like determining that something’s a managed device from an unmanaged device and setting appropriate policies for protection. There's also capabilities to proxy apps that are hard coded to talk to particular URLs. Things like the Salesforce One app, that talks to Salesforce directly; or things like the OneDrive Sync Client app that's hard coded there to talk to Office 365. With a Forward Proxy you can protect that and you can control that.
From a CASB perspective there's somewhat of a religious war going on these days where people say, "Oh you need to do the API because it's out of band and that's much better because it doesn't affect users." Other approaches are, "I want to use reverse proxies or forward proxies to protect my data or protect my traffic."
In reality what you want is all three, what you can do is combine things like seeing a file be uploaded through one of these proxies and automatically scanning the file. Which gives you a lot of more efficiencies. In general, at Bitglass, we try to avoid things like these religious wars and instead provide solutions that are a combination of everything you might need to protect the use case that you're trying to solve.
Thanks again, this has been another successful Bitglass Glass Class.