This week we came upon a pharma customer who had G Suite (aka Google Apps) deployed enterprise-wide. They were shopping for CASB, and were debating the pros and cons of agent-based CASB vs agentless CASB for G Suite.
In order to inspect traffic, agent-based CASB must configure proxy agents and fake certificates for Google on every device. This means that in addition to inspecting corporate G Suite traffic, they inspect and log personal G Mail, and worse yet, Google searches. Every search from every employee, on every device - corporate or BYOD - is inspected and logged in the CASB. Next time an employee researches a health condition, that will be inspected and logged. Employee researching divorce? Inspected and logged in the CASB. Employee emailing friends, family, doctor or attorney on personal Gmail? Inspected and logged.
In contrast, agentless CASB inspects only corporate data on corporate applications, ensuring privacy for employees on any device. Bitglass is the only CASB that has agentless support for Google Apps, by virtue of our AJAX-VM technology. As a result, we have many customers who have deployed Bitglass with GSuite for several years.
As we noted prior, inspecting personal communication on personally owned devices is subject to the federal wiretapping laws. Perhaps the most private digital communication in our daily lives is our search queries. Agent-based CASB is essentially wire-tapping, and on Google Apps, guaranteed to get IT security folks in hot water.