Security "Bits"

Cloud Access Security Broker Proxy Architectures

By Rich Campagna | September 1, 2014 at 5:37 AM

This is post #9 in our series on Cloud Access Security Brokers (Posts #1, #2, #3, #4, #5, #6, #7, #8). This post is abbreviated; a more complete description of proxy types is available in The Definitive Guide to Cloud Access Security Brokers.

CASB architectures vary from one vendor to the next. Most vendors have a primary proxy mechanism upon which their architecture is built—either a forward proxy or a reverse proxy, though many rely on both types of proxies, depending on the use case.

It is important to consider how each architecture is deployed and managed, as it can have a big impact on the application and device types that can be supported, and on the amount of operational overhead associated with managing the system. 

Also keep in mind that web/HTTPS traffic is only a piece of the overall puzzle. For example, a cloud-based email system like Office 365 can be accessed via the web, but also via Microsoft Outlook, Mac OS X Mail, and just about every smartphone and tablet via ActiveSync. If your CASB can’t secure these alternative access types, your coverage is incomplete.
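One way to measure that coverage gap, as an added example that is not part of the original post: tally sign-ins per client type and check whether each one reached the cloud application from the CASB's egress addresses. The log format, the client-type labels and the 203.0.113.0/28 egress range are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumption: the CASB proxy reaches the cloud app from this range
# (RFC 5737 documentation addresses, constructed for the example).
CASB_EGRESS = [ipaddress.ip_network("203.0.113.0/28")]

# Constructed sample sign-in log: timestamp,user,client_type,source_ip
SAMPLE_LOG = """\
2014-09-01T08:00:01Z,alice,browser,203.0.113.5
2014-09-01T08:02:10Z,alice,activesync,198.51.100.23
2014-09-01T08:05:44Z,bob,outlook,203.0.113.9
2014-09-01T08:07:12Z,bob,activesync,198.51.100.77
2014-09-01T08:09:30Z,carol,browser,203.0.113.6
2014-09-01T08:11:02Z,carol,mac_mail,192.0.2.14
2014-09-01T08:15:00Z,dave,browser,192.0.2.200
"""

def via_casb(ip_text):
    """True when the source address belongs to a CASB egress network."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in CASB_EGRESS)

def coverage_by_client(log_text):
    """Return {client_type: (proxied_sign_ins, total_sign_ins)}."""
    counts = defaultdict(lambda: [0, 0])
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip malformed lines
        _, _, client, src = row
        try:
            proxied = via_casb(src.strip())
        except ValueError:
            continue  # skip rows whose source address does not parse
        counts[client][1] += 1
        counts[client][0] += int(proxied)
    return {client: tuple(v) for client, v in counts.items()}

def uncovered_clients(log_text, threshold=1.0):
    """Client types whose share of proxied sign-ins is below threshold."""
    cov = coverage_by_client(log_text)
    return sorted(c for c, (p, t) in cov.items() if p / t < threshold)

if __name__ == "__main__":
    for client, (p, t) in sorted(coverage_by_client(SAMPLE_LOG).items()):
        print(f"{client:10s} {p}/{t} sign-ins via CASB")
    print("coverage gaps:", uncovered_clients(SAMPLE_LOG))
```

In the sample, every ActiveSync and Mac Mail sign-in arrives directly, and one browser session also skips the proxy, so all three client types are reported as gaps.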

Forward Proxy for Cloud Applications

  • Can be used for all application types, including client-server apps with hard-coded hostnames.


  • Difficult to deploy in a distributed environment with a mobile workforce.
  • Reduced end-user privacy—both personal and corporate traffic are captured and inspected by the proxy.
  • Requires installation and user acceptance of self-signed digital certificates at each point of use.

Reverse Proxy for Cloud Applications


  • Accessible from any device or location, making it suitable for a mobile workforce.
  • End-user privacy—only corporate traffic is sent via proxy. Users may access a personal version of a cloud application directly; e.g., corporate Gmail is proxied but not personal Gmail.
  • Simple to deploy and use, no configuration on mobile devices or firewalls required.


  • Not applicable to client-server applications with hard-coded hostnames. 


Use of a reverse proxy architecture is the superior choice for proxying cloud applications, and should be employed wherever feasible. In specific use cases where deploying a reverse proxy might be technically infeasible, a forward proxy may be used. Specifically, client/server applications such as native mobile applications with hard-coded hostnames may require a forward proxy.

To help provide more color on what CASBs do, we have created The Definitive Guide to Cloud Access Security Brokers. We're providing the entire document via a series of posts on this blog. Of course, if you prefer to binge read your Definitive Guides much like you binge watched Breaking Bad on Netflix, you can download the whole thing immediately, right here. 
