Security "Bits"

Double-agent CASB?

By Nat Kausik | October 25, 2016 at 5:27 PM


Last week, we got an interesting inquiry from an enterprise that was testing CASB solutions. One of the vendors they were testing had a forward-proxy architecture that required proxy agents on every device. This requirement proved vexing even in the test lab - specifically, the forward-proxy CASB agent conflicted with the forward-proxy corporate Secure Web Gateway (SWG). This incompatibility is an inherent limitation of agent-based CASB, making them essentially unusable in the vast majority of enterprises. To the astonishment of the customer, the vendor recommended getting rid of the SWG entirely. The customer's puzzled question to us was whether we recommended the same thing?

Of course not! The job of a CASB is to protect your data outside the perimeter, while the job of an SWG is to protect your perimeter.

Requirements for a CASB are: 
  1. Data protection: protect data outside the perimeter, in the cloud, at access and on devices
  2. Visibility: log access to corporate cloud applications
  3. Mobility: Real-time protection of data access from any device anywhere 
  4. Privacy: Preserve employe privacy on personal devices (legal requirement per federal wiretapping laws)
Requirements for a SWG are:
  1. Perimeter protection: hygiene of HTTP traffic entering the perimeter
  2. Visibility: log HTTP traffic entering and exiting the perimeter
  3. Throttling: control HTTP bandwidth usage at the perimeter
  4. DLP: control HTTP data leakage at the perimeter
These are two different products with two different purposes. CASB are focused on data-protection and mobility whilst SWG protect the perimeter. If the two were interchangeable as the vendor claimed, the customer would not need to add a CASB in the first place.  Indeed, Gartner believes that CASB is now a market in its own. 
Our recommendation is as follows: Use Bitglass agentless reverse-proxy mode for mobile and unmanaged devices. On corporate-owned/managed devices, configure Bitglass to enforce access via your SWG. This architecture works with your existing SWG, delivers rapid deployment and the highest security.





see all