Security "Bits"

Hybrid Architecture Cloud Access Security Brokers

By Rich Campagna | July 9, 2015 at 7:00 AM

There are religious wars going on in the Cloud Access Security Broker market, many of which are focused on architectures, with several vendors laying out arguments for why their single-mode architecture is superior to others. Thus far in the development of the market, there are four primary CASB architectures - API, forward proxy, reverse proxy and ActiveSync proxy. Let's take a deeper look at each. 

API - The API-based approach leverages APIs provided by each cloud app vendor. It works out-of-band and scans the data stored in a cloud app in order to determine risks.

- Pro - An API-based approach allows you to scan data at rest in the cloud without inspecting user traffic.

- Con - Since it's out-of-band, this approach is suited for scheduled audits of leakage events, but offers little in the form of ongoing control of the data.

Forward Proxy - Forward proxy architectures are best suited for managed laptops and mobile devices. With a forward proxy, all data from a device to predetermined apps is forwarded to a proxy for inspection. This is done by installing profiles or agent software on the device to control its network connectivity.

- Pro - Works for both browsers and thick client apps.

- Con - Requires agents and spoofed certificates on each device. Invades user privacy by inspecting both private and corporate traffic. Unsuitable for BYOD.

Reverse Proxy - A reverse proxy intermediates network connections coming from any device on the Internet to a specific set of applications.

- Pro - A key advantage of reverse proxies is that they can inspect traffic from any device. This makes reverse proxies particularly well suited to unmanaged devices. There is no need to pre-install software or reconfigure devices connecting to reverse proxies. 

- Con - Reverse proxies are not suitable for proprietary thick client apps. 

ActiveSync Proxy - Email, Contacts & Calendar are the number one application for business productivity, and ActiveSync is the protocol of choice for email access on mobile devices and laptops.

- Pro - ActiveSync proxies, such as the one Bitglass provides, do not require any agent installation or profiles on the device, and are able to intermediate all mail/calendar/contact traffic to/from the mobile device. 

- Con - None


The table below summarizes the coverage areas of each of the four types of CASB architectures.


Customers need complete solutions and our position at Bitglass is to give customers what they need. Each approach has pros and cons, and each has use cases for which it is the best suited technology. We have built all of these models into our architecture, resulting in a unique hybrid approach, ensuring that our customers have exactly the tool that they need for every scenario, protecting data anywhere it goes.




BTW, here is an excellent video explanation of this topic on Glass Class by our very own Mike Schuricht.


