
CASB Architecture: Cloud Access Security Broker

A Cloud Access Security Broker (CASB) is a policy enforcement point that secures data and apps in the cloud and on any device, anywhere. There are three requirements for a CASB:

  • Management: Visibility and clean-up after high-risk events
  • Security: Preventing high-risk events such as data leakages and threat intrusions
  • Zero-Day protection: Protection from known and unknown data leakage risks and malware threats
Correspondingly, there are three types of CASB:
  • API-only CASB that deliver only management. Such CASB use API access to SaaS apps to remediate after data-leakage events.
  • Multi-mode First-Gen CASB that deliver management and security, but not Zero-Day protection. Such CASB offer signature-based protection for known data leakage paths and a fixed set of applications.
  • Multi-mode Next-Gen CASB that deliver management, security and Zero-Day protection. Such CASB dynamically adapt to deliver protection for known and unknown data leakage risks and malware threats, on any app.

API-only CASB Architecture

API-only CASB offer management capabilities by remediating data-leakage events after the fact via the APIs provided by some applications.  

API CASB operate “out-of-band”, not in real time. Users directly access cloud apps and data from any device, managed or unmanaged, without restriction or control. API CASB use the applications’ APIs to analyze the data-at-rest in the cloud. Based on policies set by the administrator, files that are in violation may trigger visibility logging alerts. Alternatively, files that are in violation may be quarantined, or have sharing permissions revoked.
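The out-of-band pass described above, as an added example that is not code from the original page or from any CASB product. The `CloudFile` record shape, the SSN-style DLP pattern and the mapping from sharing scope to action are assumptions chosen for illustration, and the sample inventory is constructed. Each finding also reports how long the file had already been shared before the scan reached it.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed DLP pattern: US SSN-like strings (illustrative policy, not a vendor rule).
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

@dataclass
class CloudFile:
    # Hypothetical record shape, standing in for what a SaaS app's API returns.
    name: str
    content: str
    sharing: str          # "private", "domain" or "public"
    shared_at: datetime   # when the current sharing setting was applied

def decide(f: CloudFile) -> str:
    """Map one file at rest to the remediation actions the page lists."""
    if not SSN.search(f.content):
        return "none"
    if f.sharing == "public":
        return "revoke_sharing"
    if f.sharing == "domain":
        return "quarantine"
    return "alert"  # sensitive but private: log for visibility only

def scan(files, scan_time: datetime):
    """Out-of-band pass: returns (name, action, exposure) per violating file.

    exposure is how long the file was already shared before this scan saw it,
    the window that API mode alone cannot close.
    """
    findings = []
    for f in files:
        action = decide(f)
        if action != "none":
            exposure = scan_time - f.shared_at if f.sharing != "private" else timedelta(0)
            findings.append((f.name, action, exposure))
    return findings

# Constructed sample inventory.
NOW = datetime(2024, 1, 1, 12, 0)
SAMPLE = [
    CloudFile("payroll.csv", "Jane,123-45-6789", "public", NOW - timedelta(hours=6)),
    CloudFile("hr-notes.txt", "SSN 987-65-4321", "domain", NOW - timedelta(minutes=30)),
    CloudFile("draft.txt", "ssn 111-22-3333", "private", NOW - timedelta(days=2)),
    CloudFile("menu.txt", "lunch at noon", "public", NOW - timedelta(days=9)),
]

if __name__ == "__main__":
    for name, action, exposure in scan(SAMPLE, NOW):
        print(f"{name}: {action} (exposed {exposure})")
```

The non-zero exposure values are the practical meaning of "not real-time": the sensitive file was reachable for that long before the scan remediated it.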

Strengths:
  • Visibility & DLP remediation on data at rest after breach & compliance violations
Weaknesses:
  • No Real-time protection
  • No Mobile data protection
  • No Threat protection
  • No Zero-day App Control
  • No Zero-Day threat protection
  • No Identity control
API-only CASB architecture
 

Multi-Mode First-Gen CASB Architecture

Multi-mode First-Gen CASB offer both API mode and proxy mode. Operating in proxy mode typically requires an agent on every device, and is not suitable for unmanaged personal devices. Proxy agents may also interfere with existing infrastructure such as Secure Web Gateway proxies. Multi-mode First-Gen CASB can also identify “ShadowIT” cloud applications used in the enterprise, by checking against a manually curated index of cloud applications.

Strengths:
  • API visibility and control of data-at-rest
  • ShadowIT analysis with manual index
Weaknesses:
  • Requires proxy agents on every device
  • No agentless mode
  • No Mobile Data Protection
  • No Zero-day App Control
  • No Zero-Day threat protection
  • No Identity control

First-gen CASB with forward proxy


Multi-Mode Next-Gen CASB Architecture 

Multi-mode Next-Gen CASB deliver management, security and Zero-Day protection.  Such CASB dynamically adapt to deliver protection for known and unknown data leakage risks and malware threats, on any app. Such CASB have dual architectures and can operate in agent-based or agentless mode.   Agentless mode enables rapid deployment, and is fully interoperable with existing infrastructure such as Secure Web Gateways.
 
Strengths:
  • API+Forward proxy + Reverse-Proxy + Active-Sync Proxy + SAML Proxy
  • Zero-Day real-time control of any managed app
  • Zero-Day read-only control of any unmanaged app
  • Zero-Day real-time agentless AJAX-VM on any device
  • Zero-Day threat protection
  • Searchable, sortable cloud encryption
  • Custom app support
  • API visibility and control of data-at-rest
  • Agentless Mobile security
  • Integrated identity control
  • Automated ShadowIT Analysis w/ 100K+ apps
Next-Gen-CASB with reverse-proxy, forward proxy and API