Network Security
What is a CASB Architecture?
Stanislav Krajcir, 24.12.2024

A Cloud Access Security Broker (CASB) is a security solution designed to protect business data while employees use cloud applications. It sits, logically, between the cloud service provider and the end user, either in the traffic path or connected to the cloud service through its APIs, and watches how data moves to, from and within the cloud. This enables a CASB to enforce security policies, implement data controls, and provide visibility into which cloud applications employees use and how those applications handle your data.

CASB refers to the solution itself. CASB architecture describes the design or method by which an organization deploys the solution to protect against risks when using cloud services. CASBs can be implemented in multiple ways, each requiring different:

– Architectures or tools
– Technologies
– Frameworks
– Integration processes

These architectures divide into inline (proxy-based) solutions and API-based methods. Each deployment has pros and cons that make it better suited to particular use cases, and the two can be combined for more holistic protection, known as multimode CASB.

Inline CASB Architecture

Inline CASB deployments use a cloud proxy architecture to sit directly in the network path, monitoring traffic between users and cloud storage locations or applications. As a user accesses a cloud application, the request is first directed to the proxy, which is the CASB itself.
At this point, the proxy can implement a range of functionality:

– Intercepting requests
– Applying security policies
– Controlling data access
– Monitoring events within different applications
– Identifying malicious activity, policy violations, or data exposure
– Implementing protections in real time

For instance, inline CASB tools can prevent specific actions that increase risk, such as blocking traffic to unapproved cloud applications or stopping file transfers to unmanaged devices.

The main advantage of inline CASB architecture is real-time protection and the flexibility that comes from operating directly on the data stream. The cost is that traffic has to be redirected through the proxy, which can be difficult for certain cloud services and clients; where redirection fails, the result is more complex operations or reduced visibility and protection. Because inline inspection normally involves terminating TLS, the CASB's signing certificate must also be trusted by every client it is meant to cover.

There are two types of inline CASB architecture, forward and reverse, defined by whether the proxy is positioned closer to the user or to the cloud.

Forward Proxy-based CASB

In this mode, the proxy is positioned closer to the user, and the user's device or network is configured to send outbound cloud traffic through it. A forward proxy CASB deployment gets user-initiated cloud requests to the proxy in one of three ways:

– PAC (Proxy Auto-Configuration) files, which the browser consults for every request to decide whether it goes directly to the cloud service provider or is routed through the forward proxy.
– DNS redirection, where queries for particular cloud service hostnames are answered with the proxy's address so that those requests land on it.
– Agents deployed on the user's endpoint, which send traffic to the CASB proxy through a secure VPN tunnel.

Agents are the most common method: they are harder for users to bypass (a PAC file or DNS setting can be overridden on a device the user controls) and they do not require the more complex DNS modifications.
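The forward-proxy mechanics above, as an added example that is not code from the original article: Part 1 is the PAC logic a browser evaluates to steer traffic to the CASB proxy, Part 2 is the kind of per-request policy decision the proxy makes once the traffic arrives, covering the two inline actions named earlier (blocking unapproved apps, stopping file transfers involving unmanaged devices). The proxy address, the internal domain, the sanctioned-app hostnames, the request fields and the policy itself are assumptions chosen for illustration, and the PAC helper stand-ins exist only so the file runs outside a browser.

```javascript
// Added example, not code from the original article. Hostnames, the proxy
// address, request fields and the policy are assumptions for illustration.

// ---- Part 1: PAC file logic ------------------------------------------
// A browser calls FindProxyForURL(url, host) for every request and supplies
// helpers such as isPlainHostName() and dnsDomainIs(). Minimal stand-ins are
// defined here only so the file also runs under Node for testing.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = (host) => !host.includes(".");
}
if (typeof dnsDomainIs === "undefined") {
  globalThis.dnsDomainIs = (host, domain) => host.endsWith(domain);
}

const CASB_PROXY = "PROXY casb-proxy.example.com:8080"; // assumed address
const INTERNAL_DOMAIN = ".corp.example.com";            // assumed

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Internal hosts bypass the broker. Everything bound for the internet is
  // steered through it, sanctioned or not; that full view is what lets a
  // forward proxy discover shadow IT.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  // Returning "PROXY ...; DIRECT" would let the browser fall back to a direct
  // connection when the proxy is unreachable. That fails open, so the PAC
  // returns only the proxy and lets the request fail closed instead.
  return CASB_PROXY;
}

// ---- Part 2: the proxy's inline policy decision ----------------------
// Sanctioned apps are matched by exact hostname (illustrative tenant names).
const SANCTIONED_APPS = new Set([
  "acme.sharepoint.com",
  "acme.my.salesforce.com",
]);
const UPLOAD_METHODS = new Set(["POST", "PUT", "PATCH"]);

// req fields (assumed): host, method, contentLength in bytes, and
// managedDevice, a flag the endpoint agent or device certificate establishes.
function evaluateRequest(req) {
  const host = req.host.toLowerCase();
  const sanctioned = SANCTIONED_APPS.has(host);
  const isUpload =
    UPLOAD_METHODS.has(req.method.toUpperCase()) && req.contentLength > 0;

  if (!sanctioned && isUpload) {
    // Data leaving for an unapproved app: stop it before it is forwarded.
    return { action: "block", reason: "upload-to-unsanctioned-app" };
  }
  if (!sanctioned) {
    // Read-only use of an unapproved app is allowed but recorded; these
    // records are the raw material for the shadow-IT inventory.
    return { action: "allow", reason: "shadow-it-observed" };
  }
  if (isUpload && !req.managedDevice) {
    // Sanctioned app, but the device is unmanaged: no file transfers.
    return { action: "block", reason: "upload-from-unmanaged-device" };
  }
  return { action: "allow", reason: "sanctioned" };
}
```

The download direction (file transfers to an unmanaged device) is the mirror image of the upload rule and is applied to the response the proxy relays back, which a request-only decision such as evaluateRequest cannot see; a real proxy evaluates both halves of the exchange.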
With outbound traffic passing through the forward proxy, the tool can implement functions ranging from:

– Deep packet inspection and certificate management (TLS interception on the proxy, with its certificate trusted on managed endpoints)
– Filtering or blocking traffic based on security policies

Forward proxy-based CASB is excellent for identifying shadow IT (the use of unapproved cloud applications) and for tracking cloud use from managed devices, since those are the devices on which the PAC file, DNS setting or agent can be enforced.

Reverse Proxy-based CASB

In this mode, the proxy is positioned closer to the cloud, and traffic between the user and the cloud application passes through it in both directions. With reverse proxy CASB, traffic is only monitored for certain cloud services rather than for all data leaving the user's network or device. Approved cloud services are configured so that user sessions pass through a CASB reverse proxy server (CRPS); in practice this is usually done by having the identity provider redirect the user to the CRPS at login, after which the proxy rewrites the application's URLs so that the session stays on it. Whenever a user accesses their cloud account, regardless of device or location, the CRPS can implement security controls and protections as well as monitor activity.

Compared to forward proxy CASB, a CRPS does not require agents and is therefore simpler to deploy, with less impact on network latency. But it covers only the specific cloud applications it has been configured for rather than all traffic between users and the cloud, and the URL rewriting it depends on can break native (non-browser) clients or applications whose pages change frequently. This means reverse proxy-based CASB architecture is better suited to securing access to approved services from unmanaged devices, while forward proxy-based CASB, which sees all traffic from a managed device, is the one that can identify unapproved SaaS use.

API-based CASB Architecture

API-based CASB integrates directly with cloud applications through the APIs their providers expose. This allows it to monitor and enforce protections without intercepting or rerouting traffic through proxy servers. Rather than sitting in the data path, the CASB uses the application's management and audit APIs to read stored files, sharing settings and user activity events, and to act on them, for example by removing a public link or quarantining a file.
Unlike proxy-based CASB architecture, which only inspects data in transit, API-based CASB also inspects files at rest within cloud storage. You can run periodic scans of data held by cloud service providers to ensure it is free from threats and complies with internal corporate policies and external regulations, and you can inspect historical as well as newly created data without the more complicated configuration inline solutions require. Without the need to reroute data through a proxy server, API-based CASB also offers a better user experience, with no impact on connection speed. Two limits follow from the design: enforcement is out of band, so it happens shortly after an action rather than before it, and coverage extends only to sanctioned applications that expose suitable APIs, so API mode cannot see shadow IT.

Multimode CASB Architecture

Multimode CASB products combine inline and API-based architecture to get the best of both: real-time monitoring of data in transit, plus scans of data at rest in cloud applications. If you are looking for the most complete CASB coverage, focus on multimode solutions that incorporate both architectures.

How to Choose a CASB Solution

To find the right CASB vendor for your organization, you need to identify:

– Your needs
– Solutions with the corresponding functionality
– The solution that best fits your existing IT infrastructure

When considering functionality, a good set of selection criteria is the four pillars of CASB:

– Visibility: comprehensive, real-time visibility for managing all cloud applications, both sanctioned and unsanctioned.
– Data Security: Data Loss Prevention (DLP) and granular access control to implement a zero-trust, least-privilege model in which users can reach only what their role requires.
– Threat Protection: the ability to quarantine suspicious files and block malware while tracking user behavior so that compromised accounts are caught early.
– Compliance: policy enforcement to ensure you meet all relevant industry regulations, and the audit data to prove it.

It is also important to consider whether you need functionality beyond CASB.
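The scan of data at rest described in the API-based section, as an added example rather than code from the original article. The file listing is constructed to resemble what a cloud storage API returns (the field names are assumptions, not any vendor's schema). The scanner flags payment-card numbers that pass the Luhn check, so that 16-digit order numbers do not trigger it, flags files that are publicly shared while sensitive, and supports the periodic incremental pass over new data as well as the full historical scan.

```javascript
// Added example, not code from the original article. The listing and field
// names are constructed to resemble a generic cloud-storage API response.
const LISTING = [
  { id: "f1", name: "Q3-customers.csv", modified: "2024-12-20T10:00:00Z",
    sharing: "anyone-with-link", label: "Internal",
    content: "name,card\nAda,4111 1111 1111 1111\nBob,4111-1111-1111-1111" },
  { id: "f2", name: "orders.txt", modified: "2024-12-01T09:00:00Z",
    sharing: "internal", label: "Internal",
    content: "order 1234567890123456 shipped" }, // 16 digits, fails Luhn
  { id: "f3", name: "roadmap.docx", modified: "2024-12-22T08:30:00Z",
    sharing: "anyone-with-link", label: "Confidential",
    content: "FY25 roadmap. Do not distribute." },
];

// 16 digits with optional single space or hyphen separators.
const CARD_PATTERN = /\b(?:\d[ -]?){15}\d\b/g;

// Luhn checksum: cuts false positives from order numbers and other 16-digit IDs.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Returns the last four digits of each Luhn-valid card number found.
function findPaymentCards(text) {
  const hits = [];
  for (const m of text.matchAll(CARD_PATTERN)) {
    const digits = m[0].replace(/\D/g, "");
    if (digits.length === 16 && luhnValid(digits)) hits.push(digits.slice(-4));
  }
  return hits;
}

// Scan every file, or only those modified after `modifiedSince` (ISO 8601)
// for the periodic incremental pass. Returns findings, never file content.
function scanListing(files, modifiedSince = null) {
  const findings = [];
  for (const f of files) {
    if (modifiedSince && f.modified <= modifiedSince) continue;
    const cards = findPaymentCards(f.content);
    if (cards.length > 0) {
      findings.push({ file: f.name, type: "pan-detected",
        detail: `${cards.length} card number(s) ending ${cards.join(", ")}` });
    }
    // Exposure = sensitive content or label combined with a public link.
    const sensitive = cards.length > 0 || f.label === "Confidential";
    if (f.sharing === "anyone-with-link" && sensitive) {
      findings.push({ file: f.name, type: "public-link-exposure",
        detail: `label=${f.label}; remediation: remove public link` });
    }
  }
  return findings;
}
```

A full pass over LISTING yields three findings (card data in the CSV, the CSV's public link, and the public link on the confidential roadmap); an incremental pass since 2024-12-21 yields only the roadmap exposure. In a real deployment the remediation in each finding is carried out through the same API that produced the listing, which is what makes API mode out of band: the file was already exposed for the interval between the share and the scan.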
Comparing or Combining CASB With a Secure Web Gateway

CASBs are just one of many products in the complicated and overlapping world of cybersecurity solutions. In particular, CASB shares functionality with Secure Web Gateways (SWGs). Both monitor traffic and implement protections such as:

– Malware detection
– DLP

The difference is scope: CASB is concerned with cloud applications, while SWG covers general internet traffic. To choose between them, you need to understand the level of protection each offers and whether it matches the risk your organization faces. Many organizations incorporate both: CASB for granular SaaS protection and SWG for internet use. But routing traffic through separate SWG and CASB tools means two inspection hops, which can slow the network and reduce employee productivity. The better option is to get CASB and SWG functionality within a broader Secure Access Service Edge (SASE) solution, where a single inspection point applies both sets of controls.

Gaining CASB Protections and More with Check Point SASE

SASE provides a comprehensive security framework for the modern enterprise, securing your entire organization and its workflows regardless of where your data is stored and who is accessing it. By incorporating capabilities from a range of solutions (CASB, SWG, Firewall-as-a-Service, Zero Trust Network Access, SD-WAN, and more), Check Point's SASE solution delivers comprehensive security for cloud-based environments while maintaining low latency, enabling you to inspect all network traffic and enforce security policies without the added hop of chaining separate inspection tools. Book a demo today and see Harmony SASE in action.

FAQ

What is a Cloud Access Security Broker (CASB)?
A Cloud Access Security Broker (CASB) is a security solution that protects business data when using cloud applications. It acts as a gateway between cloud service providers and end users, monitoring traffic to enforce security policies, control data access, and detect threats.
What Are the Different CASB Architectures?
CASB solutions can be deployed using different architectures:
– Inline CASB: uses a proxy-based approach to inspect traffic in real time.
– API-based CASB: integrates directly with cloud applications without rerouting traffic.
– Multimode CASB: combines inline and API-based architectures for comprehensive protection.

How Does Inline CASB Work?
Inline CASB operates within the data stream to:
– Monitor and intercept cloud traffic.
– Apply security policies in real time.
– Prevent unauthorized data transfers and access attempts.

What Are the Types of Inline CASB?
– Forward Proxy CASB: positioned closer to users, monitoring outbound cloud traffic.
– Reverse Proxy CASB: positioned closer to the cloud, monitoring traffic to and from specific cloud applications.

What is API-Based CASB?
API-based CASB integrates with cloud applications using their APIs to:
– Scan stored data for threats and compliance.
– Monitor the activity and audit events the application exposes for suspicious behavior.
– Provide security without impacting network speed.