How To Keep SaaS Data Safe When Inline Proxies Get Bypassed

The advent of modern workplaces and hybrid working has resulted in corporate data crossing organizational boundaries and surging into the cloud and beyond. However, routing user traffic through centralized security controls degrades network performance, creates latency and leads to poor user experience. 

Proxies alone are insufficient. Many Cloud Access Security Brokers (CASB) solutions still heavily rely on proxy-based or agent-based deployments to route user traffic through them. This approach does not fully resolve the network latency challenges. To circumvent this issue, many popular SaaS applications, such as Microsoft 365, recommend users to bypass proxy inspections while accessing the applications, increasing the risk of data loss in the cloud. Agentless, unmanaged devices can also bypass the inline proxy controls of CASB, resulting in security blind spots and increasing the risk of data exposure to unauthorized users and devices. 

So, how can organizations ensure that SaaS data remains protected, regardless of who accesses the data and how the data gets accessed?

API-based CASBs: Securing collaboration without impacting user experience

Enter CASB in API mode. Unlike proxy-based CASBs that sit inline between users and SaaS applications and require every traffic to traverse through them to apply policies, API-based CASBs provide a non-intrusive, out-of-band approach. They can integrate seamlessly with any SaaS application that exposes APIs, enabling policy enforcement without disrupting user traffic. This agentless deployment protects data regardless of how users connect, making it equally effective for both managed and unmanaged devices. Since data security is enforced directly within the SaaS application, organizations remain protected no matter how users access the cloud—whether directly, via a proxy, or through a VPN.

You can't protect what you can't see

There is another fundamental problem solved by CASBs in API mode. With almost 60% of corporate data today getting stored in the cloud, the risk of data loss and exposure in the cloud has increased at an alarming rate. Addressing this concern requires a comprehensive visibility into the data hosted in the SaaS applications. While proxy-based CASBs are great at inspecting SaaS traffic in real-time, they have no visibility into data already hosted within the applications, and the risks associated with the data. 

Lack of visibility into SaaS data can lead to severe ramifications in terms of compliance failure, security vulnerabilities and data breaches. API-based CASBs perform continuous scanning of the SaaS applications to discover sensitive data, classify the data, and automatically remediate the risks even after an event, such as file upload or file sharing, has happened. API-based CASBs provide the critical first step towards assessing the data risk exposure and enforcing adequate security controls to prevent the data from getting stolen by hackers and thieves.

Your Last Line of Defense for SaaS Security

Forcepoint CASB integrates via APIs with many popular SaaS applications, such as Microsoft 365, Google Workspace and Salesforce. The solution discovers sensitive data at rest across the corporate sanctioned applications, delivering comprehensive visibility and protecting the data with industry-leading data loss prevention (DLP) capabilities.

Forcepoint CASB prevents data leaks and enforces policies to make sure sensitive data is stored in cloud in adherence to global compliance standards, such as GDPR, HIPAA and PCI DSS. Out-of-band operation in API mode ensures there is no impact on the user experience. Combining API with inline capabilities, Forcepoint CASB provides comprehensive security across multiple SaaS applications - before, during and after data access.

Simplifying Data Security Everywhere

The trends around cloud adoption, BYOD and hybrid work setups have complicated data security strategies. Forcepoint simplifies data security by extending its best-in-class DLP product across all major channels - endpoints, networks, cloud, web and email. This empowers security teams to protect data everywhere with unified DLP policies enforced from a single management console. This differentiated capability allows new CASB customers to get superior visibility and control over their data with more than 1,700 pre-defined templates, policies and classifiers. Additionally, existing Forcepoint DLP customers migrating to the cloud can extend all the previously configured policies and custom policies to the cloud with just a few clicks, reaching time-to-value in minutes and accelerating the adoption of SaaS applications.

Watch this to understand how Forcepoint secures data in Microsoft using CASB in API mode.
 

If you’re interested in learning more about how Forcepoint provides visibility and control of all your organization’s data, talk to an expert today.