The 3 Types of CASB and How They Operate

Since so many applications we use rely on the cloud,  CASB solutions play a crucial role in modern cybersecurity strategies. In a previous post, I looked at why they continue to gain prominence. In this one, I'll explore the three types of CASB, their core functionalities and their benefits.

Exploring the 3 Types of CASB

Let's look at each of these, along with specific use cases. First up... API-based CASB.

1 - API-Based CASB

API-based CASBs are an out-of-the-band solution to secure SaaS applications. They connect to sanctioned cloud applications via APIs (application programming interface) to scan and assess files and data for issues such as unauthorized sharing or sensitive information exposure. Key features of API-based CASBs include:

• Data Scanning and Assessment: These CASBs evaluate files and data within cloud applications toidentify problems like unauthorized sharing or the presence of sensitive information, ensuring that files are neither publicly exposed nor improperly shared.
• Corrective Actions: Based on their assessments, API-based CASBs can implement measures such as removing sharing permissions, encrypting files, or relocating data to ensure compliance with security policies.
• No User Interaction Required: They operate without requiring direct user involvement, facilitating the seamless enforcement of security protocols on data already residing in the cloud.

However, API-based CASBs do not manage user access or offer real-time data protection, as they always perform scans in retrospect, after data has been uploaded. See the short video below:
 

API-based CASBs are primarily employed for:

• Scanning and Managing Existing Cloud Data: Assessing data already stored in cloud applications to identify and classify it (e.g., public, internal, confidential, restricted, etc.) and addressing any security issues.
• Securing Data in Approved Cloud Applications: Ensuring that data within sanctioned cloud applications is protected according to security policies.
• Compliance Monitoring: Enforcing and verifying compliance with regulatory and organizational data protection standards.
   

2 - Forward proxy-based CASB 

A Forward Proxy-based CASB acts as an intermediary between end-users and cloud applications to enforce security policies and protect data. The forward proxy-based CASB intercepts and routes user traffic through its servers before it reaches the cloud application. This can be done through various methods, such as deploying an endpoint agent, using a proxy auto-config (PAC) file, or through network routing via a secure web gateway.

Key features of API-based CASBs include:

• Real-Time Protection: By analyzing this traffic in real-time, the CASB can enforce security policies, monitor user behavior, and protect data as it is being accessed or transmitted.
• Policy Enforcement: It can apply policies for data protection, such as blocking unauthorized downloads, controlling access, and preventing data exfiltration based on pre-defined rules.
• Access Control: Manages and enforces user access policies to ensure that only authorized users can access sensitive information. 

Forward proxy-based CASBs require changes to user behavior, such as installing agents or configuring settings, and are limited to managed devices where the proxy is set up. Additionally, they cannot scan data at rest, focusing instead on real-time traffic.

3- Reverse proxy-based CASB

A reverse proxy-based CASB sits between the user and the cloud application, intercepting and inspecting requests before they reach the cloud application. It usually requires no configuration on the user's device. 

When a user attempts to access a cloud application (e.g., Salesforce, Office 365), the request is directed through the reverse proxy CASB instead of connecting directly to the cloud service. This redirection is typically achieved through DNS configurations or URL rewriting. The reverse proxy CASB verifies the user's identity, ensuring they have the appropriate permissions to access the cloud service. It also enforces security policies like single sign-on (SSO), multi-factor authentication (MFA), and role-based access controls. For unmanaged devices or those outside the corporate network, the reverse proxy CASB can impose additional security measures or restrict access based on the device's compliance status.

Key features of reverse proxy CASBs include:

• Traffic Inspection and Control: The CASB inspects the traffic between the user and the cloud service, looking for potential security threats, data leakage, or policy violations. This includes scanning for malware, detecting abnormal behavior, and applying data loss prevention (DLP) rules. The CASB can decrypt SSL/TLS traffic for deeper inspection, ensuring that sensitive data is not exposed or exfiltrated.
• Real-Time Protection and Monitoring: The reverse proxy CASB provides real-time protection, continuously monitoring user activity and applying policies to prevent unauthorized access, data breaches, and compliance violations.
• Response Handling: When the cloud service responds, the reverse proxy CASB intercepts the response before it reaches the user. It can apply further security measures, such as masking sensitive data or enforcing encryption before delivering the content to the user.
  
  

Reverse proxy CASBs are primarily employed for:

• Securing unmanaged devices: Compatible with both managed and unmanaged devices, without the need for endpoint installations. Ideal for BYOD (Bring Your Own Device) environments.
• Secure Access: Securing remote access to cloud applications.
   

Here's a summary of the three types of CASBs with use cases:

Each CASB offers distinct functionalities designed for specific scenarios. API-based solutions are ideal for securing data stored in the cloud, while forward proxy CASBs provide real-time protection and reverse proxy CASBs ensure secure access across multiple devices. 

Together, these tools are essential for enforcing cybersecurity protocols and ensuring compliance in today’s cloud-centric environments. For the most comprehensive protection, it's advisable to seek out modern CASBs that integrate all three approaches, delivering the broadest and most effective security coverage.