Gartner’s recent guidance affirms that Cloud Security is a top of mind problem. Accordingly, CASB adoption is the utmost priority for security teams keen to address the inherent risks associated with modern, decentralized, SaaS-centric IT operations. Security practitioners, analysts and the CASB industry at large have progressively evolved prescribed CASB best practices to favor an API centric approach over more invasive and cumbersome techniques that involve proprietary data encryption or inline session interception (proxies).
This guidance aptly reflects the wisdom gained from the panoply of existing enterprise CASB deployments. Simply, CASB has become mainstream and users have figured out what works and what doesn’t. Empirical results strongly indicate that an API-based CASB approach provides several distinct advantages that have left competing approaches in its wake.
These advantages include fast time to value, zero application impact, comprehensive application coverage, and low operational costs. Let’s further explore the benefits of this approach. API-based CASB solutions:
- Cannot be bypassed, unlike proxies that can be circumvented by using VPNs, mobile devices, and unmanaged users
- Capture and analyze cloud-to-cloud traffic (e.g., between Marketo and Salesforce.com)
- Do not introduce new attack vectors or interception points into the environment
- Can analyze data and actions retroactively
- Do not introduce a single point-of-failure that can prevent end users from accessing cloud services
- Minimize applications performance degradation and impact to user experience
Security professionals increasingly recognize these factors as critical to the effectiveness, impact, and ultimate success of IT security programs. By comparison, inline approaches introduce several potential failure modes and distortions that may negatively affect application fidelity and disrupt operations. Google, for example, recognizes this risk and offers the following guidance to their application subscribers:
“Avoid routing Google Apps data through a proxy that inspects the content of HTTP traffic, because this will reduce performance, and a great deal of Google Apps content is dynamic or encrypted…” – Google Apps Deployment Guide, page 10
These factors do not obviate the need for in-line CASB controls. In fact, Cloud service providers and SaaS vendors have started to address this need by offering APIs that provide for transaction level controls. This new class of APIs authorizes third-parties (i.e., API-based CASBs) to preempt data uploads and user actions, such as changing configurations and sharing data.
This is accomplished by allowing those third parties to connect to the cloud service either directly through APIs or by using a managed package or app. These programmatic in-line controls have been commonplace in traditional enterprise software architectures for over a decade. This pattern is patently inevitable, in SaaS and cloud software architectures, and visionary cloud companies are already making this concept a reality.
Enter the multi-mode world. The magical place where APIs and in-line access meet (and truly orchestrate with) best-of-breed security tools across the entire security infrastructure. So go on, stay ahead of the curve, and like other CASB buyers realize the benefits of API based approaches to enjoy predictable, risk free, early returns. The future looks bright as imminent API advancements mean risk free, real time controls are just around the corner.
Read what Gartner has to say on the topic in “Mind the SaaS Security Gaps“, providing detailed guidance for CISOs and security managers on how to address cloud providers’ security gaps with CASB.