This post was originally published here by Rich Campagna.
A competing CASB vendor blogged recently on why proxy-based Cloud Access Security Brokers (CASBs) shouldn’t be used for Office 365.
The post cites “7 reasons,” all of which are variations of just one reason: their CASB breaks each time Microsoft makes changes to Office 365. What they call “application breakages” due to “updates” are really “CASB outages.” In other words, the dog ate their homework.
Right now, there are millions of Office 365 users accessing the app through Bitglass’ proxy services. How can we confidently proxy this traffic while other vendors’ proxies exist in data sheet form only? Unique technologies like our reverse proxy with AJAX-VM. Our engineers and support personnel rest easy at night knowing that regardless of how many changes are made to Office, or any other application, the proxies will automatically learn and adapt to the change, with no “breakages” or “outages.”
So, knowing that a proxy-based solution for Office 365 can work, if you pick the right one, why go inline with Office 365 versus relying purely on out-of-band API integration? Here are 7 unique reasons:
- Managed vs Unmanaged Device Access Control – for most organizations, a managed device represents a much lower risk than an unmanaged BYO device. Proxy-based controls allow you to distinguish between the two and provide a different level of access to the app and to sensitive corporate data.
- OneDrive Sync Client Control – A OneDrive sync client constantly syncing many GBs of corporate data to an unmanaged device is riskier than a user on that device logging into OneDrive via web browser to download a couple of files that they need. Proxy allows you to control access by access method.
- Real-time Data Leakage Prevention – API-based integration with apps like Office 365 is great for scanning data-at-rest, but only provides “Monday morning” notifications of data leakage. Proxies prevent data leakage in real-time.
- BYOD Malware Prevention – Your organization probably has unmanaged devices connecting into Office 365, devices that could be infected with malware. Proxy-based solutions stop malware from making its way into Office 365, thwarting would-be attempts to use Office as an IT-sanctioned and paid-for malware distribution tool.
- Session Management – You likely want to aggressively time out and reauthenticate users on unmanaged or new devices. Possible with proxy, not possible with API.
- Step-up Multifactor Authentication – See suspicious activity mid-session? Evidence of credential compromise? Only inline CASB allows you to do something about it as it starts to occur.
- Data-at-rest Encryption – in many industries, there is a desire to use the public cloud but without giving up control over your data. Proxy-based solutions allow you to encrypt data before it gets to the cloud. Public cloud apps with private cloud security – have your cake and eat it too!
Bonus: Office 365 might be your main (or only) cloud app today, but that will most definitely change in the future. The fact is, only a small handful of cloud applications provide APIs that are security relevant, whereas a properly architected proxy can support any application.