The Advantages and Disadvantages of Cloud Based Proxy
There may be times when something that is usually risky is actually the safest action. For example, no safe and undisturbed driver will deviate from the double yellow line. However, pedestrians may do so when there is no traffic and that is the least risky action.
Sometimes similar situations occur in the field of technology. For example, as early as 2018, Microsoft published a blog post detailing its position on this approach in the context of proxy-based security for Office365 and cloud-aware security agents. In short, Microsoft does not recommend it. The company said that proxy servers could cause performance issues, negatively impact support, and unwanted or unexpected behavior.
How proxy-based security work?
How a proxy-based security approaches work and how they can lead to these problems. If you know exactly how and why the problems described by Microsoft occur, you can evaluate the use of Microsoft. In the end, it’s a good idea to decide if you want to continue to use this approach.
So when it comes to cloud based proxy, it is important to understand which method is used by the Cloud Access Security Agent (CASB) and why. Keep in mind that the main purpose of CASB is to allow the introduction of security features that SaaS does not offer in its original form. This may include increased authentication, registration, encryption of stored data, or other security-related functions. If the organization has regulatory or commercial requirements for specific security measures and wants to use a SaaS that it does not provide, a solution that adds out-of-band capabilities is a bonus.
CASB can add additional security features in two ways. One of them uses the API proposed in SaaS to integrate additional functionalities. Another possibility is to approach the application traffic via a downstream or upstream proxy so that CASB can directly process the underlying HTTP data stream. For those unfamiliar with proxies, this essentially means that they are between the user’s browser and SaaS, intercepting requests and replies, and responding when they are sent.
There are advantages and disadvantages to each approach. The use of the API requires some SaaS solutions. This means that this API is associated with a particular service or set of services. Therefore, the API for Microsoft Office 365 only works in this country and not with other SaaS platforms. It means that the security features they provide do not work in other service, unless the CASB provider has written functions that use the API of other SaaS platforms.
It means security for cloud based proxy may be more flexible, but it still requires customization, and customization can be done more easily because the approach works in general, because almost all SaaS services use HTTP and can, therefore, handle a wider range of SaaS services.
However, this flexibility also presents challenges. For example, what happens if the proxy stops responding or is overloaded? Or what happens if SaaS, which may not be aware that its services are being processed by a proxy, decides to change the distribution of its pages, to make massive changes to the application or to customize in different ways, and the proxy is unaware?
As Microsoft explained, proxy-based security can lead to performance and usability issues. How do SaaS providers deal with these problems when they are caused by other products they do not control? In short, you cannot. Therefore, the technical support problem has been explained by Microsoft.
What is good for your organization?
All of this points to the initial questions that professionals face when evaluating or using CASB. Added to this is the fact that not all CASB products work in the same way: some only support proxy servers, others only support API integration, and some only support API integration, and others both. Understanding the architecture of your organization’s scope is a useful first step in assessing the current or initial adequacy of scope specific to your environment.
The second step is to assess the strengths and weaknesses of using a proxy or service-based API integration. For example, Microsoft does not indicate that the proxy-based security can be used for Office 365, but simply warns that it is not recommended and that there may be problems accepting it, which means that there is no unified solution.
For some users, the challenges associated with support are the decisive factor when using proxy-based security features in Office 365. For others, the availability of security features can make a difference in companies when they use SaaS. Ultimately, this is a risk management decision based on your security objectives, the services you use, and the CASB products that can be covered.
How to make a decision?
It begins by understanding your security goals. For example, you can use a formal approach, such as application threat modelling, to understand how you use SaaS and how a person can attack it as a vehicle using SaaS.
Cloud based proxy is a good start, but making the right choice also means understanding how the product works or what you want to have. This can lead to difficult discussions and specific questions and answers with the supplier. If you know how it works, how SaaS services affect your reach, and how you can achieve your risk goals, you need enough data to analyze in consultation with a team that has actually used SaaS.