Skyhigh CASB Architecture
As applications transition from on-premises architectures into the cloud, the mainstay strategies for securing them struggle to keep up. Applications are developed, updated, and consumed continuously across a variety of cloud platforms. Where IT Security was once tasked with governing a single infrastructure, with visibility and control over components such as storage, network, and web access, it is now not uncommon to have data and applications hosted at dozens of different SaaS and IaaS vendors, each with its own toolset of security controls. As the number of disparate services and controls grows, building programs that provide consistent visibility, governance, and control over where, how, and by whom data is being used becomes exponentially more difficult.
A primary purpose of a Cloud Access Security Broker (CASB) is to provide a unified set of controls and policies that apply across multiple, dissimilar cloud services. While the abstracted toolset resembles what many IT Security experts expect in terms of DLP, remote access, and event monitoring, a CASB implements these controls differently, smoothing out the differences between one cloud service provider (CSP) and another. A properly deployed CASB should provide a single pane of glass offering at least the following security services: Shadow IT discovery; data security, including data classification, DLP for data at rest and in motion, encryption/DRM, and collaboration/sharing control; machine learning threat protection (UEBA); adaptive access controls that restrict access using context such as location or device category; and secure configuration to ensure IaaS resources comply with benchmarks and standards.
Architects considering a Skyhigh CASB need to be aware that there are three primary methods by which Skyhigh CASB services are applied to corporately sanctioned cloud providers (see Figure 1, Skyhigh CASB Architecture):
Figure 1 - Skyhigh CASB Architecture
API
Security services applied through APIs offer a frictionless, 100% native application experience for users. In this deployment mode, the CASB relies on a streaming activity feed from the CSP and enforces security on a near-real-time basis by making API calls back into the service.
Reverse Proxy
Leveraging a reverse proxy has the advantage of applying security in-line without the need for agents, SSL decryption, and the other complexity associated with forward proxies. Instead, the reverse proxy is inserted into the traffic flow by modifying the SAML endpoint in the cloud application’s entry in the customer’s identity provider, so that authenticated sessions are directed to the proxy rather than straight to the cloud application. Once traffic is flowing through the reverse proxy, it can perform functions such as conditional access control, DLP, and activity monitoring.
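As an added illustration (not Skyhigh's code or configuration), the following Python sketch models the reverse-proxy insertion described above: the app's SAML endpoint in the IdP entry is rewritten to the proxy host, and each request that then flows through the proxy is subject to the conditional access, DLP, and activity-monitoring checks a CASB applies. All hostnames, policy values, and request fields are constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the IdP-side entry for a sanctioned SaaS app (placeholder hosts).
CSP_ACS_URL = "https://app.example-saas.com/saml/acs"
PROXY_HOST = "casb-proxy.example.com"


def reroute_saml_endpoint(acs_url: str, proxy_host: str) -> str:
    """Rewrite the app's SAML ACS endpoint in the IdP so the assertion, and the
    session that follows it, lands on the CASB reverse proxy instead of the CSP."""
    parts = urlsplit(acs_url)
    return urlunsplit(("https", proxy_host, parts.path, parts.query, parts.fragment))


@dataclass
class Request:
    host: str      # host the browser actually talked to (should be the proxy)
    path: str
    country: str   # location context, e.g. from geo-IP
    device: str    # device category: "managed" or "unmanaged"
    body: str = ""


# Constructed policy: the kinds of adaptive-access and DLP rules a CASB enforces in-line.
POLICY = {
    "allowed_countries": {"US", "DE"},
    "block_download_unmanaged": True,
    "dlp_markers": ("SSN:",),   # stand-in for a real DLP classifier
}


def proxy_decide(req: Request, origin_host: str) -> dict:
    """Evaluate one proxied request: returns an activity-monitoring event with the
    enforcement decision and, when allowed, the CSP origin to forward to."""
    event = {"action": "allow", "forward_to": origin_host, "reason": "", "path": req.path}
    if req.host != PROXY_HOST:
        event.update(action="block", forward_to=None, reason="not-via-proxy")
    elif req.country not in POLICY["allowed_countries"]:
        event.update(action="block", forward_to=None, reason="geo")
    elif (req.device == "unmanaged" and req.path.startswith("/download")
          and POLICY["block_download_unmanaged"]):
        event.update(action="block", forward_to=None, reason="unmanaged-device-download")
    elif any(marker in req.body for marker in POLICY["dlp_markers"]):
        event.update(action="block", forward_to=None, reason="dlp")
    return event
```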
Forward Proxy (Skyhigh SWGS)
Forward proxies are a classic mainstay of web security, well positioned to protect the "on-ramp" to the cloud. In the context of cloud security, forward proxies continue to play a major role in detecting, preventing, and coaching users away from hazardous cloud use and towards corporate-sanctioned cloud solutions. Skyhigh Security offers Skyhigh Web Security Gateway Service as either a SaaS or an on-premises solution. As a SaaS solution, Skyhigh Web Security Gateway Service can be configured either as a complete solution or as one that complements existing proxy or firewall infrastructure by tunneling only selected cloud traffic. While it is commonplace and workable to have a different vendor provide the API and Reverse Proxy components of a CASB, there are benefits to a single-vendor solution, including a consolidated dashboard, shared DLP policies, and unified investigation workflows.