Why APIs beat proxies for cloud security

Cloud access security brokers that take an API approach can provide more comprehensive security without impacting network performance


While many businesses laud the benefits of cloud computing, some feel less than 100 percent confident in their ability to fully secure their cloud resources.

Is it any wonder? Your corporate network might link to multiple cloud services, run by different operators. Mobile users might be accessing cloud resources simultaneously over dissimilar WANs and device types. Some users and devices fall under your management domain; others don't.

In fact, corporate data seems to be everywhere. It's being copied, emailed, shared, and synced wherever users happen to be working. So it's tough to know exactly where sensitive data is being stored and who has access to it.

How can you successfully enforce internal policies and industry compliance mandates under these conditions, particularly when another entity now controls part of your hosting environment? The answer is to use a CASB (cloud access security broker). You'll need a certain kind -- one with API integration capabilities -- to do the job.

An automated approach to security

CASB software systems use automation to help you deliver comprehensive security across your cloud environment. Automation is a must; given today's traffic volumes, it's nearly impossible to manually track, aggregate, analyze, alert, and remediate all of the cloud security issues that could arise.

Instead of trying to deploy separate multilayer security solutions for each and every cloud service you use, you can install a CASB between your users and your cloud services, either on your own premises or in a provider's cloud location. The CASB brokers the security negotiation between the cloud and your back-end firewalls, authentication servers, and DLP (data loss prevention) policy engines. In this way, you can extend and enforce your own enterprise security policies across the cloud as users and devices attempt to access your cloud resources.

In addition to tightly managing access control to your cloud resources, CASBs continually monitor your application environment for non-compliant configurations and anomalous behavior, remediating as necessary. They automatically abide by best practices to change encryption keys and passwords at the frequencies you have established and enforce minimum password lengths.

While the leading cloud service providers rightly tout comprehensive security as a service advantage, it's your responsibility to handle security tasks that lie outside the cloud provider's control. The cloud provider will host the application or computing cycles you need in the cloud and will provide physical and administrator access control within the confines of its own facilities. But the provider will expect you to control who you let into the cloud and under what conditions. After all, you're the one who knows which user profiles, device types, and network connections should be allowed access to which resources.  

Because the CASB tackles complex security tasks through automation, it could be a key enabler of large-scale cloud adoption going forward. But exactly how the CASB integrates your security policies with cloud access will largely determine the comprehensiveness of your security solution. The method you use will also affect network performance and the user experience.

API-based vs. proxy-based control

There are two primary security deployment modes in use by CASBs today: the proxy service approach and the API approach. Both have advantages. However, the API method is pulling ahead in popularity. The API approach is not only fully comprehensive in the types of traffic it can protect, but it is deployed in a way that doesn't impact cloud service performance. Let's look at proxies, the original and older method, first.

Proxy-based CASB

A CASB deployed in proxy mode is an in-line solution. It checks and filters HTML-based traffic to SaaS applications through a gateway that also forwards other network traffic. All known users and devices are configured to access cloud services through this proxy service, which can be a reverse proxy or a forward proxy service.

The proxy's greatest advantage is that it takes security action in real time. For example, if someone violates policy by sharing a confidential document outside the company, the proxy solution can block it as soon as the attempted action is discovered.

The proxy's biggest disadvantage is that it has no visibility into traffic it's not configured up front to handle. That could include traffic from unmanaged users, devices that don't support proxies, and programmatic cloud-to-cloud traffic. With this yawning visibility hole, the proxy is simply not as secure as the API approach.

Further, proxies can negatively impact network performance. Because proxies force all data traffic through a common, in-line security filter (see Figure 1), they can cause network traffic jams and introduce distance-based latency for non-local users. The setup frequently results in users experiencing application slowdowns.

casb inline proxy

Figure 1. Because all cloud-bound network traffic flows through the in-line proxy, a proxy-based CASB can become a choke point between users and SaaS applications.

API-based CASB

A CASB deployed in API mode integrates tightly with the cloud application or other cloud service that it monitors for security. This integration – enabled by the open nature of the cloud provider APIs -- allows the CASB supplier to centrally deploy detailed, object-level granular controls for policy enforcement on a resource-by-resource basis. On the other side of the connection, the CASB integrates with your back-end security policy engines and firewalls. The CASB algorithmically integrates your policies with characteristics of the cloud application or other resource for optimum control.

When mobile users access the cloud resource, they don't have to come in through a common "front door" and risk a performance hit. They can access the SaaS application or other cloud service directly. At the back end, the CASB has infused the application being accessed with your permissions and policy so that the mobile user, device, and network are monitored and treated accordingly.

The API approach is an out-of-band solution. That means it doesn't follow the same network path as data, leaving all bandwidth available for data forwarding and having less impact on network performance.

The API's greatest advantage is that it secures all traffic to your cloud services -- both managed and unmanaged -- leaving no security gaps. And while the proxy solution works only with web-based SaaS traffic, the API-based CASB checks and secures all cloud services – IaaS and PaaS as well as SaaS. 

casb outofband api

Figure 2. An out-of-band API-based CASB can secure all access to all kinds of cloud services and imposes no bottleneck on the network.

Both the API and proxy approaches have positive attributes. However, the API method is arguably better suited to today's environment, because it accounts for all types of traffic, devices, and access methods.

Proxy services, on the other hand, see only traffic explicitly configured to go through the proxy "front door." A proxy presumes that all traffic is user traffic and that users accessing cloud resources are all known, identifiable, and managed. That's not the case in today's highly distributed and mobile world, however. With the proxy approach, unmanaged users, traffic from endpoints that don't support proxies, and programmatic (cloud-to-cloud) traffic fall through the cracks.

The table below summarizes the comparative attributes of the API and proxy approaches to enforcing enterprise security policies through a CASB.

Go the API route

You don't need both types of CASB security. When using all major cloud service providers, authentication and security policy enforcement can be achieved using the API method alone.

All cloud apps are now built with APIs, which constitute the first control point: the source. Enterprises already have two more existing control points: Namely, an identity server or service, which authenticates and authorizes the use of each app, and firewalls or secure web gateways, which are already configured to proxy traffic coming from managed networks.

The best CASBs take advantage of these existing control points, programming them dynamically as needed based on user, app, and data risk scores that the CASB calculates in real time.

Taking this approach will preserve your existing technology investments and keep costs down. The API approach also avoids the complexity and risk of adding another security provider's gateway technology to your environment, and it dramatically improves the end-user experience by minimizing latency.  

We've examined a number of reasons why API-based CASBs are gaining favor over their proxy-based counterparts for enterprise use. API-based solutions not only secure all data, users, and devices with no limitations, but they also keep you from duplicating functional investments. And they maintain good network performance and user experience both by design and in their ability to scale.

It's important to get a comprehensive solution to protecting your cloud resource usage. For the most comprehensive cloud security you can get today, coupled with the economics and performance you're looking for, it pays to take the API approach.

Ganesh Kirti is founder and CTO of Palerra.

New Tech Forum provides a venue to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to newtechforum@infoworld.com.

Copyright © 2016 IDG Communications, Inc.

How to choose a low-code development platform