API mode works out of band and is best suited for scrubbing the cloud of malware, protecting data, and monitoring the activity of specific SaaS accounts. In this mode, a SaaS server is scanned through a powerful set of APIs that can take a user-centric approach and a data-centric approach. In other words, they can monitor and report on user activities, and they can also take action (e.g., quarantine or delete data, or restore files) according to organizational policy. Since this is not an inline solution, administrators do not have to install agents, and there is no DNS manipulation or URL rewriting. Also, because API mode works out of band, no latency is added to the network.
Disadvantages of API mode include lack of discovery for unsanctioned applications, as well as lack of direct control for activities such as sharing, uploading, or downloading files. API scans can generate alerts for user activity but cannot block that activity in real time. Additionally, although most API scans can very quickly detect and quarantine an undesirable file (such as malware or sensitive data), there is still a narrow window of time in which information can be compromised. This mode is best for organizations that use traditional security devices and that are only concerned about data at rest.
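The out-of-band scan and the exposure window described above, as an added sketch that is not from the original article or any CASB product. The file records, scanner verdicts, policy table and five-minute scan interval are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

T0 = datetime(2024, 1, 1, 9, 0)  # constructed start time
# Hypothetical organizational policy: action per scanner verdict.
POLICY = {"malware": "quarantine", "sensitive": "quarantine", "clean": "allow"}

@dataclass
class FileRecord:
    name: str
    uploaded: datetime
    verdict: str                                  # hypothetical scanner result
    shared_externally_at: Optional[datetime] = None
    quarantined_at: Optional[datetime] = None

def make_sample():
    """Constructed tenant contents, not data from a real SaaS account."""
    m = lambda n: T0 + timedelta(minutes=n)
    return [
        FileRecord("report.docx", m(1), "clean"),
        FileRecord("invoice.exe", m(2), "malware"),
        FileRecord("payroll.xlsx", m(7), "sensitive", shared_externally_at=m(8)),
    ]

def api_scan(files, scan_time):
    """One out-of-band pass: act on data at rest, report activity already done."""
    findings = []
    for f in files:
        if f.uploaded > scan_time or f.quarantined_at is not None:
            continue  # not in the tenant yet, or handled by an earlier pass
        if POLICY[f.verdict] != "quarantine":
            continue
        f.quarantined_at = scan_time
        # A share made before this pass cannot be blocked, only alerted on.
        shared = f.shared_externally_at is not None and f.shared_externally_at < scan_time
        findings.append({"file": f.name,
                         "exposure": scan_time - f.uploaded,
                         "alert_only_share": shared})
    return findings

def run(files, interval, passes):
    """Poll the tenant at a fixed interval, as an API-mode scan would."""
    out = []
    for i in range(1, passes + 1):
        out.extend(api_scan(files, T0 + i * interval))
    return out

if __name__ == "__main__":
    for finding in run(make_sample(), timedelta(minutes=5), 2):
        print(finding)
```

Both flagged files sit in the tenant for three minutes before quarantine, and the external share of `payroll.xlsx` falls inside that window, so the scan can only report it after the fact.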
A typical deployment using APIs consists of a combination of API-based and proxy-based CASBs. An API-based scan scrubs the cloud for historical data, while proxy mode provides real-time monitoring and control. To protect on-premises devices as well as personal, unmanaged devices, an organization can install both reverse and forward proxy CASBs.
Other technologies worth mentioning include active sync proxy, which is used for the mobile sync of emails, contacts, and calendars, and single sign-on (SSO). SSO is used for user authentication, authorization, and redirection in reverse proxy mode.
The following table summarizes the capabilities of different CASB deployment modes:
Once you understand what your organization needs, you can select the deployment mode that best meets those needs. If you have a robust on-premises solution, low tolerance for latency, and a need to protect data at rest in the cloud, you should opt for API-based scanning. If your organization wants to protect corporate devices (i.e., users are not allowed to access data from unmanaged devices), you should opt for forward proxy mode. If you are using unmanaged devices with heavy browser traffic, reverse proxy mode is your best choice. If you want to give users complete freedom, choose a “multimode” CASB, which is a combination of API, proxy with SSO, and LDAP integration.
Check out Part 3 of this series.