How Does CASB Differ From The Web Proxy Firewall?

Marketing Team Cloud Security Expert - CloudCodes Software
  • September 13th, 2021

As the IT teams look around for solutions to cloud security, a common misconception is about the association with any Cloud Access Security Broker and the implementation of their CASB solutions. CASB vendors are bombarded with questions like “We already have web proxy firewalls for protection, then why do we need a CASB solution?” or “Aren’t they the same?” The web proxy firewalls have visibility into all traffic and cloud services. But the CASB is not a replacement for existing network security solutions like firewalls. There are significant differences between the two. 

Web Proxy Firewalls Vs. CASB 

CASB is a separate and different concept from proxies and firewalls. CASB can be applied in forward and reverse proxy mode to implement inline controls, and the similarity between them stops here. CASB framework is focused on deep visibility into granular controls for cloud computing, whereas, other network security solutions focus on inbound threats and filter potentially illegal websites. CASB can be employed in an API mode to scan and enforce policies for data at rest. Web proxies and firewalls offer broad protection against network threats. But they do provide some protection for the cloud data even without integrating it into a CASB. 

Integration of CASB with Web Proxy Firewalls

A CASB can leverage the already existing cloud infrastructure and complement the firewalls and proxies. The value of the cloud network and support gets enhanced, and cloud visibility into cloud usage is gained through the CASB. 

3 Methods Used by CASB to Integrate with Network Security Solutions

1. Log Collection

One of the drawbacks of proxies and firewalls is that even though they can capture cloud usage over the network, they will not be able to differentiate between cloud usage and internet usage. But a CASB solution can reveal which users are using which cloud services by ingesting log files from these solutions. They can also manipulate the data volumes uploaded and downloaded from the cloud and categorize the risk of each cloud service.  

CASB security can determine if enforcement gaps remain in the existing infrastructure and push access policies to them with current cloud service URLs to close the enforcement gaps. When customers terminate SSL, CASB can also gather details on the user actions within cloud services from the logs. CASB can detect malware and botnets using machine learning. In short, CASB can make existing infrastructure cloud-aware. 

 2. Packet Capture

CASB ingests a part of traffic from the existing network security solutions to gain visibility into the content of data in the packet capture deployment mode. When the web proxy firewalls are integrated with a CASB, they can be configured to copy and forward the cloud traffic to the CASB so that the Data Loss Prevention (DLP) policies can be evaluated.  

Custom content-disposition headers are used by many cloud services to improve the performance of these applications. But these custom headers can also prevent content inspection for Data Loss Protection by network security solutions. CASB can be used to inspect cloud traffic and generate alerts for DLP policy violations. It can also evaluate Data Loss Prevention Policies and leverage detailed cloud signatures. 

3. Proxy Chaining 

Many organizations already have web proxy firewalls and would not want a different endpoint agent, but a CASB can be implemented for forwarding proxy. Thus, the downstream web proxy firewalls route all the cloud traffic through the CASB in proxy chaining. CASB can hence enforce real-time governance and issue security protocols for the data traffic. CASB can enforce an access control policy, which limits the cloud service functionality. It can display alerts and send emails when the user tries to access a service outside the system. It can also direct the users to approved cloud services and justify their access. In proxy chaining mode, a CASB can enforce inline DLP policies and check policy violations that are impossible in packet capture mode.