How Does CASB Differ From The Web Proxy Firewall?

admin Cloud Security Expert - CloudCodes Software
  • May 9th, 2018

Web Proxy Firewalls vs CASB

As the IT teams look around for solutions to cloud data security, a common misconception that they have is, with regard to the association with any Cloud Access Security Broker and the implementation of their CASB solutions. CASB vendors are bombarded with questions like “We already have a web proxy firewalls for protection, then why do we need a CASB solution?” or “Aren’t they one and the same?” The web proxy firewalls have visibility into all traffic to and from the cloud services. But the CASB is not a replacement for the existing network security solutions like the firewalls. There are significant differences between the two.

Web Proxy Firewalls Vs CASB

CASB is a separate and different concept from proxies and firewalls. To implement inline controls, CASB can be implemented in forward and reverse proxy mode and the similarity between them stops here. CASB is focused on deep visibility into granular controls for cloud computing, whereas, other network security solutions focus on inbound threats and filter potentially illegal websites. CASB can be employed in an API mode to scan and enforce policies for data that are at rest. Web proxies and firewalls offer broad protection to the network threats. But they do offer some protection to the cloud data even without integrating to a CASB.

Integration of CASB with Proxies and Firewalls

A CASB can leverage the already existing cloud infrastructure and act as a complementary to the firewalls and proxies. The value of the cloud network and infrastructure gets enhanced and cloud visibility into the cloud usage is gained through the CASB.

3 Methods Used by CASB to Integrate with Network Security Solutions

Log Collection

One of the drawbacks of the proxies and firewalls is that even though they are able to capture data regarding the cloud usage over the network, they will not be able to differentiate between the cloud usage and the internet usage. But a CASB can reveal which users are using which cloud services by ingesting log files from these solutions. Also they can manipulate the data volumes uploaded and downloaded from the cloud and categorize the risk of each cloud service. CASB can find out if enforcement gaps remain in the existing infrastructure and push access policies to them with up-to-date cloud service URLs so that the enforcement gaps are closed. When customers terminate SSL, CASB can also gather details on the user actions within cloud services from the logs. CASB can detect malware and botnets using machine learning. In short, CASB can make existing infrastructure cloud-aware.

Packet Capture

CASB ingests a part of traffic from the existing network security solutions to gain visibility into the content of data in the packet capture deployment mode. Here when the web proxy firewalls is integrated with a CASB, it can be configured to copy and forward the cloud traffic to the CASB so that the Data Loss Prevention (DLP) policies can be evaluated. Custom content disposition headers are used by many cloud services so that there is improvement in the performance of these applications. But these custom headers can also prevent the content inspection for DLP by network security solutions. CASB can be used to inspect cloud traffic and generate alerts for DLP policy violations. It can also evaluate DLP policies and leverage detailed cloud signatures.

Proxy Chaining

Many organizations already have a web proxy firewalls and would not want a different endpoint agent, but a CASB can be implemented for forward proxy. Thus, the downstream web proxy firewalls routes all the cloud traffic through the CASB in proxy chaining. CASB can hence enforce real-time governance and issue security protocols for the data traffic. CASB can enforce access control policy which limits the cloud service functionality. It can display alerts and send emails when the user tries to access a service outside the policy. It can also direct the users to approved cloud services and justify its access. In proxy chaining mode, a CASB can enforce inline DLP policies and check policy violations that are not possible in packet capture mode.

Hence, when CASB is integrated with any existing network security solution, the capabilities of network security can be extended. Together they can deliver better visibility into cloud services and enforce compliance and governance policies.