The Advantages and Disadvantages of Cloud-Based-Proxy
Sometimes, something that is risky is the safest action. For example, no safe, undisturbed driver will deviate from the double yellow line. However, pedestrians may do so when there is no traffic, which is the least risky action.
Sometimes similar situations occur in the field of technology. For example, as early as 2018, Microsoft published a blog post detailing its position on this approach in the context of proxy-based security for Office365 and cloud-aware security agents. In short, Microsoft does not recommend it. The company said that proxy servers could cause performance issues, negatively impact support, and cause unwanted or unexpected behaviour.
How does proxy-based security work?
How proxy-based security approaches work and how they can lead to these problems. If you know exactly how and why the problems described by Microsoft occur, you can evaluate the use of Microsoft. Ultimately, it’s a good idea to decide if you want to continue using this approach.
So when it comes to the cloud-based proxy, it is important to understand which method the Cloud Access Security Agent (CASB) uses and why. Keep in mind that the main purpose of CASB is to allow the introduction of security features that SaaS does not offer in its original form. It may include increased authentication, registration, encryption of stored data, or other security-related functions. Suppose the organization has regulatory or commercial requirements for specific security measures and wants to use a SaaS that it does not provide. In that case, a solution that adds out-of-band capabilities is a bonus.
CASB can add additional security features in two ways. One of them uses the API proposed in SaaS to integrate additional functionalities. Another possibility is approaching the application traffic via a downstream or upstream proxy so that CASB can directly process the underlying HTTP data stream. For those unfamiliar with proxies, they are between the user’s browser and SaaS, intercepting requests and replies and responding when they are sent.
There are advantages and disadvantages to each approach. The use of the API requires some SaaS solutions. This API is associated with a particular service or set of services. Therefore, the API for Microsoft Office 365 only works in this country and not with other SaaS platforms. The security features they provide do not work in another service unless the CASB provider has written functions that use the API of other SaaS platforms.
Security for cloud-based proxy may be more flexible, but it still requires customization, and customization is done more easily because the approach generally works. After all, almost all SaaS services use HTTP and can, therefore, handle a wider range of SaaS services.
However, this flexibility also presents challenges. For example, what happens if the proxy stops responding or is overloaded? Or what happens if SaaS, which may not be aware that a proxy is processing its services, decides to change the distribution of its pages, make massive changes to the application or customize in different ways, and the proxy is unaware?
As Microsoft explained, proxy-based security can lead to performance and usability issues. How do SaaS providers deal with these problems caused by other products they do not control? In short, you cannot. Therefore, the technical support problem has been explained by Microsoft.
What is good for your organization?
It points to the initial questions professionals face when evaluating or using CASB. Added to this is that not all CASB products work similarly: some only support proxy servers, others only support API integration, some only support API integration, and others both. Understanding the architecture of your organization’s scope is a useful first step in assessing the current or initial adequacy of scope specific to your environment.
The second step is to assess the strengths and weaknesses of using a proxy or service-based API integration. For example, Microsoft does not indicate that proxy-based security is used for Office 365. Still, it warns that it is not recommended and that there may be problems accepting it, which means there is no unified solution.
For some users, the challenges associated with support are the decisive factor when using proxy-based security features in Office 365. For others, the availability of security features can make a difference in companies using SaaS. Ultimately, this is a risk management decision based on your security objectives, the services you use, and the CASB products that can be covered.
How to make a decision?
It begins by understanding your security goals. For example, you can use a formal approach, such as application threat modelling, to understand how you use SaaS and how a person can attack it as a vehicle using SaaS.
Cloud-based proxy is a good start, but making the right choice also means understanding how the product works or what you want to have. It can lead to difficult discussions and specific questions and answers with the supplier. If you know how it works, how SaaS services affect your reach, and how you can achieve your risk goals, you need enough data to analyze in consultation with a team that has used SaaS.
Also, Read the following: