According to Gartner, cloud access security brokers (CASBs) are on-premises or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. Which of the following is the least common CASB implementation?
A. Install a server that acts as an intermediary for requests from clients.
B. Install a server that retrieves resources on behalf of a client from one or more servers.
C. Install a server that accepts requests to establish a VPN connection from clients.
D. Install a server that provides direct, secure access to cloud applications through API.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Install a server that accepts requests to establish a VPN connection from clients.
A cloud access security broker is an intermediate layer between the end user and cloud services (IaaS, PaaS, and SaaS) that controls access and enforces the security policy. CASB services can be provisioned as a proxy (forward or reverse) or through the cloud provider's API.
A VPN server or gateway only secures the connection. It provides neither end-to-end protection nor application-level security. For example, it cannot prevent a human resources manager from accidentally sharing a confidential document in cloud storage with the public.
Using the modern API-based approach to interacting with public cloud resources, an API-based CASB integrates seamlessly with the open APIs that public cloud vendors make available for consumption. This allows the API-based CASB to natively enforce the security and policy baselines assigned by the organization. It becomes part of the public cloud resources, as opposed to being a standalone gateway or "add-on" that must be traversed before security policies are applied. It allows for dynamic "learning", so data can be analyzed retroactively and actions can be taken based on that analysis. Additionally, the policies and security enforcement are applied no matter which network path an end user takes to reach the company's public cloud resources. No proxy must be configured on the end-user device, and there is no performance impact for the end user, since the CASB integrates natively with the public cloud vendor. It cannot be bypassed by VPNs or other network means. The API-based CASB solution integrates and scales much better than the firewall/proxy-based CASB solution.
In computer networking, a proxy server is a server application or appliance that acts as an intermediary for requests from clients seeking resources from servers that provide those resources. A proxy server thus functions on behalf of the client when requesting service, potentially masking the true origin of the request to the resource server.
Reverse Proxy at the Cloud
In computer networks, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client, appearing as if they originated from the server itself. Unlike a forward proxy, which is an intermediary for its associated clients to contact any server, a reverse proxy is an intermediary for its associated servers to be contacted by any client. In other words, a proxy acts on behalf of the client(s), while a reverse proxy acts on behalf of the server(s); a reverse proxy is usually an internal-facing proxy used as a ‘front-end’ to control and protect access to a server on a private network.
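To make the three modes concrete, here is an added example (not part of the original post) that models a CASB policy decision for the scenario above: a confidential document in cloud storage being shared publicly. It contrasts what a VPN gateway sees, what an inline (proxy) CASB can decide before forwarding, and how an API-based CASB reviews shares retroactively regardless of the network path taken. All names, labels and the `ShareRequest` structure are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy: documents labelled confidential must never be shared
# with a public scope ("anyone with the link").
CONFIDENTIAL_LABELS = frozenset({"confidential", "pii"})
PUBLIC_SCOPES = frozenset({"anyone_with_link", "public"})

@dataclass(frozen=True)
class ShareRequest:
    user: str               # constructed: who is sharing
    document: str           # constructed: object in cloud storage
    labels: frozenset       # classification labels on the document
    scope: str              # who gains access
    via_proxy: bool = True  # did the request traverse the inline CASB proxy?

def violates_policy(req: ShareRequest) -> bool:
    """True when a confidential document would be exposed to a public scope."""
    return req.scope in PUBLIC_SCOPES and bool(req.labels & CONFIDENTIAL_LABELS)

def vpn_gateway_view(req: ShareRequest) -> dict:
    """A VPN gateway only sees tunnel metadata; the application-layer fields
    (labels, sharing scope) needed for the policy decision are not available."""
    return {"src": req.user, "dst": "cloud-storage.example", "port": 443}

def inline_enforce(req: ShareRequest) -> Optional[dict]:
    """Proxy-mode CASB: decides before forwarding to the provider. Returns
    None when the request bypassed the proxy, i.e. the CASB never saw it."""
    if not req.via_proxy:
        return None
    if violates_policy(req):
        return {"action": "deny", "forward": False}
    return {"action": "allow", "forward": True}

def api_mode_scan(share_records: list) -> list:
    """API-mode CASB: reviews shares already recorded at the provider, whatever
    path created them, and emits one remediation per violation."""
    return [{"document": r.document, "owner": r.user, "action": "revoke_share"}
            for r in share_records if violates_policy(r)]

if __name__ == "__main__":
    req = ShareRequest("hr-manager", "salaries.xlsx",
                       frozenset({"confidential"}), "anyone_with_link")
    print(vpn_gateway_view(req))   # no label or scope to decide on
    print(inline_enforce(req))     # {'action': 'deny', 'forward': False}
    print(api_mode_scan([req]))    # one revoke_share remediation
```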
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.