Effective CISSP Questions

According to Gartner, cloud access security brokers (CASBs) are on-premises or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. Which of the following is the least common CASB implementation?
A. Install a server that acts as an intermediary for requests from clients.
B. Install a server that retrieves resources on behalf of a client from one or more servers.
C. Install a server that accepts requests to establish a VPN connection from clients.
D. Install a server that provides direct, secure access to cloud applications through API.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Install a server that accepts requests to establish a VPN connection from clients.

A cloud access security broker is an intermediate layer between the end user and cloud services (IaaS, PaaS, and SaaS) that controls access and enforces the enterprise security policy. The common CASB deployment modes are a forward proxy (traffic from managed devices is steered through the broker), a reverse proxy (the broker fronts the cloud application, typically via the identity provider's SSO redirection), and API integration (the broker talks directly to the cloud provider's management APIs, out of band). A VPN gateway is not a CASB deployment mode, which is why option C is the least common "implementation".

VPN Server

A VPN server or gateway provides only a secure (encrypted, authenticated) tunnel between the client and the gateway. It does not provide end-to-end protection or application-level security: it forwards the traffic without understanding the cloud application's actions. For example, it cannot prevent a human resources manager from accidentally sharing a confidential document in cloud storage with the public, because from the tunnel's point of view that share is just another encrypted request.

API

Using the modern API based approach to interacting with public cloud resources, the API based CASB can integrate seamlessly with the public cloud vendor open APIs made available for consumption. This allows the API based CASB to natively enforce security and policy baselines assigned by organizations. It becomes part of the public cloud resources, as opposed to being a standalone single gateway or “add-on” that must be traversed before security and policy is applied. It allows for dynamic “learning” so data can be analyzed retroactively and actions can be taken based on analysis. Additionally, no matter which network path an end user takes to reach company public cloud resources, those policies and security enforcement protocols are applied regardless. No proxy must be configured on the end user device and there is no performance impact for the end user since the CASB integrates natively with the public cloud vendor. It cannot be bypassed by VPNs or other network means. The API based CASB solution integrates and scales much better than the firewall/proxy based CASB solution.

Source: SpinBackup

Forward Proxy

In computer networking, a proxy server is a server application or appliance that acts as an intermediary for requests from clients seeking resources from servers that provide those resources. A proxy server thus functions on behalf of the client when requesting service, potentially masking the true origin of the request to the resource server.

Source: Wikipedia

Reverse Proxy at the Cloud

In computer networks, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client, appearing as if they originated from the server itself. Unlike a forward proxy, which is an intermediary for its associated clients to contact any server, a reverse proxy is an intermediary for its associated servers to be contacted by any client. In other words, a proxy acts on behalf of the client(s), while a reverse proxy acts on behalf of the server(s); a reverse proxy is usually an internal-facing proxy used as a ‘front-end’ to control and protect access to a server on a private network.

Source: Wikipedia
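To make the difference between the three options concrete, here is an added example (not from the original post or from any CASB vendor) that runs the same cloud-storage "share" request through a VPN gateway, an inline proxy CASB, and an out-of-band API CASB. All class names, request fields, the DLP markers, and the toy CloudProvider API are assumptions for illustration; the sample requests are constructed and model the HR manager's accidental public share from the VPN section above.

```python
from dataclasses import dataclass
from typing import Dict, List

# Markers our toy DLP classifier treats as "confidential" (assumption for illustration).
CONFIDENTIAL_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")


@dataclass
class ShareRequest:
    """A constructed cloud-storage 'share' action, as a proxy or an API poll would see it."""
    user: str
    file_name: str
    content: str
    audience: str  # "internal", "domain" or "public"


@dataclass
class Decision:
    allowed: bool
    reason: str


def classify(content: str) -> str:
    """DLP-style classification: any marker in the body means 'confidential'."""
    upper = content.upper()
    return "confidential" if any(m in upper for m in CONFIDENTIAL_MARKERS) else "general"


def evaluate(req: ShareRequest) -> Decision:
    """The enterprise policy: confidential data may never be shared with a public audience."""
    if classify(req.content) == "confidential" and req.audience == "public":
        return Decision(False, f"{req.file_name}: confidential data cannot be shared publicly")
    return Decision(True, f"{req.file_name}: share to {req.audience} permitted")


class CloudProvider:
    """Stand-in for a SaaS storage service's API (assumption, not a real vendor API)."""
    def __init__(self) -> None:
        self.shares: Dict[str, tuple] = {}  # file_name -> (user, content, audience)

    def share(self, req: ShareRequest) -> None:
        self.shares[req.file_name] = (req.user, req.content, req.audience)

    def set_audience(self, file_name: str, audience: str) -> None:
        user, content, _ = self.shares[file_name]
        self.shares[file_name] = (user, content, audience)

    def public_files(self) -> List[str]:
        return sorted(n for n, (_, _, aud) in self.shares.items() if aud == "public")


class VpnGateway:
    """A VPN gateway only tunnels traffic: the request reaches the provider unexamined."""
    def __init__(self, provider: CloudProvider) -> None:
        self.provider = provider

    def handle(self, req: ShareRequest) -> Decision:
        self.provider.share(req)  # encrypted in transit, but no application-level check
        return Decision(True, "tunnel established; payload not inspected")


class ProxyCasb:
    """Inline mode (forward or reverse proxy): evaluate first, forward only if allowed."""
    def __init__(self, provider: CloudProvider) -> None:
        self.provider = provider

    def handle(self, req: ShareRequest) -> Decision:
        decision = evaluate(req)
        if decision.allowed:
            self.provider.share(req)  # relay to the provider; a denied share never gets there
        return decision


class ApiCasb:
    """Out-of-band mode: the share already happened; poll the provider's API and remediate."""
    def __init__(self, provider: CloudProvider) -> None:
        self.provider = provider

    def scan(self) -> List[str]:
        remediated = []
        for name, (user, content, audience) in list(self.provider.shares.items()):
            decision = evaluate(ShareRequest(user, name, content, audience))
            if not decision.allowed:
                self.provider.set_audience(name, "internal")  # retroactive fix via the API
                remediated.append(decision.reason)
        return remediated


# Constructed sample requests: the HR manager's slip from the post, plus a harmless share.
SAMPLE_REQUESTS = [
    ShareRequest("hr.manager", "salaries-2024.xlsx", "CONFIDENTIAL - compensation data", "public"),
    ShareRequest("hr.manager", "holiday-schedule.pdf", "Office closures for the year", "public"),
]


def run_demo() -> Dict[str, object]:
    """Run the same requests through a VPN gateway, a proxy CASB and an API CASB."""
    vpn_cloud, proxy_cloud, api_cloud = CloudProvider(), CloudProvider(), CloudProvider()
    vpn_allowed = [VpnGateway(vpn_cloud).handle(r).allowed for r in SAMPLE_REQUESTS]
    proxy_allowed = [ProxyCasb(proxy_cloud).handle(r).allowed for r in SAMPLE_REQUESTS]
    for r in SAMPLE_REQUESTS:          # API mode: shares land first, by any network path...
        api_cloud.share(r)
    api_remediated = ApiCasb(api_cloud).scan()  # ...then the broker cleans up afterwards
    return {
        "vpn_allowed": vpn_allowed,                    # [True, True]: the tunnel cannot see the leak
        "vpn_public_files": vpn_cloud.public_files(),  # both files end up public
        "proxy_allowed": proxy_allowed,                # [False, True]: blocked inline, before the cloud
        "proxy_public_files": proxy_cloud.public_files(),
        "api_remediated": api_remediated,              # one share pulled back to 'internal'
        "api_public_files": api_cloud.public_files(),
    }
```

The proxy path stops the confidential share before the provider ever stores it, while the API path only catches it after the fact (a window of exposure that is the usual trade-off of out-of-band CASB). The VPN path lets both shares through, which is the reasoning behind choosing option C.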



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

According to Gartner, a cloud access security broker (CASB) is an on-premises or cloud-based security policy enforcement point placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as cloud-based resources are accessed. Which of the following is the least common CASB implementation?
A. Install a server that acts as an intermediary for requests from clients.
B. Install a server that retrieves resources from one or more servers on behalf of clients.
C. Install a server that accepts requests from clients to establish a VPN connection.
D. Install a server that provides direct, secure access to cloud applications through an API.
