CASB delivers must-have protection for your SaaS apps
Tom Henderson | Aug. 9, 2016
Cloud Access Security Brokers are products that can be described as firewall plus identity management plus anti-malware plus DLP plus encryption control/implementation plus threat management.
CipherCloud Trust Platform
Netskope GoScope Platform
Configuration, Flexibility, Installation
Administration, Overall User Experience
Features, Integration with Third Parties
The potential downside is that a clear communications circuit needs to be maintained to the cloud-based Bitglass portal, which isn’t under your control, unlike the on-premises, appliance-based products reviewed here. Bitglass meets high standards for its own security, but does not have worldwide points of presence all in sync with each other.
None of the products reviewed did, although the CipherCloud architecture uses an autonomous internal gateway VM methodology, which places the onus of circuit protection strictly on IT staff. We found other minor foibles mostly relating to our sense of quieting noise; we like a security package that’s nervous. Heaven help us if Bitglass’s portal is ever compromised, a thought that nagged us.
The Netskope platform uses Active Directory, single sign-on or SSO brokerage mechanisms to steer traffic through a customer’s Netskope cloud gateway appliance. The Netskope CASB acts as a forward proxy, a tokenizer and/or a reverse proxy to cloud app destinations, depending on how a cloud application works. Some cloud apps, such as Office365, can need all three interactions, depending on the type of “sub-app” chosen, within Netskope’s construction.
This functionality is divided into progressive gradients of products for billing purposes. You can start with simple log discovery of what cloud apps are being used, by whom, when, and perhaps what’s being done. You can impose rules as the next gradient. You can add significant DLP, then add encryption features, and malware filtration. Or you can buy the full meal deal, which is what we tested.
Netskope, like other CASB products, becomes deeply enmeshed in your infrastructure. The Netskope CASB involves three major components: an on-premises gateway appliance, an organization-specific cloud admin portal, and optional client-side agents. Although client agents aren’t required, they’ll provide greater access when present. The portal works with client agents and browser add-ins, or without them.
The SSO can be an Active Directory link, or another SSO service that understands SAML 2.0 — and nearly all of them do. Netskope has relationships with several SSO providers as “partners.” SSO is connected to Netskope as a proxy authenticator, and conversations are then managed by the SecureForwarder VM, itself based on an Ubuntu Server platform.
CASB control is asserted in the gradients we described through steered traffic mechanisms. Traffic is steered through the SecureForwarder appliance (or appliances, depending on the architecture chosen to be deployed). We used one gateway for testing, but the others can work somewhat autonomously; indeed, you could use different encryption for geographic controls.