Posted: 4 Min ReadProduct Insights

Mirror, Mirror on the Wall. Who’s the Riskiest Device of All?

BYOD and the proliferation of unmanaged devices present new challenges to security managers who rely on CASB to keep data safe

Cloud applications and services are brilliant for industrious organizations or employees who want to work collaboratively to solve problems fast. They are flexible, don’t require a lot of time or effort to deploy, and less expensive than on-premises solutions.  They also end up managing and containing highly sensitive, regulated, or confidential data. Cloud apps are accessible directly via a browser by users from any endpoint, including completely unmanaged and unknown personal devices. This is very convenient for the end user, but a significant security challenge for an organization.

Security over the use of apps in cloud services is typically taken care of by a Cloud Access Security Broker (CASB), which provided visibility, data security, and threat protection.  The CASB governs granular access controls, applies data loss protection, detects malware, and generally keeps a security eye on users to identify compromised accounts or other high-risk activity.  Until now, the CASB solutions for preventing unsafe use of cloud apps from completely unmanaged devices have been inherently limited.

The Remediation Method

The easiest way to apply CASB protection over activity originating from an unmanaged device is via API integrations. This is a great approach, but it is limited to a few popular apps with APIs which can support CASB-type services. The API model is inherently a monitoring and remediation approach; it cannot block a transaction between the user device and the cloud app.

The Real-Time Enforcement Method

Because APIs cannot cover every use case, leading CASBs also offer inline protection via gateways. Inline controls can prevent a confidential file from being downloaded, block a malware infected file from being uploaded, or prevent a high-risk user from sharing files or collaboration spaces with others. For an inline approach to work, the cloud traffic must flow through the CASB. If your end user has a managed endpoint device, there is no problem because you simply route all cloud traffic to the CASB and “Voila!” the CASB can do the job.

But what do you do when your industrious end user has an unmanaged device? BYOD planning is important - we know employees will use whatever device in whatever location is convenient to get their job done.

An Impossible Task

Traditionally, the only option available to provide inline security for traffic from unmanaged devices was to use a reverse proxy approach which required the proxy to rewrite tens of thousands of cloud app URLs to redirect traffic to flow through the CASB gateway and then out to the cloud app. In this scenario you have no visibility or control over the endpoint device, which is continually trying to connect directly to the cloud app.  Additionally, the CASB vendor has no control over all the URLs maintained by all the different cloud service providers.

In this scenario, the CASB reverse proxy has to recognize and update the many micro-service specific URLs maintained by all the different cloud providers for all the apps. Unfortunately, a cloud service provider can change a URL at any time, and they have no requirement to inform all the security vendors in the world that they have made a change.  If one of those URLs change and the CASB doesn’t know it, cloud transactions using that URL will not complete for the end user – resulting in a surprise downtime for that employee who’s trying to work. 

The Old Limited Approach

It is so difficult to maintain a reliable reverse proxy use case that most CASBs have only offered inline control over use of unmanaged devices for a limited number of apps. What happens if you have a business-critical cloud app that isn’t in the limited list of supported services? And even if your critical cloud app is supported, the CASB may only support a few app functions – often this is limited to login, upload, and download. These are important functions when you want to protect your sensitive data in the cloud from downloading to an unknown endpoint device, or when you want to prevent malware from being uploaded into a shared collaboration space, but they do not protect from a user deleting critical files, sharing confidential data, adding people to a user group, etc.

A Mirror Gateway Solution: Any Device, Any App

Symantec has solved this long-standing CASB challenge with the patent-pending CloudSOC CASB Mirror Gateway innovation. The Mirror Gateway takes a completely new approach to delivering inline, real-time security over the use of any cloud app even, if the user has an unmanaged or BYOD device.

How It Works

Essentially, this innovation mirrors the user in the cloud. The user must complete an identity authentication in the same way they log into a sanctioned cloud app. The identity process initiates the mirror gateway, which uses web isolation technology to present a browser window to the user that appears as a local browser on the endpoint device. The user proceeds to do their work as if they were going directly to the cloud app from their local browser.

Unlike a traditional CASB reverse-proxy solution, the Mirror Gateway acts as a managed endpoint; now all the control functions of a forward-proxy CASB gateway can be easily applied to transactions with the cloud app. Because the mirror plays the role of the endpoint device, it adds another level of protection because all app data is processed and stored in web isolation, thus never reaching the endpoint unless the gateway policy explicitly allows it.

The Mirror Gateway will support more application and functions because it does not require the many URL rewrites of a traditional reverse proxy CASB implementation; all it requires is a single round of identity authentication. The Mirror Gateway supports any device because it does not require the endpoint device to be managed in any way. The Mirror Gateway can enforce granular, context-driven policies. For example, downloads of confidential data can be automatically blocked if the user has an unmanaged device, or a policy can dictate that an unmanaged device cannot access to confidential data.

In Conclusion

The Mirror Gateway is a completely new and unique way to enforce CASB protection inline. With Mirror Gateway, it doesn’t matter if your user has a managed endpoint or one of those super-risky unmanaged BYOD devices. CloudSOC CASB will be able to enforce extensive, context-driven inline cloud controls over more functions for more cloud apps than is possible by other CASB solutions.

Symantec Enterprise Blogs
You might also enjoy
Product Insights5 Min Read

5 Key Integrations for a Successful CASB 2.0 Deployment

No one wants an island of security that’s hanging out there disconnected from the rest of your security. Here’s how to think about putting the pieces together

About the Author

Deena Thomchick

Sr Director Product Mgmt, Cloud Security

Deena is a 25 year technology veteran and security enthusiast, a senior member of the Symantec CASB product group. In addition to her current focus on cloud security, her background includes work on encryption, ATP, network security and endpoint security.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.