Symantec CloudSOC Mirror Gateway: Solving the Unmanaged Device Problem
Securing SaaS access from BYOD agentless devices
There are significant obstacles for organizations to overcome in ensuring unmanaged devices are protected with Cloud Access Security Broker (CASB) controls. CloudSOC Mirror Gateway overcomes these, providing a simple way to secure cloud access from unmanaged devices.
Cloud applications are awesome and provide great value to organizations with employees who want to work collaboratively to solve problems fast. The security aspects of using SaaS workloads are typically taken care of by a Cloud Access Security Broker (CASB), which provides visibility, data security, and threat protection. The CASB governs granular access controls, applies data loss protection, detects malware, and generally keeps a security eye on users to identify compromised accounts or other high-risk activity. To provide real-time controls, CASB solutions can act as a ‘man-in-the-middle’, steering all network traffic to the SaaS workloads in question via the CASB's infrastructure. This allows the CASB solution to inspect traffic and enforce the defined policies in real time.
The BYOD Problem
In the world of managed devices, the security puzzle is solved. Using an agent on the corporate device, or proxy chaining, ensures all traffic is steered to the CASB solution, and consequently through the security controls on to the cloud application. But how do you achieve the same experience for an unmanaged device?
Some organizations are making use of a reverse proxy. However, this solution requires a vanity URL, which is prone to outages, and the CASB vendor has no control over all the URLs maintained by the different cloud service providers. In addition, there are some technical limitations with enforcing traffic steering without an agent on unmanaged devices.
A Better Approach - Mirror Gateway
Symantec CloudSOC Mirror Gateway (an add-on feature for CASB) solves the unmanaged device security problem. It enforces the same level of security controls on an unmanaged device, without needing an agent, as could be achieved on a managed device. It does all of this while maintaining a seamless user experience, and it removes the need to constantly update the ‘URL rewrite’ rules whenever the cloud application changes.
How It Works
A successful login to the corporate identity provider from an unmanaged device is identified by Mirror Gateway. The user’s session is then seamlessly redirected to a dedicated Isolation chamber running a remote browser, which renders images of the data back to the user while all of the browser traffic is continuously inspected.
Users on unmanaged devices using Mirror Gateway access the SaaS application directly from the remote isolated browser, so no URL rewriting is required. Using the isolated browser also provides the ability to limit copying and pasting. File downloads and uploads originating from an unmanaged device can be blocked, while the actions are audited by the full CloudSOC CASB capabilities and controlled by the same policy engines as managed devices.
Mirror Gateway is a unique way to enforce CASB protection inline. It doesn’t matter if your user has a managed endpoint or an unmanaged device. CloudSOC CASB enforces extensive, context-driven inline cloud controls over more functions for more cloud apps than is possible by other CASB solutions.
Reach out to us via your account teams and one of us here at Broadcom will be happy to schedule some time with you to demo and discuss it.