The Sookasa Blog

The Next Vision for CASB: API

Over the last couple of years, Cloud Access Security Brokers (CASBs) have burst on the scene as a way of controlling organizations’ data and maintaining security in the cloud. As more and more companies move to the cloud, adopt BYOD policies, and contend with their employees’ use of file sync-and-share applications (whether company-sanctioned or not), CASBs have become increasingly important in managing the proliferation of information.

A CASB is essentially a single platform that grants visibility, enforces compliance, maintains data security, and deploys threat prevention measures. Administrators can monitor their entire team’s or company’s file-sharing actions, knowing exactly where data is being kept and how it’s being shared and synced. Most CASBs use a proxy to redirect and analyze data passing between SaaS applications and the network. But there’s also a second type of CASB, which relies directly on the APIs of SaaS applications instead of rerouting the company’s network traffic to the cloud.

A recent Gartner report analyzed the two types of CASBs, and while they both have their strengths, it makes a lot of sense for CASBs to start moving off the network and into the cloud. After all, that’s what companies are already doing with their data, increasingly storing it on cloud providers like Dropbox, Google Drive, and OneDrive. As such, companies ought to turn their focus to API-based CASBs when considering their best security options.

Why should you choose an API-based CASB?

It’s quickly becoming clear that corporate data is proliferating rapidly and being duplicated, emailed, shared, and synced all over the place. While having files at their fingertips lets employees be a lot more productive and efficient, it also makes implementing security increasingly difficult: It’s hard to know just where sensitive data is being stored and who has access to it. An API-based CASB changes that.

In essence, an API-based CASB provides a centralized location from which administrators can see all company data being stored in the cloud. This is just one advantage API-based CASBs have over proxy-based ones, which only monitor data in transit; in other words, admins using a proxy-based CASB have no way of interpreting sensitive files that have already been stored in the cloud. And while monitoring data in transit is certainly important, proxy-based CASBs won’t recognize a file being shared externally, simply because the external recipient isn’t on the network. By contrast, an API-based CASB monitors the data itself—wherever it goes, on any devices, internal or external.
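The difference in visibility can be made concrete with a small audit over stored-file metadata. This is an added example, not code from the original post or from any vendor's API: the record fields (`shared_with`, `uploaded_from`), the corporate domain, and the sample files are constructed assumptions.

```python
CORP_DOMAIN = "example.com"  # assumed corporate domain (constructed)

# Constructed sample of per-file metadata, shaped like a listing an API-based
# CASB might pull from a storage provider. Field names are hypothetical.
FILES = [
    {"id": "f1", "path": "/finance/payroll.xlsx",
     "shared_with": ["bob@example.com"], "uploaded_from": "managed"},
    {"id": "f2", "path": "/legal/contract.docx",
     "shared_with": ["counsel@partner.test"], "uploaded_from": "managed"},
    {"id": "f3", "path": "/hr/reviews.pdf",
     "shared_with": ["cy.personal@mail.test", "ana@example.com"],
     "uploaded_from": "byod"},
    {"id": "f4", "path": "/eng/design.md",
     "shared_with": [], "uploaded_from": "byod"},
]

def is_external(address, corp_domain=CORP_DOMAIN):
    """True unless the text after the last '@' equals the corporate domain.

    Exact, case-insensitive match: 'x@example.com.evil.test' is external,
    and a malformed address with no '@' is treated as external too.
    """
    return address.rsplit("@", 1)[-1].lower() != corp_domain.lower()

def audit(files, corp_domain=CORP_DOMAIN):
    """Report files that are shared externally or never crossed the network.

    'seen_in_transit' marks whether an inline proxy on the corporate network
    could have observed the upload (managed device) or not (BYOD).
    """
    findings = []
    for f in files:
        external = sorted(a for a in f["shared_with"]
                          if is_external(a, corp_domain))
        seen_in_transit = f["uploaded_from"] == "managed"
        if external or not seen_in_transit:
            findings.append({"id": f["id"], "path": f["path"],
                             "external_recipients": external,
                             "seen_in_transit": seen_in_transit})
    return findings

if __name__ == "__main__":
    for finding in audit(FILES):
        print(finding)
```

Files f3 and f4 never passed through the corporate network, so only the at-rest listing surfaces them; f2 was seen in transit, but its external recipient appears only in the sharing metadata.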

Here’s why that’s important: 74 percent of organizations already allow employees to use their personal mobile devices for work or plan to allow them within the next year. BYOD policies are notoriously difficult to control from a security standpoint, because employees use a wealth of applications on their personal devices, often skirting their employers’ sanctioned software choices. Companies are hard-pressed to fight BYOD; if they insist that employees use sanctioned applications—especially those that sacrifice ease-of-use for security—employees are likely to find workarounds anyway and use applications they feel comfortable with and already trust. This makes maintaining security by traditional means nearly impossible—and it’s why BYOD and employee mistakes are such major contributors to data breaches. An API-based CASB, however, makes it all the more manageable by providing a bird’s-eye view of all company data, anywhere.

Allowing BYOD has become nearly inevitable in the corporate landscape, but being able to do so securely is a major victory. More importantly, the API-based CASB solution allows the security to be much more robust than it could be with a proxy, which, in order to work reliably, requires information to travel through the network, through managed devices, and through authorized users—making it not much more than a glorified firewall. In an ideal corporate world, that would suffice, but in today’s rampant data-sharing environment, it’s unfortunately not enough.

If guaranteeing robust security isn’t enough, it’s also worth noting that API-based CASBs are much more user-friendly, preserving the native user experience across applications. They’re also a lot less intrusive since they don’t require reverse engineering of the applications’ protocols, and they’re much easier to deploy because they don’t require an appliance or a special configuration of the company’s SaaS applications.

The bottom line on CASB

As more and more companies make the smart switch from on-premise networks to the cloud (the number is expected to more than double to 80 percent by 2020), their security measures will have to follow. CASBs are positioning themselves as the perfect means to do so by blending robust security, versatility, and transparency.

While an API-based CASB is ideal for cloud-based companies, we know it still isn’t perfect; for example, as its name suggests, it can only monitor applications that have an API. Some SaaS applications may also require a combination of API- and proxy-based solutions to function most effectively, although the number of SaaS providers that have comprehensive APIs is increasing rapidly. Proxy-based CASBs are also useful for discovering unsanctioned cloud applications, but for a company with many sanctioned SaaS applications, API-based CASBs are almost always preferable. Their advantages are manifold and provide the visibility, data auditing, and policy enforcement capabilities necessary for smooth maintenance of a company’s operations in the cloud. API is the next step for CASBs—and we can hope it will be a major step in decreasing data breaches and bolstering security across businesses.