
All we need to know about reverse proxy

04 Jun 2020

Article by Bitglass senior product marketing manager Jacob Serpa.

To misquote George Orwell, not all cloud access security brokers (CASBs) are created equal. This is crucially important since CASBs are the go-to solutions for securing the use of cloud-based tools.

Whether it’s major software-as-a-service (SaaS) apps, niche or long-tail SaaS apps, custom apps built on IaaS platforms, or something else entirely, CASBs are used to protect data wherever it goes.

So let’s review the different CASB architectures and discuss the importance of one deployment option in particular - reverse proxy.

Different CASB architectures address different use cases, so it’s important to be familiar with all of them. However, some deployment options are more limited than others.

  • API-based architectures integrate with application programming interfaces in order to grant out-of-band visibility and control over data at rest within managed cloud applications.
  • Forward proxy architectures require that agents are installed on all user devices in order to provide inline visibility and control over managed and unmanaged app traffic and data.
  • Reverse proxy architectures are agentlessly deployed in the cloud and provide inline visibility and control over managed app traffic and data.

As each of the above options solves its own set of security challenges, organisations evaluating CASBs ought to select a multi-mode CASB that provides all three instead of just one or two.

However, as reverse proxies are the most useful in today’s business world (and are also the hardest to engineer), prospective CASB customers must make sure that their solution of choice contains this deployment option, in particular.

Why is reverse proxy so important?

Reverse proxy is essential for organisations today because it overcomes drawbacks in the other architectures that are highly disadvantageous for modern use cases. API-only architectures cannot provide real-time, inline security and are typically limited to securing a smaller number of apps.

Forward-proxy architectures are difficult to deploy because they require installations on users' endpoints, a logistical challenge that becomes nearly impossible where bring your own device (BYOD) is enabled due to employee concerns around privacy and personal device performance.

Reverse proxy addresses these issues through an agentless architecture (which preserves user experience and provides a rapid, simple deployment) and through inline security for managed apps and data only (meaning that employee privacy on endpoints and personal app instances is respected).

As data is now moving to remote users and personal devices more than ever before, these benefits are indispensable. Even for organisations that may not actively enable BYOD, reverse proxy is still critical for securing access from third-party devices belonging to contract employees, auditors, business partners and new users from M&A activities.

How do reverse proxies work?

Reverse proxies work by mediating interactions between users and the applications they access. When users open managed applications and authenticate, the reverse proxy is inserted into the path of traffic so that it can monitor data in transit and apply protections in real time.

In essence, the proxy is a code middleman that acts like the user for the app, and virtualises the session to act like the app for the user. Unlike something like mobile application management (MAM), a reverse proxy preserves apps’ native user experiences.

What to seek

Typically, reverse proxies are hardcoded to specific versions of applications. This means that when apps are updated and their underlying code is changed, the reverse proxy won’t know what to do or how to pass the new code down to the user.

To rectify breakages once they occur, vendors have an engineer manually handle the code rewriting so that she or he can update the reverse proxy. However, this reactive approach takes time, impedes security, harms the user experience, and disrupts business continuity.
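The rewriting and breakage described above, as an added example that is not from the article or any vendor's product: a static rewriter that maps managed hostnames onto a proxy domain, plus a check that flags managed hosts left unrewritten after an app change. It assumes the rewrite is hostname substitution; the hostnames, proxy suffix and sample response are constructed.

```javascript
// Added example; hostnames, proxy suffix and sample response are constructed.
const MANAGED_HOSTS = ["app.example.com", "cdn.example.com"]; // assumed managed app hosts
const PROXY_SUFFIX = "casb-proxy.example.net"; // assumed proxy domain

// app.example.com -> app-example-com.casb-proxy.example.net
const toProxyHost = (host) => host.replace(/\./g, "-") + "." + PROXY_SUFFIX;
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Rewrite absolute and protocol-relative URLs that point at managed hosts.
function rewriteText(text) {
  let out = text;
  for (const host of MANAGED_HOSTS) {
    const re = new RegExp("(https?:)?//" + escapeRe(host) + "(?=[/\"'\\s:?#]|$)", "g");
    out = out.replace(re, "https://" + toProxyHost(host));
  }
  return out;
}

// Keep redirects and cookies inside the proxied session as well as the body.
function rewriteResponse(resp) {
  const headers = {};
  for (const [name, value] of Object.entries(resp.headers)) {
    const key = name.toLowerCase();
    if (key === "location") headers[name] = rewriteText(value);
    // Without Domain the cookie becomes host-only for the proxy host.
    else if (key === "set-cookie") headers[name] = value.replace(/;\s*Domain=[^;]*/i, "");
    else headers[name] = value;
  }
  return { headers, body: rewriteText(resp.body) };
}

// Failure check: managed hosts still present after rewriting would send the
// browser straight to the app, outside the proxy's inline controls.
const findUnrewrittenHosts = (body) => MANAGED_HOSTS.filter((h) => body.includes(h));

// Constructed response from an "updated" app that now builds a URL in script.
const SAMPLE = {
  headers: {
    Location: "https://app.example.com/home",
    "Set-Cookie": "sid=abc123; Domain=app.example.com; Secure; HttpOnly",
  },
  body: '<a href="https://app.example.com/docs">Docs</a>' +
    '<script>const h = "cdn.example.com"; fetch("https://" + h + "/v2/data");</script>',
};

const rewritten = rewriteResponse(SAMPLE);
console.log(rewritten.headers, findUnrewrittenHosts(rewritten.body));
```

The link, redirect and cookie are kept inside the proxy, but the host assembled in script survives rewriting and is reported by the check, which is the kind of breakage an app update introduces.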

Since the early days of CASB, at least one vendor has recognised the criticality of automated security that can adapt and scale to businesses’ needs on the fly. Consequently, while competitors were focused solely on forward proxy, this vendor was patenting AJAX-VM, technology critical for robust reverse proxy functionality.

AJAX-VM employs machine learning so that it can automatically handle code rewrites when applications evolve and change. This means that there are no breakages and that there is no time wasted waiting for engineers to manually fix the reverse proxy.

Look for a vendor whose technology is designed for total cloud security wherever data goes—a vendor with agentless real-time protections that scale to organisations’ exact needs on the fly. The selected vendor’s solutions should meet a wide breadth of use cases and solve them elegantly and comprehensively.
