Cloud Access Security for the Modern Enterprise

When your employees rush to public clouds for service, there is usually a pretty good reason. And while many CIOs hesitate to admit this, the capabilities offered in cloud services such as Office 365, Box, ServiceNow, and Google Drive often exceed the capabilities provided by the local IT staff. Ultimately, this should be interpreted as goodnews for CIOs once they accept and embrace the notion of infrastructure, services, and computing being provided in an as-a-service manner. The biggest hurdle, however, involves assurance that security, compliance, and data protection are properly handled. This is where cloud access security brokers (CASBs) have emerged as an important component in modern computing and networking architectures. As part of the detailed research for my TAG Cyber Security Annual (download the PDFs at, I had the great privilege of speaking with one of the world’s leading experts in cloud security, Rajiv Gupta from Skyhigh Networks. As we sketched cloud security designs on napkins together in a small café in Manhattan, I asked Rajiv to share his views on where this important area of cyber security was headed. Here is what I learned:

EA: Rajiv, do you think the traditional notion of a perimeter works to stop cyber attacks anymore?

RG: The reality in today’s workplace is that the perimeter is rapidly disappearing. Employees are working remotely from home or from their favorite coffee shop, and accessing corporate systems from their personal devices. Partners collaborating from outside the perimeter are securely sharing confidential data. Therefore, traditional perimeter-based security needs to be re-imagined for the cloud-first and mobile-first era.

EA: CIOs have referred to public cloud usage in the past as part of shadow IT. Do you think this perception is changing and do you think the time will come when most IT functions are delivered from the cloud?

RG: Over the last four years, we have seen a major shift in CIOs’ attitudes towards public cloud services. There is universal acknowledgment that public cloud services can help accelerate innovation, increase employee productivity, and drive the business forward. As trusted partners to their business counterparts, CIOs have shifted focus on enabling cloud services, while meeting their various security, compliance and governance requirements. As CIOs embrace cloud services aggressively, I predict that one day most IT functions indeed will be delivered from the cloud for a broader number of companies than today where today this largely is true for younger companies.

EA: Have large and small companies behaved differently in the adoption of public cloud services?

RG: In the early days, IT departments at smaller companies in non-regulated industries led the charge to the cloud. This was partially due to necessity (they didn’t have the IT staff to support on-premises software), and partially because they had less stringent security and compliance requirements. IT teams in larger companies carefully plotted their adoption of public cloud services. However, business units and employees in the larger companies often lost patience and, taking a page from nimble smaller companies, took the initiative to adopt public cloud services, resulting in the shadow IT phenomenon.

EA: Tell me how a cloud access security broker function works. Is this a man-in-the-middle solution?

RG: A Cloud Access Security Broker is a cloud control point, one that controls access to cloud services, and protects corporate data in cloud services. Full and comprehensive CASB functionality – which includes visibility, threat protection, compliance, and data security – requires that the CASB support all deployment modes, including log-based visibility, integration using proxy and firewalls APIs, forward proxy-based inline intermediation, reverse proxy-based inline intermediation, and integration with APIs provided by cloud service providers. Different customer use cases require different deployment modes. Log-based visibility and integration with cloud service provider APIs are off-line approaches. Offline approaches can’t address requirements such as data encryption, data jurisdiction controls, or access control based on context which inline controls can. Integration with proxy and firewall APIs leverage existing firewall and proxy solutions to intermediate cloud data access. Forward and reverse proxy-based intermediation approaches are inline to the cloud access, however there is a big difference: reverse proxy-based intermediation does not require any device agent or other footprint, while forward proxy-based intermediation does. In traditional parlance, forward proxy approaches are referred to as man-in-the-middle.

EA: For complex environments with public, private, hybrid, and even traditional enterprise IT, is it a tough project to design, integrate, install, and operate a cloud access security function?

RG: In general, the complexity and effort of deploying and maintaining a cloud access security function depends on the deployment mode chosen. In general, off-line CASB deployment modes are faster and easier to design, integrate, install, and operate. Reverse proxy-based approaches that integrate with Single-Sign On solutions are similarly fast and easy. Forward proxy-based approaches are generally the most challenging, because they require device footprints to be distributed, installed, and maintained on all devices even as device versions change over time. Our experience with some of the largest organizations in the world, including 25% of the Fortune 100, has taught us that immediate and significant ROI can be delivered first through a cloud-based product that is simple to configure and integrate with existing in-cloud on on-premises IT investments; second, through best-practices workflow derived by hundreds of customers and codified in the product; and third, through a 5-step deployment methodology that delivers greater value over time. Thus, Skyhigh customers begin to see immediate value in as little as a week, and it grows from there.