
All we need to know about reverse proxy

04 Jun 2020

Article by Bitglass senior product marketing manager Jacob Serpa.

To misquote George Orwell, not all cloud access security brokers (CASBs) are created equal. This is crucially important since CASBs are the go-to solutions for securing the use of cloud-based tools.

Whether it’s major software-as-a-service (SaaS) apps, niche or long-tail SaaS apps, custom apps built on IaaS platforms, or something else entirely, CASBs are used to protect data wherever it goes.

So let’s review the different CASB architectures and discuss the importance of one deployment option in particular - reverse proxy.

Different CASB architectures address different use cases, so it’s important to be familiar with all of them. However, some deployment options are more limited than others.

  • API-based architectures integrate with application programming interfaces in order to grant out-of-band visibility and control over data at rest within managed cloud applications.
  • Forward proxy architectures require that agents are installed on all user devices in order to provide inline visibility and control over managed and unmanaged app traffic and data.
  • Reverse proxy architectures are agentlessly deployed in the cloud and provide inline visibility and control over managed app traffic and data.

As each of the above options solves its own set of security challenges, organisations evaluating CASBs ought to select a multi-mode CASB that provides all three instead of just one or two.

However, as reverse proxies are the most useful in today’s business world (and are also the hardest to engineer), prospective CASB customers must make sure that their solution of choice contains this deployment option, in particular.

Why is reverse proxy so important?

Reverse proxy is essential for organisations today because it overcomes drawbacks in the other architectures that are highly disadvantageous for modern use cases. API-only architectures cannot provide real-time, inline security and are typically limited to securing a smaller number of apps.

Forward-proxy architectures are difficult to deploy because they require installations on users' endpoints, a logistical challenge that becomes nearly impossible where bring your own device (BYOD) is enabled due to employee concerns around privacy and personal device performance.

Reverse proxy addresses these issues through an agentless architecture (which preserves user experience and provides a rapid, simple deployment) and through inline security for managed apps and data only (meaning that employee privacy on endpoints and personal app instances is respected).

As data is now moving to remote users and personal devices more than ever before, these benefits are indispensable. Even for organisations that may not actively enable BYOD, reverse proxy is still critical for securing access from third-party devices belonging to contract employees, auditors, business partners and new users from M&A activities.

How do reverse proxies work?

Reverse proxies work by mediating interactions between users and the applications they access. When users open managed applications and authenticate, the reverse proxy is inserted into the path of traffic so that it can monitor data in transit and apply protections in real-time.

In essence, the proxy is a code middleman that acts like the user for the app, and virtualises the session to act like the app for the user. Unlike something like mobile application management (MAM), a reverse proxy preserves apps’ native user experiences.

What to seek

Typically, reverse proxies are hardcoded to specific versions of applications. This means that when apps are updated and their underlying code is changed, the reverse proxy won’t know what to do or how to pass the new code down to the user.

To rectify breakages once they occur, vendors have an engineer manually handle the code rewriting so that she or he can update the reverse proxy. However, this reactive approach takes time, impedes security, harms the user experience, and disrupts business continuity.
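The breakage described above can be shown with a small added example, which is not from the original article or any vendor's product. It assumes a suffix-domain URL-rewriting scheme and hypothetical hostnames: a rewrite rule written for one app version misses URLs introduced by the next, and a regression check flags the hosts left reachable outside the proxy.

```python
import re

# Assumed setup (all hostnames hypothetical): the managed app lives under
# app.example.com and the proxy serves each host as <host>.proxy.example.net.
MANAGED = "app.example.com"
PROXY_SUFFIX = ".proxy.example.net"
HOST = r"(?:[\w-]+\.)*" + re.escape(MANAGED)

# Rewrite rule written against version 1 of the app: it only knows about
# absolute URLs inside href/src attributes.
V1_RULE = re.compile(r'((?:href|src)=")https://(' + HOST + r")")

# A managed hostname not followed by the proxy suffix is a leak: the browser
# would reach the app directly and skip the inline controls.
LEAK = re.compile(HOST + r"(?!" + re.escape(PROXY_SUFFIX) + r")")


def rewrite(body: str) -> str:
    """Point the URL patterns the rule knows about at the proxy."""
    return V1_RULE.sub(
        lambda m: f"{m.group(1)}https://{m.group(2)}{PROXY_SUFFIX}", body)


def find_leaks(rewritten: str) -> list[str]:
    """Return managed hostnames still directly reachable after rewriting."""
    return sorted(set(LEAK.findall(rewritten)))


# Constructed sample responses, not captured from any real application.
V1_PAGE = ('<a href="https://app.example.com/files">Files</a>'
           '<script src="https://cdn.app.example.com/v1.js"></script>')
# Version 2 adds a data attribute and a JSON config with escaped slashes.
V2_PAGE = V1_PAGE + (
    '<div data-endpoint="https://api.app.example.com/v2"></div>'
    r'<script>var cfg={"uploadBase":"https:\/\/upload.app.example.com"};</script>')

if __name__ == "__main__":
    for name, page in (("v1", V1_PAGE), ("v2", V2_PAGE)):
        print(name, "leaks:", find_leaks(rewrite(page)))
```

Running a check like this against each new app release surfaces rewrite gaps before users' sessions fall out of the inline path.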

Since the early days of CASB, at least one vendor has recognised the criticality of automated security that can adapt and scale to businesses’ needs on the fly. Consequently, while competitors were focused solely on forward proxy, this vendor was patenting AJAX-VM, technology critical for robust reverse proxy functionality.

AJAX-VM employs machine learning so that it can automatically handle code rewrites when applications evolve and change. This means that there are no breakages and that there is no time wasted waiting for engineers to manually fix the reverse proxy.

Look for a vendor whose technology is designed for total cloud security wherever data goes—a vendor with agentless real-time protections that scale to organisations’ exact needs on the fly. The selected vendor’s solutions should meet a wide breadth of use cases and solve them elegantly and comprehensively.