The CASB Challenge: APIs or Proxies?

The CASB Challenge: APIs or Proxies? Palerra CEO Rohit Gupta on How to Make Your Cloud Security Decision

Transcript of The CASB Challenge: APIs or Proxies?


Gupta founded Palerra in 2013 with a vision of enterprises embracing the cloud. And that’s happened. But with cloud ubiquity has come a new reality, he says.

“Enterprises recognize that there is a security aspect that they’ve got to take care of,” Gupta says. “They’ve got to understand that information is going into the cloud. They have to be careful about their users whose information is [in the cloud] ... and, really, the cloud represents this new attack vector that enterprises have to care about.”

Hence the rise of the CASB, and the question of which approach is better to take: proxy or API.

In an interview about CASB strategies, Gupta discusses:

• Merits and tradeoffs of each CASB approach;
• Why Palerra has embraced the API method;
• What security leaders need to be asking of their prospective CASB technology partners.

Gupta founded Palerra in 2013 with the vision of ushering in a new paradigm in security and DevOps: one that would enable enterprises to confidently embrace and accelerate the move to the cloud.

He has spent his entire career in enterprise software. Most recently, he was Vice President and General Manager for the Remedy IT Service Management division at BMC Software, a product line producing over $500M in revenues. At BMC, Rohit helped build and grow their first two SaaS offerings including RemedyForce and RemedyOnDemand. Prior to BMC, Gupta was Vice President of Product Management for Identity and Access Management at Oracle Corporation, with responsibility for product strategy, marketing, business development and alliances. Under his leadership, Oracle rapidly grew their IAM market presence from a nascent player to market leadership with revenues over $300M, in the first five years since inception.

Rise of the CASB

TOM FIELD: Why have cloud access security broker solutions emerged so quickly to become a mandatory control to help IT get a handle on cloud security? What’s your perspective on that?

ROHIT GUPTA: Companies, large and small, have been moving to the cloud across so many different form factors. They’re consuming services like Salesforce.com and Microsoft Office 365. And they’re using the cloud as a delivery mechanism for their own services. Netflix delivers its video streaming service using Amazon Web Services, and Capital One also uses AWS to deliver its retail banking platform – and these are just two of many.

So, the cloud has become this incredible transformation mechanism for enterprises large and small. But now enterprises recognize they must protect this new attack vector. They understand that information is going into the cloud. They have to be careful about their users, whose information is either in the cloud or whose credentials are being leveraged to access the cloud services, and make sure that information doesn’t get compromised.

Rohit Gupta, CEO of Palerra

In recent months, Cloud Access Security Broker solutions have emerged as a de facto, mandatory control. Which is a better approach to CASB - proxy or API? Rohit Gupta of Palerra shares his insight and recommendations.

With cloud security, we often hear it referred to as a “shared responsibility model,” where the cloud provider is responsible for the security of their services and the enterprise consuming or delivering services through the cloud provider is responsible for the data being accessed through these services. It’s led to the emergence of cloud access security brokers, or “CASBs,” especially over the last 12 to 18 months, as a mandatory control point that helps enterprises gain deeper visibility and tighter security as they leverage the cloud for their digital transformation. CASB technologies can reside on premise and in the cloud and help information security and information technology teams get a holistic handle on securing and monitoring their information and infrastructure in the cloud.

CASB Approaches: Proxy vs. API

FIELD: There are two primary approaches to CASB: proxy services and APIs. What do you find to be the merits and the tradeoffs of each of these approaches?

GUPTA: The proxy approach involves the setup of an inline approach or an inline gateway – a control point that sits between the enterprise and the service provider. The control point leverages traditional packet inspection techniques to inspect the traffic going through it and then make policy enforcement decisions, depending on what the enterprise wants.

In contrast, the API approach is an out-of-band approach that essentially leverages APIs to connect to the cloud provider on behalf of the enterprise and inspect it on a regular basis to assess the state, health and compliance, if necessary, of what is happening in the cloud service itself.

The primary benefit of the proxy approach is the notion of real-time protection, where traffic goes through the proxy in real time, the proxy inspects the information and then makes real-time enforcement decisions, such as blocking a user from going to a site or preventing them from sharing or emailing a document. One of the primary concerns with this approach, however, centers around the fact that these proxies have a hard dependency on web traffic, so when you deal with cloud service providers such as IaaS (Infrastructure as a Service) providers like AWS or Microsoft Azure, they don’t work.

Moreover, proxies have been notorious for poor performance and being susceptible to DDoS attacks, both of which can make them a central point of failure that could lead to downtime and ultimately the disenchantment of employees and end users.

The greatest advantage of the API approach is its ability to secure all types of traffic – managed traffic and unmanaged traffic – leaving no security gaps. APIs ensure you have complete coverage and visibility, whether you’re using a web-based or SaaS application like Salesforce or Office 365 or an IaaS provider like AWS, Azure or Rackspace, which gives you complete peace of mind.

APIs: ‘Core Elements of the New Internet’

FIELD: We also hear the term “multimode” frequently. How relevant is multimode in today’s cloud security landscape?

GUPTA: The term “multimode” came from what some industry analysts and other thought leaders did around the deployment topologies of these CASBs. The early school of thought on deployment modes was the ability to take advantage both of what proxy deployment and API deployment architectures offered, hence the multimode term. But as CASB technology has evolved, the API approach now can provide all of the core benefits natively, along with the preventative and enforcement capabilities that were initially only available just through the proxy mode, making the proxy mode questionable as a deployment methodology.

APIs essentially are the core elements of the new internet. As we move to the cloud and Internet of Things, APIs become those central components that connect all of these services together. Every major cloud provider is building and delivering a rich set of APIs that externalize information, whether around performance, security or compliance, among other things. So, CASBs that are designed with an API approach from the ground up can take advantage of all of the fidelity that cloud service providers deliver and combine that with the native capabilities that an enterprise has from a security tooling standpoint. Think of tools such as next-gen firewalls, software web gateways, and identity and access management products. By integrating and orchestrating with them, API-based CASBs can deliver the best user experience and the most holistic security, not to mention none of the performance or other bottlenecks that proxy-based technologies suffer from.

The Palerra CASB Difference

FIELD: It’s no surprise Palerra is solidly behind the API approach. Is that how you differentiate yourselves in the CASB marketplace?

GUPTA: Absolutely! We were a pioneer in designing and architecting a cloud-agnostic API-centric approach that allows enterprises to create a single policy framework that starts off as IaaS and goes all the way up the stack to SaaS.

Think about that for a second. An enterprise harnessing the power of the cloud to deliver its own services using Rackspace or AWS or Azure now can create a policy framework that securely protects its users, data and workload – and at the same time, extend that policy framework to applications its employees use on a day-to-day basis. File-sharing applications, like SharePoint, OneDrive or Dropbox. CRM applications in the cloud such as Salesforce. ERP services such as Workday. The power to be able to have that common policy framework across infrastructure or from IaaS, all the way to SaaS leveraging this native API-centric approach, is critical to Palerra’s strategy.

Palerra has a few more differentiators as well. At a high level, Palerra is the only CASB that not only natively delivers an experience that ranges from security protection and monitoring both for information and infrastructure, but it also addresses the concept of remediation and change management by being able to deliver incident response with a full-fledged orchestration engine inside of our service. The way we’ve designed our service and deliver our API-centric CASB technology with a common policy framework that is universally extensible across infrastructure is really a core differentiator, making it incredibly compelling and cost-effective for an enterprise to maintain and deploy.

API-Based CASBs: Delivering Value

FIELD: Rohit, please provide some specific examples of how the API CASB approach has delivered the value that IT security leaders really are seeking.

GUPTA: Customers look for consistent ROI and value from any technology that they deploy, and the API-centric CASB approach, the Palerra approach, is no different. I’ll give you a couple of examples. One, think of an enterprise that has essentially rolled out a new kiosk-based ordering system in their retail outlets and they use a payment gateway that lets somebody swipe a credit card. The service delivering this is doing so through a cloud service provider, and so the ability to protect sensitive information like credit card information and customer information this particular application is storing is hugely critical, and the ability to essentially extend this from the databases where this information is stored all the way to the users whose information is being captured here, is critical. A CASB leveraging an API-centric approach like Palerra can look holistically across both infrastructure as well as application.

Two, think of enterprises that deploy the Microsoft Office 365 stack. If they leverage capabilities such as Exchange for email or SharePoint for file-sharing, you can now inspect, at any given point in time, what system administrators are doing. Is there any anomalous behavior going on? Are mail-routing rules being violated? Are DLP policies being changed? You’re able to do that at the same time as being able to assess and inspect whether information is going out from SharePoint. They can see if executive calendars and other sensitive files are being shared with folks outside the company. The ability to secure, monitor and protect both information and infrastructure is a critical aspect of how API CASBs deliver value.

Key CASB Questions

FIELD: When weighing CASB decisions, what key questions should security leaders ask of their prospective technology partners?

GUPTA: I’d boil it down to three things:

One: How do you make sure we have the ability to inspect, secure and monitor my entire cloud footprint?

I don’t want to have any gaps. I don’t want to just inspect a portion of my cloud and just a couple of SaaS applications. I want to assess everything. I want to see the infrastructure, I want to see my custom applications, I want to see my out-of-the-box package SaaS applications.

Two: How do you quantify ROI? What is the payback on this investment, and how is it calibrated?

There’s always a concern in our industry, where there’s a technology overload and a lot of tools being used, some of them being shelfware, that CASB providers share with security leaders how they can benefit and deliver a return on this investment. I think it’s incredibly critical.

Three: Can you showcase a rapid return to a remedial steady state using automation and orchestration?

In today’s environment, where InfoSec leaders are inundated with alerts and notifications from their tools, the ability to provide true insights and take action against those alerts becomes critical.

http://www.inforisktoday.com/interviews/casb-challenge-apis-or-proxies-i-3225


About Palerra:

Palerra helps organizations protect their business-critical cloud infrastructure and data with Palerra LORIC™, the industry-leading solution for cloud security automation. Palerra is the only CASB that provides visibility and security across the entire security lifecycle from infrastructure to applications, enabling organizations to realize the full promise of the cloud. www.Palerra.com


902 Carnegie Center • Princeton, NJ • 08540 • www.ismgcorp.com

About ISMG

Headquartered in Princeton, New Jersey, Information Security Media Group, Corp. (ISMG) is a media company focusing on Information Technology Risk Management for vertical industries. The company provides news, training, education and other related content for risk management professionals in their respective industries.

This information is used by ISMG’s subscribers in a variety of ways: researching a specific information security compliance issue, learning from their peers in the industry, gaining insights into compliance-related regulatory guidance and simply keeping up with the Information Technology Risk Management landscape.

Contact

(800) 944-0401