Proxying Your Way to SaaS Security? There’s a Better Approach!

Originally published by DoControl.

Written by John Newsome, DoControl.

Over the course of my 20 plus years in cybersecurity, I’ve had the opportunity to work for some outstanding companies and thought leaders in the industry. One of the most controversial and debated topics throughout this time has been the question of “what’s the most effective approach to providing visibility into end user activity to expose potential malicious events?” One aspect of this debate where there is common ground centers around the need to have exceptional visibility. Where things start to break down is the strategy and approach to embed security technology between the end user and the resource they are attempting to access – whether it’s on premises, hosted in a cloud provider environment, or SaaS-based.

A proxy-based approach by and large has been the most popular method of providing this level of visibility and control. It’s a reasonable approach, as a proxy is able to sit between the end user and the desired resource the end user originally requested and act as a “middle man” – which is the true definition of a proxy. By terminating the end user session and recreating a new session to the resource the end user is attempting to access, the proxy based approach provides great visibility to enforce security policies as well as redirect traffic to other security inspection tools such as: DLP scanners, Malware analysis engines, etc. This method has been used for decades to provide effective security but it does not come without cost.

The challenges for any technical sales person in selling and supporting proxy-based security solutions were mainly around deployment options, and application performance and behaviors. In my experience this has created friction for the end users and operational challenges for the IT/Security teams. The value of any proxy-based deployment cannot be realized until traffic can be successfully routed to the proxy.

There are a number of ways this can be accomplished such as proxy.pac files, which can be simple or complex java script that a browser can be configured to point to providing the browser instructions on how to interact with the proxy. Other options include hard coding a proxy address into the browser settings or the use of an actual endpoint agent. Either of these options require a high-level of administrative overhead to configure and support and in some cases these settings can be circumvented by a savvy end user rendering their effectiveness useless, if the endpoint device is not a managed endpoint as is the case with most bring your own device (BYOD) use cases.

There are also the compatibility and performance problems typically associated with applications accessed through a proxy. Some applications do not perform well or have issues when traversing a proxy. In these cases, the typical remedy is to bypass the proxy for those applications leading to security blindspots. There is no rhyme or reason, or reliable list of applications that typically have issues being accessed through a proxy so in most cases, it’s a matter of trial and error. Some vendors of proxy-based solutions may pre-populate their bypass lists with applications that have been problematic when accessed through a proxy and these lists of applications vary from vendor to vendor.

So what’s the call to action?

When evaluating vendors offering SaaS security solutions, IT/Security teams should place specific emphasis on the ease and flexibility of deployment to help you realize a quicker time to benefit while minimizing both end user as well as operational friction. To gain visibility into SaaS applications, a number of vendors offering SaaS security solutions such as CASB and CSPM vendors have taken this legacy proxy-based approach and retrofitted it to support SaaS applications. IT/Security Teams must consider the various options available to redirect traffic to on-premises or cloud-based proxies, account for end user location awareness for traffic steering purposes, and determine in some cases, if endpoints need to be deployed. It will also be important for IT/Security teams to take an inventory of SaaS applications that need to be secured to determine if these applications are compatible with the chosen proxy solution. These considerations as part of the planning process drastically increases potential time to benefit and adds operational burden.