Proxies are a popular default mode for many security products. However, proxies provide a
false sense of security for customers. While the idea of routing every user’s traffic through a
central proxy seems like a good idea, in practice it breaks down. Consider the following:
1) End user experience: it's no secret that end users are not big fans of proxies because of the
added latency and the negative impact on user experience. Proxies also give users a feeling of Big
Brother watching, and some savvy users go out of their way to avoid using them.
2) Another point of failure: proxies introduce an additional point of failure between the end user
and SaaS services. Cloud-based proxies may be running on infrastructure different from your
own adopted standard. It is not uncommon to find that some "cloud" proxies are actually run in
outdated co-lo data centers, because the original technology was built in pre-cloud days.
3) Concept of perimeter is disappearing – Employees are mobile and they don’t always use
corporate approved computing devices. It is possible for an employee to create a Google doc
and share it with a business partner, completely outside the corporate perimeter.
4) Not all apps support it – reverse proxies usually depend on the SaaS provider supporting
standards-based single sign-on (often SAML). Not all SaaS providers support standards-based
SSO, which means the product has to fall back to a forward proxy mode. A forward proxy relies
on end users installing a client agent/app on their device. See #3 on why this breaks down.
5) SSL inspection considered risky – In forward proxy mode, to enforce DLP policies, some of
the CASB vendors perform SSL inspection, which increases the risk to users. Please see this excellent
write-up on the risks of SSL inspection:
In summary, using a proxy-based approach to secure your organization's use of SaaS may be
error prone and could cause you more headaches than benefits. The right approach for securing
sanctioned SaaS is to rely on the native APIs provided by the SaaS application and enforce
policies through them. While this approach only works for sanctioned SaaS apps, combining it
with discovery of shadow IT and employee education on the risks of using unapproved SaaS apps
would go a long way toward securing your organization. Employees would thank you for not
getting between them and the SaaS application they need to use for their business purposes.
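The following is an added example, not code from the original post or from ManagedMethods, of what API-based enforcement looks like in practice: instead of sitting in the traffic path, a policy engine reads the sharing metadata a SaaS provider exposes through its API and flags files exposed outside the organization. The record shape and field names (file_id, permissions, kind, role, principal) are assumptions modelled loosely on cloud document-store permission listings, not any vendor's real schema; the records themselves are constructed for the example, and the corporate domain is assumed to be example.com.

```python
from dataclasses import dataclass, field

CORPORATE_DOMAIN = "example.com"  # assumption: the organization's own domain


@dataclass
class Permission:
    kind: str       # assumed values: "user", "domain", or "anyone"
    role: str       # assumed values: "reader", "commenter", "writer", "owner"
    principal: str  # email for "user", domain for "domain", "" for "anyone"


@dataclass
class FileRecord:
    file_id: str
    name: str
    owner: str
    permissions: list = field(default_factory=list)


def _is_external(principal: str) -> bool:
    """True when an email (or bare domain) belongs to someone outside the corporate domain."""
    domain = principal.rsplit("@", 1)[-1].lower()
    return domain != CORPORATE_DOMAIN


def evaluate_file(rec: FileRecord) -> list:
    """Apply the sharing policy to one file's permission list and return findings."""
    findings = []
    for p in rec.permissions:
        # Broad write access outside the org is worse than read access.
        severity = "high" if p.role in ("writer", "owner") else "medium"
        if p.kind == "anyone":
            # A link anyone can open is always high severity regardless of role.
            findings.append({"file_id": rec.file_id, "rule": "public_link",
                             "severity": "high", "principal": "anyone", "role": p.role})
        elif p.kind == "domain" and _is_external(p.principal):
            findings.append({"file_id": rec.file_id, "rule": "external_domain",
                             "severity": severity, "principal": p.principal, "role": p.role})
        elif p.kind == "user" and _is_external(p.principal):
            findings.append({"file_id": rec.file_id, "rule": "external_user",
                             "severity": severity, "principal": p.principal, "role": p.role})
    return findings


def evaluate_all(records) -> list:
    """Run the policy over every record returned by the provider's API."""
    return [f for r in records for f in evaluate_file(r)]


def remediation_plan(findings) -> list:
    """List the (file, principal) permission removals an enforcer would issue via the API."""
    return sorted({(f["file_id"], f["principal"]) for f in findings})


# Constructed sample records standing in for an API listing of files and their permissions.
SAMPLE_RECORDS = [
    FileRecord("f1", "Q3 budget.xlsx", "alice@example.com", [
        Permission("user", "owner", "alice@example.com"),
        Permission("user", "writer", "bob@example.com"),
    ]),
    FileRecord("f2", "Partner SOW.docx", "carol@example.com", [
        Permission("user", "owner", "carol@example.com"),
        Permission("user", "writer", "dan@partner-co.example"),
        Permission("domain", "reader", "partner-co.example"),
    ]),
    FileRecord("f3", "Marketing deck.pptx", "erin@example.com", [
        Permission("user", "owner", "erin@example.com"),
        Permission("anyone", "reader", ""),
    ]),
]


if __name__ == "__main__":
    for f in evaluate_all(SAMPLE_RECORDS):
        print(f"{f['severity']:6} {f['rule']:16} {f['file_id']} {f['principal']} ({f['role']})")
    print("revoke:", remediation_plan(evaluate_all(SAMPLE_RECORDS)))
```

Because the check runs against the provider's own view of who can access each file, it catches the case from point #3 above (a document shared with a partner from a personal device) that a proxy never sees; the remediation plan is the list of permission revocations the enforcer would then send back through the same API.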
Written By Sateesh Narahari – VP of Products, ManagedMethods