question

0 Votes
MicrosoftLearner-1334 asked JamesTran-MSFT commented

Technical concepts of CASB Reverse Proxy

Lately, I have been noticing a lot of blogs about CASB Reverse Proxy being used to route the traffic of a cloud application to improve security by parsing the traffic and applying various conditions to evaluate its risks.

I couldn't find any technical explanation related to this.

  1. How can a cloud application like Office 365 or GSuite route its traffic through a proxy server? I do not see any configuration for this in these apps.

  2. Assuming I configure the proxy to point to a cloud application like Microsoft Teams. Whenever I access the proxy URL, it proxies everything to Microsoft Teams. In my Reverse Proxy, I either get the URL being accessed or the HTML content of the page being loaded. How can these be used to evaluate security risks? I couldn't find any docs in Office 365 or Gsuite regarding this.

  3. Are there any APIs provided by Office 365 for this? I also checked Microsoft Graph Security API but it looks like those APIs give data about actions already completed and not the ongoing action which is what a reverse proxy is for.



PS: I'm not looking at any specific vendor. I'm just trying to learn the technical concepts. Any answers in the context of Office 365 or Gsuite are appreciated because I have only those accounts and not any other cloud application.

azure-security-center

0 Votes
JamesTran-MSFT answered JamesTran-MSFT commented

@MicrosoftLearner-1334


I was able to look into your question and will provide some links below that will hopefully help.


When it comes to a CASB-specific feature, there's Microsoft Cloud App Security, which is a Cloud Access Security Broker (CASB) that supports various deployment models including log collection, API connectors, and reverse proxy. I wasn't able to find proxy-specific documentation; however, you can find out more using the links below.


Links:


Microsoft Cloud App Security Documentation


Get Started with Microsoft Cloud App Security


Cloud App Security Best Practices


Connect Office365 to Microsoft Cloud App Security


Connect G Suite to Microsoft Cloud App Security


Lastly, you should be able to navigate through the Microsoft Cloud App Security Documentation using the left tile page if you need more info: 9894-doctiles.jpg


Hopefully this helps answer questions. If after reading through the docs you have any more questions, please let me know!




Please do not forget to "Accept the answer", whenever the information provided helps you. This will help others in the community.




@JamesTran-MSFT


Sorry, I wasn't looking for Microsoft Cloud App Security. Like I have mentioned, I'm not looking for a specific vendor. I checked docs from various CASB vendors like Microsoft Cloud App Security, Bitglass, Netskope, McAfee.


I want to know the technical working of CASB Reverse Proxy. How they are authenticated? How are DLP rules applied when traffic is routed through a reverse proxy? Are there any APIs provided by Microsoft? (Couldn't find any in the links you shared.)


0 Votes 0 ·

@MicrosoftLearner-1334, Thanks for the clarification!

From your response, it sounds like you want the architecture of how a CASB Reverse Proxy works. I'll take this back to my team and see if we can find any info for you regarding this.

0 Votes 0 ·
0 Votes
JamesTran-MSFT answered JamesTran-MSFT commented

@MicrosoftLearner-1334,


Unfortunately the only public documentation that we would have regarding CASB would be the documents I linked above regarding Microsoft Cloud App Security. I was able to find additional CASB related docs for McAfee and bitglass, which I'll link below. When it comes to your questions, I was able to read through the docs I linked and will answer your questions as best I can referencing these docs.


How they are authenticated? I'm assuming by "they" you're referring to how users are authenticated?


Conditional Access App Control uses a reverse proxy architecture and integrates with your Identity Provider (IdP). Conditional Access App Control enables user app access and sessions to be monitored and controlled in real time based on access and session policies. Creating a session policy with Conditional Access App Control enables you to control user sessions by redirecting the user through a reverse proxy instead of directly to the app. From then on, user requests and responses go through Cloud App Security rather than directly to the app. You can find out more here.


How are DLP rules applied when traffic is routed through a reverse proxy? By DLP are you referring to Data Loss Prevention?


If so, access and session policies are used within the Cloud App Security portal to further refine filters and set actions to be taken on a user. With the access and session policies, you can: Prevent data exfiltration, Protect on Download, Prevent upload of unlabeled files, etc. You can find out more here.


Are there any APIs provided by Microsoft? - In regards to the APIs, the only CASB/Microsoft Cloud App Security APIs we have should be listed here. 10001-api.jpg


Additional Links:


Microsoft Cloud App Security Architecture


Tech Community Announcement


McAfee CASB


bitglass architecture




Please let us know if this reply helped resolve your question. If so, please remember to "mark as answer" so that others in the community facing similar issues can easily find a solution.




@MicrosoftLearner-1334

I just wanted to check in and see if my previous post helped answer your question or if you had any other questions.

Thank you for your time!



Please let us know if any of these answers helped resolve your question. If so, please remember to "mark as answer" so that others in the community facing similar issues can easily find a solution.

0 Votes 0 ·
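
A vendor-neutral sketch of the session-policy step described in the answer above, added here as an illustration and not taken from Microsoft Cloud App Security or any other CASB product. Because the user's session is redirected through the proxy, the proxy sees each request and response body and can apply rules such as "Protect on Download" and "Prevent upload of unlabeled files" before forwarding. The `Exchange` fields, the `label` attribute and the card-number rule are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Candidate payment-card numbers: 13-19 digits, optionally space/dash separated.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def has_card_number(body: bytes) -> bool:
    text = body.decode("utf-8", errors="ignore")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False

@dataclass
class Exchange:
    """One proxied request/response, as the proxy sees it (hypothetical shape)."""
    user: str              # identity established by the IdP at sign-in
    managed_device: bool   # device state attached to the session (assumed signal)
    direction: str         # "upload" (request body) or "download" (response body)
    filename: str
    label: Optional[str]   # sensitivity label, if the file carries one (assumed)
    body: bytes

def evaluate(x: Exchange) -> str:
    """Return the action the proxy takes before forwarding the body."""
    if x.direction == "upload" and not x.label:
        return "block: unlabeled upload"
    if (x.direction == "download" and not x.managed_device
            and has_card_number(x.body)):
        return "block: sensitive download to unmanaged device"
    return "allow"

# Constructed sample traffic.
SAMPLE = Exchange("alice@example.com", False, "download", "report.csv",
                  "Confidential", b"name,card\nBob,4111 1111 1111 1111\n")
```
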