Skyhigh Networks obtains cloud security patent for CASB platform

Skyhigh Networks' patented method for providing cloud access security broker services uses a reverse proxy mode to provide authentication and policy controls.

Cloud access security broker Skyhigh Networks has obtained a new patent for the company's method of delivering CASB services to enterprises without installing agents on endpoint devices.

The cloud security patent is for what Skyhigh calls "pervasive cloud control," which gives the CASB, based in Campbell, Calif., the ability to intermediate traffic from enterprise users to third-party cloud providers, as well as single sign-on (SSO) vendors. Specifically, U.S. Patent 9,137,131 describes "a network traffic monitoring system for redirecting network traffic between a client device and a cloud service."

Using what's called a reverse proxy mode, Skyhigh sets up a "monitor proxy server" that acts as a network intermediary between the client device and the SSO system, as well as between the client device and the cloud service. The company's CASB platform configures the approved cloud app or service, so the login request from an enterprise user is first sent to Skyhigh for authentication and any additional security policy controls for data governance. The Security Assertion Markup Language (SAML) authentication request, once validated by Skyhigh, is then forwarded to the SSO vendor for confirmation to complete the login.
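To illustrate the validation step an intermediary in this position performs, the following added example (not Skyhigh's code and not taken from the patent) decodes a SAML AuthnRequest sent with the standard HTTP-Redirect binding and checks it against policy before choosing where to forward it. The hostnames, the `APPROVED` table and the function names are assumptions made for the sketch.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_XML = 64 * 1024  # cap inflated size so a tiny request cannot expand without bound

# Constructed policy: approved service providers (by Issuer) and their registered ACS URLs.
APPROVED = {"https://app.example.com/saml/metadata": "https://app.example.com/saml/acs"}
IDP_SSO_URL = "https://idp.example.com/sso"  # hypothetical SSO vendor endpoint

# Constructed sample request, not captured from any real deployment.
SAMPLE = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
          'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
          'Version="2.0" IssueInstant="2015-09-15T00:00:00Z" '
          'AssertionConsumerServiceURL="https://app.example.com/saml/acs">'
          '<saml:Issuer>https://app.example.com/saml/metadata</saml:Issuer></samlp:AuthnRequest>')

def encode_redirect(xml_text):
    """Encode as the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_text.encode()) + c.flush()).decode()

def decode_redirect(saml_request):
    """Reverse the binding encoding with a size limit, and refuse DTDs before parsing."""
    d = zlib.decompressobj(-15)
    xml_bytes = d.decompress(base64.b64decode(saml_request, validate=True), MAX_XML)
    if d.unconsumed_tail:
        raise ValueError("request exceeds size limit")
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD not allowed")
    return ET.fromstring(xml_bytes)

def validate_and_route(saml_request):
    """Return (forward_url, issuer) for an approved request, else raise ValueError."""
    root = decode_redirect(saml_request)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    issuer = (root.findtext(f"{{{SAML}}}Issuer") or "").strip()
    if issuer not in APPROVED:
        raise ValueError("unapproved service provider")
    acs = root.get("AssertionConsumerServiceURL")
    if acs is not None and acs != APPROVED[issuer]:
        raise ValueError("ACS URL mismatch")
    return IDP_SSO_URL, issuer
```

Verification of a signed request (the `SigAlg` and `Signature` query parameters in this binding) is not shown here and would precede these checks in a production deployment.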

The process removes the need for software agents on endpoint devices, which Skyhigh CEO Rajiv Gupta said can negatively impact performance and user experience.

"Downloading agents for devices is a nonstarter," Gupta said. "It's a nightmare that causes friction for users and isn't something that employees, business partners or customers want to do."

Agents are especially problematic when it comes to mobile devices, because they are often too cumbersome for smartphones and tablets, or incompatible with mobile operating systems. As a result, Gupta said, enterprises have virtually no visibility or control over employees accessing cloud services through their mobile devices. "It's going to be an increasingly mobile-to-cloud world," he said. "And the need for a cloud control point for those devices is what led to this."

The cloud security patent, which was originally filed in March 2013, was awarded by the U.S. Patent and Trademark Office on Sept. 15. While other CASBs -- such as Adallom, Bitglass, CipherCloud and Netskope -- use reverse proxies, Doug Cahill, senior analyst of cybersecurity at Enterprise Strategy Group Inc. in Milford, Mass., said he hasn't seen anything quite like Skyhigh's pervasive cloud control method. "What I like about this patent is it shows security standards in action with SAML, and it provides a way to authenticate and secure cloud services without causing friction," Cahill said.

Rich Mogull, analyst and CEO at Phoenix-based research firm Securosis LLC, agreed and said Skyhigh's technique is important to the CASB model because it aligns well with how people use the cloud today. "Basically, relying on agents or traditional network proxies doesn't really fit the model of mobile workers not relying on connecting through an enterprise network," Mogull said. "While technically the CASB is still a 'bump in the wire' between the user and the cloud service, this allows them to do so in a manner that reduces the impact and complexity to the user and the enterprise."

Gupta said the configuration process for enterprise-approved cloud services is relatively simple, and that the only requirement is for the enterprise to have an SSO product that uses SAML. There is no impact on the cloud provider itself, he said.

David Levin, director of information security and end-user computing at Western Union Holdings Inc., based in Englewood, Colo., said the agentless approach of Skyhigh is vastly superior to alternatives. Levin said Western Union initially began working with Skyhigh two years ago for cloud discovery, but later began using the company's CASB platform to add security controls for several cloud apps and services.

"We have a partnership with Okta for SSO, and that's where Skyhigh really made sense," Levin said. "We had to make a few small changes on the back end, but the process was easy. Now, our users don't even know they're logging on through Skyhigh. It's completely seamless."

Cahill said the patent could give Skyhigh a leg up in the fast-growing CASB market, which has seen a number of acquisitions and venture capital investments this year. "It could be a big competitive advantage for Skyhigh if this becomes the method of choice for enterprises to get security cloud services," he said. "Even if there's some friction with Skyhigh's model, it's much less than what you'd experience with agents on endpoint devices."
