CloudSOC CASB Gateway


 What is the DLP traffic flow when both Cloud SWG and CloudSoc gateway are in the picture?

Broadcom Knight Wasfi Bounni posted Feb 27, 2024 06:34 PM

Hi;

Let's say I purchased both a Cloud SWG solution, with its additional license to integrate with the Cloud DLP detector over ICAP; also, I purchased a CloudSoc solution with the additional license to integrate with the Cloud DLP detector over an API on TCP port 443.

Let's say that I have set up Cloud SWG to integrate with CloudSoc, and that I activated the gatelet for Office 365 on the CloudSoc portal.

Now, my understanding is that "without" DLP in the picture, the traffic flow for Office 365 is as follows:

End user device > Cloud SWG > CloudSoc gateway > Office 365 infrastructure 

Now, "with" DLP in the picture, and assuming that the content uploaded is not sensitive, is the traffic flow:

End user device > Cloud SWG > CloudSoc gateway, which uses an API over port 443 to send the file to > Cloud DLP detector, which sends the verdict back to the CloudSoc gateway over the same API > CloudSoc gateway > Office 365 infrastructure

Or

End user device > Cloud SWG, which sends the file over ICAP to the Cloud DLP detector > Cloud DLP detector, which sends the verdict back to Cloud SWG over the same ICAP connection > CloudSoc gateway > Office 365 infrastructure

Kindly

Wasfi

Broadcom Employee Olin Best Answer
Coming from a lab perspective where it has Enforce, CDS for WSS, and CDS for CASB: CloudSWG only wants to know if there is a CASB gatelet activated, and if so it knows to route that over to the CASB gateway. From there, CASB does whatever it will do based on DLP policies. If there isn't a gatelet activated, then CloudSWG knows to run it through all its policies and to use the CDS for WSS instead. Cloud traffic never goes on prem nor uses on-prem resources for the inspection process. We leverage GCP infrastructure to do the heavy lifting for this process.
 
As for Cloud Managed DLP or CASB/Enforce hybrid, both scenarios use the CDS Rest detector in the same way to handle content inspections. In both setups, the CDS is always aware of any policies created.
 
What this means is that the traffic flow remains the same in both scenarios (with or without Enforce), as follows: End User Device > CloudSWG > CloudSOC Gateway (assuming a gatelet is turned on) > CDS > O365 infrastructure.
Here is a traffic flow diagram: