
What Is a Cloud Proxy?

A cloud proxy is a cloud-based system that sits between a client and a web server, SaaS application, or data center. It acts as an intermediary between the client and the server, providing secure access to resources while protecting the server from malware and other threats.

Why Do You Need a Cloud Proxy?

A cloud proxy functions like a reverse proxy in many ways—client requests flow through the cloud proxy on the way to an internet address, and replies (e.g., permission to access a webpage) return through the proxy on their way to clients—but because the cloud proxy resides in the cloud, it isn’t confined to data center hardware like a conventional appliance-based proxy.
 

Challenges with Appliance-Based Proxies

Traditional reverse proxy servers and HTTP proxies are still commonplace in today’s network security stacks, but IT leaders increasingly cite issues with:

  • Latency: Proxies need to operate inline to intercept traffic. Routing traffic through bandwidth-limited appliances in a serial fashion can add significant latency to requests—particularly with on-site enterprise deployments—leading to a poor user experience.
  • Compatibility: Traditional proxies are prone to application compatibility issues because they weren’t built for the ways rich web-based applications perform authentication, API calls, service requests, and more, forcing additional troubleshooting.
  • Cost: Commercial proxy appliances cost too much compared to typical IT budgets—even more so if an organization wants to use them to inspect TLS/SSL traffic, for which some vendors can recommend as many as eight times more appliances.
  • Caching: Once a critical function of a proxy architecture, caching is now a feature of all modern web browsers, making network-based caching a secondary offering at best.
     

Benefits of a Cloud Proxy

Proxies are still the right solution for enterprises looking to prevent stealthy threats without compromising the user experience. In the era of the cloud and mobility, hardware-based offerings can’t reliably deliver on that promise. An effective cloud-based proxy architecture offers:

  • Universal application awareness, including cloud-based apps, on any port, with significantly fewer compatibility issues.
  • Global scale to keep up with users who are constantly in motion, often far removed from the enterprise network.
  • Significant cost savings compared to typical hardware proxy price points, reducing IT spend.
  • Great user experience, even with full TLS/SSL inspection enabled, with no detectable latency for end users.
  • No outside visibility into the server, with support for X-Forwarded-For (XFF) headers for apps that require the user’s real source IP address.

The most effective cloud-based proxy architecture is part of a comprehensive security architecture, able to address the entire range of compliance and security benchmarks without leaving gaps for another function or a third party (e.g., a cloud provider) to resolve.

Many of the capabilities of SASE will use a proxy model to get in the data path and secure the access. Legacy in-line network and enterprise firewall vendors lack the expertise to build distributed, in-line proxies at scale, risking higher costs and/or poor performance for SASE adopters.

Gartner, The Future of Network Security Is in the Cloud

How Does a Cloud Proxy Work?

Sitting in the flow of traffic, a cloud proxy integrates with an organization’s authentication service (e.g., single sign-on), after which it can operate inline without an agent. This offers a straightforward user experience, with incoming traffic to managed cloud apps and the like redirected to the cloud proxy automatically.

Let’s take a closer look at this process.

A cloud proxy can protect sensitive data (e.g., PCI data, PII) by acting as a middleman or stand-in for the server on which that data resides. Client requests are routed first to the cloud proxy, then through a specified port in any applicable firewall, and then to the content server—and finally, back again. The client and the server never communicate directly, but the client interprets responses as if they had. Here are the basic steps:

  1. Client sends a request, which the cloud proxy intercepts
  2. Cloud proxy forwards the incoming request to a firewall if applicable
  3. Firewall either blocks the request or forwards it to the server
  4. Server sends response through the firewall to the proxy
  5. Cloud proxy sends the response to the client

Backed by the elasticity of the cloud, this all happens in near-real time regardless of traffic volume.
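The forwarding step above and the XFF support listed under the benefits, shown from both sides as an added example (not Zscaler code and not part of the original page): the proxy appends the connecting peer to X-Forwarded-For, and the origin accepts the header only from trusted proxy addresses, because anything a client puts in XFF is attacker-controlled. The function names and the 203.0.113.0/24 proxy range are assumptions made for illustration.

```python
import ipaddress

# Constructed value: a documentation range standing in for the proxy's egress IPs.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


def is_trusted(ip, trusted=TRUSTED_PROXIES):
    """True if ip parses and falls inside a trusted proxy range."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def proxy_forward_headers(headers, peer_ip):
    """Proxy side (step 2): append the connecting peer to X-Forwarded-For."""
    # Simplification: header names are matched case-sensitively here.
    out = dict(headers)
    prior = out.get("X-Forwarded-For", "").strip()
    out["X-Forwarded-For"] = f"{prior}, {peer_ip}" if prior else peer_ip
    return out


def resolve_client_ip(headers, peer_ip, trusted=TRUSTED_PROXIES):
    """Origin side: derive the client IP from the TCP peer and the XFF chain."""
    # A peer that is not the proxy gets no say over XFF at all.
    if not is_trusted(peer_ip, trusted):
        return peer_ip
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    # Walk right to left: the rightmost entries were appended by trusted proxies;
    # everything left of the first untrusted hop was supplied by the client.
    for hop in reversed(hops):
        if not is_trusted(hop, trusted):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return peer_ip  # malformed entry: fall back to the peer
    return peer_ip
```

An origin that reads the leftmost XFF entry instead would log, rate-limit and authorize on whatever address the client chose to send.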


Zscaler Cloud Proxy

To provide clean, safe, and compliant internet access and a great user experience to all users, on any device or operating system, over any network—no matter where they are—the solution is a cloud-based proxy architecture.

Our proven cloud proxy-based architecture forms the foundation of Zscaler Internet Access™, a cloud native security service edge (SSE) solution that builds on a decade of secure web gateway leadership. Offered as a scalable SaaS platform from the world’s largest security cloud, it replaces legacy network security solutions to stop advanced attacks and prevent data loss with a comprehensive zero trust approach.

Zscaler Internet Access is part of the Zscaler Zero Trust Exchange™, a comprehensive cloud native security platform.


Zscaler Cloud Proxy Use Cases

The Zscaler cloud proxy architecture provides reverse proxy coverage for all traffic, a core element of cloud access security broker (CASB) within the security service edge (SSE) model.

As part of an SSE framework, our cloud proxy architecture supports your organization in:

Securing Unmanaged Devices
Many of your employees may use multiple devices for work, including personal ones. Beyond that, plenty of suppliers, partners, and customers may need access to your internal applications on their own unmanaged devices, presenting a risk to your security.

You can install agents to manage devices your organization owns, but unmanaged endpoints are a different story. Third parties won’t let you install agents on their endpoints, and many employees don’t want agents on their personal devices, either. Instead, our proxy architecture offers agentless protection against data leakage and malware from any unmanaged device accessing your cloud applications and resources.

Data Protection
The Zscaler proxy architecture can enforce data loss prevention policies to prevent accidental or intentional uploads or downloads of sensitive information to or from sanctioned cloud apps. Because it operates inline and inspects all traffic, even encrypted traffic, it can ensure uploaded or downloaded data falls in line with your policies.

Threat Prevention
An infected file in a cloud service can spread to connected apps and devices—especially unmanaged devices. By agentlessly preventing uploads or downloads of infected files to or from cloud resources, our proxy architecture provides advanced threat protection against malware and ransomware.

By nature, our architecture also hides servers and their IP addresses from clients, which protects your web resources from threats such as distributed denial of service (DDoS) attacks.

Load Balancing
The Zscaler proxy can be used to handle client requests that could otherwise overwhelm a single server with high demand, promoting high availability and optimizing load times by distributing requests to your servers evenly.