Google recently announced draft plans for some major changes to Chrome extension API requirements. Google’s Manifest V3 explains that the changes are meant to improve network performance and extension security. The tech giant has been busy cracking down on malicious Chrome extensions and fake ad blockers, and this move is being billed as part of that effort.
Manifest V3 goes on to explain that its aim is to limit or potentially remove blocking options from most events. This means that extensions that currently have the ability to intercept network requests and modify, redirect or block them may be limited to “observation only”.
Developers of ad blockers, cookie tracking, and marketing extensions are raising serious concerns about these planned changes. But the implications to some types of cloud access security brokers (CASB) can’t be overlooked. Those that have relied on browser extensions as network agents may find their cloud security products rendered effectively useless.
It really depends on how the CASB was built. CASB architecture is built on two different basic types of technology. Newer, more modern CASB solutions use cloud applications native APIs to secure access in the cloud. This type of API-based CASB doesn’t need an agent, or browser extension, because it behaves as if it is part of the cloud application itself.
The other type of CASB controls traffic requests through agents and/or proxies. They attempt to solve cloud security issues with old methods designed for on-premise, perimeter network security solutions.
These proxy CASBs use browser extensions as agents for their URL content filtering solution. This means that IT has placed a browser extension on every employee’s mobile device, laptop, etc. to rewrite URLs and direct the request to their proxy, instead of letting traffic go directly to the web site or application the user is trying to access.
[BLOG] API vs Proxy CASB: Which Is Right For You? >>
When announcements like these changes to Chrome extensions occur, there are two types of reactions in the CASB world…
Agent/proxy-based CASBs are sent into a scramble to figure out how these changes are going to impact their technology. They have to put other important product updates on the backburner while engineers and developers work to make sure their solution is still going to be able to do the bare minimum necessary to still call it a data security product.
API-based CASBs, on the other hand, sit back and say: “Yeah, I told you proxies were a bad idea. Welcome to the future.”
Google’s plans to change Chrome extension architecture is by no means final. More updates will emerge in the coming weeks and months that will clarify Google’s approach. But, when the security of your organization’s sensitive, regulated data is at stake, is it really worth waiting and wondering if your CASB solution will still be relevant in a few months time?