Cloud access security brokers (CASB) insert security between enterprises and their cloud services by providing visibility and access control, but IPv6 could be causing a dangerous blind spot.

That’s because CASBs might not support IPv6, which could be in wide corporate use even in enterprises that choose IPv4 as their preferred protocol.

For example, end users working remotely have a far greater chance of connecting via IPv6 than when they are in the office. Mobile providers collectively have a high percentage of IPv6-connected subscribers, and broadband residential Internet customers often have IPv6 connectivity without realizing it. Internet service providers and software-as-a-service (SaaS) vendors both widely support IPv6, so a mobile worker accessing, say, Dropbox over a Verizon 4G wireless service might very well connect via IPv6.

Additionally, enterprises may contract with SaaS providers and Internet-based application services that use both IPv4 and IPv6 internet connectivity. IPv6 is now supported by major cloud providers, making it easier than ever for companies to IPv6-enable internet-facing web applications.

Certain CASBs might not see IPv6 traffic

So wittingly or not, enterprises may be employing IPv6 for many internet connections that are used for common business functions. If the corporate choice of CASB (pronounced caz-bee) inspects and controls only IPv4 traffic, then these direct IPv6 connections could bypass corporate policies the CASB is supposed to enforce. If the CASB your organization selects is only looking at IPv4 connections, there could be dangers lurking in the blind spots.

Enterprises aren’t the only ones that might overlook this danger.
Gartner outlines four pillars of functionality that CASBs should possess to be suitable for enterprise deployment:

CASBs must provide visibility to end-user behavior and the cloud services used.
CASBs should be cognizant of data classification, data marking and confidentiality.
CASBs should help the organization protect against Internet/cloud threats and malicious behavior.
CASBs should provide governance of cloud service usage based on corporate policies.

These are good goals, but they should be expanded to explicitly include IPv6:

CASBs must provide visibility to connections that could be occurring using IPv4, IPv6 or a combination of both.
CASBs should be cognizant of data classification, marking and confidentiality regardless of client IP address family.
CASBs should protect against Internet-based threats that could be transported over either IPv4 or IPv6 and alert to malicious behavior occurring over either protocol.
CASBs should provide control and governance based on corporate policies dictated by physical location of either the end-user or the cloud service and should also be aware of geolocation information based on IPv4 or IPv6 address.

Enterprises may not immediately enable the IPv6 features in a product or service. But, by purchasing products and services that already support IPv6, they have the option to enable IPv6 on their own schedule.

Some organizations, including the U.S.
federal government, have procurement guidelines that give preference to IPv6-capable products and services. Some organizations choose to procure IT products only from vendors who have performed the simple act of IPv6-enabling their websites.

How well do CASBs support IPv6?

To help alleviate these concerns, some CASB vendors now support both IPv4 and IPv6 and have dual-protocol websites. The following list describes which CASBs are able to inspect and control IPv6 traffic and connections, and notes those companies that have failed to recognize the importance of IPv6.

Bitglass teams “confirmed IPv6 is not a strong focus of their product, and that it is extremely rare to have IPv6 endpoints connecting to IPv6 cloud applications on the public internet.” There is no mention of IPv6 on its IPv6-enabled website.

CensorNet, an IPv6-capable CASB, works in two modes. When CensorNet runs in API mode (out-of-band), it receives both IPv4 and IPv6 information from the cloud provider. When it runs in Inline mode, it uses a forward proxy, which is compatible with IPv6 connections between the end user and the cloud service, assuming the routers involved are configured for IPv6 routing. The CensorNet CASB DLP scanner can also search for IPv6-style addresses in content uploaded to cloud storage apps. However, there is no mention of their IPv6 features on their IPv4-only website.

Check Point’s CloudGuard SaaS CASB provides no information on its IPv6-enabled web site about IPv6 features in the security service. In Check Point’s R80.20 CloudGuard Controller Known Limitations it states that “IPv6 information is not imported for Data Center Objects in Public Cloud. CloudGuard Gateways in Public Cloud do not support IPv6.” We reached out to Check Point but were unable to confirm IPv6 support.
This article will be updated if the company clarifies its IPv6 support.

CipherCloud has no reference to IPv6 on their IPv4-only website. We reached out to them but received no response. If they confirm IPv6 support, we will update this article.

Cisco’s Cloudlock CASB supports IPv6. Cloudlock can be integrated with Cisco Web Security Appliances (WSA) running AsyncOS 11.7, which is IPv6-capable, and can share W3C logs with the Cloudlock portal. Any integration that Cloudlock would have with Umbrella could leverage the fact that it supports IPv6 and now uses the IPv6 addresses 2620:119:35::35 and 2620:119:53::53 for their service. However, there isn’t any explicit mention of Cloudlock IPv6 features on their IPv6-enabled website.

Forcepoint CASB does not support IPv6. Forcepoint confirmed that when its product works in proxy-mode, it doesn’t support IPv6. The Forcepoint Web Security Cloud seems to have some IPv6 features, but this statement on their site “Traffic to IPv6 destinations that is allowed (default setting) is not filtered or logged,” sounds like there is no security applied to IPv6 connections. However, they say they are measuring interest in IPv6 features from customer input and requests. There is no mention of IPv6 features on their IPv4-only website.

McAfee MVISION cloud security CASB does support IPv6. The company said, “McAfee MVISION Cloud works in a scenario where an IPv6 user accesses an IPv6-enabled cloud service”.
McAfee stated “… MVISION Cloud provides visibility to all cloud services being used in an organization … using either IPv6 or IPv4 at the user or CSP.” There is no mention of IPv6 features on their IPv4-only website.

Microsoft Cloud App Security CASB supports IPv6 and documentation on the use of IP ranges and tags states “Both IPv4 and IPv6 are supported.” Microsoft’s Past-release archive of Microsoft Cloud App Security documents some IPv6 capabilities. The release notes mention that “IPv6 support is now available for all appliances.” starting in release 90. It also states that in release 88 “Cloud Discovery now supports IPv6.”

Netskope does support dual-stack connections in their Netskope for Web (Cloud Native Secure Web Gateway), Netskope for Cloud Infrastructure (for IaaS), and its Netskope for Cloud Applications (SaaS) solution. Its traffic-steering technology can work with IPv6 connections. Dual-stack support is provided through IPv6 translation gateways which terminate the IPv6 connection as IPv4 at the CSP side. Netskope’s IPv4-only web site makes no reference to IPv6.

ManagedMethods states that when using their APIs with cloud service providers, the APIs could convey the IP address (IPv4 or IPv6) of the client or the cloud service in their reports. ManagedMethods doesn’t have any mention of IPv6 functionality on their IPv4-only website or in their product data sheets.

The Oracle CASB doesn’t seem to support IPv6, but we were unable to confirm this. We reached out to Oracle about IPv6 capabilities, but received no response. There is no mention of IPv6 functionality on their web site. If they respond, we will update this article.

Palo Alto Networks Aperture for SaaS applications is its CASB service that supports IPv6 and logging of IPv6 client sessions.
In the Aperture documentation “Get Started with Aperture, Access the Aperture Service” it used to say “IPv6 addresses are not supported” but recently that document was edited and that statement was removed. The Palo Alto Networks CASB works as inline enforcement on PANOS firewalls, which have a rich history of IPv6 support and robust IPv6 security features. Palo Alto has an IPv6-enabled website, but searches for IPv6 reveal no mentions of Aperture. The Aperture Administrator’s Guide doesn’t have any information about IPv6. In the Palo Alto Networks TechDocs for “All Aperture Documentation”, a search for IPv6 reveals no results.

Proofpoint Cloud App Security Broker (Proofpoint CASB) doesn’t appear to have any IPv6 features publicly documented. Searching for “IPv6” on their IPv6-enabled website yields “0 Results Found”. We reached out to the company but received no response. If they confirm IPv6 support, we will update this article.

SAVIYNT said that their CASB does not support IPv6, and there was no mention of IPv6 functionality on their IPv4-only web site.

Symantec CloudSOC Cloud Access Security Broker is its CASB that supports IPv6. Symantec confirmed that CloudSOC supports IPv6 in addresses for Shadow IT discovery, in API-based, sanctioned cloud-application monitoring and control, and with the in-line CASB Gateway. CloudSOC works with traffic accessing CSP services over IPv6, and CloudSOC automatically adapts to IPv6 so using it doesn’t require any extra user action. There seems to be no mention of IPv6 related to the CloudSOC CASB on its IPv6-enabled website.

Enterprises should acknowledge that their remote workers are using IPv6 on their mobile devices, at their employees’ homes and when they are on the road.
Having cloud-based security solutions that support both IPv4 and IPv6 will give them maximum visibility and control.

CASB customers should make IPv6 support a required feature and be wary of CASBs with development strategies that call for use of IPv4-only addresses because that will limit the longevity of their offerings.
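
One way to measure the blind spot described under "Certain CASBs might not see IPv6 traffic" is to compare egress flow records with the sessions the CASB actually logged, split by address family. The sketch below is an added example, not code from the article or from any CASB vendor; the record layout, the service names and the idea of joining the two sources on a shared flow id are assumptions, and all sample data is constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not from the article). Addresses come from the
# documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32.
EGRESS_FLOWS = [  # (flow_id, user, cloud_service, destination_ip)
    ("f1", "alice", "storage.example", "198.51.100.10"),
    ("f2", "alice", "storage.example", "2001:db8:10::10"),
    ("f3", "bob",   "storage.example", "2001:db8:10::11"),
    ("f4", "bob",   "crm.example",     "192.0.2.20"),
    ("f5", "carol", "crm.example",     "2001:db8:20::20"),
]
# Hypothetical CASB export: ids of flows it logged as inspected sessions.
CASB_INSPECTED = {"f1", "f4", "f5"}

def family(ip_text):
    """Return 4 or 6; IPv4-mapped IPv6 (::ffff:a.b.c.d) counts as IPv4."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return 4
    return ip.version

def coverage_by_family(flows, inspected):
    """Map service -> {family: [flows seen by CASB, total flows]}."""
    stats = defaultdict(lambda: {4: [0, 0], 6: [0, 0]})
    for flow_id, _user, service, dst in flows:
        cell = stats[service][family(dst)]
        cell[1] += 1
        if flow_id in inspected:
            cell[0] += 1
    return dict(stats)

def ipv6_blind_spots(flows, inspected):
    """Services with IPv6 flows that the CASB never logged."""
    gaps = {}
    for service, fam in coverage_by_family(flows, inspected).items():
        seen6, total6 = fam[6]
        seen4, total4 = fam[4]
        if total6 and seen6 < total6:
            gaps[service] = {
                "ipv6_uninspected": total6 - seen6,
                "ipv6_total": total6,
                # IPv4 inspection rate for comparison; None if no IPv4 flows.
                "ipv4_rate": seen4 / total4 if total4 else None,
            }
    return gaps

if __name__ == "__main__":
    for service, gap in ipv6_blind_spots(EGRESS_FLOWS, CASB_INSPECTED).items():
        print(service, gap)
```

A service that shows full IPv4 inspection next to uninspected IPv6 flows is the pattern the article warns about: policy is enforced on one address family only.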