API-enabled protection is the correct deployment model for discovering data at rest within sanctioned cloud applications. This out-of-band method connects directly to the APIs of services like Microsoft 365, Salesforce, and Slack to perform deep scans of existing data, configurations, and user permissions. It is specifically designed to audit for sensitive information (e.g., GDPR data) and identify misconfigurations, such as public exposure, without redirecting user traffic or being in the data path. This allows for a comprehensive and non-intrusive security assessment of data already stored in the cloud.

A. reverse proxy: This model primarily protects and manages inbound connections to a specific web application, not for scanning data at rest within multiple external SaaS platforms.

B. on-premises appliance: This describes a hardware form factor, not a cloud deployment model. It would typically be used for inline inspection of traffic leaving the local network.

D. inline protection: This model inspects data in motion (as it is uploaded or downloaded) via a proxy. It is not the primary method for a complete audit of pre-existing data at rest.

---

1. Official Vendor Documentation (Proxy for Netspoke): Microsoft Defender for Cloud Apps

"App connectors". Microsoft Learn Documentation. "API connectors use the APIs provided by app providers. They give you greater visibility into and control over the apps your organization uses... API connection enables you to scan for files containing sensitive data...". Retrieved from https://learn.microsoft.com/en-us/defender-cloud-apps/connect-app-api.

2. University Courseware: UC Berkeley Information Security Office

"Cloud Access Security Broker (CASB) Service Details". UC Berkeley Security Documentation. Section: "Deployment Modes"

Subsection: "API-based (Out-of-Band)". "The API-based approach provides visibility into data-at-rest within the cloud service... It is ideal for discovering sensitive data and performing security configuration audits."

3. Peer-Reviewed Academic Publication: Al-Masalha

F.

& Al-Haj

A. (2023). A Comprehensive Survey on Cloud Access Security Broker (CASB) Architectures and Functions. Journal of Cloud Computing

12(1)

Article 45. Section 3.2

"API-based CASB". "The API-based mode... allows the CASB to scan data at rest

monitor user activities

and enforce policies directly within the cloud application by leveraging the provider's API." DOI: https://doi.org/10.1186/s13677-023-00468-z.