What is a Cloud Access Security Broker (CASB)?

The Evolution of the CASB

Before the rise of cloud computing and BYOD policies, enterprise security existed in the same “walled garden” model that it had for more than a decade. But as services began originating in and shifting to the cloud-and employees began using these cloud services, with or without prior knowledge or approval of IT-businesses began looking for a way to enforce consistent security policies across multiple clouds and safeguard both users and corporate data.

The development of the CASB allowed enterprise security professionals to gain visibility into the cloud, particularly unsanctioned software-as-a-service (SaaS) usage, or Shadow IT. The insights provided by their CASB were shocking to many IT managers, who soon discovered that cloud usage in their enterprise was much deeper and more pervasive than they had imagined.

While stemming the threats resulting from Shadow IT was a primary use case, it wasn’t the only thing that drove widespread adoption of CASBs. During this time, many businesses were moving their data storage capabilities from on-premises data centers to the cloud. This made CASB, which protected both the movement of data (by restricting things like access and sharing privileges) and the contents of the data (through encryption) even more essential.

While this change was taking place, the threat landscape was also being altered. Today, malware is more pervasive, phishing is both more elegant and better targeted, and small mistakes-for example, opening an AWS S3 bucket to the public-can create a security hole that could cost millions.

Because CASB security measures include features specifically designed to address these issues, the use of a CASB is now regarded as essential elements of enterprise security.

What CASBs offer

Many CASB security features are unique compared with those offered by other security controls such as enterprise/web application firewalls and secure web gateways, and may include:

• Cloud governance and risk assessment
• Data loss prevention
• Control over native features of cloud services, like collaboration and sharing
• Threat prevention, often user and entity behavior analytics (UEBA)
• Configuration auditing
• Malware detection
• Data encryption and key management
• SSO and IAM integration
• Contextual access control

Four pillars of CASB

From its beginnings as an answer to Shadow IT, CASB has grown to include functionality that can be described in terms of four pillars:

1. Visibility
   Large businesses may have any number of employees accessing many applications in many different cloud environments. When cloud usage is outside the view of IT, enterprise data is no longer bound by the company’s governance, risk, or compliance policies. To safeguard users, confidential data, and intellectual property, a CASB solution provides comprehensive visibility into cloud app usage, including user information such as device and location info. The cloud discovery analysis provides a risk assessment for each cloud service in use, allowing enterprise security professionals to decide whether to continue allowing access or whether to block the app. This information is also useful in helping shape more granular controls, such as granting varying levels of access to apps and data based on an individual’s device, location, and job function.
2. Compliance
   While businesses can outsource any and all of their systems and data storage to the cloud, they maintain responsibility for compliance with regulations governing the privacy and safety of enterprise data. Cloud access security brokers can help maintain compliance in the cloud by addressing a wide variety of compliance regulations such as HIPAA, as well as regulatory requirements such as ISO 27001, PCI DSS, and more. A CASB solution can determine the areas of highest risk in terms of compliance and provide direction as to what the security team should focus on to resolve them.
3. Data Security
   Cloud adoption has removed many of the barriers preventing effective collaboration at distance. But as much as the seamless movement of data can be of benefit, it can also come at a tremendous cost for businesses with an interest in protecting sensitive and confidential information. While on-premises DLP solutions are designed to safeguard data, their ability to do so often does not extend to cloud services and lacks cloud context. The combination of CASB with sophisticated DLP allows IT the ability to see when sensitive content is traveling to or from the cloud, within the cloud, and cloud to cloud. By deploying security features like data loss prevention, collaboration control, access control, information rights management, encryption, and tokenization, enterprise data leaks can be minimized.
4. Threat Protection
   Whether through negligence or malicious intent, employees and third parties with stolen credentials can leak or steal sensitive data from cloud services. To help pinpoint anomalous user behavior, CASBs can compile a comprehensive view of regular usage patterns and use it as a basis for comparison. With machine learning-based UEBA technology, CASBs can detect and remediate threats as soon as someone attempts to steal data or improperly gain access. To protect against threats coming from cloud services, the CASB can use capabilities such as adaptive access control, static and dynamic malware analysis, prioritized analysis, and threat intelligence to block malware.

Why do I need a CASB?

As services that were previously offered on premises continue migrating to the cloud, maintaining visibility and control in these environments is essential to meeting compliance requirements, safeguarding your enterprise from attack, and allowing your employees to safely use cloud services without introducing additional high risk to your enterprise.

But while the use of a CASB is crucial for companies wishing to secure cloud usage in their enterprises, it is just part of the overall security strategy businesses should use to ensure defense from device to cloud. For a comprehensive protection plan, businesses should also consider expanding on the capabilities of their CASB by deploying a secure web gateway (SWG) to help safeguard internet usage and device data loss prevention solution (DLP) to help protect intellectual property and protect sensitive corporate data across the network.

How does a CASB work?

The job of a cloud access security broker is to provide visibility and control over data and threats in the cloud to meet enterprise security requirements. This is done through a three-step process:

1. Discovery: The CASB solution uses auto-discovery to compile a list of all third-cloud services, as well as who is using them.
2. Classification: Once the full extent of cloud usage is revealed, the CASB then determines the risk level associated with each by determining what the application is, what sort of data is within the app, and how it is being shared.
3. Remediation: After the relative risk of each application is known, the CASB can use this information to set policy for the organization’s data and user access to meet their security requirements, and automatically take action when a violation occurs.

CASBs also offer additional layers of protection through malware prevention and data encryption.

How do I deploy a CASB?

Simplicity is a major selling point of CASB technology. Along with ease of use, one major benefit of CASB is its ease of deployment. Still, there are some things to consider:

Deployment Location
A CASB can be deployed either on premises or in the cloud. Currently, the SaaS version is most popular, and the majority of CASB deployments are SaaS-based.

Deployment Model
There are three different CASB deployment models to consider: API-Control, Reverse Proxy, and Forward Proxy.

• API Control: Offers visibility into data and threats in the cloud, as well as quicker deployment and comprehensive coverage.
• Reverse Proxy: Ideal for devices generally outside the purview of network security.
• Forward Proxy: Usually works in conjunction with VPN clients or endpoint protection.

Proxy deployments are often used to enforce inline controls in real time and comply with data residency requirements.

Gartner suggests businesses consider CASB products that offer a variety of architecture options to cover all cloud access scenarios. The flexibility afforded by a multi-mode CASB ensures that businesses can expand their cloud security as their needs continue to evolve.

Three considerations for choosing a CASB

1. Is It A Good Fit? Prior to selecting a CASB, enterprises should identify their individual CASB use cases and look specifically for the solution that best addresses their goals. To best ensure a good fit, companies should either perform detailed POCs, compile research from cybersecurity analysts, or perform in-depth reference calls with other companies of similar size and with similar needs.
2. Will It Grow and Change to Suit Your Needs? As enterprise cloud usage continues to grow, the threat landscape will grow along with it. By partnering with the right CASB vendor, you’ll be able to keep your cloud compliance and cloud security policies up to date—and you’ll generally have access to new capabilities sooner.
3. Does It Protect IaaS? Protecting the SaaS is clearly important, but for comprehensive enterprise security, IaaS environments must be protected, too. For enterprises requiring this capability, the CASB should not only safeguard activity and configurations in the IaaS, but also defend their customers through threat protection, activity monitoring, and DLP controls.