Definition of Cloud Access Security Broker
Cloud Access Security Broker (CASB) is cloud-hosted software, or local software/hardware that acts as an intermediary between users and cloud service providers. CASB is able to address gaps in security across Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) environments. In addition to providing visibility, CASB also enables enterprises to extend the reach of their security policies from existing on-premises infrastructure to the cloud and create new policies for cloud-specific contexts.
Key benefits of CASB
CASB offers security measures that enable companies to mitigate risks, implement policies across devices and applications, and maintain compliance with established policies.
- CASB can gain a comprehensive view of cloud activities and establish appropriate security measures.
- CASB offers comprehensive, detailed cloud usage control with powerful analytics
- CASB prevents data loss thus helping security teams protect sensitive user information, such as proprietary data, financial data, medical history, credit card numbers, or social security numbers
- CASB enables enterprises to assess the risk of unauthorized applications and create access requirements accordingly
- CASB prevents malicious threats by detecting unusual behavior across cloud applications, identifying ransomware, attacked users, and fraudulent applications – one way is by analyzing the use of high-risk applications and automatically remediating threats, limiting the risk to the enterprise
The importance of using CASB
CASB is a gatekeeper that helps monitor and use cloud services safely, while ensuring that network traffic complies with established security policies and regulations. CASB protects data by exposing consumers to the use of cloud applications across multiple platforms. CASB can also identify threats so that security breaches can be stopped in their tracks.
The four foundations of CASB
Visibility
Visibility becomes very important when today’s work culture depends on cloud data access. Companies must know who is using cloud services and how they are using them. Yet, most cloud service providers lack auditing or logging capabilities.
Shadow IT, which is one of CASB’s strengths, can determine unusual access from unapproved applications and then send appropriate alerts. Shadow IT is also capable of determining abnormal behavior from access to unapproved applications.
For example, when a user tries to upload a document in an unapproved application such as Dropbox because the company has OneDrive as an approved application for storage so access to other cloud service providers such as OneDrive/Box/AWS will be treated as unusual behavior and appropriate alerts will be raised.
Compliance
CASB provides protection to data stored in the cloud against data breaches by data residency with data at rest encryption. It also provides controls to ensure data stored outside the organization meets all compliance policy requirements. For example, allowing users to access corporate Dropbox from the office and prohibiting access to personal Dropbox accounts within the office.
Data security
CASB provides built-in capabilities to monitor access to data stored in the cloud. It can provide access control on various parameters such as location, IP address, browser, operating system, and device. For example, allowing users to access G Suite and Salesforce from the office but only allowing G Suite from the user’s home.
Threat protection
CASB provides various alerts to inform IT of threats detected within the organization’s users based on user behavior. For example, if someone attempts to download customer data from Salesforce, CASB will raise an alert and prevent the user from downloading the data.
How CASB Works
- Identifies all cloud applications in use as well as employees who have an association with those applications
- Assess each application, identify data, and calculate risk factors
- Create customized policies for the company based on security needs, so that CASB can identify and remediate incoming threats or breaches
Three CASB implementation models
API scanning
API scanning is a non-intrusive security measure for data that is not active in the cloud but does not offer real-time prevention. This deployment is available for licensed enterprise applications.
Direct proxy
Direct proxies offer real time data loss protection for both permissioned and non-permissioned applications. However, this direct proxy CASB deployment only applies to managed devices and cannot request inactive data.
Reverse proxy
Unlike the direct proxy, the reverse proxy can be used on both managed and unmanaged devices as it redirects all user traffic. This proxy offers data protection from loss in real time, but only on licensed apps.
