What is a Cloud Access Security Broker (CASB)?
A Cloud Access Security Broker (CASB) is an intermediary security policy enforcement point between cloud consumers (users, devices) and cloud providers. In today’s digital economy, where conducting business increasingly shifts to the cloud, a CASB extends an organizations’ enterprise security policy umbrella to cover cloud resources as well as the transactions and data exposed when users access those resources.
CASB is a critical component of your overall Secure Access Service Edge (SASE) strategy. CASB protects users and devices—including unmanaged devices such as personal smartphones and laptops, or IoT devices—on a granular and per-transaction level when accessing cloud applications or data from any location.
Why Was CASB Developed?
Traditional security services secured the perimeter of the enterprise network and focused on on-premises users, access and data storage. Security gaps resulted when the network perimeter dissolved as enterprises moved applications, data access and data storage to the cloud. CASB developed new cloud-focused products and services, deployed on-premises or in the cloud, to address these new security exposures in an organization’s use of cloud services.
CASB enables secure access to cloud services from users both within and outside the traditional enterprise perimeter, supports secure cloud-to-cloud access, enables secure work-from-anywhere, secures cloud access from unmanaged personal devices, and extends security across software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) environments. CASB protects organizational data in transit and at rest in the cloud.
How Does CASB Work?
CASB products and services provide visibility and control over data and threats in the cloud to meet enterprise security and regulatory requirements. A full-featured CASB solution helps you:
- Discover a list of cloud services accessed by your user community, as well as insight into who is accessing them.
- Determine a risk level associated with each cloud application by analyzing the application and the data used and shared within it.
- Enforce enterprise security policies based on risk levels, and prevent violations.
- Implement additional protection such as malware prevention and data encryption.
The four core functionality areas of a CASB include:
- Visibility: Discover cloud services in use; discover who is using these cloud services; provide financial insights in cloud spending, possible redundancies and license costs.
- Compliance: Preserve, improve and report on regulatory compliance when applications and data move to the cloud.
- Data Security: In concert with sophisticated cloud DLP detection mechanisms, data at rest and in motion are protected through methods such as encryption.
- Threat Protection: Protect your organization from malware and other threats entering the enterprise via cloud applications and access.
CASB delivers five critical security capabilities: cloud application discovery, data security, adaptive access control, malware detection, and user and entity behavior analytics.
Benefits of CASB
There are numerous security and management benefits to deploying a CASB product or service for your organization:
- A central location for consistent policy and governance across multiple cloud services for both users and devices (including BYOD).
- Granular visibility into, and control over, user activities, applications, sensitive data, and SaaS activity.
- Enables secure workforce mobility.
- Monitors and governs use of cloud applications such as Office 365.
- Enables businesses to take a granular approach to sensitive data protection. compliance and policy enforcement—making it possible to safely utilize time-saving, productivity-enhancing, and cost-effective cloud services.
- Protects all device access to SaaS applications as the industry moves away from traditional devices and device management practices to accommodate BYOD.
- Inspects and provides analytics on data, application, and user behavior in cloud services, including the presence of unsanctioned employee cloud use and shadow IT.
- Integrates with an enterprise’s existing identity provider, security information and event management (SIEM) tool, and unified endpoint management (UEM) product.
- Encrypt or tokenize sensitive content to enforce privacy.
- Detect and block unusual behavior indicative of malicious activity.
- Integrate cloud visibility and controls with existing security solutions.
- Operate in a multi-tenant cloud environment.
- Distinguish between corporate and personal instances of cloud services and provide the ability to limit or block the exchange of data between them.
How to Deploy CASB
CASBs can be either on-premises, colocated, or public cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to inject enterprise security policies as the cloud-based data or applications are accessed. CASB architecture is designed for flexibility, meaning a CASB can optionally operate as a virtual or physical appliance.
Deploying the right CASB architecture for your organization’s needs is critical to enable the use of all the features and use cases that you envision. Some features are available only in specific deployment models. When evaluating a cloud access security broker, confirm that the vendor and the solution support the deployment models you need. Enterprises often combine multiple deployment models to achieve complete coverage of their needs.
There are two primary CASB solutions:
Out-of-Band
The CASB does not sit in the traffic path between user and cloud, or cloud-to-cloud. The CASB monitors and logs activity, and may inject policy actions (such as allow, deny, delete, challenge permission) via API access.
While out-of-band CASB solutions can monitor and report on events and activity, they have no visibility into the content of the interactions.
Inline
These CASB solutions use a proxy mode that terminates/re-originates the traffic between the user and the cloud, or cloud-to-cloud. The CASB can be deployed as either a Reverse Proxy (close to the cloud), or a Forward Proxy (close to the user).
Inline CASB solutions can monitor and report, as well as make all policy decisions, and also have full visibility into (and the capability to decrypt and/or intercept) the content of the interactions.
Multimode CASB providers are those who offer a combination of an API and an in-line mode of operation. While some of the most prominent cloud application and service providers publish public APIs, most SaaS applications do not offer this, necessitating a CASB solution with at least one inline capability.
Is CASB the Right Choice for Your Organization?
As services previously offered on-premises continue to migrate to the cloud, maintaining visibility and control in these environments is essential to meeting compliance requirements, safeguarding your enterprise from attack, and allowing your employees to safely use cloud services without introducing additional high risk to your enterprise.
Versa offers cloud-hosted security as a service as part of the SASE portfolio in both on-premises and provider-based models. These services provide a global footprint of locations where the CASB software nodes are deployed. Enterprises can use the nearest or most convenient point of presence (POP) as an on-ramp to high-speed and secure network and application access to their cloud infrastructure.
Additional Resources
CASB forms an integral part of Versa’s SASE solution, including gateways and cloud-hosted deployment models. SASE components and technologies aligned with CASB include:
The 4 Pillars of CASB
To produce an effective CASB, four foundational pillars must be present. CASB providers must ensure that their cloud access security broker has visibility, compliance, data security, and threat protection. What is a cloud access security broker without these features? A non-secure system that is at risk of being hacked or infected by malware.
Visibility
Companies need visibility into which systems and software are properly utilized within their company. Luckily, visibility is a key function of leading CASB architecture. Effective CASBs provide full visibility into both managed and unmanaged cloud systems. Not only does this identify useful cloud systems, but it allows company leaders to make informed decisions regarding cloud usage.
By providing visibility to all cloud services in use, reporting on cloud spend, discovering which systems are actually utilized, and finding any overlap in cloud functionality and cost, a cloud access security broker provides invaluable business insights.
Data Security
CASBs act as a company’s gatekeeper that identifies cyber risks before they become a serious threat. Because the CASB is constantly scanning for breaches in cloud security, companies can feel more secure in their stored data. This deep level of security that follows content from the moment it is in or on its way to the cloud helps IT departments further analyze potential cyber threats. Furthermore, many of the top CASB architectures have the capability to encrypt data, control access to data, and quickly detect sensitive information.
Compliance
Compliance with data regulation is an important tenet of any system, yet a lack of compliance may lead to data breaches and cyber-attacks. Good cloud access security broker architecture can be used to ensure compliance in a cloud system regardless of industry. For instance, a CASB can help healthcare organizations remain HIPPA or HITECH compliant or can ensure financial consultants are in compliance with FFIEC and FINRA.
Threat Protection
Because everyone has access to the internet and cloud services, companies need to ensure their employees are not introducing malware and other cyber threats. Many CASBs offer real-time scanning that monitors both internal and external networks. If cloud services go unprotected, employees may unknowingly release a dangerous cyber threat onto the company. But with a CASB, IT departments will be notified as soon as a threat is detected so that they can quickly act on compromised cloud services.
Free eBook
SASE For Dummies
Learn the business and technical background of SASE including best practices, real-life customer deployments, and the benefits that come with a SASE enabled organization.
Learn More
Find more research, analysis, and information on SASE (Secure Access Service Edge), networking, security, SD-WAN, and cloud from industry thought leaders, analysts, and experts.