A Cloud access security broker, or CASB, is cloud-hosted software or on-premises software or hardware that act as an intermediary between users and cloud service providers. The ability of a CASB to address gaps in security extends across software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) environments. In addition to providing visibility, a CASB also allows organizations to extend the reach of their security policies from their existing on-premises infrastructure to the cloud and create new policies for cloud-specific context.
CASBs have become a vital part of enterprise security, allowing businesses to safely use the cloud while protecting sensitive corporate data.
The CASB serves as a policy enforcement center, consolidating multiple types of security policy enforcement and applying them to everything your business utilizes in the cloud—regardless of what sort of device is attempting to access it, including unmanaged smartphones, IoT devices, or personal laptops.
With the increase in workforce mobility, the growth in BYOD and the presence of unsanctioned employee cloud usage, or Shadow IT, the ability to monitor and govern the usage of cloud applications such as Office 365 has become essential to the goal of enterprise security. Rather than banning cloud services outright and potentially impacting employee productivity, a CASB enables businesses to take a granular approach to data protection and the enforcement of policies—making it possible to safely utilize time-saving, productivity-enhancing, and cost-effective cloud services.
The evolution of the CASB
Before the rise of cloud computing and BYOD policies, enterprise security existed in the same “walled garden” model that it had for more than a decade. But as services began originating in and shifting to the cloud—and employees began using these cloud services, with or without prior knowledge or approval of IT—businesses began looking for a way to enforce consistent security policies across multiple clouds and safeguard both users and corporate data.
The development of the cloud access security broker (CASB) allowed enterprise security professionals to gain visibility into the cloud, particularly unsanctioned software-as-a-service (SaaS) usage, or Shadow IT.
The insights provided by their CASB were shocking to many IT managers, who soon discovered that cloud usage in their enterprise was much deeper and more pervasive than they had imagined. According to the 2019 McAfee Cloud Adoption and Risk Report, while the average IT professional thought the business utilized around 30 cloud services, in reality they were using an average of 1,935.
While stemming the threats resulting from Shadow IT was a primary use case, it wasn’t the only thing that drove widespread adoption of CASBs. During this time, many businesses were moving their data storage capabilities from on-premises data centers to the cloud. This made CASB, which protected both the movement of data (by restricting things like access and sharing privileges) and the contents of the data (through encryption) even more essential.
While this change was taking place, the threat landscape was also being altered. Today, malware is more pervasive, phishing is both more elegant and better targeted, and small mistakes—for example, opening an AWS S3 bucket to the public—can create a security hole that could cost millions.
Because CASB security measures include features specifically designed to address these issues, the use of a CASB is now regarded as essential elements of enterprise security. According to Gartner (who first coined the term CASB in 2011), by 2022 60% of large enterprises will use CASBs—triple the number that used them at the end of 2018.
What CASBs offer
Many CASB security features are unique compared with those offered by other security controls such as enterprise/web application firewalls and secure web gateways, and may include:
- Cloud governance and risk assessment
- Data loss prevention
- Control over native features of cloud services, like collaboration and sharing
- Threat prevention, often user and entity behavior analytics (UEBA)
- Configuration auditing
- Malware detection
- Data encryption and key management
- SSO and IAM integration
- Contextual access control
Four pillars of CASB
From its beginnings as an answer to Shadow IT, CASB has grown to include functionality that can be described in terms of four pillars:
Large businesses may have any number of employees accessing many applications in many different cloud environments. When cloud usage is outside the view of IT, enterprise data is no longer bound by the company’s governance, risk, or compliance policies. To safeguard users, confidential data, and intellectual property, a CASB solution provides comprehensive visibility into cloud app usage, including user information such as device and location info. The cloud discovery analysis provides a risk assessment for each cloud service in use, allowing enterprise security professionals to decide whether to continue allowing access or whether to block the app. This information is also useful in helping shape more granular controls, such as granting varying levels of access to apps and data based on an individual’s device, location, and job function.
While businesses can outsource any and all of their systems and data storage to the cloud, they maintain responsibility for compliance with regulations governing the privacy and safety of enterprise data. Cloud access security brokers can help maintain compliance in the cloud by addressing a wide variety of compliance regulations such as HIPAA, as well as regulatory requirements such as ISO 27001, PCI DSS, and more. A CASB solution can determine the areas of highest risk in terms of compliance and provide direction as to what the security team should focus on to resolve them.
- Data Security
Cloud adoption has removed many of the barriers preventing effective collaboration at distance. But as much as the seamless movement of data can be of benefit, it can also come at a tremendous cost for businesses with an interest in protecting sensitive and confidential information. While on-premises DLP solutions are designed to safeguard data, their ability to do so often does not extend to cloud services and lacks cloud context. The combination of CASB with sophisticated DLP allows IT the ability to see when sensitive content is traveling to or from the cloud, within the cloud, and cloud to cloud. By deploying security features like data loss prevention, collaboration control, access control, information rights management, encryption, and tokenization, enterprise data leaks can be minimized.
- Threat Protection
Whether through negligence or malicious intent, employees and third parties with stolen credentials can leak or steal sensitive data from cloud services. To help pinpoint anomalous user behavior, CASBs can compile a comprehensive view of regular usage patterns and use it as a basis for comparison. With machine learning-based user and entity behavior analytics (UEBA) technology, CASBs can detect and remediate threats as soon as someone attempts to steal data or improperly gain access. To protect against threats coming from cloud services, the CASB can use capabilities such as adaptive access control, static and dynamic malware analysis, prioritized analysis, and threat intelligence to block malware.
Why do I need a CASB?
Will a CASB provide comprehensive cloud security?
In its latest report, Gartner describes cloud access security brokers as an essential element of enterprise cloud security. But while the use of a CASB is crucial for companies wishing to secure cloud usage in their enterprises, it is just part of the overall security strategy businesses should use to ensure defense from device to cloud. For a comprehensive protection plan, businesses should also consider expanding on the capabilities of their CASB by deploying a secure web gateway (SWG) to help safeguard internet usage and device data loss prevention solution (DLP) to help protect intellectual property and protect sensitive corporate data across the network.
How does a CASB work?
The job of a cloud access security broker is to provide visibility and control over data and threats in the cloud to meet enterprise security requirements. This is done through a three-step process:
- Discovery: The CASB solution uses auto-discovery to compile a list of all third-cloud services, as well as who is using them.
- Classification: Once the full extent of cloud usage is revealed, the CASB then determines the risk level associated with each by determining what the application is, what sort of data is within the app, and how it is being shared.
- Remediation: After the relative risk of each application is known, the CASB can use this information to set policy for the organization’s data and user access to meet their security requirements, and automatically take action when a violation occurs.
CASBs also offer additional layers of protection through malware prevention and data encryption.
How do I deploy a CASB?
Simplicity is a major selling point of cloud access security broker technology. Along with ease of use, one major benefit of CASB is its ease of deployment. Still, there are some things to consider:
A CASB can be deployed either on premises or in the cloud. Currently, the SaaS version is most popular, and the majority of CASB deployments are SaaS-based.
There are three different CASB deployment models to consider: API-Control, Reverse Proxy, and Forward Proxy.
- API Control: Offers visibility into data and threats in the cloud, as well as quicker deployment and comprehensive coverage.
- Reverse Proxy: Ideal for devices generally outside the purview of network security.
- Forward Proxy: Usually works in conjunction with VPN clients or endpoint protection.
Proxy deployments are often used to enforce inline controls in real time and comply with data residency requirements.
Gartner suggests businesses consider CASB products that offer a variety of architecture options to cover all cloud access scenarios. The flexibility afforded by a multi-mode CASB ensures that businesses can expand their cloud security as their needs continue to evolve.
Three considerations for choosing a CASB
- Is It A Good Fit? Prior to selecting a cloud access security broker, enterprises should identify their individual CASB use cases and look specifically for the solution that best addresses their goals. To best ensure a good fit, companies should either perform detailed POCs, compile research from cybersecurity analysts, or perform in-depth reference calls with other companies of similar size and with similar needs.
- Will It Grow and Change to Suit Your Needs? As enterprise cloud usage continues to grow, the threat landscape will grow along with it. By partnering with the right CASB vendor, you’ll be able to keep your cloud compliance and cloud security policies up to date—and you’ll generally have access to new capabilities sooner.
- Does It Protect IaaS? Protecting the SaaS is clearly important, but for comprehensive enterprise security, IaaS environments must be protected, too. For enterprises requiring this capability, the CASB should not only safeguard activity and configurations in the IaaS, but also defend their customers through threat protection, activity monitoring, and DLP controls.
What to do before buying CASB
Due diligence doesn’t stop with taking a comprehensive look at all vendor offerings. Many cloud access security broker (CASB) providers offer cloud audits and free trials to help you get an accurate idea of your company’s cloud usage and learn how the CASB will fit into your overall security infrastructure. You’ll want to see whether the CASB integrates with other pieces of your cloud security strategy, such as your DLP, SIEM, firewalls, secure web gateways, and more, and determine your best points of integration. You’ll also have the option of integrating the CASB with some SSO (single sign-on) or IAM (identity and access management) applications—it’s best to decide sooner rather than later whether and how to take advantage of these capabilities.
“Test-driving” your CASB will help ensure you’ve made the right choice. You should choose one of your most mission-critical apps to initially deploy the CASB. Trying it on a smaller scope will allow a thorough test while causing as little disruption as possible, while deploying it on an essential app will ensure compatibility with that service before going forward. If the experience is positive, try expanding it on a wider basis.
During the trial and evaluation period, you’ll also want to determine the CASB’s role in authentication and the extent to which you want it to deliver these features.
With cloud adoption nearly universal, the need for visibility and control over cloud applications and data has never been greater. Regardless of where your data lives or where it’s going, however, the responsibility of enterprise security professionals remains the same: to protect your users, your network, and your data. Learn more about McAfee’s CASB offerings.