What Is a Cloud Access Security Broker (CASB)?
It is often said, "you cannot fight what you can't see," and this holds true for cybersecurity more than most things. As organizations evolve, adopt hybrid cloud models and increase their use and dependence on SaaS apps, there is a huge gray area in terms of the IT security team's field of vision for this SaaS traffic. We discuss a solution that grants visibility and enforcement ability to the IT team for API-driven SaaS traffic.
In the past decade, there has been a paradigm shift in how applications used by organizations are served, delivered and accessed. The main reasons for this shift were advantages associated with cloud-based services like easy scalability, ease of maintenance, flexibility and reduced time to benefit, accompanied by an increase in mobility and compute power of end-user devices.
As business reliance on cloud infrastructure, cloud computing and SaaS (software as a service) apps increases, more companies are embarking on a digital transformation journey. The aim is to let users work remotely under a bring your own device (BYOD) model and keep the business running irrespective of their work location. However, this shift in the way of working has created a blind spot and a visibility nightmare for the IT security and compliance teams. Most existing security solutions are blinded by their inability to interpret the API-driven communication model of cloud-based SaaS apps. These apps span IT security (SolarWinds), customer support (Zendesk), human resources (Workday, LinkedIn), engineering (GitHub), DevOps (Datadog), sales (Salesforce) and all other business verticals of any modern organization. The rise in these apps has led to a rise in shadow IT, a term coined for scenarios where employees operate outside the scope (and management) of the IT teams.
All these issues stem from a lack of visibility, control and understanding of API-driven SaaS traffic by existing IT security infrastructure. Hence, there is the need for a cloud-based, cloud-delivered security solution specifically designed to understand SaaS applications: a solution that provides a new layer of security to enable oversight and control of activities and information across public and custom cloud, SaaS apps and IaaS. To meet these needs and requirements, let me introduce a solution called Cloud Access Security Broker (CASB).
CASB solutions and their four foundational pillars
According to Gartner, a Cloud Access Security Broker (CASB) is an on-premises or cloud-based security policy enforcement point that is placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as cloud-based resources are accessed. Gartner and Forrester deem CASB a key technology and Gartner has a Magic Quadrant dedicated to CASB.
CASBs are broken down into four key capability areas: visibility (shadow IT discovery), data security, threat protection and compliance. These provide a central control plane for governance and policy enforcement across all of your cloud apps and services.
1. Visibility
A CASB solution provides a window into the traffic and workflow between the organization and the cloud workloads (SaaS apps) it accesses. A CASB also governs access to activities and data within services, for managed or unmanaged apps.
An ideal CASB solution could help enforce the "no sharing of data outside the organization" policy. Additionally, a CASB can help organizations discover all cloud services in use, report on what the cloud spend is and find redundancies in functionality and license costs.
2. Compliance
As organizations move their data and systems to the cloud, there is a parallel growth in data breaches and in additional regulations designed to ensure the safety and privacy of personal or corporate data. These regulations may be driven by a multinational union, like the General Data Protection Regulation (GDPR), or specific to industry domains, like the Health Insurance Portability and Accountability Act (HIPAA) for healthcare, the Payment Card Industry Data Security Standard (PCI-DSS) for the payment industry and the Gramm-Leach-Bliley Act (GLBA), to name a few.
A CASB can help meet these compliance norms and safeguard your company against costly data breaches by maintaining the data regulations set by your industry. Additionally, there are compliance and posture assessment norms, like Cloud Security Posture Management (CSPM), that are pivotal to an organization.
3. Data security
The efficacy of a CASB solution is determined by its ability to decipher cloud-bound traffic. This comes from highly sophisticated data loss prevention (DLP) systems for fingerprinting, combined with additional context (application, activity, location, etc.). DLP systems (within a CASB) allow detection and handling of suspected violations and enable the organization to engage in deeper threat observation and research. A CASB can act as a gatekeeper and whistleblower for impending malicious activity before it escalates.
4. Threat detection & protection
The final objective of CASB, like most security solutions, is to prevent malware and threats, especially those centered around and originating from clouds. These threats could originate from cloud storage services and their associated sync clients and services. This requires the ability to scan and remediate threats across internal/external networks or clouds in real time.
This also means detecting and preventing unauthorized user access, which can help discover unauthorized accounts or compromised credentials. CASB, with its innate intelligence and deep visibility, offers a vast yet resilient and intricate ability to detect and block threats at all levels before they cause chaos.
To summarize, CASBs consolidate multiple types of security policy enforcement. CASB security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention, etc. This creates a consolidated safety net for organizations by covering all major aspects of security surrounding cloud/SaaS apps.
An organization that has implemented CASB will have granular visibility, protection and control over the action, activities or operations a user can perform over a managed SaaS app (e.g. Salesforce, Google Drive). Organizations will be able to plan their security, cloud and compliance strategy based on this newly acquired deep control and visibility.
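The per-activity control described above, together with the "no sharing of data outside the organization" policy and shadow IT discovery, can be sketched as a small policy evaluator. This is an added example, not code from any CASB product; the event fields, the `example.com` domain, the `filedrop` app name and the unmanaged-device rule are assumptions made for illustration.

```python
from collections import Counter

ORG_DOMAIN = "example.com"                      # assumed corporate domain
MANAGED_APPS = {"salesforce", "google_drive"}   # assumed sanctioned-app list

# Constructed activity events, shaped as a CASB might normalize SaaS API traffic.
EVENTS = [
    {"user": "ana@example.com", "app": "google_drive", "activity": "share",
     "recipients": ["bo@example.com"], "device_managed": True},
    {"user": "ana@example.com", "app": "google_drive", "activity": "share",
     "recipients": ["bo@example.com", "eve@partner.test"], "device_managed": True},
    {"user": "raj@example.com", "app": "salesforce", "activity": "download",
     "recipients": [], "device_managed": False},
    {"user": "raj@example.com", "app": "filedrop", "activity": "upload",
     "recipients": [], "device_managed": True},
    {"user": "li@example.com", "app": "filedrop", "activity": "upload",
     "recipients": [], "device_managed": True},
]

def is_external(addr):
    """Malformed addresses count as external, so the policy fails closed."""
    _, sep, domain = addr.rpartition("@")
    return not sep or domain.lower() != ORG_DOMAIN

def evaluate(event):
    """Return (verdict, reason) for one event; the first matching rule wins."""
    if event["app"] not in MANAGED_APPS:
        return "alert", "unsanctioned app (shadow IT)"
    external = [r for r in event["recipients"] if is_external(r)]
    if event["activity"] == "share" and external:
        return "block", "external share to " + ", ".join(external)
    if event["activity"] == "download" and not event["device_managed"]:
        return "block", "download to unmanaged device"
    return "allow", "within policy"

def shadow_it_report(events):
    """Count events and distinct users for each app not on the managed list."""
    hits, users = Counter(), {}
    for e in events:
        if e["app"] not in MANAGED_APPS:
            hits[e["app"]] += 1
            users.setdefault(e["app"], set()).add(e["user"])
    return {app: {"events": n, "users": len(users[app])} for app, n in hits.items()}

if __name__ == "__main__":
    for e in EVENTS:
        print(e["user"], e["app"], e["activity"], "->", *evaluate(e))
    print(shadow_it_report(EVENTS))
```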
How can organizations choose the right CASB?
- There is no right or wrong choice with CASB. The focus should be on deciding what is the right fit for the organization's requirements. Establishing this requires a deep analysis/POC (proof of concept), with the organization's CASB use cases as the key objectives. It is also important to consider which deployment methodology of the CASB solution (client-based, reverse-proxy, forward-proxy, etc.) fits the requirement.
- It is of paramount importance that an organization keeps its future and growth plans in consideration when deciding on a CASB. Evaluate the CASB's ability to scale to future needs in terms of technology and business requirements. The number of POPs (points of presence) and their distribution across the globe is a parameter to consider.
- Consider the additional technological solution add-ons that integrate into a CASB solution to make it a cloud security solution. How good is the internal DLP offering? Does it provide IaaS protection and compliance, or cloud security posture management (CSPM) alongside SaaS? How high is the SaaS app detection efficacy and how elaborate is the SaaS app repository?
- How well does the CASB integrate with other pieces of your cloud security strategy, such as your DLP, SIEM (security information and event management), firewalls, secure web gateways and more? We also need to determine our best points of integration with CASB. You’ll also have the option of integrating the CASB with some SSO (single sign-on) or IAM (identity and access management) applications.
Implementing a CASB solution
CASB offers a solution to many of the visibility, compliance and enforcement concerns that have arisen in the modern enterprise and will only continue to grow with time. It becomes a pivotal cog in enforcing cyber resiliency and enabling a secure Zero Trust architecture for organizations.
WWT has industry-leading expertise and multiple success stories on cloud security, and provides different technical engagement levels by experts on cloud security solutions (CASBs), ranging from technology briefing, training and assessment to product bake-off. Initiate your discussion on cloud security and CASB deployment journey by requesting a Cloud Security Posture Assessment. If you are already past the adoption phase and have implemented a CASB or cloud security solution, please reach out to our WWT experts.