Cloud Access Security Brokers (CASB)
A CASB is a set of cloud security technologies, delivered either as an on-premises appliance or as a SaaS service, that addresses the risks introduced by an organization's use of cloud apps and services. It sits as a control point between the organization's users and on-premises infrastructure on one side and the cloud provider's infrastructure on the other. The general purpose of a CASB is to extend the reach of the organization's security policies beyond its own infrastructure to third-party software and storage. It can be deployed in two ways:
1. On-Premises: an appliance is installed that acts as a proxy between your organization, your identity provider and the cloud provider.
2. Cloud-Hosted: software delivered as a service that acts as a control point, providing continuous visibility, compliance, threat protection and security for cloud services.
CASB Use Cases:
1. Identify and evaluate all the cloud apps in use
2. Enforce cloud application management policies in web proxies or firewalls
3. Identify and control the handling of sensitive information
4. Encrypt or tokenize sensitive content to enforce privacy and security
5. Detect and block unusual account behavior indicative of malicious activity
6. Integrate cloud visibility and controls with broader security solutions for data loss prevention, access management, and web security
Shadow IT: Many enterprise business units acquire cloud services directly, without IT's involvement. They start using SaaS applications without a proper onboarding process that evaluates security factors; this is the distinction between sanctioned apps (reviewed and approved by IT) and unsanctioned apps (adopted without any review).
This form of "Shadow IT" is fueling growth in cloud service adoption as well as in security risk: corporate data ends up in services that nobody has assessed and that no existing control covers.
A CASB works by ensuring that network traffic between the organization's devices and the cloud provider complies with the organization's security policies. Its capabilities are commonly grouped into four pillars:
1. Cloud App Discovery and Analysis
Provide Shadow IT discovery and risk analysis, typically by ingesting firewall and web-proxy logs, including detailed cloud app risk ratings, usage analytics, and continuous reporting.
2. Data Governance and Protection
Provide the ability to enforce data-centric security policies to prevent unwanted activity such as inappropriate sharing of content. Support encryption and tokenization of compliance-related data.
3. Threat Protection and Incident Response
Prevent malicious activity such as data exfiltration resulting from account takeover, session hijacking, or insider activity through continuous monitoring of user behavior. Identify and block malware being uploaded to or shared within cloud apps, and provide tools for incident response.
4. Compliance and Data Privacy
Assist with data residency and compliance with regulations and standards, as well as identify cloud usage and risks of specific cloud services.
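The discovery pillar in practice is log analytics: the CASB ingests proxy or firewall logs, maps destination hosts to a catalog of cloud apps with risk ratings, and reports which unsanctioned apps are in use, by whom, and how much data is already flowing to them. The following is an added example written for this page, not code from any CASB product; the log format, users, hostnames, app catalog and risk scores are all constructed.

```javascript
// Added example, not code from the page: shadow-IT discovery over web-proxy
// logs, the way a CASB's discovery module works. The log format, hostnames,
// users, app catalog and risk scores are all constructed for illustration.

// Constructed app catalog: domain suffix -> app metadata. Risk scores are
// illustrative (0 = benign, 10 = highest), not any vendor's ratings.
const APP_CATALOG = [
  { suffix: "sharepoint.com", app: "Microsoft SharePoint", sanctioned: true,  risk: 2 },
  { suffix: "salesforce.com", app: "Salesforce",           sanctioned: true,  risk: 2 },
  { suffix: "dropbox.com",    app: "Dropbox",              sanctioned: false, risk: 6 },
  { suffix: "wetransfer.com", app: "WeTransfer",           sanctioned: false, risk: 8 },
  { suffix: "pastebin.com",   app: "Pastebin",             sanctioned: false, risk: 9 },
];

// Constructed proxy log, one request per line:
// <timestamp> <user> <method> <host> <bytes_sent> <bytes_received>
const SAMPLE_LOG = `
2024-03-04T09:01:12Z alice PUT  corp.sharepoint.com  1048576  512
2024-03-04T09:02:40Z alice GET  www.salesforce.com   300      20480
2024-03-04T09:05:03Z bob   POST content.dropbox.com 5242880  256
2024-03-04T09:05:59Z bob   POST content.dropbox.com 7340032  256
2024-03-04T09:07:20Z carol POST wetransfer.com       52428800 128
2024-03-04T09:09:11Z dave  GET  news.example.org     200      8192
2024-03-04T09:10:02Z carol POST pastebin.com         4096     128
`.trim();

function parseLine(line) {
  const [ts, user, method, host, sent, recv] = line.trim().split(/\s+/);
  return { ts, user, method, host: host.toLowerCase(),
           bytesSent: Number(sent), bytesRecv: Number(recv) };
}

// Match the registered domain and its subdomains only; a plain substring
// match would let "evil-dropbox.com" masquerade as Dropbox.
function lookupApp(host) {
  return APP_CATALOG.find(a => host === a.suffix || host.endsWith("." + a.suffix)) || null;
}

// Aggregate per app: distinct users, request count and bytes uploaded. Upload
// volume to an unsanctioned app is the figure most relevant to exfiltration.
function discoverApps(logText) {
  const byApp = new Map();
  const unclassified = new Set();
  for (const line of logText.split("\n")) {
    if (!line.trim()) continue;
    const r = parseLine(line);
    const meta = lookupApp(r.host);
    if (!meta) { unclassified.add(r.host); continue; }
    const e = byApp.get(meta.app) || {
      app: meta.app, sanctioned: meta.sanctioned, risk: meta.risk,
      users: new Set(), requests: 0, bytesUploaded: 0,
    };
    e.users.add(r.user);
    e.requests += 1;
    if (r.method === "POST" || r.method === "PUT") e.bytesUploaded += r.bytesSent;
    byApp.set(meta.app, e);
  }
  return {
    apps: [...byApp.values()].map(e => ({ ...e, users: [...e.users].sort() })),
    // Hosts the catalog does not know: the real shadow-IT backlog to triage.
    unclassifiedHosts: [...unclassified].sort(),
  };
}

// The shadow-IT report: unsanctioned apps at or above a risk threshold,
// ordered by how much data has already left for them.
function shadowItReport(logText, minRisk = 5) {
  return discoverApps(logText).apps
    .filter(e => !e.sanctioned && e.risk >= minRisk)
    .sort((a, b) => b.bytesUploaded - a.bytesUploaded);
}

console.log(shadowItReport(SAMPLE_LOG).map(e =>
  `${e.app} risk=${e.risk} users=${e.users.join(",")} uploaded=${e.bytesUploaded}`).join("\n"));
```

Two details matter more than the aggregation itself: hosts are matched on the registered domain and its subdomains rather than by substring, and hosts absent from the catalog are returned separately instead of silently dropped, because an app nobody has catalogued yet is exactly what shadow-IT discovery is for.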
CASB Architectural Options:
The CASB market was originally segmented between providers that delivered CASB features via forward and/or reverse proxy modes and providers that used API mode exclusively. Most CASBs now offer a choice between the proxy modes of operation and also support APIs (multimode CASBs).
Reverse Proxy: This can be deployed as a gateway on-premises or, more commonly, as SaaS. The CASB is inserted into the login flow: it hands authentication off to the IDaaS provider, but, importantly, the URL the user works with belongs to the CASB and not to the cloud service, so every subsequent request to the SaaS application is steered through the CASB by the URL itself.
A reverse proxy is one way to insert the CASB in front of end users accessing the SaaS service without touching endpoint configuration. The exception is native mobile apps that use certificate pinning: they connect to the service's own hostname and reject the CASB's certificate, so they cannot be steered this way.
It also allows for control over key management and the application of cryptography on-premises, with no access by a cloud-based CASB or the cloud service provider. With a hosted (SaaS) reverse proxy, the CASB and/or the CSP may have indirect access to the key management system and to the keys/tokens being used in the cloud.
Forward Proxy: This can be deployed in the cloud or on-premises. To steer endpoint traffic to it, vendors may deploy software agents on endpoint devices, push profiles through enterprise mobility management (EMM), or use other methods such as DNS redirection and proxy auto-configuration (PAC) files.
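A PAC file is the simplest of the steering methods named above: a JavaScript function the browser calls per request to decide whether to go direct or through a proxy. The one below is an added example, not a configuration from the page or from any vendor; the proxy address, internal suffixes and bypass host are assumptions. It sends all external traffic through the CASB (so unsanctioned apps are discovered too), keeps intranet traffic direct, and deliberately has no fallback to DIRECT.

```javascript
// Added example, not from the page: a proxy auto-configuration (PAC) file that
// steers endpoint browser traffic to a forward-proxy CASB. The proxy address,
// internal suffixes and bypass hosts are assumptions for this example.

var CASB_PROXY = "PROXY casb-proxy.example.com:8080";
var DIRECT = "DIRECT";

// Intranet names that must never be sent to the CASB (constructed).
var INTERNAL_SUFFIXES = [".corp.example.com", ".local"];

// Hosts excluded from inspection, e.g. a native client that pins its
// certificate and breaks behind any TLS-intercepting proxy (constructed).
var BYPASS_HOSTS = ["updates.pinned-vendor.example"];

// Old PAC engines (JScript in WinHTTP) have no String.prototype.endsWith,
// so use a suffix test that works everywhere.
function hasSuffix(s, suffix) {
  return s.length >= suffix.length &&
         s.lastIndexOf(suffix) === s.length - suffix.length;
}

function isInternal(host) {
  if (host.indexOf(".") === -1) return true;        // unqualified intranet name
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    if (hasSuffix(host, INTERNAL_SUFFIXES[i])) return true;
  }
  return false;
}

function isBypassed(host) {
  for (var i = 0; i < BYPASS_HOSTS.length; i++) {
    if (host === BYPASS_HOSTS[i]) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isInternal(host) || isBypassed(host)) return DIRECT;
  // Everything external goes through the CASB so that unsanctioned apps are
  // discovered too, not only the ones already in a catalog.
  // Deliberately no "; DIRECT" fallback: "PROXY ...; DIRECT" fails open and
  // silently bypasses inspection whenever the CASB is unreachable.
  return CASB_PROXY;
}
```

A PAC file is only honored by browsers and proxy-aware applications, and a user with local administrator rights can replace it or switch it off; native apps that ignore system proxy settings are not steered at all. That is why the page lists endpoint agents and EMM profiles alongside PAC and DNS: they are the enforcement mechanisms, and the PAC is the convenient one.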
API Mode: This leverages the native features of the SaaS service itself by granting the CASB permission to access the service's API directly. It allows organizations to collect log telemetry, gain policy visibility and control, and run data security inspection over all data at rest in the cloud application or service, including content that was uploaded before the CASB was deployed or from devices that never passed through a proxy.
API mode also makes it possible to take advantage of both CASB-native data protection and a growing number of data protection features offered by the SaaS provider itself (for example, Salesforce Shield), whereby the provider performs the encryption/tokenization functions while the customer controls the key material.
However, the SaaS provider still has to access the keys to serve the application, and data is unencrypted while in use by the application; this protects data at rest in the provider's storage, not against a compromise of the application layer itself.
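What "data security inspection on data at rest" looks like once the CASB holds API access is a loop over the service's file listing, checking each file's sharing permissions against its content. The following is an added example written for this page, not code from any CASB or SaaS vendor: the file records are constructed to look like a file-listing API response, the tenant domain and policy thresholds are assumptions, and no real API is called. The card numbers are published test numbers, and a Luhn check keeps arbitrary 16-digit strings from being reported as cards.

```javascript
// Added example, not from the page: policy inspection over data at rest, the
// work a CASB in API mode does after listing files and their permissions
// through the SaaS provider's API. The file records, tenant domain and policy
// are constructed; no real API is called.

const TENANT_DOMAIN = "example.com";

// Constructed records shaped like a file-listing API response. Card numbers
// are public test numbers, not real accounts.
const FILES = [
  { id: "f1", name: "q3-board-deck.pptx", owner: "alice@example.com",
    permissions: [{ type: "user", email: "bob@example.com", role: "writer" }],
    content: "Board deck. Revenue 12.3M." },
  { id: "f2", name: "customer-export.csv", owner: "bob@example.com",
    permissions: [{ type: "anyone", role: "reader" }],
    content: "name,card\nJane Doe,4111 1111 1111 1111\nJohn Roe,5500-0000-0000-0004" },
  { id: "f3", name: "vendor-contract.pdf", owner: "carol@example.com",
    permissions: [{ type: "user", email: "legal@partner-law.example", role: "reader" }],
    content: "Contract text, no card data." },
  { id: "f4", name: "notes.txt", owner: "dave@example.com",
    permissions: [{ type: "user", email: "dave@example.com", role: "owner" }],
    content: "Test number 1234 5678 9012 3456 is not a valid PAN." },
  { id: "f5", name: "expense-report.xlsx", owner: "erin@example.com",
    permissions: [{ type: "user", email: "books@contractor-cpa.example", role: "reader" }],
    content: "Corporate Amex 3782 822463 10005 used for travel." },
  { id: "f6", name: "team-photo.jpg", owner: "erin@example.com",
    permissions: [{ type: "anyone", role: "reader" }],
    content: "" },
];

// Luhn check, so that arbitrary digit runs are not reported as card numbers.
function luhnValid(digits) {
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Primary account numbers: 13 to 19 digits, optionally separated by spaces or
// hyphens, that pass Luhn.
function findCardNumbers(text) {
  const hits = [];
  const re = /(?:\d[ -]?){12,18}\d/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// Who outside the tenant can read this file?
function sharingExposure(file) {
  const out = [];
  for (const p of file.permissions) {
    if (p.type === "anyone") out.push("public");
    else if (p.type === "user" && !p.email.toLowerCase().endsWith("@" + TENANT_DOMAIN)) {
      out.push("external:" + p.email);
    }
  }
  return out;
}

// Policy: card data readable outside the tenant is high; a public link on
// anything is medium; card data at rest but internal only is low. "action" is
// what the CASB would then perform through the same API (remove a permission,
// quarantine the file), which is the control half of API mode.
function inspectFiles(files) {
  const findings = [];
  for (const f of files) {
    const pans = findCardNumbers(f.content);
    const exposure = sharingExposure(f);
    if (pans.length > 0 && exposure.length > 0) {
      findings.push({ id: f.id, severity: "high", pans: pans.length, exposure,
                      action: "remove_external_sharing_and_quarantine" });
    } else if (exposure.includes("public")) {
      findings.push({ id: f.id, severity: "medium", exposure, action: "remove_public_link" });
    } else if (pans.length > 0) {
      findings.push({ id: f.id, severity: "low", pans: pans.length, action: "notify_owner" });
    }
  }
  return findings;
}

console.log(JSON.stringify(inspectFiles(FILES), null, 1));
```

The inspection reads plaintext because the CASB is an authorized principal of the SaaS service: this is the same access the provider itself has, and the same limit the paragraph above describes. Content encrypted client-side before upload, with keys the provider never sees, is invisible to API-mode inspection as well.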
CASB Market Players:
1. Microsoft Cloud App Security
2. Cisco CloudLock
3. McAfee Skyhigh