What is a CASB?
What is a CASB?
A cloud access security broker (CASB) is a security policy enforcement point that is deployed either on-premises or in the cloud.
The objective of a CASB is to enforce an organization's enterprise security policies when users attempt to access its cloud-based resources.
How Does a CASB Work?
A CASB is designed to sit between users and an organization's cloud-based resources.
All requests for cloud resources pass through the CASB, allowing it to inspect the details of the request and determine whether or not the traffic should be allowed to continue on to the requested resource.
This visibility and control enables the CASB to apply the organization's security policies to these requests, allowing an organization to more consistently apply security policies across its entire IT infrastructure.
How Do I Deploy a CASB?
CASB solutions can be deployed either in the cloud or on-premises.
A CASB can use one of three different deployment models:
- API Control: API-based CASBs are deployed out-of-band. They take cloud services provider-supplied APIs as input and use this information to monitor traffic within a cloud environment.
- Reverse Proxy: A reverse proxy is an in-line CASB option deployed near the cloud-based solution. All traffic to the cloud is targeted at the CASB, which forwards it on to its destination.
- Forward Proxy: A forward proxy is an in-line deployment option located closer to the user. By using SSL introspection, the CASB inspects traffic before forwarding it on to the cloud-based infrastructure.
After deployment, a CASB needs to know what cloud-based resources exist before it can protect them. It achieves the necessary level of visibility and control over cloud-based resources via a three-step process:
- Discovery: Due to shadow IT and the use of unauthorized cloud-based services, an organization may not be aware of all of the ways in which it and its employees are using the cloud. A CASB can automatically discover and compile a list of the cloud services in use and who is using it, providing visibility into an organization's actual cloud footprint.
- Classification: Many organizations use different security policies for data and applications with different levels of sensitivity. Once a CASB has discovered the scope of an organization's cloud-based resources, it can begin identifying the sensitivity and risk associated with each cloud-based application and data store.
- Enforcement: Based on this list of discovered and classified cloud-based resources, an organization can define policies for them. The CASB can then start enforcing these policies for requests to the cloud-based infrastructure.
What Does a CASB Do?
According to Gartner, once a CASB is aware of cloud-based resources, it can enforce a variety of different security policies and perform several functions, including:
- Single Sign-On
- Credential Mapping
- Device Profiling
- Logging and Alerting
- Malware Detection/Prevention
These functions range from protecting access to cloud-based resources to securing data being transmitted to/from the cloud to protecting the cloud against attack.
These capabilities are essential to an organization's data security and regulatory compliance strategy.
Why Do I Need a CASB?
A CASB solution provides an organization with the ability to address four key pillars in the cloud:
- Visibility: Many organizations struggle to achieve full visibility into their cloud infrastructure. The cloud is outside of the traditional network perimeter (where many security solutions are deployed) and accessible directly from the public Internet. A CASB enables an organization to achieve visibility into the cloud because all requests to an organization's cloud-based resources must pass through the CASB before being permitted to continue on to their destination. A CASB also enables the organization to apply and enforce its enterprise security policies on this cloud-bound traffic.
- Compliance: Organizations are subject to a number of different data protection regulations (such as PCI DSS, HIPAA, GDPR, CCPA, and others), and their obligations under these laws apply in the cloud as well as on-premises. A CASB enables an organization to comply with the requirements of applicable regulations by enforcing corporate policy on access requests to sensitive data stored in cloud-based resources.
- Data Security: The cloud is an invaluable resource for organizations, especially with the recent surge in remote work. By placing data in the cloud, organizations take advantage of increased accessibility, flexibility, and scalability compared to on-premises environments. However, this cloud-based data also needs to be protected against unauthorized access and potential compromise. By monitoring access requests for cloud-based sensitive data, a CASB allows an organization to manage access to these resources and enforce security protections - such as the use of encryption, tokenization, and similar technologies - for its sensitive cloud-based resources.
- Threat Protection: As cloud adoption increases, organizations will host more applications and store more sensitive data in the cloud. This makes cloud deployments a prime target for cybercriminals and increases the impact of insider risk that leaves these resources vulnerable to exposure. A CASB should be capable of detecting potentially risky or malicious activities in the cloud and take action to mitigate the threat.
Why a CASB May Not Be Enough
A CASB is designed to enable an organization to enforce enterprise security policies and protect sensitive data in the cloud.
However, this focus on policies and sensitive data means that a CASB's protection will never be "good enough".
A CASB is only as good as the policies and data classifications that are provided to it.
If a user takes actions that are within policy but place data at risk, the CASB will likely allow them. If data is not marked as "sensitive" in the CASB, then it will not be protected as such. On the other hand, a misconfigured policy or data misclassification can render employees unable to do their jobs.
A CASB places the burden on the administrator to define everything that can go wrong and classify every piece of potentially sensitive data.
A better approach is to assume that all data is important and monitor for the actions that place data at risk of a breach, rather than trying to define what should or should not be "allowed".
Cut the Cord: DLP and CASB solutions don’t combat today’s Insider Risk
Learn more in the 2021 Data Exposure Report, Volume II.