A CASB (cloud access security broker) is an intermediary between users, an organization, and a cloud environment. CASBs allow organizations to manage cloud security and enforce security policies through a consolidated platform.
The term CASB was introduced by Gartner in 2012, defined as “... on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed.”
CASBs are one of many emerging technologies recognized by Gartner, alongside other cloud security solutions, such as Cloud Security Posture Management (CSPM) and Cloud Infrastructure Entitlement Management (CIEM).
How Does a CASB Work?
CASBs protect the flow of data between an organization’s users and cloud services, such as Software-as-a-Service (SaaS) products. They enact organizations’ security policies to offer comprehensive and consistent cloud security, across all applications and resources, accessed from any device.
CASBs can integrate with other security functions, including:
- Data Leak Prevention (DLP)
- Security Information and Event Management (SIEM) systems
- Firewalls
- Secure Web Gateways (SWGs)
CASB’s Role in Cybersecurity
With 61% of businesses migrating their workloads to the cloud in 2020, organizations must effectively manage the cybersecurity risks and cloud misconfigurations which inevitably follow the implementation of new technology.
Common cloud-based services like software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) all have their own independent security functions in place.
While these third-party vendors provide their own security and protection methods, there is no single management point for security teams.
The security posture of each service provider also differs across platforms, which increases the potential for threat actors to identify and exploit cloud vulnerabilities.
CASBs allow organizations to enforce their own security policies, through several functions, across all cloud services and all user devices accessing the cloud.
The Four Pillars of CASB
Gartner categorizes CASBs’ functions into four pillars to achieve network security.
1. Visibility
CASBs provide visibility over user behavior across the cloud. This visibility covers the usage of cloud apps that are deployed by an organization’s IT team (sanctioned apps) and those that are not (unsanctioned apps, also known as shadow IT).
For sanctioned apps, CASBs can log and audit cloud usage patterns and other indicators of compromise to prevent potential unauthorized access. For example, if a user is trying to access a SaaS application from two different geographical locations simultaneously, the CASB will flag this activity and alert the information security team.
CASBs identify the use of shadow IT, allowing organizations to determine what action to take next. Many CASB services also provide the security rating of all applications users are attempting to access to help security teams determine whether or not to authorize access.
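The simultaneous-login example above, implemented as a small detection over CASB access logs (an added illustration, not code from the original page or from any CASB product; the log format, the one-hour window and the sample lines are all constructed assumptions):

```python
from datetime import datetime, timedelta

# Constructed sample CASB access-log lines: timestamp, user, app, country.
SAMPLE_LOGS = """\
2024-03-01T09:00:00 alice salesforce US
2024-03-01T09:20:00 alice salesforce US
2024-03-01T09:25:00 alice salesforce BR
2024-03-01T10:00:00 bob box DE
2024-03-01T14:30:00 bob box FR
2024-03-01T14:40:00 carol salesforce US
"""

# Two countries inside this window count as "simultaneous" access.
# This is an assumed policy value, not a figure from the page.
WINDOW = timedelta(hours=1)

def parse_logs(text):
    """Parse the constructed log format into sorted (timestamp, user, app, country) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, app, country = line.split()
        events.append((datetime.fromisoformat(ts), user, app, country))
    return sorted(events)

def find_impossible_travel(events, window=WINDOW):
    """Return (user, app, earlier_country, later_country, later_ts) for every
    case where one user reaches the same app from two countries within `window`.
    A security team would receive each tuple as an alert."""
    alerts = []
    last_seen = {}  # (user, app) -> (timestamp, country) of the previous access
    for ts, user, app, country in events:
        key = (user, app)
        if key in last_seen:
            prev_ts, prev_country = last_seen[key]
            if prev_country != country and ts - prev_ts <= window:
                alerts.append((user, app, prev_country, country, ts.isoformat()))
        last_seen[key] = (ts, country)
    return alerts
```

Only alice is flagged: her US and BR sessions are five minutes apart, while bob's DE and FR sessions are separated by more than the window.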
2. Compliance
CASBs help organizations manage and monitor regulatory compliance. Most service providers offer frameworks to guide the formation of security policies for recognized compliance regulations like GDPR, HIPAA, CCPA, and FISMA.
A CASB will also log users’ access to data and identify all data stored in the cloud, enabling more efficient compliance auditing and reporting.
3. Data Security
At their core, CASBs offer data security and protection. They can recognize sensitive data such as Payment Card Industry (PCI) data, personally identifiable information (PII), and protected health information (PHI), and apply stricter security controls to ensure adequate protection.
CASBs use data manipulation techniques to secure data including:
- Anonymization: Removes identifying data completely.
- Pseudonymization: Replaces identifying data with generic data, e.g. replacing a full birth date with the birth year.
- Tokenization: Replaces identifying data with non-sensitive substitute values, called tokens.
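The three techniques applied to one constructed customer record (an added example, not code from the original page or from any CASB vendor; the record, the field list and the token-vault design are assumptions for illustration):

```python
import secrets

# Constructed sample record containing PII; the values are not real.
RECORD = {
    "name": "Jane Example",
    "email": "jane@example.com",
    "birth_date": "1987-06-14",
    "card_number": "4111111111111111",
    "purchase_total": 42.50,
}

# Fields the (assumed) policy classifies as identifying.
IDENTIFYING_FIELDS = ("name", "email", "birth_date", "card_number")

def anonymize(record):
    """Anonymization: remove identifying fields completely; only
    non-identifying attributes survive for analytics."""
    return {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}

def pseudonymize(record):
    """Pseudonymization: replace identifying values with generic ones,
    e.g. a full birth date becomes just the birth year."""
    out = dict(record)
    out["name"] = "Customer"
    out["email"] = "user@" + record["email"].split("@", 1)[1]
    out["birth_date"] = record["birth_date"][:4]
    out["card_number"] = "****" + record["card_number"][-4:]
    return out

class TokenVault:
    """Tokenization: swap each sensitive value for a random token and keep
    the mapping on the organization's side, never in the cloud service."""
    def __init__(self):
        self._to_token = {}
        self._to_value = {}
    def tokenize(self, value):
        if value not in self._to_token:
            token = "tok_" + secrets.token_hex(8)
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]
    def detokenize(self, token):
        return self._to_value[token]

def tokenize_record(record, vault):
    out = dict(record)
    for field in IDENTIFYING_FIELDS:
        out[field] = vault.tokenize(record[field])
    return out
```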
4. Threat Protection
CASBs offer protection against cyber threats surrounding user behavior and data access to help prevent cloud leaks, data breaches, malware intrusions, and other cyber attacks.
Leveraging user behavior analytics, a CASB performs detailed logging to establish each user’s consistent operating patterns. It identifies irregular behavior and challenges it with additional authentication.
Organizations can also set automatic controls such as limiting file downloads, restricting users from accessing information not required for their job, and enforcing additional controls if a user is frequently accessing resources they don’t require.
CASB Security Policies
CASBs consolidate multiple security policies, enabling simultaneous enforcement across all cloud activity.
Some examples of security policies enforceable by CASBs include:
- User and Entity Behavior Analytics (UEBA)
- Single Sign-On (SSO)/Security Assertion Markup Language (SAML)
- Authentication
- Authorization
- Device Profiling
- Credential Mapping
- Encryption
- Logging
- Alerting
- Malware Detection and Prevention
CASB Types
The way in which a CASB secures access depends on which method of deployment it uses.
There are three CASB deployment methods.
API-based CASB
API-based CASBs use custom integrations with a specific cloud application’s API to mediate access between the user and that application.
Agent-based CASB
Agent-based CASBs are forward proxies placed on a managed endpoint (e.g. a company laptop), enabling the CASB to enforce security policies before the endpoint accesses cloud apps.
Agentless CASB
Agentless CASBs are reverse proxies that sit on the organization’s side and use authentication and security policies to authorize or deny cloud access from a non-managed device (e.g. a personal laptop).
CASB Use Cases and Benefits
The types of CASB, or combination of types, your organization will need to implement depends on the use case. You may need a combination of CASB deployment methods to cover your specific needs.
Below are some common CASB use cases and their benefits.
Security for Bring Your Own Device (BYOD)
As many organizations introduce work-from-home or hybrid working models, bring your own device (BYOD), the use of personal devices for work, is becoming a more common choice for employees and for third-party vendors who also require some access to the cloud environment.
Agentless CASBs allow security teams to manage authorization of unmanaged devices, through the use of a reverse proxy. When a user attempts to log in to a cloud service, the reverse proxy can either allow or deny the request and redirect the user accordingly with the permitted level of access.
The use of a reverse proxy also eliminates privacy concerns, as the user does not need to install any additional certificates or other software directly onto their device.
Preventing Cloud Leaks
Implementing a cloud environment significantly increases an organization’s attack surface by adding the risk of cloud leaks. Security teams must effectively manage attack vectors such as malware, which could facilitate a data breach.
CASBs provide cloud security through several settings. For example, they can limit users’ access rights to sensitive and corporate data, and even restrict download rights for certain users or devices. CASBs can also examine data exchanges between a device and the cloud to check for different types of malware intrusions.
Providing Data Security
Data security is a core pillar of a CASB’s functions: a CASB can identify sensitive data and apply appropriate data manipulation techniques when needed. Organizations can still perform analytics on this data.
CASBs also provide continuous security monitoring, allowing organizations to gain real-time insights into the security posture of any of their cloud service providers.
Enabling Data Encryption
Organizations can use API-based CASBs to enable data encryption. API integrations allow organizations to use their own encryption algorithms instead of the cloud service provider’s methods.
The use of independent encryption can help prevent third-party data breaches, as the service provider cannot access or view the data it is storing in the cloud.
Monitoring and Managing Regulatory Compliance
Organizations in all industries should ensure regulatory compliance monitoring is a priority in their cybersecurity programs. Keeping up-to-date with the latest regulatory requirements and managing compliance can be difficult in a rapidly changing threat landscape, especially in financial services.
As another core pillar of their functions, CASBs help organizations monitor and manage compliance through guided templates for compliance with global regulations and frameworks, alongside their data logging functionality.
The data manipulation techniques that CASBs offer also allow organizations to remain compliant with privacy regulations, like GDPR and CCPA.
Providing Access Control
CASB solutions provide access control to manage how users access and edit data by assigning specific permissions depending on each user’s role and the organization’s requirements.
Preventing Unauthorized Access
In 2020, 90% of companies were operating through a multi-cloud strategy. The larger the cloud environment, the greater the risk of unauthorized access occurring through compromised accounts.
CASBs use UEBA to ensure that users’ cloud behavior aligns with previously recorded usage logs. They alert security teams of any abnormal behavior and can provide additional data protection in such scenarios by enforcing extra authentication requirements, restricting or limiting data access, or entirely denying user access.
The Future of CASBs
The steady rise of organizations turning away from data centers and towards cloud computing solutions like AWS and Azure has increased the demand for cloud access security brokers since their market introduction.
Gartner’s introduction of the concept Secure Access Service Edge (SASE) in 2019 has further increased their demand, as security teams begin to implement SASE into their organizations.
SASE involves the consolidation of network and security functions into a cloud-based service. The SASE security model outlines CASBs as one of five core security components, working alongside other vital network and security functions, including:
- Software-defined Wide Area Network (SD-WAN)
- Firewall-as-a-Service (FWaaS)
- Secure Web Gateway (SWG)
- Zero-trust Network Access (ZTNA)
CASB vendors are continuing to refine and diversify their capabilities, with many reputable solutions now offering both API-based and proxy-based services.
Top CASB Vendors
The following vendors provide organizations with effective CASB solutions.
1. McAfee MVISION Cloud
McAfee MVISION Cloud provides comprehensive visibility and control for SaaS, PaaS, and IaaS, across Content and DevOps environments.
Features:
- Cloud registry
- Cloud activity monitoring
- AI-driven activity mapper
- Insider threat detection
- Guided learning
- Structured data encryption
2. Microsoft Cloud App Security
Microsoft Cloud App Security operates on multiple clouds and provides visibility, control over data travel, and analytics to identify and combat cyber threats across all cloud services.
Features:
- Endpoint detection and response
- Unified endpoint management
- Identity and access management (IAM)
- Data loss prevention (DLP)
- Security workflow automation
- SIEM
- Cloud security posture management (CSPM)
- Incident response
3. Broadcom (Symantec) CloudSOC Cloud Access Security Broker
Symantec CloudSOC Cloud Access Security Broker offers cloud app security by providing visibility, data security, and threat protection across sanctioned and unsanctioned cloud apps and services on SaaS, PaaS, and IaaS platforms.
Features:
- DLP
- UEBA
- Encryption
- Contextual data for security incident remediation
- Cloud service discovery and usage
4. Netskope Security Cloud
Netskope Security Cloud offers visibility, real-time data, and threat protection across all devices accessing cloud services, websites, and private apps.
Features:
- Cloud app risk scoring
- DLP
- Granular visibility and control
- Real-time enforcement
- Flexible third-party integrations
5. Bitglass Cloud Access Security Broker
Bitglass Cloud Access Security Broker protects data end-to-end, across all cloud apps and devices by enforcing access controls, limiting sharing, protecting against malware, avoiding data leakage, and more.
Features:
- DLP
- Zero-day threat protection
- UEBA
- Anti-malware engine
- Real-time security
6. Cisco Cloudlock
Cisco Cloudlock is an API-based cloud access security broker (CASB) that helps accelerate cloud usage by securing identities, data, and apps to combat account compromises, breaches, and cloud app ecosystem risks.
Features:
- DLP
- Firewall
- Security risk scoring
- App discovery and analytics
- Automated data protection and remediation workflows