A Cloud Access Security Broker (CASB) is a software tool or service that sits between an organization’s on-premises infrastructure and a cloud provider’s infrastructure. A CASB acts as a gatekeeper, allowing the organization to extend the reach of their security policies beyond their own infrastructure.
CASBs work by ensuring that network traffic between on-premises devices and the cloud provider complies with the organization’s security policies. CASB services may collect data that is useful for other purposes, such as demonstrating compliance, monitoring cloud service usage and auditing.
This collected data gives cloud access security brokers the ability to provide insight into which cloud applications are in use and to identify the use of unsanctioned cloud apps. This is especially important in regulated industries. CASBs use auto-discovery to identify cloud applications in use and to flag high-risk applications, high-risk users and other key risk factors. Cloud access brokers may enforce a number of different security access controls, including encryption and device profiling. They may also provide other services, such as credential mapping when single sign-on is not available.
CASBs are particularly useful in organizations with shadow IT operations or liberal security policies that allow operating units to procure and manage their own cloud resources. The data that CASBs collect can be used for reasons other than security, such as monitoring cloud service usage for budgeting purposes.
CASB use cases
A CASB has multiple use cases for the enterprise.
Secure shadow IT
One major use case is to discover, monitor, and secure shadow IT — the unauthorized use of cloud services by line-of-business staff. Because IT teams are not aware of shadow IT, it is not subject to corporate security, compliance, and governance policies. This exposes enterprises to significant security risks.
According to a recent survey of more than 2,000 IT pros by Intel Security, almost 40 percent of cloud services are now commissioned without the involvement of IT. As a result, 65 percent of IT professionals think shadow IT is interfering with their ability to keep cloud usage safe and secure. More than half of respondents said they have tracked malware from a cloud application.
Despite cloud security worries, 62 percent of respondents store sensitive customer information in the public cloud. Also, the number of companies using private cloud only has dropped from 51 percent to 24 percent over the past year, while hybrid cloud use has increased from 19 percent to 57 percent.
Govern device usage
CASBs can monitor and control user activities when users are accessing cloud services from a mobile or desktop app or sync client, govern access to public cloud services by device ownership class, monitor privileged accounts and prevent unauthorized activity in the cloud, monitor and control user activities with collaboration tools and social media without blocking those services, and monitor and control advanced or cross-service activities in real time.
In terms of securing data, CASBs can prevent data exfiltration from a sanctioned to an unsanctioned cloud service, enforce different policies for personal and corporate instances of the same cloud service, enforce a policy at the activity or data level across a category of services, enforce conditional activity-level policies, enforce layered policies, and apply encryption.
To protect against threats, CASBs can block or remediate malware in sanctioned cloud services and to and from unsanctioned cloud services, detect and alert enterprises about user login anomalies, detect anomalies such as excessive downloads, uploads, or sharing with both sanctioned and unsanctioned cloud services, and prevent data infiltration involving new employees.
Where CASBs run
CASBs may run on premises or in the cloud. Logically, CASBs sit between the end user and the cloud, but physically a CASB has to be located in one of two places: in a corporate data center or in the cloud itself. That means you have a choice between using a cloud access security broker as a service or hosting one on a physical or virtual appliance.
The SaaS option is easier to manage and is the more popular option, according to Gartner, but in certain industries you may have to use an on-premises system for compliance reasons.
How CASBs work
There are two key ways that a CASB can work. It can be set up as a proxy — either a forward or a reverse proxy — or it can work in API mode, using cloud providers’ APIs to control cloud access and apply corporate security policies. Increasingly CASBs are becoming “mixed mode” or “multi-mode,” using both proxying and API technology. That’s because each approach offers pros and cons.
For example, a forward proxy can be used for all types of cloud applications and all data passes through the proxy, but to use a forward proxy you need to install the proxy's self-signed certificate on every single device that accesses the proxy, since the proxy must be trusted by the device in order to inspect encrypted traffic. This can be difficult to deploy in a distributed environment or one with a large number of employee-owned mobile devices.
A reverse proxy system is easier in that respect because it is accessible from any device, anywhere, without the need for special configuration or certificate installation. The drawback is that a reverse proxy can’t work with client-server type apps, which have hard-coded hostnames.
API-based systems are also easy to deploy. One drawback, however, is that the range of cloud applications they can work fully with is more limited because not all cloud applications provide API support.
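As an added example (not code from this article or from any CASB product), the following Python script ties together the policy capabilities listed under "Govern device usage" and the proxy-versus-API distinction described above. Events from an inline proxy and findings from an API-mode scan are normalised into one schema and judged by the same layered policy: sanctioned versus unsanctioned service, corporate versus personal instance, device ownership class, external sharing, and an excessive-download anomaly. The proxy path can block in real time, while the API path only sees data at rest (and cannot see the device) and so can only flag items for after-the-fact remediation. The app hostnames, device classes, threshold and log lines are all constructed for the example.

```python
"""Mixed-mode CASB policy evaluation (illustrative, not a product's code).

Inline proxy events and API-mode scan findings are normalised into one Event
schema and evaluated by the same layered policy. All app names, device classes,
thresholds and sample records below are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed app catalogue: sanctioned status and whether the provider exposes
# an API the broker can use (API mode can only cover apps with an API).
APP_CATALOG = {
    "files.corp-sanctioned.example": {"sanctioned": True, "has_api": True},
    "notes.corp-sanctioned.example": {"sanctioned": True, "has_api": False},
    "share.unsanctioned.example": {"sanctioned": False, "has_api": False},
}

DOWNLOAD_THRESHOLD = 3  # downloads per user in one batch before it is anomalous
BYOD = "byod"           # employee-owned device class (others: managed, unknown)


@dataclass
class Event:
    source: str        # "proxy" (inline, real time) or "api" (out of band)
    user: str
    app: str
    activity: str      # upload / download / share
    device_class: str  # managed / byod / unknown (API mode cannot see the device)
    instance: str      # corporate / personal instance of the service
    external: bool = False  # share target is outside the organisation


@dataclass
class Verdict:
    action: str                 # allow / block / remediate
    reasons: list = field(default_factory=list)


def normalise_proxy(line: str) -> Event:
    """Parse one constructed inline-proxy log line made of key=value tokens."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Event("proxy", kv["user"], kv["host"], kv["activity"],
                 kv["device"], kv["instance"], kv.get("external") == "true")


def normalise_api(finding: dict) -> Event:
    """Map a constructed API-scan finding to the common schema. The API path
    sees content at rest rather than a request, so the device is unknown."""
    return Event("api", finding["owner"], finding["app"], finding["activity"],
                 "unknown", finding["instance"], finding.get("external_share", False))


def evaluate(ev: Event, download_counts: dict) -> Verdict:
    """Apply the layered policy; download_counts carries per-user state."""
    app = APP_CATALOG.get(ev.app, {"sanctioned": False, "has_api": False})
    reasons = []
    # Layer 1: category-level policy, no uploads to unsanctioned services.
    if not app["sanctioned"] and ev.activity == "upload":
        reasons.append("upload to unsanctioned service")
    # Layer 2: instance-aware policy, no uploads or shares on personal instances.
    if ev.instance == "personal" and ev.activity in ("upload", "share"):
        reasons.append("activity on personal instance of service")
    # Layer 3: device-ownership policy, employee-owned devices may not download.
    if ev.device_class == BYOD and ev.activity == "download":
        reasons.append("download to employee-owned device")
    # Layer 4: external sharing of corporate data.
    if ev.external and ev.instance == "corporate":
        reasons.append("external share of corporate data")
    # Anomaly detection: excessive downloads by a single user.
    if ev.activity == "download":
        download_counts[ev.user] += 1
        if download_counts[ev.user] > DOWNLOAD_THRESHOLD:
            reasons.append("excessive downloads")
    if not reasons:
        return Verdict("allow")
    # An inline proxy can stop the request; API mode learns after the fact.
    return Verdict("block" if ev.source == "proxy" else "remediate", reasons)


def run(proxy_lines, api_findings):
    """Evaluate both feeds in order and return (source, user, app, activity, verdict)."""
    counts = defaultdict(int)
    events = [normalise_proxy(l) for l in proxy_lines]
    events += [normalise_api(f) for f in api_findings]
    return [(ev.source, ev.user, ev.app, ev.activity, evaluate(ev, counts)) for ev in events]


# Constructed sample feeds.
PROXY_LOG = [
    "user=alice host=files.corp-sanctioned.example activity=download device=managed instance=corporate",
    "user=alice host=files.corp-sanctioned.example activity=download device=managed instance=corporate",
    "user=alice host=files.corp-sanctioned.example activity=download device=managed instance=corporate",
    "user=alice host=files.corp-sanctioned.example activity=download device=managed instance=corporate",
    "user=bob host=share.unsanctioned.example activity=upload device=managed instance=personal",
    "user=carol host=files.corp-sanctioned.example activity=download device=byod instance=corporate",
]
API_FINDINGS = [
    {"owner": "dave", "app": "files.corp-sanctioned.example", "activity": "share",
     "instance": "corporate", "external_share": True},
    {"owner": "erin", "app": "files.corp-sanctioned.example", "activity": "upload",
     "instance": "corporate"},
]

if __name__ == "__main__":
    for source, user, app, activity, verdict in run(PROXY_LOG, API_FINDINGS):
        print(f"{source:5} {user:6} {activity:8} {app:32} {verdict.action:9} {verdict.reasons}")
```

Running the script prints one verdict per record: alice's fourth download is blocked as excessive, bob's upload is blocked on two layers at once, carol's BYOD download is blocked, and dave's external share, found only by the API scan, is marked for remediation rather than blocked, which is exactly the real-time gap that drives vendors toward mixed-mode deployments.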