A cloud access security broker (CASB) is cloud-based or on-premises security software positioned between users and cloud services. A CASB is responsible for enforcing enterprise security policies for cloud services access. Learn more about CASB and how it works below.
What Is a Cloud Access Security Broker (CASB)?
A CASB gives enterprises a single control point for securing the use of cloud services across multiple providers, whether users are on-premises or remote and whether the applications are sanctioned or unsanctioned. That control point matters more as software-as-a-service (SaaS) applications spread through the organization.
The security functions a CASB typically provides include authentication, authorization, and single sign-on (SSO); credential mapping; device profiling; encryption and tokenization; logging and alerting; and malware detection and prevention.
Portions of this definition originally appeared on eSecurity Planet and are excerpted here with permission.
How Can a CASB Be Used?
With the growth of internet-enabled technology and cloud computing comes growth in the attack surface. Companies can strengthen their security posture with next-generation firewalls (NGFWs), secure web gateways (SWGs), and web application firewalls (WAFs), but those controls only see the network traffic that passes through them. They have no view of what happens inside a SaaS tenant, such as who shares which file with whom, and they cannot enforce policy on data already stored in the cloud.
A cloud access security broker fills in the gaps by implementing a number of cloud-specific security practices:
- Secure shadow IT: A CASB can discover, monitor, and secure shadow IT, meaning cloud applications and services that users or endpoints adopt without IT approval. Bringing these into view reduces the security, compliance, and governance risk of corporate data flowing to services the organization has never assessed.
- Govern device usage: A CASB can monitor and control user activity in mobile and desktop applications. It can monitor user activity on collaboration tools and social media without blocking those services outright, govern access to public cloud services by device ownership class (managed corporate device versus personal device), and monitor privileged accounts for unauthorized activity.
- Secure data: A CASB can prevent data exfiltration from sanctioned to unsanctioned cloud services and apply data encryption. It can also enforce different policies for corporate and personal instances of the same cloud service (for example, allowing uploads to the corporate tenant of a storage service while blocking uploads to a personal account on the same service), apply an activity- or data-level policy across a whole category of services, and layer conditional activity-level policies on top.
- Block malware: A CASB can block or remediate malware; detect and alert on user login anomalies; detect anomalous behavior such as excessive downloads, uploads, or sharing with sanctioned and unsanctioned cloud services; and flag data infiltration involving new employees (for example, files brought in from a previous employer).
- Protect applications: A CASB restores some of the visibility, access control, data loss prevention (DLP), threat protection, and breach logging that is lost when data moves from an on-premises data center to the cloud.
- Monitor remote work and BYOD devices: A CASB can monitor and authenticate access to cloud services and gives IT teams visibility into the many access points created by remote work and bring your own device (BYOD) policies.
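The device-ownership, instance-aware and activity-level policies described in the list above are easiest to understand as a small rule engine. The following is an added example written for this page, not any vendor's code: the request fields, the rule names, the hostnames and the sample requests are all constructed assumptions, and the engine evaluates rules in priority order with first match winning, which is one common way such layered policies are expressed.

```python
"""Inline (proxy-mode) CASB policy evaluation over constructed requests.

Added example for illustration; not a real product's policy language.
The Request fields, rule names and sample data below are assumptions.
"""
from __future__ import annotations

from dataclasses import asdict, dataclass
from typing import Callable


@dataclass(frozen=True)
class Request:
    user: str
    app: str             # application name, e.g. "google-drive"
    category: str        # application category, e.g. "cloud-storage"
    instance: str        # tenant / login domain the proxy observed, e.g. "corp.example.com"
    activity: str        # "upload", "download", "share", "post", "browse", ...
    device_managed: bool # True for a corporate-managed device, False for BYOD
    sanctioned: bool     # True if IT has approved the app


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Request], bool]
    action: str          # "allow", "block" or "coach" (warn the user, then allow)


# Assumed corporate tenants; anything else is treated as a personal instance.
CORPORATE_INSTANCES = {"corp.example.com"}


def is_corporate_instance(req: Request) -> bool:
    return req.instance in CORPORATE_INSTANCES


# Layered policy: evaluated top to bottom, first matching rule decides.
POLICY = [
    # Data exfiltration to shadow IT: never upload or share to an unsanctioned app.
    Rule("block-upload-to-unsanctioned",
         lambda r: not r.sanctioned and r.activity in {"upload", "share"},
         "block"),
    # Instance awareness: same app, but a personal instance gets no corporate data.
    Rule("block-upload-to-personal-instance",
         lambda r: r.sanctioned and not is_corporate_instance(r)
         and r.activity in {"upload", "share"},
         "block"),
    # Device ownership class: unmanaged devices may view but not download corporate files.
    Rule("block-download-from-unmanaged-device",
         lambda r: r.category == "cloud-storage" and is_corporate_instance(r)
         and not r.device_managed and r.activity == "download",
         "block"),
    # Category-level, activity-level policy without blocking the whole service.
    Rule("coach-social-media-post",
         lambda r: r.category == "social-media" and r.activity == "post",
         "coach"),
]


def evaluate(req: Request) -> tuple[str, str]:
    """Return (action, rule name) for a request; default is allow."""
    for rule in POLICY:
        if rule.matches(req):
            return rule.action, rule.name
    return "allow", "default-allow"


def audit_record(req: Request) -> dict:
    """Decision plus the request fields, as a CASB would log it for audit."""
    action, rule = evaluate(req)
    return {**asdict(req), "action": action, "rule": rule}


# Constructed sample traffic.
SAMPLE_REQUESTS = [
    Request("alice", "google-drive", "cloud-storage", "corp.example.com", "upload", True, True),
    Request("alice", "google-drive", "cloud-storage", "gmail.com", "upload", True, True),
    Request("bob", "google-drive", "cloud-storage", "corp.example.com", "download", False, True),
    Request("bob", "wetransfer", "file-sharing", "wetransfer.com", "upload", True, False),
    Request("carol", "linkedin", "social-media", "linkedin.com", "post", True, True),
    Request("carol", "linkedin", "social-media", "linkedin.com", "browse", True, True),
]


def run(requests=SAMPLE_REQUESTS) -> list[dict]:
    return [audit_record(r) for r in requests]


if __name__ == "__main__":
    for record in run():
        print(f'{record["user"]:6} {record["app"]:13} {record["activity"]:9} '
              f'-> {record["action"]:5} ({record["rule"]})')
```

The point of the `instance` field is that a proxy can tell a corporate tenant from a personal account of the same service (it sees the login identity or tenant hostname), which is what lets the second sample request be blocked while the first is allowed.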
What Are the Benefits of a CASB?
By combining several policy enforcement functions in one place, a CASB can control access to cloud applications and data and provide benefits including:
- Restriction of unauthorized access
- Identification of account takeovers
- Discovery of shadow IT
- Cloud DLP
- Internal and external data access controls
- Record and audit trails of risky behavior
- Cloud phishing and malware threat monitoring
- Continuous monitoring for new cloud risks
Other benefits mentioned by current CASB users include reduced costs and increased agility as well as outsourced hardware, engineers, and code development.
How Do CASBs Work?
API-based CASBs are usually easy to deploy: they use the cloud providers' administrative APIs to read audit logs, inspect stored data, and apply security policies, so nothing sits in the traffic path. The trade-off is that enforcement happens after the fact (a public share is revoked shortly after it was created rather than blocked as it happens), and not every application exposes a suitable API, which limits the range of services an API-only CASB can cover.
Forward proxy CASBs, by comparison, can handle any cloud application and any data type, but because they intercept TLS they require the proxy's root CA certificate (typically self-signed) to be installed as trusted on every device that sends traffic through the proxy, along with some mechanism to steer traffic to it. That is cumbersome for large organizations with many employee-owned devices.
Reverse proxy CASBs address this problem: they need no certificate or special configuration on the device, because the identity provider redirects authenticated users to the proxy, which rewrites the application's URLs so browser traffic keeps flowing through it. The limitation is that they can't handle client-server (native or thick-client) apps with hard-coded hostnames, since those clients never see the rewritten URLs and connect directly to the service.
Each method has its own pros and cons, and the growth of cloud-based technology, with the security concerns and complexity that come with it, has pushed the market toward hybrid or multimode CASBs that combine API- and proxy-based coverage. Companies then get the benefits of both approaches.
Types of CASB Deployment
How a CASB is deployed depends on the type of CASB system chosen. Inline deployments are popular for forward and reverse proxies, and out-of-band deployments are common for API systems.
In an inline deployment, a forward proxy sits close to the users and can proxy traffic to many cloud services at once. Traffic is steered to it with a proxy auto-configuration (PAC) file, DNS configuration, an endpoint agent, proxy forwarding or chaining from an existing gateway, or a network TAP. A TAP is passive: it gives the CASB a copy of the traffic for monitoring, but it cannot block a request inline.
A reverse proxy, by comparison, sits close to the cloud application and integrates with identity-as-a-service (IDaaS) and identity and access management (IAM) solutions. After the identity provider authenticates the user, it redirects the session to the proxy, which receives the user's requests on their way to the cloud application, applies the predefined security rules, and forwards the permitted requests on.
Out-of-band deployments work differently: instead of touching the traffic, they use the providers' APIs to read audit logs and inspect data at rest, usually asynchronously. The result is broad coverage (including activity from unmanaged devices that never touches a proxy), no change to application behavior, and retrospective policy enforcement, meaning a policy can be applied to data and sharing settings that already existed before the policy was written.
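To make the out-of-band mode concrete, the following added example (written for this page, not taken from any CASB product) runs three API-mode checks over a constructed SaaS audit log: the login anomaly and excessive-download detection listed under "Block malware" earlier on this page, and the retrospective enforcement described just above, which finds public share links that already exist and revokes them. The event schema, thresholds, usernames, file names and the revoke callback are all assumptions standing in for a real provider's audit and admin APIs.

```python
"""Out-of-band (API-mode) CASB checks over a constructed SaaS audit log.

Added example for illustration; not a vendor's code. The event schema,
thresholds and the revoke callback are assumptions standing in for a
real provider's audit and administration APIs.
"""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Callable

# Constructed sample events, in the shape a SaaS audit API might return them.
EVENTS = [
    {"ts": "2024-05-01T08:00:00Z", "user": "alice", "action": "login", "country": "US"},
    {"ts": "2024-05-01T08:30:00Z", "user": "alice", "action": "login", "country": "BR"},
    {"ts": "2024-05-01T09:00:00Z", "user": "bob", "action": "login", "country": "US"},
    {"ts": "2024-05-01T09:01:00Z", "user": "bob", "action": "download", "file": "q1-forecast.xlsx"},
    {"ts": "2024-05-01T09:02:00Z", "user": "bob", "action": "download", "file": "q2-forecast.xlsx"},
    {"ts": "2024-05-01T09:03:00Z", "user": "bob", "action": "download", "file": "board-deck.pptx"},
    {"ts": "2024-05-01T09:04:00Z", "user": "bob", "action": "download", "file": "payroll.csv"},
    {"ts": "2024-05-01T09:05:00Z", "user": "bob", "action": "download", "file": "contracts.zip"},
    {"ts": "2024-05-01T09:06:00Z", "user": "bob", "action": "download", "file": "roadmap.docx"},
    {"ts": "2024-05-01T10:00:00Z", "user": "carol", "action": "share", "file": "customer-list.csv", "scope": "public"},
    {"ts": "2024-05-01T10:05:00Z", "user": "carol", "action": "share", "file": "lunch-menu.pdf", "scope": "internal"},
]

DOWNLOAD_LIMIT = 5                        # more than this many downloads ...
DOWNLOAD_WINDOW = timedelta(minutes=10)   # ... inside this window is "excessive"
TRAVEL_WINDOW = timedelta(hours=1)        # two countries within an hour is implausible


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def by_time(events: list[dict]) -> list[dict]:
    # ISO-8601 timestamps of equal length sort correctly as strings.
    return sorted(events, key=lambda e: e["ts"])


def detect_impossible_travel(events: list[dict]) -> list[dict]:
    """Login anomaly: same user, a different country, within TRAVEL_WINDOW."""
    last_login: dict[str, dict] = {}
    findings = []
    for e in by_time(events):
        if e["action"] != "login":
            continue
        ts = parse_ts(e["ts"])
        prev = last_login.get(e["user"])
        if prev and prev["country"] != e["country"] and ts - prev["ts"] <= TRAVEL_WINDOW:
            findings.append({"type": "impossible-travel", "user": e["user"],
                             "from": prev["country"], "to": e["country"], "ts": e["ts"]})
        last_login[e["user"]] = {"ts": ts, "country": e["country"]}
    return findings


def detect_excessive_downloads(events: list[dict]) -> list[dict]:
    """Sliding-window count of downloads per user; alert once per user."""
    windows: dict[str, deque] = defaultdict(deque)
    alerted: set[str] = set()
    findings = []
    for e in by_time(events):
        if e["action"] != "download":
            continue
        ts = parse_ts(e["ts"])
        window = windows[e["user"]]
        window.append(ts)
        while window and ts - window[0] > DOWNLOAD_WINDOW:
            window.popleft()
        if len(window) > DOWNLOAD_LIMIT and e["user"] not in alerted:
            alerted.add(e["user"])
            findings.append({"type": "excessive-downloads", "user": e["user"],
                             "count": len(window), "ts": e["ts"]})
    return findings


def revoke_public_shares(events: list[dict], revoke: Callable[[str], None]) -> list[dict]:
    """Retrospective enforcement: public links that already exist are revoked
    through the provider's admin API, represented here by the `revoke` callback."""
    findings = []
    for e in events:
        if e["action"] == "share" and e.get("scope") == "public":
            revoke(e["file"])
            findings.append({"type": "public-share-revoked", "user": e["user"], "file": e["file"]})
    return findings


def run(events: list[dict] = EVENTS) -> tuple[list[dict], list[str]]:
    """Run all checks; returns (findings, files whose public links were revoked)."""
    revoked: list[str] = []
    findings = (detect_impossible_travel(events)
                + detect_excessive_downloads(events)
                + revoke_public_shares(events, revoked.append))
    return findings, revoked


if __name__ == "__main__":
    found, revoked_files = run()
    for f in found:
        print(f)
    print("revoked:", revoked_files)
```

Because these checks read logs rather than traffic, they also catch bob's downloads if he used an unmanaged device that never went through a proxy, which is the coverage advantage of the out-of-band mode; the cost is that the six files are already on his machine by the time the alert fires.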
CASB and Identity Management
As the remote workforce keeps growing, identity management becomes more important for securing corporate networks and cloud services. CASBs will continue to be deployed to supplement IAM with behavior monitoring and consistent security configuration across applications.