As cloud computing took hold, it became apparent that organizations needed a way to secure their data in cloud and software-as-a-service environments. Enter CASBs, which helped give organizations visibility into their cloud environment to detect security threats and protect sensitive data.
CASBs scan internal and external networks in real time for suspicious files. They discover, classify, and block malicious activity from cloud apps.
CASB solutions help protect sensitive data when it moves to or from the cloud. They provide significant visibility into multi-cloud activity, enabling organizations to detect and respond to malware, phishing attacks, DDoS attacks, and more.
Some also offer granular threat protection capabilities like sandboxing, packet inspection, URL filtering, and browser isolation.
A cloud access security broker's (CASB's) visibility into cloud activity allows enterprises to identify shadow IT and to address their share of security responsibility by extending on-premises policies to infrastructure-as-a-service, platform-as-a-service, and software-as-a-service (IaaS, PaaS, and SaaS) environments.
Many CASBs can now provide robust visibility, access control, governance, security policy enforcement, compliance management, and data protection capabilities, including encryption and tokenization.
Early CASBs focused on stemming the tide of what was then called “Shadow IT.” The sales pitch was that IT teams were discovering that their employees were using commercial Dropbox or other apps for work, and traditional security tools couldn’t see the traffic since it never crossed the corporate network.
The CASB solution identifies the apps and provides a list of user identity and behavior patterns, which form a baseline so that any deviation from normal user activity can be flagged as a possible threat. This enables a CASB to block or quarantine unapproved cloud applications or notify the user of a potential policy violation.
The security pillars in a CASB include granular access control, malware prevention, and threat detection. These help the CASB identify suspicious activity, mitigate it, and alert administrators to potential risks.
For example, a CASB could monitor the download of sensitive customer data from a cloud-based sales application on a managed device and raise an alert if it’s downloaded on an unmanaged device like a smartphone or IoT device.
As organizations shift to a remote and dispersed workforce, it becomes increasingly important to understand how data is handled in the cloud. On-premises data loss prevention (DLP) tools are practical, but they cannot protect against the risk of information being shared with third parties or stolen by insiders through cloud collaboration or file-sharing.
A CASB enables organizations to gain visibility into data handling in the cloud and protect it using features such as access control, data leakage protection (DLP), encryption, information rights management, and tokenization.
Additionally, CASBs help organizations adhere to regulatory requirements. CASB solutions can identify regional data residency laws and benchmark security configurations against compliance regulations such as SOX, HIPAA, and PCI DSS.
CASBs can be deployed on-premises or in the cloud and are often delivered as software as a service (SaaS) to provide better performance and scalability.
In either deployment mode, CASBs can be configured with a forward proxy, a reverse proxy, or both, and API support for the administration of SaaS, infrastructure-as-a-service (IaaS), and platform-as-a-service (PaaS) applications.
Security Policy Enforcement
While the cloud has made it easy for employees to access corporate information, lack of employee training, sloppy data handling, and third-party threats can still result in various security breaches. CASBs provide strong, data-centric protection to mitigate these risks.
For example, a common risk is losing intellectual property, such as engineering designs or product specifications, through collaboration tools like Slack and Trello or file storage services. CASB solutions protect this information by blocking file downloads from unapproved sites or encrypting files to prevent sensitive data leaks.
A CASB can also block malicious behavior using various techniques, including threat detection and response, sandboxing, packet inspection, URL filtering, anti-malware, and other advanced technologies. This provides a critical layer of protection if an employee downloads a file containing malware.
CASBs can also help enterprises meet compliance requirements. This capability leverages user behavior analytics to recognize high-risk activities, such as accessing regulated data or using a service that doesn’t adhere to an enterprise security policy.
CASBs can also use encryption and tokenization to encrypt sensitive data or replace it with non-sensitive information (e.g., replacing a birth date with a year).
However, these functions aren’t always included in every CASB solution because cryptography requires considerable subject matter expertise and doesn’t typically fall within the scope of a CASB’s core capabilities.
While mitigating shadow IT-related risks was the initial driver of CASB adoption, these tools’ ability to discover and monitor all cloud apps (whether sanctioned or not) and data in real time has become increasingly important.
With many companies moving most of their workloads to the cloud, a CASB can help them manage security policies and control access to sensitive information no matter where it resides.
Moreover, CASBs can protect against data loss and other threats by scanning content as it travels between the cloud and the organization’s networks.
For example, a CASB with DLP functionality can identify sensitive data stored within cloud services or being uploaded to the cloud (sanctioned or not) from mobile or desktop devices, and then block, quarantine, or delete any content flagged as a potential policy violation.
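The DLP decision described above, and the managed versus unmanaged device case mentioned earlier, sketched as an added example (not code from any CASB product). The event fields, the policy order, and the action names are assumptions; card numbers stand in for "sensitive data" because PCI DSS is one of the regimes the page names.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: discards digit runs (order ids, phone numbers) that are not cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list[str]:
    """Return masked card numbers so the DLP log itself does not store full PANs."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits

def decide(event: dict, sanctioned_apps: set[str]) -> tuple[str, list[str]]:
    """Hypothetical policy: return (action, masked findings) for one transfer event."""
    findings = find_card_numbers(event["content"])
    if not findings:
        return "allow", findings
    if event["app"] not in sanctioned_apps:
        return "block", findings          # sensitive data headed to an unsanctioned app
    if not event["device_managed"]:
        return "quarantine", findings     # sanctioned app, but unmanaged device
    return "allow_and_log", findings

# Constructed sample events (4111... is the well-known Visa test number).
SANCTIONED = {"sales-crm"}
EVENTS = [
    {"app": "sales-crm", "device_managed": True,  "content": "Card 4111 1111 1111 1111"},
    {"app": "sales-crm", "device_managed": False, "content": "Card 4111-1111-1111-1111"},
    {"app": "file-drop", "device_managed": True,  "content": "PAN 4111111111111111"},
    {"app": "file-drop", "device_managed": True,  "content": "Order 1234 5678 9012 3456"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["app"], ev["device_managed"], decide(ev, SANCTIONED))
```

The last event shows why the checksum matters: a 16-digit order number matches the pattern but fails Luhn, so it is allowed rather than flagged.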
In addition, a CASB with encryption capabilities can encrypt all the data transferred to the cloud or stored on endpoint devices, scrambling it so that it cannot be deciphered even if stolen from a device or compromised by malware.
Lastly, a CASB with monitoring functionality can scan for and detect infrastructure misconfigurations that could create severe risk and alert administrators.
It can also ingest log data from firewalls, secure web gateways, and endpoint agents, and detect unauthorized cloud apps and devices.
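How log-based discovery of unsanctioned cloud apps can work, as an added example rather than any vendor's implementation. The log format, the app catalogue, and all host names are constructed for illustration.

```python
from collections import defaultdict

# Constructed secure-web-gateway log lines: time, user, destination host, bytes uploaded.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice files.sanctioned-storage.example 52000
2024-05-01T09:15:40Z bob upload.personal-share.example 48000000
2024-05-01T09:16:02Z bob upload.personal-share.example 51000000
2024-05-01T10:01:17Z carol api.notes-app.example 1200
malformed line without enough fields
2024-05-01T10:05:00Z alice intranet.corp.example 900
"""

# Hypothetical app catalogue: domain suffix -> (app name, sanctioned?)
CATALOGUE = {
    "sanctioned-storage.example": ("SanctionedStorage", True),
    "personal-share.example": ("PersonalShare", False),
    "notes-app.example": ("NotesApp", False),
}

def match_app(host, catalogue):
    """Match on a dot boundary so 'xpersonal-share.example' is not misattributed."""
    for suffix, entry in catalogue.items():
        if host == suffix or host.endswith("." + suffix):
            return entry
    return None

def discover(log_text, catalogue):
    """Return (unsanctioned apps ranked by upload volume, unclassified hosts, skipped lines)."""
    usage = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    unclassified, skipped = set(), 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            skipped += 1                      # count unparseable lines, do not drop silently
            continue
        _, user, host, nbytes = parts
        entry = match_app(host.lower(), catalogue)
        if entry is None:
            unclassified.add(host.lower())    # not in the catalogue: needs analyst review
        elif not entry[1]:
            usage[entry[0]]["users"].add(user)
            usage[entry[0]]["bytes_out"] += int(nbytes)
    ranked = sorted(usage.items(), key=lambda kv: kv[1]["bytes_out"], reverse=True)
    return ranked, unclassified, skipped

if __name__ == "__main__":
    for app, stats in discover(SAMPLE_LOG, CATALOGUE)[0]:
        print(app, sorted(stats["users"]), stats["bytes_out"])
```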