What is CASB?

A cloud access security broker provides visibility, data security with Data Loss Prevention (DLP), and threat protection so you can safely use cloud apps.

The cloud allows organizations to be more agile, collaborative, and cost-efficient, but these benefits come with security challenges.

How do you gain visibility into what cloud apps people are using and if they are safe? How do you ensure sensitive documents are not being shared inappropriately? How do you adhere to critical compliance regulations? How do you protect against malicious activity? Cloud Access Security Brokers (CASBs) address all of these questions so you can be safe and secure in the cloud.

Cloud Access Security Broker (CASB)

A New Solution for Cloud Security

A cloud access security broker (CASB) is a software tool or service that sits between an organization's on-premises or remote infrastructure and a cloud provider's infrastructure, acting as a mediator that examines cloud traffic and extends the reach of the organization's security policies into the cloud. A CASB does this either inline, by interposing itself between end users (whether they are on desktops on the corporate network, on mobile devices, or working remotely from unknown networks) and the cloud service, or out of band, by using the cloud provider's own API.

CASB helps an IT Security team:

  • Identify and evaluate all the cloud apps in use (Shadow IT)
  • Enforce cloud application management policies in existing web proxies or firewalls
  • Create and enforce granular policies to govern handling of sensitive information, including compliance-related content
  • Encrypt or tokenize sensitive content to enforce privacy
  • Detect and block unusual account behavior indicative of malicious activity
  • Integrate cloud visibility and controls with your existing security solutions

Cloud Service Models

A Cloud Access Security Broker Examines Three Categories of Cloud Apps

IaaS - Infrastructure as a Service

Examples include: AWS and Azure. The IaaS provider hosts hardware, software, servers, storage, and other infrastructure components enabling organizations to deploy their own applications and data in the cloud.

SaaS – Software as a Service

Examples include: Microsoft Office 365, Google G Suite, Box, Dropbox, and more. The SaaS provider hosts software applications and makes them available via subscription over the internet. SaaS is a popular model for many business enablement applications including messaging, email, file sharing, CRM, HRM, and more.

PaaS – Platform as a Service

PaaS provides a managed hardware and software environment that hosts applications and data. PaaS offerings can include web service integration, collaboration tooling for DevOps, and database integration, with the provider responsible for securing the underlying platform. PaaS vendors include AWS, Azure, Google, IBM, Salesforce.com, and Red Hat.

Reasons to Use a CASB

Uncover and rate cloud apps for risks

CIOs think they have 30-40 cloud apps on their network, when in reality the average organization has over 1,000. They need to be able to identify these apps, rate them according to their security risk, and select those that conform to the organization's risk tolerance. For more info, refer to the Shadow IT Discovery Best Practices Guide.

Classify data

Compliance Officers need to know what types of compliance-related data (PII, PCI, PHI, GDPR-related, etc.) are being stored and shared in the cloud, and whether this data is exposed or at risk. Other data types such as legal documents, engineering schematics, source code, and other intellectual property, need to be identified and protected.

Identify data exposures

Security administrators and compliance officers need to define the rules that govern data exposure by classification, so that exposure in the cloud can be controlled whether it results from accidental sharing by users, from malicious insiders, or from attacker activity.
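As an added illustration of the two steps described above (classify the content, then judge its exposure), and not code from the original page or from any CASB product, the following Python sketch labels each file from its content, compares the sharing level reported by the cloud app against the widest exposure the label allows, and chooses a remediation. The detectors (a Luhn-checked card number pattern, a US SSN pattern, a CONFIDENTIAL marker), the sharing levels, the policy table and the sample files are all assumptions constructed for the example; a production DLP engine carries far richer dictionaries and document fingerprints.

```python
"""Content classification plus sharing-exposure policy for cloud-stored files.

Added example, not code from the original page or any CASB product. The
detectors, exposure levels, policy table and sample files below are all
assumptions constructed for illustration.
"""
import re

# 13-19 digits, optionally separated by spaces or dashes (assumed PAN shape).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape with the invalid area/group/serial ranges excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# Document marker used by the (assumed) internal classification scheme.
MARKER_RE = re.compile(r"\bCONFIDENTIAL\b")


def luhn_valid(candidate):
    """Luhn checksum over the digits of candidate; filters out random digit runs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text):
    """Return the set of data-class labels found in text."""
    labels = set()
    if any(luhn_valid(m) for m in PAN_RE.findall(text)):
        labels.add("PCI")
    if SSN_RE.search(text):
        labels.add("PII")
    if MARKER_RE.search(text):
        labels.add("CONFIDENTIAL")
    return labels


# Sharing levels as a file-sharing app's API might report them, least to most exposed.
EXPOSURE = ["private", "internal", "external_users", "anyone_with_link"]
# Assumed policy: the widest sharing level each data class may have.
MAX_EXPOSURE = {"PCI": "private", "PII": "internal", "CONFIDENTIAL": "internal"}


def evaluate_exposure(content, sharing):
    """Classify content and decide the remediation for its current sharing level."""
    labels = classify(content)
    violations = sorted(
        label for label in labels
        if EXPOSURE.index(sharing) > EXPOSURE.index(MAX_EXPOSURE[label])
    )
    if "PCI" in violations:
        action = "quarantine"          # pull the file out of the share entirely
    elif violations:
        action = "restrict_sharing"    # drop the link / external collaborators
    else:
        action = "allow"
    return {"labels": sorted(labels), "violations": violations, "action": action}


# Constructed sample files with the sharing state a CASB would read via the app's API.
SAMPLE_FILES = [
    ("receipts-q3.xlsx", "Refund to card 4111 1111 1111 1111 exp 09/27", "anyone_with_link"),
    ("onboarding-jdoe.docx", "Employee J. Doe, SSN 123-45-6789, start 2024-03-01", "internal"),
    ("order-8812.txt", "Order ref 4111 1111 1111 1112, call 555-0100", "anyone_with_link"),
    ("roadmap-fy25.pptx", "CONFIDENTIAL: FY25 product roadmap", "external_users"),
]


def scan_files(files=SAMPLE_FILES):
    """Evaluate every file; returns {name: verdict}."""
    return {name: evaluate_exposure(content, sharing) for name, content, sharing in files}


if __name__ == "__main__":
    for name, verdict in scan_files().items():
        print(f"{name:22} {verdict['labels']} -> {verdict['action']}")
```

The third sample file matters most: its digit run has the shape of a card number but fails the Luhn check, so it is not labelled PCI and a public link to it is left alone. Without that check, a classifier of this kind produces the false positives that make DLP policies get switched to monitor-only.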

Extend on-prem DLP to the cloud

IT organizations with on-premises DLP often want to extend coverage to the cloud seamlessly, with consistent dictionaries, policies, and workflows, and unified reporting.

Identify risky users

CIOs, IT Security Directors, and Data Privacy Officers need to identify risky user behavior, including but not limited to sensitive file oversharing, data exfiltration, data destruction, and the use of unsafe cloud apps. They need to respond quickly to incidents, discover the impact and extent of credential compromise, malware infection, brute force attacks, or other issues, and automate security precautions wherever possible.
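The following Python sketch is an added example of the behavior detection and automated response described above; it is not code from the original page or from any CASB product. It runs three sliding-window rules (failed-login bursts, bulk downloads, bulk external shares) and an impossible-travel rule over cloud audit events, and maps each alert to the precaution that would be pushed back to the identity provider or the app's API. The event shape, the thresholds, the response table and the sample events are assumptions constructed for the example.

```python
"""Risky-user detection over cloud audit events, with an automated response per rule.

Added example, not code from the original page or any CASB product. The event
shape, thresholds, response table and sample events are assumptions constructed
for illustration.
"""
from collections import defaultdict

BASE = 1_700_000_000  # constructed epoch timestamps for the sample events

# (action counted, events needed, window in seconds): assumed detection thresholds.
BURST_RULES = {
    "brute_force": ("login_failed", 5, 300),
    "mass_download": ("download", 20, 600),
    "mass_external_share": ("share_external", 10, 600),
}
IMPOSSIBLE_TRAVEL_WINDOW = 3600  # two countries within an hour is not plausible travel

# Assumed automated precaution per rule, fed back to the IdP / the app's API.
RESPONSE = {
    "brute_force": "lock_account_and_step_up_auth",
    "mass_download": "suspend_session_and_investigate",
    "mass_external_share": "revoke_external_shares",
    "impossible_travel": "revoke_sessions_and_step_up_auth",
}


def burst_alerts(events, rule):
    """Sliding-window count of one action per user; one alert per user when it trips."""
    action, threshold, window = BURST_RULES[rule]
    recent = defaultdict(list)
    tripped = {}
    for e in events:                        # events must already be time-ordered
        if e["action"] != action or e["user"] in tripped:
            continue
        times = recent[e["user"]]
        times.append(e["ts"])
        while e["ts"] - times[0] > window:  # drop timestamps older than the window
            times.pop(0)
        if len(times) >= threshold:
            tripped[e["user"]] = e["ts"]
    return [{"rule": rule, "user": u, "ts": t, "response": RESPONSE[rule]}
            for u, t in tripped.items()]


def impossible_travel_alerts(events):
    """Successful logins from two countries closer in time than any flight allows."""
    last = {}                               # user -> (ts, country) of previous login
    alerts = []
    for e in events:
        if e["action"] != "login_ok":
            continue
        prev = last.get(e["user"])
        if prev and prev[1] != e["detail"] and e["ts"] - prev[0] < IMPOSSIBLE_TRAVEL_WINDOW:
            alerts.append({"rule": "impossible_travel", "user": e["user"], "ts": e["ts"],
                           "response": RESPONSE["impossible_travel"]})
        last[e["user"]] = (e["ts"], e["detail"])
    return alerts


def detect(events):
    """Run every rule over the events; alerts come back ordered by time."""
    ordered = sorted(events, key=lambda e: (e["ts"], e["user"]))
    alerts = impossible_travel_alerts(ordered)
    for rule in BURST_RULES:
        alerts.extend(burst_alerts(ordered, rule))
    return sorted(alerts, key=lambda a: (a["ts"], a["rule"], a["user"]))


# Constructed audit trail: bob bulk-downloads, mallory's account is brute-forced,
# alice logs in from two countries 30 minutes apart, carol and dave are benign.
SAMPLE_EVENTS = (
    [{"ts": BASE + 30 * i, "user": "bob", "action": "download", "detail": f"design-{i}.pdf"}
     for i in range(25)]
    + [{"ts": BASE + 10 * i, "user": "mallory", "action": "login_failed", "detail": "203.0.113.7"}
       for i in range(6)]
    + [
        {"ts": BASE + 100, "user": "alice", "action": "login_ok", "detail": "US"},
        {"ts": BASE + 1900, "user": "alice", "action": "login_ok", "detail": "BR"},
        {"ts": BASE + 500, "user": "carol", "action": "login_ok", "detail": "DE"},
        {"ts": BASE + 40000, "user": "carol", "action": "login_ok", "detail": "FR"},
        {"ts": BASE + 700, "user": "dave", "action": "download", "detail": "notes.txt"},
    ]
)

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"t+{a['ts'] - BASE:>5}s {a['rule']:20} {a['user']:8} -> {a['response']}")
```

Each rule fires once per user so that a 25-file download produces one alert, not six; the alert carries the timestamp of the event that tripped it, which is the point from which the audit trail must be reviewed. Carol's two logins eleven hours apart from neighbouring countries are left alone, which is the kind of benign case the impossible-travel window has to be tuned against.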

Develop a cloud governance program

Organizations need to protect their intellectual property, stay competitive in the marketplace, and maintain regulatory compliance. They need to do this by applying DLP, data security, encryption, and access controls to their SaaS, PaaS, and IaaS resources, perhaps forming a Cloud Center of Excellence.

Ensure compliance & data privacy

Compliance Officers may want to continuously monitor how data is being accessed and shared by the organization and individual departments to make sure they meet compliance requirements.

Monitor cloud usage & detect threats

Security managers need to continually monitor data usage for possible policy violations, data leakage, malware attacks, and user access to unauthorized websites that could pose a risk to cloud accounts and data.

Post incident response

In the event that cloud accounts are compromised, files are infected with malware, or data is mishandled from cloud accounts, IT departments need the ability to initiate a post-event investigation on the issue and to provide an audit trail detailing what documents were moved where and by what credentials.

CASB Deployment

Effective CASB solutions need to cover a wide range of scenarios, including documenting sanctioned and unsanctioned apps, risk scoring of apps and users, and tracking business and personal accounts as they access sanctioned apps from mobile devices and desktops, both managed and unmanaged. To protect the flow of information depending on its content, a CASB may add authentication and encryption to traffic to and from the cloud. To address all of these scenarios, comprehensive CASB solutions use the following:

APIs

Many of the major cloud applications have well-defined APIs used by a CASB to monitor activity, analyze content, and modify settings as needed.

Gateways

CASB Gateways sit between the users and their cloud apps, providing valuable insights into cloud activity and offering a vehicle for real-time policy enforcement.

Log Data

CASB can import log data from firewalls, secure web gateways, or WAFs to analyze traffic and protect information.

Agents

Endpoint agents give the CASB visibility into cloud activity on user devices, including BYOD, and enforce CASB policies on the device itself.
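As an added example of the Log Data deployment mode and of the "uncover and rate cloud apps" use case earlier on this page, and not code from the original page or from any CASB product, the following Python sketch parses records exported from a proxy, aggregates users and traffic volume per cloud app, rates each app from a catalog of risk attributes, and turns the rating into the allow, coach or block decision an integrated secure web gateway would enforce. The export layout, the catalog and its risk scores, the upload threshold and the sample records are assumptions constructed for the example.

```python
"""Shadow IT discovery from exported proxy logs, with risk rating and SWG actions.

Added example, not code from the original page or any CASB product. The log
layout, the app catalog and its risk attributes, the thresholds and the sample
records are assumptions constructed for illustration.
"""
import re

# Assumed export layout: epoch,user,source_ip,destination_host,bytes_sent,bytes_received
LOG_LINE = re.compile(
    r"^(?P<ts>\d+),(?P<user>[^,]+),(?P<src>[^,]+),(?P<host>[^,]+),(?P<sent>\d+),(?P<recv>\d+)$"
)

# Constructed catalog keyed by registered domain; risk is a 1-10 score (10 = worst).
APP_CATALOG = {
    "office365.com":     {"app": "Microsoft Office 365", "sanctioned": True,  "risk": 2},
    "box.com":           {"app": "Box",                  "sanctioned": True,  "risk": 2},
    "dropbox.com":       {"app": "Dropbox",              "sanctioned": False, "risk": 5},
    "dropboxapi.com":    {"app": "Dropbox",              "sanctioned": False, "risk": 5},
    "pastehost.example": {"app": "PasteHost",            "sanctioned": False, "risk": 9},
}
UPLOAD_ALERT_BYTES = 10 * 1024 * 1024  # assumed: 10 MiB to an unsanctioned app is worth a look

# Constructed sample export; the last line shows a malformed record being skipped.
SAMPLE_LOG = """\
1700000000,alice,10.0.0.11,www.dropbox.com,18342,2210
1700000001,bob,10.0.0.12,content.dropboxapi.com,9843211,5100
1700000002,alice,10.0.0.11,outlook.office365.com,2210,88210
1700000003,carol,10.0.0.13,app.box.com,5310,40210
1700000004,dave,10.0.0.14,files.pastehost.example,52433900,900
1700000005,bob,10.0.0.12,api.pastehost.example,1100,400
1700000006,erin,10.0.0.15,www.example-news.test,900,120400
garbage line that does not parse
"""


def parse_line(line):
    """One record as a dict, or None if the line does not match the layout."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sent"], rec["recv"] = int(rec["sent"]), int(rec["recv"])
    return rec


def lookup_app(host):
    """Longest-suffix match of a hostname against the catalog."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = APP_CATALOG.get(".".join(labels[i:]))
        if entry:
            return entry
    return None


def discover_apps(lines):
    """Aggregate users, hosts and traffic volume per cloud app."""
    report = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = lookup_app(rec["host"])
        name = entry["app"] if entry else "UNCATALOGUED:" + rec["host"]
        app = report.setdefault(name, {
            "users": set(), "hosts": set(), "bytes_sent": 0, "bytes_recv": 0,
            "sanctioned": entry["sanctioned"] if entry else False,
            "risk": entry["risk"] if entry else None,
        })
        app["users"].add(rec["user"])
        app["hosts"].add(rec["host"])
        app["bytes_sent"] += rec["sent"]
        app["bytes_recv"] += rec["recv"]
    return report


def swg_action(app):
    """Policy the integrated secure web gateway enforces, from the app's risk attributes."""
    if app["sanctioned"]:
        return "allow"
    if app["risk"] is None:
        return "monitor"   # unknown service: keep logging until it has been rated
    if app["risk"] >= 8:
        return "block"
    if app["risk"] >= 5:
        return "coach"     # allow, but interpose a warning page / read-only use
    return "allow"


def upload_alerts(report):
    """Unsanctioned apps that received more than the upload threshold."""
    return sorted(name for name, app in report.items()
                  if not app["sanctioned"] and app["bytes_sent"] >= UPLOAD_ALERT_BYTES)


if __name__ == "__main__":
    rep = discover_apps(SAMPLE_LOG.splitlines())
    for name, app in sorted(rep.items()):
        print(f"{name:36} users={len(app['users'])} up={app['bytes_sent']:>9} "
              f"risk={app['risk']} -> {swg_action(app)}")
    print("upload alerts:", upload_alerts(rep))
```

Two details carry most of the value in practice: the catalog maps several hostnames (here the web front end and the API host) onto one application, so usage is counted per app rather than per domain, and the upload volume is tracked separately from downloads, because 50 MB sent to an unrated paste service is a different finding from 50 MB fetched from it.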

What is CASB 2.0?

Secure your entire enterprise

The cloud is part of your organization’s infrastructure. Solve your cloud security needs with a CASB that integrates with the rest of your enterprise security.

The Emerging Need for CASB 2.0

In order to effectively protect your cloud apps and data no matter the user, location, or access device, your CASB needs to seamlessly integrate with core security infrastructure, including DLP, endpoint management, web security, encryption, user authentication, and advanced threat protection. Ultimately you want to leverage all of your security assets and investments to deliver the most effective security for the cloud. CASB 2.0 is about intelligently integrating CASB 1.0 functionality with all these core security technologies to provide comprehensive coverage of your cloud activity.

CASB 2.0 Requirements

A comprehensive CASB 2.0 solution requires deep integration to gain real value. Such a solution should:

  • Share critical information between systems through native APIs
  • Enable consistent policies to be enforced across cloud and other channels
  • Integrate user interfaces to enrich management consoles for various personas
  • Reduce deployment complexity related to multiple security solutions

Don't Just Discover Shadow IT, Control it

Many organizations will require some form of secure web gateway and CASB functionality. There are pragmatic issues to consider when deploying both. How do you steer traffic? How many user authentications are required? How can you share information between your secure web gateway and your CASB? How can you take action to control use of high risk cloud apps?

With CASB 2.0, the secure web gateway and CASB can be intelligently integrated to deliver more value.

  1. Empower your secure web gateway with rich CASB cloud app intelligence
  2. Enforce dynamic control over Shadow IT use of cloud apps based on cloud app risk attributes with the secure web gateway
  3. Simplify deployment of a combined CASB and secure web gateway solution with unified authentication, automated log sharing, and integrating the user interface

Eliminate Separate Islands of DLP

There are many ways to share content, including confidential data, in an organization. Cloud-based file sharing, email (in the cloud and on-premises), and shared servers or folders are all popular methods. With CASB 2.0 you can seamlessly integrate DLP across all channels at risk for data loss -- in the cloud and on-premises, ensuring effective DLP coverage and simpler operations.

  1. Deploy consistent DLP policies on-premises and in the cloud
  2. Gain optimal performance by inspecting cloud data in the cloud and on-premises data on-premises
  3. Empower DLP with CASB contextual insights and controls
  4. Manage all your DLP for your cloud accounts, endpoints, network, and data centers from one central console

End-to-End Information Rights Management

A CASB 2.0 approach to digital rights management, encryption, and tokenization will intelligently integrate end-to-end encryption with CASB, DLP, and user authentication to protect data wherever it goes, including but not limited to en route to or at rest in cloud apps.

  1. Security that follows the data so sensitive data is automatically encrypted and stays encrypted wherever it goes
  2. Content access can be revoked at any time because the encrypted files are beaconed, and user authentication is required for viewing files. So, at any future point in time the organization can digitally shred those files by revoking user access from a central management console
  3. One encryption solution for multiple platforms that works across multiple cloud apps and on-premises systems in an efficient way, using consistent policies.

Global Advanced Threat Protection

Malware, including advanced malware, affects files and systems both inside your network perimeter and in your cloud accounts. Content enters cloud apps through direct cloud-to-cloud interactions, through on-premises or endpoint-to-cloud transactions, through sync-and-share clients, or may be created natively within cloud apps, so traditional perimeter protection is no longer sufficient.

A CASB 2.0 solution should leverage the best quality malware protection and ATP solutions to fully protect assets in the cloud.

  1. Leverage global threat intelligence to analyze cloud content, URLs, and cloud apps
  2. Block and neutralize malicious files with enterprise class A/V scanning engines and file reputation
  3. Detect zero-day threats with integrated ATP sandboxing and file emulation

User Authentication Beyond Single-Sign-On

A CASB 2.0 approach provides a deeper level of integration. Rather than a one-way sharing of information (SSO to CASB), CASB 2.0 solutions leverage a two-way sharing of information, so CASB insights can inform user authentication solutions. This way organizations can confirm and control user access to cloud assets mid-session if user behavior demonstrates high risk activity. A comprehensive solution would allow organizations to define granular policies based on a wide range of transaction attributes to enable the integrated system to require stepped-up authentication as users pursue high risk transactions or access highly sensitive data.

Protect from the Endpoint to the Cloud

Endpoint solutions hold insights about user activity that a CASB can leverage. CASB 2.0 solutions can deliver more value by integrating more deeply with existing endpoint security solutions.

  1. An endpoint protection agent that also enables CASB would simplify endpoint management and increase the number of devices that are CASB protected
  2. Improve Shadow IT monitoring with integrated telemetry from existing endpoint protection agents to your CASB
  3. Add additional control at the endpoint to enforce CASB policies over use of cloud apps

Compliance and Data Privacy

CASBs should assist with data privacy and compliance with regulations and standards, as well as identify cloud usage and the risks of specific cloud services.

What compliance issues should organizations consider?

Personally Identifiable Information (PII)

Basic information such as the names, addresses, and phone numbers of customers is subject to data privacy regulations, such as the EU's General Data Protection Regulation (GDPR).

Personal Health Information (PHI)

Perhaps no type of data is as heavily regulated as patient and medical record information. Recent cyber-crime reports indicate that this type of data is a prized target for attackers, with records fetching over $300 each on the black market. Regulations like HIPAA and HITECH in the United States, and their equivalents around the globe, give organizations specific guidance on how this sensitive data must be handled at all times.

Payment Card Details Or Personal Financial Data

Compliance mandates such as PCI DSS and Gramm-Leach-Bliley require financial institutions, as well as those storing or processing credit and debit cards, to take specific steps to protect the security and confidentiality of their customers’ financial information, regardless of whether it is kept on-premises or in the cloud.

General Data Protection Regulation (GDPR)

The European Union General Data Protection Regulation has significant implications for organizations using cloud applications. GDPR requirements cover the location, access, protection, handling, security, and encryption of personal data. Organizations need to monitor and control the cloud applications and services to which employees may be sending personal data on EU residents, and the personal data stored in those applications and services must be carefully monitored and protected. These requirements apply to any company, wherever it is located, that processes personal data on EU residents.

Other Regulated Data Types

Many other industries have their own compliance measures. Educational institutions need to adhere to the guidelines specified in the Family Educational Rights and Privacy Act (FERPA). Manufacturers of defense-related products need to adhere to the data security measures defined in the International Traffic in Arms Regulations (ITAR). Agencies and law enforcement groups dealing with data such as fingerprints and biometrics must follow the security requirements of the FBI's Criminal Justice Information Services (CJIS) Security Policy. Finally, many institutions specify their own internal security guidelines that all of their units must comply with, both on-premises and in the cloud.

Three Areas Where CASB Plays A Critical Role

Given the strict nature of compliance requirements and the penalties for exposing sensitive data, enterprises and organizations need to ensure that they meet specific requirements in the cloud. CASB solutions are playing a critical role in helping compliance and security professionals ensure:

  1. Cloud apps and services have the appropriate security certifications.
  2. Certain clouds are blocked from receiving specific types of regulated data.
  3. Regulated data that legitimately needs to be placed in the cloud is secured per compliance guidelines.

Take Action!

Use a CASB to Support Compliance and Data Privacy

1. Ensure cloud apps meet compliance security requirements

Audit all cloud use in the organization. Use CASB intelligence on sanctioned and unsanctioned (Shadow IT) cloud apps in use to make sure they comply with any external or internal data security requirements. Restrict access to those cloud applications that cannot be brought into compliance.

2. Identify regulated content in cloud apps

Use a CASB to identify and monitor any regulated content that may be stored in or shared with a cloud application or service by the organization. Decide what type of regulated content (if any) should be allowed in the cloud. Establish requirements for how that data should be protected.

3. Enforce the right security policies to protect regulated data

Centrally define and enforce CASB security policies to protect regulated data and to control how it is (or is prevented from being) stored and processed in cloud apps and services per the requirements in the appropriate compliance regulation such as GDPR, HIPAA, PCI DSS, etc.