Cloud Access Security Broker (CASB)

January 7, 2021

What is a CASB (cloud access security broker)?

A cloud access security broker (CASB) is a security check point between cloud network users and cloud-based applications that manages and enforces all data security policies and practices, including authentication, authorization, alerts and encryption. CASBs improve an organization’s visibility as to who is accessing their data and how it is being used across endpoints.

A CASB protects the organization through a combination of prevention, monitoring and mitigation techniques. In addition to reviewing user activity, the CASB can warn administrators about likely malicious activity, block the installation of malware or other threats and detect potential compliance violations. The CASB may also review the organization’s firewall or proxy logs to better understand cloud application usage and identify anomalous behavior.

A CASB solution is especially helpful given the proliferation of cloud-based services and the growing popularity of bring-your-own-device policies. Taken together, these two trends have greatly expanded the data environment, making it harder for the IT organization to oversee network use and ensure the protection of enterprise data.

Because CASBs access personal devices, it is important that the solution observes modern privacy standards and inspects only corporate data.

What is a CASB?

What does a CASB do?

The primary purpose of the CASB is to protect the organization’s sensitive data from theft, loss or leakage. CASBs fill a security void created by the shift to the cloud and an explosion of endpoints. Core functions of a CASB include:

Data Governance

  • Govern the organization’s cloud usage with granular visibility and a wide variety of controls based on user identity, service, application, activity, location or endpoint
  • Automate the management of data policy violations through a variety of actions, such as block, override, alert, encrypt or quarantine
  • Provide the IT team with a summary of actions taken in response to policy violations

Data Security

  • Protect and prevent the theft, loss or leakage of data across all cloud services and applications through encryption, tokenization or other techniques
  • Establish data loss prevention (DLP) tools and processes for data in use, in motion or at rest from any cloud service or application to any endpoint
  • Proactively monitor the cloud security environment for policy violations
  • Integrate the CASB within the broader security strategy and security architecture

Threat protection

  • Establish full visibility and control over all organizational data across all cloud services
  • Identify and isolate cloud-based threats, including malware and ransomware
  • Leverage artificial intelligence (AI), machine learning (ML) and other intelligent automation tools to detect anomalous behavior, as well as threats such as ransomware and malware
  • Continuously evolve the CASB to respond to the ever-changing threat landscape and ensure ongoing threat protection
  • Alert the cloud security team to any active threats or anomalous activity

2021 CrowdStrike Global Threat Report

Download the 2021 Global Threat Report to uncover trends in attackers’ ever-evolving tactics, techniques, and procedures that our teams observed this past year.

Download Now

What are the 4 pillars of CASB?

CASBs are based on four main principles: visibility, compliance, cloud security and protection.

The 4 pillars of CASB

Visibility
The shift to the cloud has made it exponentially more difficult for IT organizations to maintain visibility as to where and how their data is being used in any number of cloud environments and applications. If the organization cannot “see” this data, then they cannot ensure that its use complies with the organization’s data policies.

The CASB helps improve the organization’s visibility into which cloud services, apps and endpoints are accessing enterprise data. It also controls varying levels of access based on user identity, location, job function or device. For example, the CASB may allow select files to be shared internally with authorized users and block the sharing of the same files with external parties.

Compliance
Despite the increasing complexity of a cloud-based business model, organizations must continue to comply with a wide variety of government and industry regulations concerning privacy and responsible use of enterprise data. A properly designed and configured CASB helps simplify the regulatory environment by automating reporting activity and detecting possible violations with relevant regulations, such as HIPAA, GDPR and PCI-DSS.

Cloud Security
As companies move to a more remote and dispersed workforce and rely more heavily on cloud-based infrastructure, protecting sensitive data has become more challenging. In addition, the growing sophistication of hackers and digital adversaries place greater emphasis on the organization’s prevention capabilities. While traditional data protection solutions are designed to safeguard data being used on-premises, they must be adapted and expanded to protect cloud services.

A CASB supplements the organization’s existing DLP, allowing IT to apply the same principles to data in use, in motion and at rest within a cloud environment.

Threat Protection
The growing sophistication of digital adversaries increases the risk of data theft or leakage. Meanwhile, the relatively complex nature of cloud architecture increases the possibility of human error. For example, misconfigured S3 buckets, which leave ports open to the public, or the use of insecure accounts or an application programming interface (API), could turn typical cloud workloads into obvious targets that can be easily discovered with a simple web crawler.

The CASB helps organizations improve data visibility within the cloud environment through a variety of detection, monitoring and prevention tools. For example, the CASB can enable the infosec team to scan and remediate threats across internal and external networks, in real time. The solution also allows the organization to detect and block unauthorized user access to cloud services and data.

Why do you need a CASB?

The benefit of cloud computing is also its drawback: users can access cloud environments from anywhere with an internet connection — but so can cybercriminals and digital adversaries.

For businesses shifting to a cloud-based model, security is a top concern. Organizations must design and implement a comprehensive cloud security solution to protect against an expanding array of threats and increasingly sophisticated attacks within the cloud environment. Traditional security strategies, intended to protect on-premises hosted networks and associated assets, must be updated to address the threats related to the cloud environment.

It is important to remember that cloud networks adhere to what is known as the “shared responsibility model.” This means that much of the underlying infrastructure is secured by the cloud services provider. However, everything from the operating system to applications and data are the responsibility of the user. Unfortunately, this point can be misunderstood, leading to the assumption that cloud workloads are fully protected by the CSP. This results in users unknowingly running workloads in a public cloud that are not fully protected, meaning adversaries can target the operating system and the applications to obtain access. Even securely configured workloads can become a target at runtime, as they are vulnerable to zero-day exploits.

CASBs help give organizations much deeper visibility into how data is being used within the cloud environment, including cloud applications, cloud services and cloud users. They are designed to help organizations protect against the security challenges and weaknesses present in a cloud environment.

For example, a properly configured CASB can reduce the risk of Shadow IT — or applications and infrastructure that are managed and utilized without the knowledge of the enterprise’s IT department. Shadow IT is a growing concern for many organizations given the shift to an agile DevOps software model. In this model, developers often spawn workloads using their personal accounts. These unauthorized assets are a threat to the environment, as they often are not properly secured and are accessible via default passwords and configurations, which can be easily compromised. A CASB provides the organization with visibility into such instances and can offer automated recommendations for how the IT team can respond to such issues.

CASB vs CSPM vs CWPP

The core elements of cloud security posture management (CSPM) are often compared to that of cloud workload protection platforms (CWPP). CSPM focuses on security cloud APIs, preventing misconfigurations and integrations into the CI/CD pipeline. CWPP plays another key role focusing on runtime protection and continuous vulnerability management of the cloud container. But when in play, both CSPM and CWPP are meant to protect sensitive information that is stored in the cloud.

While CSPM and CWPP work to secure data, a CASB works to improve visibility across endpoints that includes who is accessing data and how it is being used.

CASB, CSPM, and CWPP are the trifecta of securing data in and access to the cloud. Organization’s are encouraged to deploy all three security methods to optimize their cloud security infrastructure.

Learn More

While Amazon Web Services (AWS) and Google Cloud Platform (GCP) offer logging and visibility options, there are some blind spots. Learn what they are and how to eliminate them.Read

How to choose a CASB

For organizations that are looking to adopt a CASB, it is important to consider this solution as a single tool within a broader cybersecurity strategy. For that reason, organizations should evaluate the CASB vendor’s ability to integrate with the organization’s existing security infrastructure, such as the DLP, security information and event management (SIEM), firewall and secure web gateways. Additional considerations include:

Examine the solution in relation to specific use cases. Every organization’s cloud security needs are unique. When considering a CASB vendor, organizations should establish which use cases they wish to prioritize. The team should then evaluate vendors in relation to these issues. This will help ensure that the business selects a CASB vendor with expertise that matches their organization’s specific needs.

Evaluate the CASB vendor landscape. Leverage media coverage and analyst reports to determine those organizations with a strong track record in preventing breaches, as well as quickly and effectively remediating security events. As noted above, it will be important to identify those vendors who can deliver the organization’s specific use cases. If the business is considering multiple use cases, be sure to consider any potential limitations within the solution.

Conduct a trial. Many CASB vendors offer clients the ability to pilot a critical app prior to a full deployment. This step helps ensure that the CASB solution is compatible with the organization’s current cloud infrastructure and can be supported by the company’s existing resources.

Outline CASB functionalities. During the trial and evaluation period, the organization should also determine the CASB’s role in authentication, authorization, alerts and encryption. For example, the IT team will need to determine when and how to apply granular, risk-based authentication — and if the CASB will deliver this functionality. The team may also need to determine if the CASB solution will integrate with existing identity-as-a-service (IDaaS) or single sign-on (SSO) tools.

Conduct regular audits. The threat landscape can change quickly. It is important to conduct regular audits with your CASB vendor once engaged to ensure the organization and its data are adequately protected.