A cloud access security broker, a term coined by Gartner in 2012, is an on-premises or cloud-based security policy enforcement point placed between cloud service consumers and providers to combine and enforce security policies as the cloud-based resources are accessed.
With enterprises adopting a cloud-first strategy, business-critical applications are moving to the cloud at a rapid pace, allowing seamless access from any location or device. This blurs the network perimeter, and organizations now prefer more granular security controls around their data and applications for secure cloud migration and collaboration. A CASB is responsible for protecting data moving into or out of the cloud, as well as data residing in the cloud. CASBs are designed to protect cloud data, and the security controls they offer are far more comprehensive than those of Secure Web Gateways or Web Application Firewalls. CASB is today one of the fastest growing security categories, and according to Gartner, by 2020 more than 60% of large enterprises will be deploying a CASB solution to govern their cloud services.
Cloud access security brokers offer cloud security functionality through four essential pillars, as defined by Gartner:
- Visibility. As applications move to the cloud, organizations struggle to maintain visibility into which users are accessing resources at any point in time, and into users subscribing to cloud applications not sanctioned by the organization's IT team. A simple cloud audit will reveal hundreds of unsanctioned cloud services accessed from the enterprise premises, some of them hosting confidential data. CASBs provide 360-degree visibility into the sanctioned and unsanctioned cloud resources within an organization, drilling down to individual file names, along with a risk score for each cloud service. This enables timely detection of unusual access to cloud resources. One of the biggest CASB use cases is monitoring your organization's Shadow IT, allowing tighter control over data flow.
- Data security. Organizations need a tighter leash on the data moving in and out of the cloud. CASBs allow organizations to classify sensitive data on the fly and apply data loss prevention (DLP) policies such as encryption, tokenization, masking and redaction to protect data in the cloud and prevent leaks or loss. Some CASB solutions also implement digital rights management to encrypt sensitive content at download time and provide last-mile data protection.
- Threat protection. Conventional threat protection systems, which focus on perimeter security, are not suited to protecting against cloud-borne malware, so threat and malware protection in the cloud is a different ball game. As more and more users collaborate and exchange sensitive information over the cloud, organizations need to ensure that shared data does not become a vehicle for spreading malware. CASBs, with built-in DLP templates, perform deep scanning of cloud data and identify threats and risks in real time. On identifying malware, CASBs take the necessary remediation actions, such as quarantining or permanently deleting the data. Some CASBs also integrate with enterprise AVAM solutions for seamless deployment alongside existing threat protection engines.
- Compliance. Data compliance is one of the biggest buzzwords today: GDPR, HIPAA, the newly introduced CCPA, and the list goes on. When moving data to the cloud, organizations need to make sure they follow the data privacy and compliance laws of the host nation. A single violation can lead not only to hefty fines but also to severe loss of reputation for the organization. CASBs can encrypt, and in some cases tokenize, PII and other sensitive content in the cloud, helping organizations prevent data breaches and comply with the strict data residency and privacy laws of multiple countries.
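As an added illustration of the data security pillar (this is not code from the original article or from any CASB vendor), the following Python sketch shows an enforcement point classifying sensitive values on the fly and applying a per-classification DLP action: tokenize, mask or redact. The sample document, the key and the two policies are constructed for the demo; the validators keep a pattern hit that fails a Luhn or SSN sanity check from being treated as a finding.

```python
import hashlib
import hmac
import re
from collections import namedtuple
# Constructed sample of a document as a CASB would inspect it on upload or at rest.
SAMPLE_DOC = ("Customer: Jane Roe, card 4111 1111 1111 1111, SSN 123-45-6789, "
              "support ticket 4111-1111-1111-1112 was closed.")
# A policy: classification name, detector regex, confirmation check, DLP action.
Policy = namedtuple("Policy", "classification pattern validator action")

def luhn_ok(digits):
    """Luhn checksum, so a random 13-16 digit run is not classified as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def ssn_plausible(d):
    """SSA never issues area 000/666/9xx, group 00 or serial 0000."""
    return not (d[:3] in ("000", "666") or d[0] == "9" or d[3:5] == "00" or d[5:] == "0000")

class DlpEnforcer:
    """Simulated enforcement point: classify on the fly, then apply the policy's action."""
    def __init__(self, policies, token_key):
        self.policies, self.token_key = policies, token_key
        self.vault = {}      # token -> original value, held by the broker, never by the cloud
        self.findings = []   # (classification, action) audit trail for each enforcement

    def _apply(self, value, p):
        digits = re.sub(r"\D", "", value)
        if p.action == "mask":       # keep the last four digits for reconciliation
            return "*" * (len(digits) - 4) + digits[-4:]
        if p.action == "tokenize":   # reversible only through the broker's vault
            token = "tok_" + hmac.new(self.token_key, digits.encode(), hashlib.sha256).hexdigest()[:12]
            self.vault[token] = value
            return token
        return f"[{p.classification} REDACTED]"

    def enforce(self, text):
        for p in self.policies:
            def repl(m, p=p):
                if not p.validator(re.sub(r"\D", "", m.group(0))):
                    return m.group(0)          # pattern hit but validator rejected it: leave as is
                self.findings.append((p.classification, p.action))
                return self._apply(m.group(0), p)
            text = p.pattern.sub(repl, text)
        return text

def build_enforcer(card_action="tokenize", ssn_action="redact"):
    return DlpEnforcer([
        Policy("card", re.compile(r"\b(?:\d[ -]?){13,16}\b"), luhn_ok, card_action),
        Policy("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_plausible, ssn_action),
    ], token_key=b"constructed-demo-key")
```

Running `build_enforcer().enforce(SAMPLE_DOC)` replaces the card with a token and the SSN with a redaction marker, leaves the Luhn-invalid ticket number untouched, and records both enforcements in `findings`.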
CASBs are also offered in various modes, including API-based and proxy-based. Vendors offer the technology in one mode or both, and each mode has its own pros and cons.
- API. API-based CASBs are very easy to deploy, provide coverage across managed and unmanaged devices, and can act on data in any form, whether at rest or in motion. However, not every cloud provider offers API support, and data can sit unprotected during the delay between an event and the CASB acting on it through the API.
- Proxy. Proxy-based CASBs come in two variants: reverse proxy and forward proxy. Reverse proxies tend to provide a better user experience with no friction, while forward proxies require an agent installation on every single user device, which can get time-consuming and pricey.