Cloud access security broker (CASB), a term coined by Gartner in 2012, is an on-premises or cloud-based security policy enforcement point placed between cloud service consumers and cloud service providers to combine and enforce enterprise security policies as cloud-based resources are accessed.
With enterprises adopting a cloud-first strategy, business-critical applications are moving to the cloud at a rapid pace, allowing seamless access from any location or device. This blurs the definition of the network perimeter, and organizations now prefer more granular security controls around their data and applications for secure cloud migration and collaboration. A CASB is responsible for protecting the data moving into or out of the cloud, and the data residing in the cloud. Because CASBs are designed specifically around cloud data, the security controls they offer for it are far more comprehensive than those of Secure Web Gateways or Web Application Firewalls. CASB is today one of the fastest growing security categories, and according to Gartner, by 2020 more than 60% of large enterprises will be deploying a CASB solution to govern their cloud services.
Cloud access security brokers offer cloud security functionality through four essential pillars, as defined by Gartner: visibility, data security, threat protection and compliance.
As applications move to the cloud, organizations struggle to keep visibility of which users are accessing which resources at any point in time, or of users subscribing to cloud applications not sanctioned by the organization's IT team. A simple cloud audit will typically reveal hundreds of unsanctioned cloud services accessed from the enterprise premises, some of them hosting confidential data. CASBs provide 360-degree visibility into the sanctioned and unsanctioned cloud resources within an organization, drilling down to individual file names, and assign a risk score to each cloud service. This enables timely detection of unusual access to cloud resources. One of the biggest CASB use cases is monitoring your organization's Shadow IT, allowing tighter control over data flow.
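As an added example that is not part of the original post and not any vendor's code, the following Python script shows what the shadow IT discovery described above boils down to: it parses outbound web-proxy log lines (a constructed format with invented users, hosts and byte counts), matches each destination against a hypothetical cloud-app catalog carrying a sanctioned flag and a risk score, and reports unsanctioned apps ranked by risk, flagging large uploads to high-risk services. The catalog, the risk scores and the upload threshold are assumptions made up for the example; a real CASB ships a catalog of thousands of apps and scores them on many attributes.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of outbound web-proxy log lines:
# timestamp user method destination-host bytes-sent bytes-received
# The format and every entry are invented for this example.
SAMPLE_PROXY_LOG = """\
2019-11-04T09:12:03Z alice PUT files.sanctioned-drive.example 5242880 512
2019-11-04T09:14:41Z bob GET mail.sanctioned-drive.example 220 88000
2019-11-04T09:20:17Z carol POST upload.freeshare.example 10485760 300
2019-11-04T09:31:55Z alice POST api.pasteit.example 20480 150
2019-11-04T10:02:09Z dave GET news.example 180 64000
2019-11-04T10:15:30Z carol POST upload.freeshare.example 7340032 310
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")

# Hypothetical cloud-app catalog: domain suffix -> (app name, sanctioned?, risk 0-10).
APP_CATALOG = {
    "sanctioned-drive.example": ("SanctionedDrive", True, 2),
    "freeshare.example": ("FreeShare", False, 8),
    "pasteit.example": ("PasteIt", False, 9),
}


@dataclass
class AppUsage:
    name: str
    sanctioned: bool
    risk: int
    users: set = field(default_factory=set)
    bytes_uploaded: int = 0
    bytes_downloaded: int = 0
    requests: int = 0


def classify_host(host):
    """Match a destination host against the catalog by domain suffix."""
    for suffix, entry in APP_CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return entry
    # Unknown destination: treat as unsanctioned with a medium risk score.
    return (host, False, 5)


def parse_log(text):
    """Yield (timestamp, user, method, host, sent, received) per well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole audit
        ts, user, method, host, sent, received = m.groups()
        yield ts, user, method, host, int(sent), int(received)


def discover_apps(log_text):
    """Aggregate per-app usage: who used it, how often, how much went up and down."""
    usage = {}
    for ts, user, method, host, sent, received in parse_log(log_text):
        name, sanctioned, risk = classify_host(host)
        app = usage.setdefault(name, AppUsage(name, sanctioned, risk))
        app.users.add(user)
        app.requests += 1
        if method in ("POST", "PUT"):  # uploads are the exfiltration indicator
            app.bytes_uploaded += sent
        app.bytes_downloaded += received
    return usage


def shadow_it_report(log_text, upload_threshold=1_000_000, min_risk=7):
    """Unsanctioned apps sorted by risk, flagging large uploads to risky services."""
    findings = []
    for app in discover_apps(log_text).values():
        if app.sanctioned:
            continue
        findings.append({
            "app": app.name,
            "risk": app.risk,
            "users": sorted(app.users),
            "bytes_uploaded": app.bytes_uploaded,
            "high_risk_upload": app.risk >= min_risk
            and app.bytes_uploaded >= upload_threshold,
        })
    findings.sort(key=lambda f: (-f["risk"], -f["bytes_uploaded"]))
    return findings


if __name__ == "__main__":
    for finding in shadow_it_report(SAMPLE_PROXY_LOG):
        print(finding)
```

On the constructed log the report ranks PasteIt (risk 9, small paste) above FreeShare (risk 8, about 17 MB uploaded by one user), and only FreeShare trips the high-risk-upload flag; unknown hosts such as news.example are surfaced too, since an app the catalog has never seen is exactly what a shadow IT audit is looking for.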
Organizations need a tighter leash on the data moving in and out of the cloud. CASBs allow organizations to classify sensitive data on the fly and apply policies such as encryption, masking and redaction to protect data in the cloud and prevent data leakage or loss. Some CASB solutions also implement digital rights management to encrypt sensitive content during downloads and provide last-mile data protection.
Conventional threat protection systems, which focus on perimeter security, are not suited to protecting against cloud-borne malware, which makes threat and malware protection in the cloud a different ball game. As more and more users collaborate and exchange sensitive information over the cloud, organizations need to ensure that shared data does not become a vector for spreading malware. CASBs, with built-in DLP templates and scanning engines, perform deep scanning of cloud data and identify threats and risks in real time. On identifying malware, CASBs take the necessary remediation actions, such as quarantining or permanently deleting the file. Some CASBs also integrate with enterprise antivirus and anti-malware (AVAM) solutions for seamless deployment alongside existing threat protection engines.
Data compliance is one of the biggest buzzwords today: GDPR, the newly introduced CCPA, and the list goes on. While moving data to the cloud, organizations need to make sure they follow the data privacy and data compliance laws of the host nation. A single violation can lead not only to hefty fines but also to a severe loss of reputation for the organization. CASBs encrypt, and in some cases tokenize, PII and other sensitive content in the cloud, helping organizations prevent data breaches and comply with the strict data residency and privacy laws of multiple countries.
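As an added example, not the post's or any vendor's code, the following Python script covers both the data security pillar (classify on the fly, then mask or redact) and the compliance pillar (tokenize PII so the cloud never holds the real value) discussed above. The classifiers, the sample document and the policy table are constructed for the example, and the token vault is a hypothetical stand-in for the on-premises vault a real CASB would keep; a real deployment would encrypt under a managed key rather than, or alongside, the keyed-HMAC tokens used here. The Luhn check is included because a bare digit-run pattern is the classic DLP false positive.

```python
import hashlib
import hmac
import re
import secrets

# Hypothetical DLP classifiers (constructed for the example). Real CASB templates
# add validation and proximity rules; these are deliberately simple.
CLASSIFIERS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Policy: what happens to each data class before it leaves for the cloud.
DEFAULT_POLICY = {"credit_card": "mask", "us_ssn": "tokenize", "email": "redact"}

# Constructed sample document; the last number fails Luhn on purpose.
SAMPLE_DOC = (
    "Customer jane.doe@example.com, card 4111 1111 1111 1111, "
    "SSN 123-45-6789, ref 9999 9999 9999 9999."
)


def luhn_ok(digits):
    """Luhn checksum so arbitrary digit runs are not flagged as card numbers."""
    total, double = 0, False
    for d in reversed(digits):
        n = int(d)
        if double:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
        double = not double
    return total % 10 == 0


def classify(text):
    """Return (label, start, end) for every sensitive match, ordered by position."""
    findings = []
    for label, rx in CLASSIFIERS.items():
        for m in rx.finditer(text):
            if label == "credit_card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue
            findings.append((label, m.start(), m.end()))
    return sorted(findings, key=lambda f: f[1])


class TokenVault:
    """Hypothetical on-premises vault: the real value stays here, the cloud sees
    only the token. A keyed HMAC makes tokens stable per value (so exact-match
    search in the cloud still works) while unreversible without the vault."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)
        self._store = {}

    def tokenize(self, value):
        tag = hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()[:16]
        token = "TOK_" + tag
        self._store[token] = value
        return token

    def detokenize(self, token):
        return self._store[token]


def mask(value, keep=4):
    """Mask everything but the last `keep` characters (card-number style)."""
    return "*" * (len(value) - keep) + value[-keep:]


def apply_policy(text, policy=DEFAULT_POLICY, vault=None):
    """Rewrite `text` according to `policy`; returns (protected text, vault)."""
    vault = vault or TokenVault()
    out, last = [], 0
    for label, start, end in classify(text):
        if start < last:
            continue  # overlapping match already handled by an earlier rule
        value = text[start:end]
        action = policy.get(label, "allow")
        if action == "mask":
            repl = mask(value)
        elif action == "tokenize":
            repl = vault.tokenize(value)
        elif action == "redact":
            repl = "[REDACTED %s]" % label
        else:
            repl = value
        out.extend((text[last:start], repl))
        last = end
    out.append(text[last:])
    return "".join(out), vault


if __name__ == "__main__":
    protected, vault = apply_policy(SAMPLE_DOC)
    print(protected)
```

Run on the sample document, the e-mail address is redacted, the valid card number is masked to its last four digits, the SSN is replaced by a token that only the vault can map back, and the Luhn-failing "9999 9999 9999 9999" is left alone. Which action each class gets is a policy decision: tokenization keeps data residency simple (the value never leaves the vault's jurisdiction), whereas masking is irreversible and only fits fields the cloud application never needs to read back.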
CASBs are also offered in various modes, including API-based and proxy-based. Vendors offer the technology in one mode or both, and each mode has its own pros and cons. API-based CASBs are very easy to deploy, provide coverage across managed and unmanaged devices, and can act on data in any form, whether at rest or in motion. However, not every cloud provider has API support, and because the API mode acts out-of-band, after the data has already reached the cloud service, the data can be unprotected during the delay before the CASB acts on it. Proxy-based CASBs come in two options: reverse proxy and forward proxy. Reverse proxies tend to provide a better user experience with no friction, while forward proxies require an agent installation on every single user device, which can get time-consuming and