Cloud access control is a critical part of cloud security strategy. Without granular controls in place, unauthorized users could gain access to your data or even take down your entire cloud infrastructure. Solutions such as a cloud access security broker (CASB) help you enforce access controls by acting as a layer separating users and cloud service providers.
What does CASB mean?
CASB stands for Cloud Access Security Broker: a cloud-based or on-premise security solution deployed between users and cloud services. These services can be sanctioned or non-sanctioned, and the users can be on-site or remote.
The main role of a CASB is to act as a security policy enforcement point and govern access to cloud services. Generally, a CASB addresses security concerns in SaaS, PaaS and IaaS environments by consolidating multiple security policies and applying them to all services offered by the cloud. The policies are enforced regardless of the type of device used to access these cloud services.
A cloud access security broker (CASB) provides a variety of services to protect businesses that use cloud computing from data breaches and cyber assaults. Because a CASB can cater to various types of devices, it is becoming especially useful in businesses that follow a BYOD model.
The main features and capabilities of a CASB solution include:
- Cloud governance and risk assessment
- Data loss prevention
- Single sign-on, authentication and authorisation
- Credential mapping
- Control over native cloud services
- Device profiling
- Malware detection and prevention
- Threat protection
- Contextual access control
- User and entity behaviour analytics (UEBA)
- Logging and monitoring
Four pillars of CASB
Shadow IT is a common practice that is now being limited because security concerns have highlighted its potential risks. It is the use of technology, devices, systems, applications or services without the permission of the IT managers or IT department.
This practice is especially common when it comes to cloud services. To combat this risk, CASB has grown to work on the following four pillars, which strengthen the security posture of organisations.
It gets tough to keep track of each employee’s actions as the number of people in an enterprise grows, especially if they use software on a cloud platform.
Because cloud-based applications and services are generally out of the IT department’s sight, corporate data privacy, governance and compliance rules cannot be applied effectively.
To prevent these issues, CASB security software offers a thorough overview of employees’ cloud usage, including information such as the device and geographical location at which they access the cloud service.
The CASB cloud discovery analysis provides businesses with a compact risk assessment for each of the cloud services in use. It helps the organisation to determine which services need to be allowed in their environments and which services to block completely.
Businesses can outsource their software, infrastructure and services on cloud platforms but the responsibility of maintaining compliance with regulatory bodies remains with the business owners.
CASB helps businesses to maintain compliance in the cloud environments by addressing a variety of compliance regulations including but not limited to HIPAA, PCI DSS, ISO 27001 etc.
Using a cloud platform offers a business many benefits and makes the lives of its stakeholders easier. However, it also exposes the organisation to an important risk to data privacy and security.
Data leak prevention (DLP) solutions work efficiently to safeguard data on-premise, but they typically fail to provide the same protection on cloud platforms.
However, with the combination of a DLP solution and CASBs, the IT department can have clear visibility on what data is being transferred and thus DLP rules can be implemented on this data.
Using a combination of these two solutions, organisations can control and minimise their data leakage and protect sensitive information.
With any technology, the risk of insider and external threat actors exists. To help business owners detect malicious behaviours, CASBs offer their users the ability to analyse user behaviour using machine learning and user and entity behaviour analytics (UEBA) to detect any changes or anomalies in a user’s regular behaviour and activities.
Using this technology, IT departments can identify threats as soon as any irregular activity takes place. In addition, a CASB offers threat protection and malware protection mechanisms to block malware.
How does a CASB work?
The responsibility of a cloud access security broker is to provide enhanced visibility and control over the data stored and transferred to and from the cloud services and also to identify threats that can arise. The CASB achieves these objectives using a three-step process:
First, the CASB solution uses its automatic discovery toolkit to compile a list of all third-party cloud services being used in the company, along with the users who are using them.
Once the CASB has complete visibility, it determines the risk level of each cloud service provider by establishing what the service is being used for, what type of data resides in the cloud and how it is being shared.
Using this classification, the IT department can also determine which cloud services to allow in their network and which to block completely.
Lastly, the CASB uses the policies set by the organisation and enforces them on all the users. Here the CASB also takes decisions and actions if any violation occurs.
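The three steps above, sketched as an added example (not taken from any CASB product). The log format, host names, service catalogue, scoring weights and the `block_at` threshold are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample proxy log lines: user, destination host, bytes uploaded.
SAMPLE_LOG = """\
alice files.example-share.test 52000000
bob crm.example-saas.test 1200
carol files.example-share.test 800
alice crm.example-saas.test 300
dave paste.example-notes.test 45000
"""

# Hypothetical service catalogue: sanctioned flag plus risk attributes.
CATALOGUE = {
    "crm.example-saas.test": {"sanctioned": True, "encrypts_at_rest": True, "public_sharing": False},
    "files.example-share.test": {"sanctioned": False, "encrypts_at_rest": True, "public_sharing": True},
}
# Services missing from the catalogue are treated pessimistically.
UNKNOWN = {"sanctioned": False, "encrypts_at_rest": False, "public_sharing": True}

def discover(log_text):
    """Step 1: build {service: {"users": set, "bytes_up": int}} from the log."""
    usage = defaultdict(lambda: {"users": set(), "bytes_up": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip malformed lines rather than guessing
        user, host, sent = parts
        usage[host]["users"].add(user)
        usage[host]["bytes_up"] += int(sent)
    return dict(usage)

def classify(host, stats):
    """Step 2: score a service from its attributes and how it is used."""
    attrs = CATALOGUE.get(host, UNKNOWN)
    score = 0 if attrs["sanctioned"] else 3
    score += 0 if attrs["encrypts_at_rest"] else 2
    score += 2 if attrs["public_sharing"] else 0
    score += 2 if stats["bytes_up"] > 10_000_000 else 0  # large uploads
    return score

def enforce(log_text, block_at=7):
    """Step 3: turn scores into an allow/block verdict per service."""
    return {host: ("block" if classify(host, s) >= block_at else "allow")
            for host, s in discover(log_text).items()}

if __name__ == "__main__":
    for host, verdict in sorted(enforce(SAMPLE_LOG).items()):
        print(f"{verdict:5} {host}")
```

The service that is absent from the catalogue is scored with the pessimistic defaults, so an unknown shadow IT service is blocked until someone reviews it.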
What are the security features in CASBs?
Cloud access security brokers are an essential element in enterprise cloud security. Many of the renowned CASB solution vendors offer some or all of the following security features:
- Verification of identity i.e. to confirm that a user is who they claim to be by verifying several identification factors.
- Access control i.e. to control what resources are allowed to each user.
- Discovery of shadow IT i.e. to identify if any employee is using IT resources against the policies and guidelines enforced by the organisation.
- Data loss prevention (DLP) i.e. to ensure that no sensitive information is leaked from inside the organisation via any communication channel.
- URL filtering i.e. to block all malicious websites.
- Packet inspection i.e. to inspect all the data entering and leaving the company’s network for malicious attacks.
- Sandboxing i.e. to run and execute programs in an isolated environment to determine if they are malicious or not.
- Anti-malware detection and prevention i.e. to identify and stop malicious software.
Why do I need cloud access security brokers?
Maintaining visibility in a cloud environment is crucial in today’s IT world as more and more services and companies migrate towards cloud infrastructures. Cloud access security brokers equip organisations to maintain extensive visibility, safeguard sensitive data and meet compliance requirements.
A cloud access security broker also allows employees to use cloud services safely without exposing the organisation to additional risk. A CASB can be especially beneficial for protecting cloud applications, implementing data loss prevention, and supporting remote work and bring-your-own-device (BYOD) environments.
The main benefit of a cloud access security broker for IT professionals is its ease of deployment. A CASB solution can be deployed either in the cloud or on-premises. Currently, SaaS deployment is the most commonly used method of deployment.
Once the deployment location is decided, there are three further modes in which a CASB can be deployed:
- Forward Proxy
- Reverse Proxy
- API based
The API based deployment offers visibility into security threats and data on the cloud and is the quickest deployment mode with comprehensive coverage.
The forward proxy usually works in combination with VPN clients and endpoint protection solutions, whereas the reverse proxy is more ideal for devices that are generally outside the purview of the IT department.
Types of CASB deployment
Inline deployment – Forward proxy
When a cloud access security broker is deployed as a forward proxy it is positioned closer to users and can be used to proxy traffic coming from multiple cloud services. The CASB works like a man-in-the-middle and inspects all the traffic going to and from the cloud service with the help of a self-signed certificate.
Inline deployment – Reverse proxy
When a CASB is deployed as a reverse proxy, it is positioned closer to the cloud application and can also be integrated with Identity-as-a-Service (IDaaS) and IAM solutions.
Unlike the forward proxy method, this mode of deployment does not require any certificates. In this mode, the CASB receives a request from the cloud application, applies the relevant rules and forwards the request back to the user.
Out of band deployment – API based
In this mode, the CASB sits in between the user and the cloud application and uses asynchronous API calls to monitor the network traffic. The API receives the incoming and outgoing traffic, enforces the relevant policies and controls on it and takes the appropriate action.
Common use cases for CASB
Now let’s look at the most common use cases that an organisation may encounter when implementing a cloud access security broker:
As mentioned earlier, a CASB is a very useful solution for discovering and mitigating shadow IT behaviour. It offers visibility and control over an organisation’s cloud services and provides a way for the company to govern cloud usage as per its business needs.
Accesses and policies can be maintained and implemented based on identity, service, activity, cloud apps and data.
Actions can also be defined in the CASB to either block, generate alerts, bypass, quarantine or encrypt the services or data on the basis of the defined policy.
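An added example (not from any vendor's product) of how such a policy might be evaluated per request: rules match on identity, app, activity, device context and data, and the first match selects one of the actions listed above. The rule set, the `Event` fields, the card-number pattern and the `allow` default are hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed DLP pattern: 16-digit card-like numbers (illustrative only).
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")

@dataclass
class Event:
    group: str         # identity: directory group of the user
    app: str           # cloud app / service being accessed
    activity: str      # e.g. "upload", "download", "share"
    managed: bool      # device context: corporate-managed or not
    content: str = ""  # data in the transaction, if inspected

def has_card(e):
    return bool(CARD_RE.search(e.content))

# Hypothetical rules, evaluated top-down; the first match wins, so
# order matters: the unmanaged-device rule must precede the general one.
RULES = [
    (lambda e: e.app == "backup-agent", "bypass"),
    (lambda e: e.activity == "upload" and has_card(e) and not e.managed, "block"),
    (lambda e: e.activity == "upload" and has_card(e), "encrypt"),
    (lambda e: e.activity == "share" and e.group == "finance", "quarantine"),
    (lambda e: e.activity == "download" and not e.managed, "alert"),
]

def decide(event, default="allow"):
    """Return the action of the first matching rule, else the default."""
    for predicate, action in RULES:
        if predicate(event):
            return action
    return default

if __name__ == "__main__":
    # Constructed sample events.
    samples = [
        Event("sales", "crm", "upload", False, "card 4111 1111 1111 1111"),
        Event("sales", "crm", "upload", True, "card 4111 1111 1111 1111"),
        Event("finance", "files", "share", True),
        Event("sales", "files", "download", False),
    ]
    for ev in samples:
        print(decide(ev), ev.app, ev.activity)
```

The same upload is blocked from an unmanaged device but only encrypted from a managed one, which is the kind of contextual decision a flat allow/block list cannot express.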
One of the main concerns that a CASB deals with is protecting and securing a company’s sensitive data across all the cloud services in the environment. CASB solutions include advanced DLP controls to discover and protect sensitive data stored in the cloud services, or being transferred between cloud service consumers and providers.
Protecting against threats
Using a CASB helps organisations to protect themselves from cloud-based threats such as malware or ransomware. Technologies such as anomaly detection and threat detection can be used to identify compromised user accounts.
An additional layer of static and dynamic anti-malware detection/prevention with incorporated machine learning capabilities can also be implemented to ensure optimal virus and malware protection.
Advantages of CASB
With the help of CASB solutions, organisations can control cloud applications and data access. Controls such as single sign-on, authentication, authorisation, logging and monitoring, encryption, device profiling, tokenisation and alerting can be achieved by using a CASB.
The main advantages that an organisation can achieve when implementing CASB include:
- Restricting unauthorised access to sensitive data.
- Detection and identification of compromised accounts.
- Uncover shadow cloud IT.
- Implement cloud data loss prevention controls (DLP).
- Implement access controls on internal and external data.
- Enable audit logs to monitor risky behaviours.
- Prevent malware and phishing attacks.
- Continuous monitoring for any new cloud risks.
- Reduction of cost and increase in agility.
Things to consider when choosing a CASB
Before selecting and implementing a cloud access security broker, businesses should keep in mind the following considerations:
Will it be a good fit?
Before selecting any CASB solution, an organisation should identify and develop its own use cases and look for a solution that caters to its requirements. This should be followed by detailed PoCs (proofs of concept), analyses and comparisons between multiple vendors to find the perfect fit for the organisation.
Is it scalable and customisable?
For any successful organisation, growth and scalability are important factors. Each solution that the organisation implements must be scalable to accommodate future expansion. A CASB is no exception: as the organisation grows, its enterprise cloud usage will also increase, and the CASB should be able to handle the growing capacity.
Can it protect IaaS environments?
In cloud environments, most businesses focus on the protection of SaaS (Software as a Service). However, to achieve a comprehensive enterprise security state, protecting IaaS (Infrastructure as a Service) is just as important.
To achieve this strong security posture, the CASB should not only focus on protecting and safeguarding the activities and configuration of IaaS but also offer controls such as cyber protection, activity monitoring and data loss prevention (DLP) controls.
FAQs to know when selecting a CASB vendor
Before adopting any solution in an organisation, the relevant stakeholders should ask the vendors specific questions to judge whether the solution is a perfect fit for their business.
Below we have compiled a list of questions any organisation should go through when they are evaluating a CASB vendor. These questions are specific and use-case based, which will help businesses narrow down the solution they need.
- Will the organisation be able to control activities in both managed and unmanaged cloud applications, rather than having the need to block services altogether?
- Will the organisation be able to identify and mitigate threats such as malware in the cloud services?
- Will the organisation be able to remotely enforce enterprise security policies, especially on mobile and in-sync clients?
- Will the organisation be able to monitor and report the activities with respect to compliance and other regulations?
- Will the organisation be able to reduce and remediate risks arising from compromised user accounts?
- Will the organisation be able to enforce security policies on sensitive data going to and from the cloud service providers and consumers, and reduce the number of false positives by analysing the cloud transaction in question?
- Will the organisation be able to implement and enforce policies based on Microsoft Active Directory groups or organisation units?
- Does the solution facilitate multiple deployment options depending upon the clients’ requirements, such as storing all data on-premise?
- Will the organisation be able to detect anomalies in cloud activities such as excessive downloads or file transfers etc.?
- Does the solution facilitate integration with other security solutions such as DLP, SIEM, EDR, sandboxing solutions etc.?
CASB solutions and vendors
There is a wide range of CASB vendors available to choose from. A few of the most popular ones are listed below:
- Palo Alto Networks
and loads more.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master’s degree in Information Security and an OSCP, and has a strong technical skillset in offensive security.