I was recently part of a moderated panel discussion on Cloud Access Security Brokers (CASBs). Since some of you may or may not be familiar with what a CASB is and what it does, I thought it would be a good idea to give you an overview below, along with a link to the recorded discussion if you want to find out more:
Cloud access security brokers (CASBs) address gaps in security resulting from the significant increases in cloud service and mobile usage. They deliver capabilities that are differentiated and generally unavailable today in security controls such as Web application firewalls (WAFs), secure Web gateways (SWGs) and enterprise firewalls. CASBs provide a single point of control over multiple cloud services concurrently, for any user or device.
Cloud access security brokers (CASBs) are on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. They increasingly support the control of enterprise social networking use, and popular infrastructure as a service (IaaS) and platform as a service (PaaS) providers.
CASBs deliver functionality around four pillars, which are of equal importance:
Visibility — CASBs provide shadow IT discovery and sanctioned application control, as well as a consolidated view of an organization’s cloud service usage and the users who access data from any device or location.
Compliance — CASBs assist with data residency and compliance with regulations and standards, as well as identify cloud usage and the risks of specific cloud services.
Data security — CASBs provide the ability to enforce data-centric security policies to prevent unwanted activity based on data classification, discovery and user activity monitoring of access to sensitive data or privilege escalation. Policies are applied through controls, such as audit, alert, block, quarantine, delete and encrypt/tokenize, at the field and file level in cloud services.
Threat protection — CASBs prevent unwanted devices, users and versions of applications from accessing cloud services. Other examples in this category are user and entity behavior analytics (UEBA), the use of threat intelligence and malware identification.
This technology is available as a SaaS application or on-premises via virtual or physical appliance form factors. Initially, the market was segregated between providers that delivered their CASB features via forward and/or reverse proxy modes and others that used API modes exclusively. Increasingly, a growing number of CASBs offer a choice between proxy modes of operation and also support APIs.
CASB integration points cover identity and access management (IAM) integration; reuse of data security policies for the cloud; and event integration with technologies such as security information and event management (SIEM) for a single view of an organization’s security events, plus support for a number of existing security processes such as incident response. CASBs themselves offer APIs that can be used by enterprises to take advantage of automation and integration opportunities with other enterprise management tools.
Cross-Over Technologies in CASB
Enterprises should not treat data used in cloud SaaS applications in isolation from on-premises data environments. There is a critical need to establish enterprise-wide data security policies and controls based on data security governance processes. In addition, cloud data security capabilities should be integrated with on-premises enterprise data security solutions for Data Loss Prevention (DLP), data-centric audit and protection (DCAP), encryption, tokenization, user activity monitoring and analytics.
DLP and DCAP
Many CASBs provide data classification and discovery capabilities with built-in policy templates, as well as document controls, such as fingerprinting and watermarking. Policies can enable automatic blocking, quarantining, encryption/tokenization, etc.
CASBs are also developing overlapping DCAP policy capabilities, such as user activity monitoring that can detect anomalous data access or privilege changes, audit reports, and real-time security alerts or blocking, etc. An advantage of a CASB over native DLP capabilities is consistency — for example, one can apply a set of common DLP policies that extends to multiple services and even multiple providers, reducing the overall time required for developing and enforcing policies.
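To make the consistency point concrete, here is an added example (written for this overview, not code from any CASB vendor) of one DLP policy evaluated against activity events from two different providers; the event fields, classifiers, provider names and rule names are all constructed.

```python
import re
from dataclasses import dataclass

# Constructed classifiers standing in for a CASB's built-in policy templates.
CLASSIFIERS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

@dataclass
class Event:
    provider: str         # which SaaS the event came from (constructed names)
    user: str
    device_managed: bool  # whether the endpoint is an enterprise-managed device
    action: str           # "upload", "share_external" or "download"
    content: str          # the file or field contents being inspected

def classify(text: str) -> list[str]:
    """Return the data classes detected in text, sorted for stable output."""
    return sorted(name for name, rx in CLASSIFIERS.items() if rx.search(text))

# A single policy, written once and applied to every provider. Rules are checked
# in order; the first match decides the control, otherwise the event is audited.
POLICY = [
    ("sensitive-from-unmanaged-device", lambda e, c: c and not e.device_managed, "block"),
    ("sensitive-shared-externally", lambda e, c: c and e.action == "share_external", "quarantine"),
    ("sensitive-upload", lambda e, c: c and e.action == "upload", "encrypt"),
    ("sensitive-download", lambda e, c: c and e.action == "download", "alert"),
]

def evaluate(event: Event) -> dict:
    """Evaluate one event against POLICY and return the control to apply."""
    classes = classify(event.content)
    for rule, predicate, control in POLICY:
        if predicate(event, classes):
            return {"provider": event.provider, "user": event.user,
                    "rule": rule, "control": control, "classes": classes}
    return {"provider": event.provider, "user": event.user,
            "rule": None, "control": "audit", "classes": classes}

# Constructed sample events from two different providers, same policy for both.
SAMPLE_EVENTS = [
    Event("box", "alice", True, "upload", "cardholder 4111 1111 1111 1111"),
    Event("salesforce", "bob", False, "download", "SSN 123-45-6789"),
    Event("salesforce", "carol", True, "share_external", "SSN 987-65-4321"),
    Event("box", "dave", True, "download", "quarterly agenda"),
]
DECISIONS = [evaluate(e) for e in SAMPLE_EVENTS]
```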
Security Analytics and UEBA
A number of CASBs employ advanced analytics, using techniques such as machine learning and anomaly detection. This gives CASBs the ability to perform sophisticated threat and misuse detection, which can then enable blocking options at the user, object and device levels.
Encryption and Tokenization
CASBs provide a common point of encryption and tokenization for cloud applications, making it another technology that organizations need to manage. The selection of a particular mode of operation has an effect on the cryptography and data security mechanisms available:
Reverse proxy — The on-premises option provides full physical control over key management and the application of cryptography solutions on-premises with no access by the CASB or cloud service provider (CSP). With hosted reverse proxy, there may be indirect access to the key management system and keys/tokens being used in the cloud by the CASB and/or CSP.
Forward proxy — The CASB typically provides encryption keys/tokens to the endpoints using asymmetric key distribution techniques or VPN connections. It may use self-signed digital certificates or supported third parties, or it may provide key management solutions that are managed by the enterprise.
API mode — This effectively moves the encryption engine to the CSP itself, also enabling organizations to perform data security inspection functions on all data “at rest” in the cloud application or service. The CASB may offer on-premises or hosted key management options. API mode makes it possible to take advantage of a growing number of native data protection tools offered independently by the SaaS applications themselves (e.g., Salesforce), whereby they perform encryption/tokenization functions, but the end users still control the keys.
Endpoint agent — No CASB can operate exclusively on the endpoint, but several vendors offer optional endpoint software for purposes such as cloud application discovery and tracking, routing to the proxy, and object encryption and decryption.
Hope that the overview helps to clarify what CASBs are capable of.