A Cloud Access Security Broker (CASB) is a security application that helps organizations manage and protect the data they store in the cloud. Gartner advises organizations to find a “Goldilocks” CASB solution: one that provides just-right capabilities for their SaaS applications and cloud infrastructure.
In this article, we will talk about what those capabilities are, and how to best utilize CASB as part of your cybersecurity profile.
How Does a CASB Work?
CASB systems are part filter, part proxy, and part firewall between users and Cloud systems. They have capabilities to detect unsanctioned cloud applications, or “shadow IT,” as well as sensitive data in transit. CASB can also encrypt traffic to Cloud providers, and do much more, as we’ll discuss later.
Organizations use CASB to address specific use cases with their Cloud providers. They might buy more than one CASB solution, depending on the functionality available in each solution. For example, if an organization uses Salesforce, they will need a CASB solution that supports Salesforce APIs or has functionality designed to protect Salesforce traffic — not all CASBs can do this!
In short: there are too many SaaS applications for there to be a ‘one-size-fits-all’ CASB solution. We hope this article will help you make a better decision about the feature set you’ll need in a CASB.
Pillars of CASB
When you start investigating CASB, you’ll come across its four pillars: visibility, compliance, data security, and threat protection. Let’s learn about them.
Visibility
CASB solutions provide a window into the traffic between organizations and their Cloud providers. With CASB, you can see which sanctioned and unsanctioned cloud systems users access. The classic example of how a CASB helps CIOs is by telling them how many gigabytes of company data users upload to unmonitored repositories.
CASB solutions also help executives learn which systems users actually use, so they can guide employees to sanctioned alternatives and better control and manage critical data.
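The shadow-IT discovery described above, as an added example that is not code from the original article or from any CASB product: a small report over constructed proxy log lines that maps destination hosts to cloud services, drops sanctioned ones, and ranks the rest by gigabytes uploaded and by who uploaded them. The service catalogue, sanctioned list and log format are assumptions for the demo.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the original page):
# timestamp user method host bytes_out
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice POST sharepoint.example-corp.com 5242880
2024-05-01T09:15:44Z bob POST files.dropbox.com 734003200
2024-05-01T09:20:10Z alice PUT s3.amazonaws.com 104857600
2024-05-01T09:31:27Z carol POST files.dropbox.com 314572800
2024-05-01T09:40:00Z bob GET api.salesforce.com 2048
2024-05-01T10:02:51Z dave POST transfer.example-share.net 1073741824
"""

# Hypothetical sanctioned list and domain-to-service catalogue; a real CASB
# ships with a catalogue of thousands of services and their risk ratings.
SANCTIONED = {"SharePoint Online", "Salesforce"}
SERVICE_BY_DOMAIN = {
    "sharepoint.example-corp.com": "SharePoint Online",
    "api.salesforce.com": "Salesforce",
    "files.dropbox.com": "Dropbox",
    "s3.amazonaws.com": "Amazon S3",
}
UPLOAD_METHODS = {"POST", "PUT"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def discover_uploads(log_text):
    """Aggregate upload bytes and users per unsanctioned cloud service."""
    totals = defaultdict(lambda: {"bytes": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the report
        _, user, method, host, size = m.groups()
        if method not in UPLOAD_METHODS:
            continue  # reads/downloads are not uploads to the cloud
        service = SERVICE_BY_DOMAIN.get(host, f"unknown ({host})")
        if service in SANCTIONED:
            continue
        totals[service]["bytes"] += int(size)
        totals[service]["users"].add(user)
    return dict(totals)

def report(log_text):
    """Rank unsanctioned services by gigabytes uploaded (the CIO view)."""
    rows = [(svc, v["bytes"] / 2**30, sorted(v["users"]))
            for svc, v in discover_uploads(log_text).items()]
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    for svc, gb, users in report(SAMPLE_LOG):
        print(f"{svc:<40} {gb:6.2f} GB  users={','.join(users)}")
```

Unknown hosts are kept in the report on purpose: a service the catalogue does not know is exactly the shadow IT a CASB is meant to surface.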
Compliance
With the EU’s GDPR and new US state privacy and security laws making news, we can expect more data laws and regulations going forward. CASB solutions have some functionality to classify data that passes through the CASB, which can help support compliance programs that govern data.
Many CASB solutions can detect sensitive data, encrypt or tokenize data, and control access to data.
Data Security
CASB solutions are not complete data security systems. They are one piece of the puzzle, designed to complement the other data security solutions in your portfolio. CASB solutions don’t actually touch data at rest; they inspect data in flight as it travels through the CASB software. A CASB can intercept sensitive data in transit or prevent access to certain websites. This does help data security, but it has drawbacks. For example, the CASB could encrypt data on its way to a database. If you expect the database to have a readable name field and it now contains encrypted data, that’s a problem.
CASB solutions are missing key parts of a data security system, such as permissions management, data remediation, and stale data discovery. And as we said, a CASB classifies data in flight, so it might not catch all of the sensitive data.
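The in-flight encryption drawback just described, as an added example that is not code from the original article or from any CASB vendor: a toy inline proxy tokenizes an SSN-shaped field before the request reaches the provider, after which provider-side logic written for readable data stops matching, and the fix is to make that logic token-aware. The field names, the sample request, the tokenization scheme and the key are constructed for the demo.

```python
import hashlib
import hmac
import json
import re

# Hypothetical tokenization key; a real CASB keeps this in its own key store (or BYOK).
TOKEN_KEY = b"constructed-demo-key-not-for-production"
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def tokenize(value):
    """Toy deterministic token: HMAC tag plus the last four digits. Stands in for
    the CASB's real encryption/tokenization; the provider never sees the raw value."""
    tag = hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()[:8]
    return f"TOK-{tag}-{value[-4:]}"

def casb_forward_proxy(request_json, protected_fields):
    """Inline CASB behaviour: inspect the body in flight and tokenize sensitive
    values in the listed fields before forwarding. Returns (body, fields_changed)."""
    body = json.loads(request_json)
    changed = []
    for field in protected_fields:
        value = body.get(field)
        if isinstance(value, str) and SSN_RE.search(value):
            body[field] = SSN_RE.sub(lambda m: tokenize(m.group()), value)
            changed.append(field)
    return body, changed

def saas_lookup_raw(stored, ssn):
    """Provider-side logic written for readable data: it breaks once the CASB
    has rewritten the field, which is the drawback described above."""
    return stored["ssn"] == ssn

def saas_lookup_token_aware(stored, ssn):
    """The fix: run the query value through the same tokenizer so the
    comparison happens token-to-token."""
    return stored["ssn"] == tokenize(ssn)

# Constructed sample request body (not from the original page).
SAMPLE_REQUEST = json.dumps(
    {"name": "Jane Doe", "ssn": "123-45-6789", "notes": "call back Tuesday"})

if __name__ == "__main__":
    stored, changed = casb_forward_proxy(SAMPLE_REQUEST, ["name", "ssn", "notes"])
    print("tokenized fields:", changed)
    print("stored at provider:", stored)
    print("raw lookup:", saas_lookup_raw(stored, "123-45-6789"))
    print("token-aware lookup:", saas_lookup_token_aware(stored, "123-45-6789"))
```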
Threat Protection
CASBs have User and Entity Behavior Analytics (UEBA) capabilities to detect insider threats and compromised accounts. CASBs scan the network data that passes through them to identify potential threats or attempts to exfiltrate data from your Cloud solutions.
Why Do I Need a CASB Solution?
If you use Cloud services (SaaS or storage especially), consider adding a CASB solution to your cybersecurity strategy. With the right CASB, you can add specific security controls and protect your data as it moves between your network and your cloud-based service providers. However, their use cases are limited and the expense might not outweigh the benefits. Also, compare the CASB benefits to the security controls that the Cloud services themselves provide. They might overlap enough that you could cover the rest with Varonis for Office 365, for example.
Q: Are cloud access security broker solutions vital to security?
A: CASB solutions are an important value-add to existing security systems when you use Cloud services. However, CASB shouldn’t be your first cybersecurity spend. If you have solutions for data security, endpoint, perimeter security, network security, and threat detection and response already in place, then augment what you have with a CASB.
Q: What are CASBs used for in security?
A: CASB solutions have several different capabilities to help protect your cloud data. Here are several from Gartner’s paper “How to Secure Cloud Applications Using Cloud Access Security Brokers.”
- Cloud application discovery and risk rating
- Adaptive access control
- Data loss prevention
- User and entity behavior analytics
- Threat protection
- Client-facing encryption (including integration with digital rights management)
- Pre-cloud encryption and tokenization
- Bring your own key (BYOK) encryption key management
- Monitoring and log management
- Cloud security posture management
Q: How do security teams benefit from CASBs?
A: Security teams see several advantages when they use CASB.
CASB allows security teams to:
- Determine risk of unapproved cloud solutions
- Increase security of approved cloud applications with APIs that support data loss prevention (DLP), UEBA, and adaptive access control (AAC)
- Monitor usage and adoption of approved cloud services
- Control access to cloud services from both managed and unmanaged devices
- Gain visibility into compliance risk
- Add threat detection capabilities to your cloud services
Selecting the Best CASB Solution
Here are some things to think about when you select your CASB:
- Start your CASB implementation with the most important cloud application in your portfolio. Find a CASB that provides API level support for that cloud application.
- Decide if you want to integrate your CASB with your existing IAS or SSO systems, and select a CASB that supports those integrations.
- Determine which CASB modes (forward proxy, reverse proxy, or both) you need for your cloud applications.
- And of course, balance the cost of the CASB versus the benefit to your security profile.
Checklist: Questions to Ask Cloud Access Security Brokers
- How does this CASB discover cloud services?
- Where are the CASB logs stored?
- Does this CASB do sensitive data discovery? How?
- How does this CASB determine risk scores?
- What cloud services does this CASB monitor out-of-the-box?
- How does this CASB monitor new cloud services?
- Does this CASB share analytics with other systems (e.g., a SIEM)?
CASB Vendors and Resources
Here are the top CASB vendors from Gartner with a highlight of their strengths.
- Bitglass CASB – Several deployment options and strong AAC and DLP functionality
- McAfee MVISION – dynamic peer group profiling to detect user behavior anomalies
- Microsoft Cloud App Security – native integrations with Azure AD, Azure Information Protection, and Microsoft Intune
- Netskope CASB – strong multimode deployment with endpoint software to protect roaming users
- Symantec CloudSOC Cloud Access Security Broker (CASB) – strong DLP software across the Symantec infrastructure
CASB Vendors and Varonis
Varonis and CASB play well together, but there are no specific product tie-ins or integrations. Varonis will protect your unstructured data on-prem and in the cloud by classifying sensitive data, highlighting and fixing permissions issues, and monitoring user activity to alert on abnormal user behavior patterns.
Varonis monitors and protects the data that lives on your cloud systems, including SharePoint Online, OneDrive, and Azure AD. Your CASB works with the data that flows through the CASB system on its way between users and Cloud services. Varonis monitors the data itself, and detects behaviors on those Cloud systems to uncover malicious insiders and cyberattacks.
CASB solutions are good at detecting, preventing, and enforcing access to SaaS websites, but they aren’t as strong at data protection, threat detection, and analysis as Varonis.
Want to see how Varonis is different from other security solutions? Check out the Live Cyber Attack Workshop and see for yourself.
Jeff has been working on computers since his Dad brought home an IBM PC 8086 with dual disk drives. Researching and writing about data security is his dream job.