The proliferation of cloud computing has heightened the need for organizations to monitor and manage the safe use of cloud services. Cloud access security brokers, or CASBs, provide the necessary security features to protect cloud-based resources as they’re accessed while also detecting threats and controlling data that flows through the cloud.
What Are the 4 Pillars of Cloud Access Security Brokers (CASBs)?
A cloud access security broker is either on-premises or cloud-hosted software strategically placed between service consumers and cloud service providers. Its primary role is to enforce security policies with features like malware detection, encryption, authentication, credential mapping, tokenization, and regulatory compliance.
In essence, a CASB is an added layer of security that acts like a firewall. It also enables organizations to extend the reach of their security controls beyond network boundaries. This empowers CISOs and CIOs to protect mission-critical enterprise data, such as intellectual property (IP) and personally identifiable information (PII), and to comply with payment card industry (PCI) standards.
To accomplish this, a CASB is based on foundational building blocks, such as the following:
1. Data Security
With its on-demand computing, the cloud has boosted data movement and collaboration at a distance. However, this seamless interaction with data has made it more vulnerable, especially when it leaves the network perimeter. This widened attack surface comes at a considerable cost to businesses that must protect sensitive data such as customer information, intellectual property, and trade secrets.
To strengthen data security, a CASB is equipped with sophisticated tools to minimize the risk of costly leaks. These typically encompass a range of data protection and monitoring tools, including cloud data loss prevention (DLP) mechanisms, to protect sensitive data and battle shadow IT.
Other tools in the CASB arsenal to prevent data leaks include encryption mechanisms, information rights management, authentication and authorization, access control, and tokenization.
2. Visibility
Visibility is paramount if organizations are going to identify and protect sensitive data, whether it’s at rest or in motion. The visibility challenge that enterprises typically struggle with is having too many employees across multiple cloud environments juggling data at various endpoints.
Having a CASB enables organizations to discover all their data in use, pinpoint shadow IT, scope redundancies, evaluate license costs, and provide reports on cloud expenditures.
As a result, CASB capabilities can equip organizations with visibility to observe how sensitive data travels, whether in the cloud, to and from the cloud, or from cloud-to-cloud environments.
3. Compliance
Data's importance and mass migration to the cloud have underscored the need for robust personal privacy protections. With the raft of regulatory laws passed in recent years around securing PII, enterprises are increasingly facing complex security enforcement demands.
Aside from regulations with an international scope like the General Data Protection Regulation (GDPR), enterprises in different business verticals need to monitor their compliance with laws governing their respective industry.
Fortunately, CASBs are equipped for such versatility, ensuring that healthcare providers can comply with the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Health Insurance Portability and Accountability Act (HIPAA); that financial service organizations are in line with the Federal Financial Institutions Examination Council (FFIEC) and the Financial Industry Regulatory Authority (FINRA); and that retailers are aligned with Payment Card Industry Data Security Standard (PCI DSS) compliance.
Traditional security systems are usually insufficient to monitor enforcement between users and cloud-based systems, especially across multiple locations and devices. Having a CASB in place helps facilitate cloud governance and risk assessment by providing security teams with the appropriate guidance on resolving multiple risk areas.
4. Threat Protection
Given how fast data passes through cloud-based services, organizations have to identify and isolate threats proactively. Fortunately, today’s CASBs are equipped with cutting-edge technology that enables them to evolve continuously in their ability to detect anomalous behavior.
Powered by intelligent automation tools and AI in the form of machine learning, CASBs can help thwart zero-day threats, ransomware, and advanced persistent threats. They can also integrate the principle of least privilege (POLP) controls to prevent attackers who have breached the network from moving laterally to access sensitive data.
How Does a CASB Work?
The main goal of a CASB is to secure data flowing through an organization’s IT infrastructure, both on public cloud vendors' platforms and in on-premises environments.
To achieve this, CASBs primarily use a three-part process:
Discovery
As the name implies, discovery seeks to automatically unearth and pinpoint all cloud applications, especially third-party services. CASBs can identify apps and the employees affiliated with them.
Classification
CASBs use data classification to identify and prioritize data, evaluate each cloud application, and determine its security risk levels. Classification also facilitates the understanding of how an application is used, the kind of data it consumes, and how it is shared within the app.
Remediation
CASBs don’t stop at identifying threats; they can also mitigate vulnerabilities after they discover the risk levels encountered in cloud services. Consequently, CASBs can leverage this information to create tailored policies to address the organization’s security requirements. They can take action automatically to fix any security violations according to policy.
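The three steps above, sketched as an added example (not code from the original page or from any CASB product): it discovers cloud hosts in constructed egress proxy log lines, classifies each one, and maps the risk level to an allow, limit or block action. The log format, host names, sanctioned list and upload threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log (assumed format): user, HTTP method, URL, bytes sent.
SAMPLE_LOG = """\
alice POST https://files.sanctioned-storage.example/upload 52000
bob POST https://paste.unknown-share.example/api/new 9800000
bob GET https://paste.unknown-share.example/ 300
carol GET https://crm.sanctioned-crm.example/accounts 1200
dave POST https://notes.personal-notes.example/sync 40000
"""

# Hypothetical policy inputs: apps approved by IT, and an upload volume limit.
SANCTIONED = {"files.sanctioned-storage.example", "crm.sanctioned-crm.example"}
UPLOAD_LIMIT = 1_000_000  # bytes uploaded to an unsanctioned app before it is high risk
POLICY = {"low": "allow", "medium": "limit", "high": "block"}


def discover(log_text):
    """Discovery: map each cloud host to the users seen and bytes uploaded."""
    apps = defaultdict(lambda: {"users": set(), "uploaded": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines instead of failing the whole run
        user, method, url, sent = parts
        host = urlsplit(url).hostname
        if host is None:
            continue  # not an absolute URL, so there is no host to attribute
        apps[host]["users"].add(user)
        if method in ("POST", "PUT"):
            apps[host]["uploaded"] += int(sent)
    return dict(apps)


def classify(host, info):
    """Classification: sanctioned apps are low risk; others scale with upload volume."""
    if host in SANCTIONED:
        return "low"
    return "high" if info["uploaded"] > UPLOAD_LIMIT else "medium"


def remediate(log_text):
    """Remediation: attach the policy action to every discovered app."""
    report = {}
    for host, info in discover(log_text).items():
        risk = classify(host, info)
        report[host] = {"risk": risk, "action": POLICY[risk],
                        "users": sorted(info["users"])}
    return report
```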
The Main Use Cases of CASBs
While CASBs provide many security benefits, their main use case is safeguarding proprietary data, such as trade secrets and intellectual property, in third-party, external-facing media, like public cloud environments.
CASBs also fill gaps in capability left by traditional firewalls and secure web gateways (SWGs). Here are the common use cases associated with having a CASB:
- Protect against cybersecurity threats: CASBs employ mechanisms such as continuous monitoring, threat intelligence gathering, and anomaly detection to fight against malware, ransomware, and advanced persistent threats.
- Threat prevention and activity monitoring: By leveraging user and entity behavior analytics, CASBs can establish a baseline of expected behavior and flag any deviation while establishing granular control of cloud usage.
- Boosting risk visibility: CASBs can identify high-risk vulnerabilities and accurately assess risk contextually, subsequently setting appropriate mitigation policies.
- Shadow IT assessment and management: CASBs offer much-needed insight into sanctioned and unsanctioned applications. Having visibility into cloud services can help uncover rogue applications while delivering a comprehensive picture of your risk profile and any security measures in place.
- Sandboxing: A CASB runs code in an isolated environment to preempt and mitigate threats, vulnerabilities, and system failures. This cybersecurity practice enables it to determine whether the code is malicious before allowing fuller access to the system.
- Data loss prevention: CASBs can prevent data leakage and unauthorized access to sensitive data, such as proprietary information, financial and health data, and Social Security and credit card numbers. This involves using robust user verification to control cloud-native resources, especially during collaboration and sharing, while blocking the downloads of shared documents.
- Maintaining regulatory compliance: With tools like encryption, key management, and DLP, CASBs can provide sufficient protection to handle problems related to local laws and data residency—the physical or geographic location of an organization's data or information. This can help your organization meet regulatory requirements and safeguard data throughout its lifecycle.
- Configuration auditing: Improper cloud configurations can create systemic risks for organizations. Unfortunately, most cybersecurity misconfigurations are self-inflicted. A recent Gartner report pointed out that 99% of cloud security failures are due to the customer. Configuration auditing with a CASB allows you to spot cloud misconfigurations, default passwords, and easily compromised settings.
- Adaptive access control: CASBs provide flexible and contextual cloud-based access control, whether to enforce location-based or endpoint policies.
- Prevention of Data Leaks: By controlling who accesses what resources and when, CASBs can help prevent the accidental or malicious leakage of sensitive data, such as Personally Identifiable Information (PII) or intellectual property.
- Risk Assessment: CASBs can conduct real-time risk assessments on cloud applications to enable informed decision-making on whether to block, limit, or allow full access to an application.
- Integration: They can integrate with other existing security solutions such as Secure Web Gateways (SWGs), Next-Generation Firewalls (NGFWs), and Data Loss Prevention (DLP) solutions, thereby strengthening the overall security framework.
- Identity verification: CASBs use identity and access management (IAM) procedures to ensure only legitimate users with authorized access are allowed to use an organization’s cloud-based resources.
- URL filtering: A CASB enables organizations to restrict what content their users can access by blocking sites compromised by attackers for malware, phishing, and other malicious purposes.
- Data packet inspection: As a prelude to URL filtering, a CASB inspects the packets entering and leaving the network to keep malicious data out of it.
Ten CASB Product Capability Questions You Need to Ask
CASB plays a critical role in an organization's cloud security setup, providing visibility, control, and protection for data no matter where it resides and enhancing the overall security posture.
When evaluating CASB vendors, these are the ten crucial product capability questions that should be asked:
- Does the CASB support out-of-band and in-line modes of operation?
- Can the CASB enforce granular-level policies on managed and unmanaged cloud applications?
- Does the CASB understand and have control over data-at-rest as well as data-in-transit?
- Can the CASB provide measures for data encryption, tokenization, and redaction for all cloud applications?
- Does the CASB detect and prevent threats and malware on cloud applications?
- How does the CASB identify and remediate compromised accounts?
- How does the CASB monitor cloud services usage - is there comprehensive visibility into user and application behavior?
- Can the CASB enforce data protection policies on, in, and en route to cloud services?
- Can the CASB integrate with your existing infrastructure, such as secure Web gateways, firewalls, SIEM, data loss prevention tools, etc.?
- Can the CASB ensure compliance with standards like GDPR, HIPAA, and others by identifying and reporting on relevant data in the cloud? Can it prove the implementation of controls via audit trails?
How Can Fortra's Digital Guardian Help Me with a CASB?
Fortra has extensive expertise working with CASBs to protect sensitive data. Digital Guardian's Secure Service Edge (SSE) enhances the security coverage of Digital Guardian from endpoint to cloud. Our solution integrates CASB technology to deliver visibility and control from endpoint to cloud, providing cloud discovery and cloud data protection via a unified policy engine.