CASB is short for Cloud Access Security Broker, which is an on-premises—or cloud-based—software solution that allows organizations to enforce security policies on cloud services. CASBs typically sit between the end user and the cloud service provider. Cloud services fall into one of three major categories:
Software as a Service (SaaS)
SaaS providers deliver software or applications via the cloud, as opposed to a single data center. Examples of SaaS solutions include Salesforce, Office 365, Box, and DropBox.
Platform as a Service (PaaS)
PaaS is a cloud platform that allows developers to build applications without having to manage the underlying architecture. Examples of PaaS solutions include AWS Elastic Beanstalk or Google Cloud App Engine.
Infrastructure as a Service (IaaS)
IaaS is a cloud-based platform that provides virtualized computing resources, such as compute power, networking, and storage. Examples of IaaS solutions include AWS EC2, Microsoft Azure, or Google Compute Engine.
No matter the types of cloud services being consumed, traditional data center security controls do not extend into the cloud. CASB solutions are a way for organizations to enforce their security and compliance polices on the cloud services their end users are consuming.
Although the CASB marketspace is still fairly young, there are plenty of solutions. No matter which one you choose, it should offer what Gartner refers to as the four pillars of a CASB: visibility, data security, threat protection, and compliance.
CASB solutions should provide a way for an organization to identify what cloud services are being consumed on their networks. This can help with monitoring the usage of sanctioned cloud services—as well as identify Shadow IT in the environment. Shadow IT is the use of technology that is not officially approved or managed by an organization. More mature CASB solutions provide risk posture assessments of cloud services. These assessments can help with deciding if a particular cloud service should be sanctioned for use.
CASB solutions can enforce data security policies on cloud services to govern how data is stored, classified, or shared. CASB policies can force encryption of data (depending on how it’s classified), generate alerts based on certain activities (such as sharing data with a third party), and discover sensitive information being stored in the cloud. Most CASB solutions can provide data loss prevention capabilities and integrate with digital rights management solutions.
CASBs can protect cloud services by restricting access based on user, device, and application version. Some solutions can perform behavior analysis to identify risky users or compromised accounts and identify / remediate malware.
When services are moved to the cloud, organizations still have to meet the same compliance requirements as their traditional IT infrastructure. CASBs can help meet compliance by enforcing security policies and providing evidence of enforcement.
There is no silver bullet when it comes to choosing a CASB solution. Every vendor has its own strengths and weaknesses. For example, one CASB solution may have a tighter integration with Office 365, while another is better suited for managing Google’s G Suite. It is important to understand your cloud service use cases when selecting a solution. If you are interested in further discussing CASB solutions, reach out to a Connection Account Manager or visit IT Solutions and Services.