CASB, Cloud Access Security Broker Defined
Coined by Gartner in 2012, CASBs or Cloud Access Security Brokers "...are on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASB solutions consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on."
How does a CASB work?
A cloud access security broker (CASB) works by securing data flowing to and from in-house IT architectures and cloud vendor environments using an organization's security policies. CASBs protect enterprise systems against cyberattacks through malware prevention and provide data security through encryption, making data streams unreadable to outside parties.
The CASB Use Case
CASBs were created with one thing in mind: protecting proprietary data stored in external, third-party media. CASBs deliver capabilities not generally available in traditional controls such as secure web gateways (SWGs) and enterprise firewalls. CASBs provide policy and governance concurrently across multiple cloud services and provide granular visibility into and control over user activities.
The Pillars of a CASB
Cloud apps unknown to IT result in information assets that are uncontrolled and outside the governance, risk, and compliance processes of the enterprise. Enterprises require visibility into cloud app account usage, including who uses which cloud apps, their departments, locations, and devices used.
Data loss prevention (DLP) tools are designed to stop enterprise data leaks due to unauthorized sharing but the cloud makes sharing data with the wrong people easier than ever before. If an organization uses cloud file storage, a traditional DLP product will not know what data is shared externally and who is sharing it.
It can be difficult to guard against the malicious intent or negligence of authorized users. To detect suspicious insider behavior, organizations need a comprehensive view of their normal usage patterns. Along the same lines, former employees pose significant risk, as they may have been disabled from the organizational directory, but can still access cloud apps that contain business-critical information. PWC found that security incidents attributable to former employees rose from 27% in 2013 to 30% in 2014.
As data moves to the cloud, organizations will want to ensure they are compliant with regional regulations that ensure data privacy and security. A CASB can help ensure compliance with regulations like SOX and HIPAA as well as help benchmark your security configurations against regulatory requirements like PCI DSS, NIST, CJIS, MAS and ISO 27001.
BYOD, Shadow IT, and Increased Cloud Usage
Phenomena such as BYOD (bring your own device) policies, the growing popularity of SaaS and cloud apps, and the rise of Shadow IT make restricting cloud app access to a defined set of endpoints a difficult task. Managed and unmanaged devices often require different policies to protect corporate data effectively. CASBs help enforce granular access polices as well as identify and categorize cloud apps in your organization.
Your Cloud Access Security Broker Vendor Checklist
|CAPABILITIES||WHAT YOU NEED TO KNOW - CASB VENDOR REQUIREMENTS|
|Cloud app discovery||How does the CASB discover cloud apps?
Does the CASB require log files to be sent outside your organization, i.e., is there an on-premises discovery process?
Is the CASB discovery and risk analysis catalog updated on a regular schedule? Can you search the app catalog to learn more about a given app?
|Risk and data governance||Does the CASB provide insight into the users of an application to better identify high-risk areas?
Does the CASB benchmark application security configurations against regulatory requirements (e.g., PCI DSS, HIPAA, SOX) or best practice standards (e.g., Cloud Security Alliance) to identify security gaps?
Does the CASB identify former employees who still have access to company data?
Can the CASB identify sensitive or regulated data in cloud file sharing services?
|Activity monitoring||Does the CASB monitor activities at the document level (e.g., can it report on Create/Delete/Upload/Download operations for all files and folders)?
Does the CASB monitor activities at the record level, say, for Salesforce, Workday, or Box?
Can new cloud apps be supported easily without changing the product or deployment model?
|Threat prevention||What kind of threats can the CASB detect and how?
How are threats detected for custom-built cloud apps?
Does the CASB profile user behavior in order to detect anomalous usage and suspicious behavior automatically?
|Data security||Can the CASB enforce in-transit DLP policies to prevent data loss?
Can the CASB enforce multi-factor authentication for high-risk activities?
Can custom policies and alerts be created based on any number and combination of criteria (who, what, where, when, how)?
|Activity analytics||Are activity analytics available with multiple levels of aggregation options (e.g., by user location, endpoint type, department)?
Can the CASB correlate login usernames with the user’s corporate directory (e.g., Active Directory) identity?
Can analytics be easily exported to SIEM solutions (e.g., Splunk)?
|Endpoint access control||Can the CASB distinguish between managed and unmanaged mobile and endpoint devices? And enforce unique policies for each?
Does the CASB support third-party MDM solutions?
|Remediation options||What remediation options are supported (e.g., alert, block, multi-factor authentication)?
Does the CASB integrate with NGFWs or other security solutions for applying remediation policies?
|Deployment considerations||Does the CASB support API-based integration with cloud apps?
Does the CASB support proxy-based (i.e., inline) deployments?
Can the CASB be deployed with a single sign-on solution (e.g., Okta, Ping Identity, Centrify, OneLogin, etc.)?
|Delivery infrastructure||How is the CASB infrastructure protected from DDoS attacks?
Does the CASB provide optimization capabilities to minimize latency when deployed inline as a proxy?
Is the CASB delivered from a Tier 1 exchange?
App Discovery—Obtain a global view of all cloud apps
- Discover all cloud apps accessed by employees
- Inventory cloud apps and assess risk posture – for each app and at an organizational level
- Aggregate firewall and proxy logs across the enterprise
- Generate a global view of cloud app usage, including metrics for traffic volume, hours of use, and number of accounts
- Create a baseline view so you can see how many apps have been added over a givenperiod of time
- Drill down into each cloud app to perform detailed risk analyses
Risk Governance—Assess risk contextually and set mitigation policies
- Identify high-risk activities for your business
- Determine who has standard and privileged access to an app
- Identify dormant (i.e., accounts not accessed for several days), orphaned (e.g., ex-employees), and external (e.g., partners) accounts to create appropriate access policies
- Benchmark current app security configurations against regulations or best practice guidelines to pinpoint security and compliance gaps
- Assess and define access policies based on the location of users and/or a cloud service provider’s data centers (i.e., location-based access control)
- Assign tasks to resolve user and application issues
- Leverage a built-in organizational workflow to assign and complete risk mitigation tasks via Forcepoint CASB or through integration with 3rd-party ticketing systems
Audit & Protection—Automatically enforce policies & protect against credential misuse & malicious insiders’ acts
- Monitor and catalog who is accessing cloud apps from managed and unmanaged endpoints
- Track and monitor privileged user access and configuration changes
- Monitor cloud app usage across multiple context-aware categories, including user, location, device, action, data object and department usage
- Ensure real-time detection of anomalous and suspicious behavior
- Implement attack remediation, including strong user verification, block application actions (e.g., block downloads of shared documents) and account access
- Enforce location-based access control (aka “geo-fencing”) policies
- Enforce endpoint access controls for managed and unmanaged devices, whether originating from a browser or a native mobile app
- Monitor and control uploads, downloads, and sharing of sensitive data for over 100 file types
- Inspect files and content in real-time to ensure that PII, PCI, HIPAA and other sensitive information stays protected