Before the cloud existed, all of an organization’s data resided inside the enterprise perimeter, which was relatively easy and straightforward to secure. With the cloud, that data has moved beyond the four walls of the enterprise, making it significantly harder to secure.
As we all know, security in the cloud is a shared responsibility between the service provider and the customer. Even though cloud vendors provide a strong level of security for the applications hosted on their platforms, the customer will always have limited visibility into the users accessing those apps, especially from outside the organizational network or from personal devices.
This lack of visibility brings greater challenges and security risks to organizations, especially at a time of increasing ransomware attacks like WannaCry. As Shadow IT and consumerization change the enterprise IT world, cloud security needs to be re-examined.
Gartner sees the CASB (Cloud Access Security Broker) as a path forward to increasing visibility and policy control in an efficient way, addressing the cloud security conundrum.
Gartner defines Cloud access security brokers (CASBs) as
“on premise or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.”
A CASB can be deployed in three ways:
- On-premise gateway or reverse proxy model
- Host-based agent or forward proxy
- API-based, cloud-centric SaaS solution
Reverse Proxy
The reverse proxy model is the most common way to deploy a CASB. In this mode, the CASB is the first point of authentication, taking the place of the identity and access management (IAM) service: the CASB owns the cloud service URL, authenticates the request there, and then passes it on to the IAM provider for the next level of authentication. This is the easier way to put a CASB in front of cloud end users, since it needs no special configuration or certificate installation on their devices.
Forward Proxy
In the forward proxy model, the CASB can be deployed in the cloud or on premise, and users must install self-signed certificates on the devices from which they access the proxy. This is considered a more intrusive deployment method, as end users are forced to route their traffic to the CASB from their devices or network.
API Model
In the API model, the CASB connects directly to the cloud service’s APIs to monitor usage regardless of how and where the cloud service is accessed. This also covers tracking usage from outside the organizational network and from unmanaged devices.
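To make the proxy deployment modes concrete, here is an added example (not code from the original post or from any CASB vendor) of the policy-enforcement logic that sits at the chokepoint in either proxy mode. It assumes a constructed set of sanctioned apps, IdP sessions and managed devices, and walks a request through the same steps described above: authenticate first, then profile the device, then check whether the app is sanctioned, then run a DLP scan on uploads and allow, tokenize, block or quarantine, writing an audit event for each decision. The card-number pattern and the token format are hypothetical simplifications.

```python
"""Minimal inline CASB policy-enforcement point (added, hypothetical example)."""
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import re

# Constructed tenant data: assumptions for this example, not a real configuration.
SANCTIONED_APPS = {"crm.example-saas.com": "CRM", "files.example-saas.com": "FileShare"}
IDP_SESSIONS = {"sess-alice": "alice@corp.example", "sess-bob": "bob@corp.example"}
MANAGED_DEVICES = {"dev-laptop-001", "dev-laptop-002"}
# Simplified DLP pattern: a 16-digit card-like number in four groups.
CARD_RE = re.compile(r"\b\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b")


@dataclass
class Request:
    session: Optional[str]     # session cookie issued after the IdP step
    device_id: Optional[str]   # device identifier reported by the agent/proxy
    host: str                  # cloud service host the user is reaching
    method: str
    body: str = ""


@dataclass
class Decision:
    action: str                # allow | block | quarantine
    reason: str
    body: str = ""             # body forwarded to the cloud service (may be tokenized)
    audit: dict = field(default_factory=dict)


def tokenize_card(m: "re.Match") -> str:
    """Replace a card-like number with a non-reversible token, keeping the last four digits."""
    digits = re.sub(r"\D", "", m.group(0))
    tok = hashlib.sha256(digits.encode()).hexdigest()[:12].upper()
    return f"TOK-{tok}-{digits[-4:]}"


def enforce(req: Request) -> Decision:
    """Apply the CASB policy chain to one request and return the decision plus audit event."""
    audit = {"host": req.host, "method": req.method, "device": req.device_id}

    # 1. Authentication: the CASB is the first authentication point; the session
    #    lookup stands in for the hand-off to the identity provider.
    user = IDP_SESSIONS.get(req.session or "")
    if user is None:
        return Decision("block", "unauthenticated", audit={**audit, "user": None})
    audit["user"] = user

    # 2. Device profiling: unmanaged devices may read but not upload.
    managed = req.device_id in MANAGED_DEVICES
    audit["managed_device"] = managed

    # 3. Shadow IT control: only sanctioned apps pass through the proxy.
    app = SANCTIONED_APPS.get(req.host)
    if app is None:
        return Decision("block", "unsanctioned_app", audit=audit)
    audit["app"] = app
    is_upload = req.method in {"POST", "PUT"}
    if is_upload and not managed:
        return Decision("block", "upload_from_unmanaged_device", audit=audit)

    # 4. DLP on uploads: tokenize card numbers bound for the sanctioned file share,
    #    quarantine them anywhere else so an analyst can inspect the transaction.
    if is_upload and CARD_RE.search(req.body):
        if app == "FileShare":
            body = CARD_RE.sub(tokenize_card, req.body)
            return Decision("allow", "dlp_tokenized", body=body, audit={**audit, "dlp": "tokenized"})
        return Decision("quarantine", "dlp_card_number", audit={**audit, "dlp": "quarantined"})

    return Decision("allow", "policy_ok", body=req.body, audit=audit)


if __name__ == "__main__":
    demo = [
        Request(None, "dev-laptop-001", "crm.example-saas.com", "GET"),
        Request("sess-alice", "dev-laptop-001", "pastebin.example.net", "POST", "notes"),
        Request("sess-bob", "byod-phone", "crm.example-saas.com", "POST", "hello"),
        Request("sess-alice", "dev-laptop-001", "files.example-saas.com", "PUT", "card 4111 1111 1111 1111 end"),
        Request("sess-alice", "dev-laptop-001", "crm.example-saas.com", "POST", "4111-1111-1111-1111"),
    ]
    for r in demo:
        d = enforce(r)
        print(d.action, d.reason, d.audit)
```

The order of the checks matters in practice: authentication and device profiling run before any content inspection so the proxy never spends DLP effort on traffic it would reject anyway, and every branch emits an audit record so the logging and alerting functions in Gartner's definition have something to consume.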
A CASB provides visibility into shadow (stealth) IT and closely tracks the activities and transactions happening in the cloud environment. It also extends coverage to communications between cloud applications that take place outside the organizational network. CASBs can respond to incidents immediately by alerting on or quarantining any anomalies found while handling cloud data. The CASB proxies act as the single point of entry for cloud data, so malicious traffic can be funneled through them and held for further inspection. A CASB takes care of data protection, compliance checking, provisioning of security controls and actionable threat intelligence sharing in the cloud environment. Many top CASB vendors plan to take CASB capabilities to the next level by integrating supervised and unsupervised machine learning into their offerings to provide advanced threat detection and risk mitigation.
There are four key pillars of CASB:
- Visibility: the CASB provides clear visibility into an organization’s cloud environment, covering users, devices, applications, data and actions. It gives insight into Shadow IT, and information on the authorized and unauthorized apps users are accessing and how often they use them.
- Compliance: the CASB helps ensure internal as well as external security compliance in the cloud, including HIPAA, PCI and so on.
- Data Security: the CASB helps implement appropriate data protection measures, including encryption, tokenization and data loss prevention, with the enterprise retaining control of the keys needed to access the data.
- Threat Protection: the CASB provides adaptive security controls that prevent unwanted devices, unauthorized users and applications from accessing cloud services. The CASB also covers User Behavior Analytics (UBA) and Entity Behavior Analytics (EBA) for detecting anomalies, identifying malware and building threat intelligence.
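The Visibility and Threat Protection pillars are the easiest to show in code. The following is an added example, not code from the original post or from any CASB product, that runs over a handful of constructed proxy log lines in a generic key=value format (no real vendor format is implied): it discovers unsanctioned cloud apps and who uses them (Shadow IT), and applies a simple user-behavior check that flags any user whose upload volume is far above the median across users. The sanctioned-app list, log format and the factor of 10 are all assumptions.

```python
"""Shadow IT discovery and a simple UBA check over proxy logs (added, hypothetical example)."""
import re
from collections import defaultdict
from statistics import median

# Constructed sample log lines (not from a real deployment).
SAMPLE_LOG = """\
2017-06-01T09:12:03Z user=alice host=crm.example-saas.com method=GET bytes_out=512
2017-06-01T09:13:10Z user=alice host=files.example-saas.com method=PUT bytes_out=20480
2017-06-01T09:15:44Z user=bob host=pastebin.example.net method=POST bytes_out=4096
2017-06-01T09:16:02Z user=carol host=crm.example-saas.com method=GET bytes_out=640
2017-06-01T09:20:30Z user=bob host=freeshare.example.org method=PUT bytes_out=52428800
2017-06-01T09:21:11Z user=carol host=files.example-saas.com method=PUT bytes_out=10240
2017-06-01T09:25:59Z user=bob host=pastebin.example.net method=POST bytes_out=2048
"""

# Assumed list of apps the organization has sanctioned.
SANCTIONED = {"crm.example-saas.com", "files.example-saas.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"method=(?P<method>\S+) bytes_out=(?P<bytes_out>\d+)$"
)


def parse_log(text: str) -> list:
    """Parse key=value log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["bytes_out"] = int(ev["bytes_out"])
            events.append(ev)
    return events


def discover_shadow_it(events: list, sanctioned: set) -> dict:
    """Summarize traffic to hosts outside the sanctioned list: who, how often, how much."""
    report = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    for ev in events:
        if ev["host"] not in sanctioned:
            entry = report[ev["host"]]
            entry["users"].add(ev["user"])
            entry["requests"] += 1
            entry["bytes_out"] += ev["bytes_out"]
    return dict(report)


def upload_anomalies(events: list, factor: int = 10) -> dict:
    """Flag users whose total upload bytes exceed `factor` times the median across all users.

    The median is used as the baseline so that a single heavy uploader does not
    drag the baseline up and hide themselves; `factor` is an assumed tuning knob.
    """
    totals = defaultdict(int)
    for ev in events:
        if ev["method"] in ("POST", "PUT"):
            totals[ev["user"]] += ev["bytes_out"]
    if not totals:
        return {}
    baseline = median(totals.values())
    return {user: total for user, total in totals.items() if total > factor * baseline}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for host, info in discover_shadow_it(evs, SANCTIONED).items():
        print(f"unsanctioned {host}: users={sorted(info['users'])} "
              f"requests={info['requests']} bytes_out={info['bytes_out']}")
    for user, total in upload_anomalies(evs).items():
        print(f"anomalous upload volume: {user} sent {total} bytes")
```

On the sample data the discovery step surfaces two unsanctioned hosts used by one user, and the behavior check singles out that same user because one 50 MB upload dwarfs everyone else's activity; in a real deployment the baseline would be built per user over a trailing window rather than across users in a single batch.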
Author Bio: Joe Goldberg is the Senior Cloud Program manager at CCSI. Over the past 15+ years, Joe has helped companies to design, build out, and optimize their network and data center infrastructure. As a result of his efforts, major gains in ROI have been realized through virtualization, WAN implementation, core network redesigns, and the adoption of cloud services. Joe is also ITIL certified.