The first question most people have when they hear the acronym CASB is, “What the heck is this CASB thing?” According to Gartner, a cloud access security broker (CASB) is an on-premises or cloud-based security policy enforcement point that is placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as cloud-based resources are accessed. The cloud services being brokered fall into the usual three tiers:
- Software-as-a-Service, or SaaS (Salesforce, Google Drive, Office 365)
- Platform-as-a-Service, or PaaS (think Heroku, AWS Lambda, Joyent)
- Infrastructure-as-a-Service, or IaaS (AWS, Microsoft Azure, Google Cloud Platform)
The tradeoff of any ‘as-a-service’ offering is typically convenience, simplicity, and lower capital expense in exchange for potentially higher operational expense and, more importantly for security, reduced visibility and control. Organizations are increasingly turning to CASB vendors to address cloud service risks, enforce security policies, and comply with regulations even when the services involved sit outside their perimeter and beyond their direct control.
Real World Examples
This is all wonderful information, but what are some real world examples of where a CASB can really add to your organization’s visibility into, and security control over, cloud resources?
As useful as the cloud is, it has real shortcomings compared to on-premises systems. Two of the most glaring are awareness and control.
Shortly after employees started adopting SaaS at a breakneck pace, questions started popping up. Most organizations knew SaaS use was occurring, and most next-generation firewalls can tell you which services users are connecting to, but not what users are doing once inside those applications. Personal tasks? Work tasks? Both?
The first need is awareness: what is going on?
- Discovery: What SaaS apps are in use and what are the metrics surrounding their utilization?
- Usage Analysis: What are employees doing with these applications?
- Data Analysis: What kind of data is getting stored? Corporate data? Personal? Both?
- Context: Are they only logging into it and using it from work and work-owned systems, or also from personal systems at home?
- Behavioral/Anomaly Detection: What if an employee uses a SaaS application to steal corporate secrets? How would we know? Are they using a new device for the first time? Sending more data than usual? Sending a lot of emails to their personal account with attachments?
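The behavioral questions in the last bullet are exactly the rules a CASB evaluates over the audit trail it pulls from each SaaS provider. The following is an added example for this article, not code from any CASB product: it normalizes a constructed set of audit events from two apps into one schema and flags a first-seen device, a day of upload volume far outside the user's own baseline, and a share to a personal mailbox domain. The event fields, user names, dates, the list of personal domains and the thresholds are all assumptions chosen for the demo.

```python
"""Behavioral/anomaly detection over SaaS audit events.

Constructed example for this article, not code from any CASB product.
The event schema, user names, dates and thresholds are assumptions for the demo.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Assumed list of consumer mailbox domains that count as "personal".
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def ev(ts, user, app, action, device, nbytes=0, target=None):
    """Build one normalized event; a CASB maps each provider's audit log onto a shape like this."""
    return {"ts": ts, "user": user, "app": app, "action": action,
            "device": device, "bytes": nbytes, "target": target}


# Constructed sample audit trail: four quiet days for alice, then a day where
# she uploads ~20x her usual volume from a never-seen device and shares to Gmail.
EVENTS = [
    ev("2024-03-01T09:12", "alice", "gdrive", "upload", "lt-alice-01", 2_000_000),
    ev("2024-03-01T10:40", "alice", "gdrive", "share", "lt-alice-01", target="bob@corp.example"),
    ev("2024-03-02T09:05", "alice", "gdrive", "upload", "lt-alice-01", 3_000_000),
    ev("2024-03-03T11:30", "alice", "onedrive", "upload", "lt-alice-01", 2_500_000),
    ev("2024-03-04T08:50", "alice", "gdrive", "upload", "lt-alice-01", 2_000_000),
    ev("2024-03-05T22:17", "alice", "gdrive", "upload", "android-unknown", 40_000_000),
    ev("2024-03-05T22:31", "alice", "gdrive", "share", "android-unknown", target="alice.home@gmail.com"),
    ev("2024-03-01T14:00", "bob", "onedrive", "upload", "lt-bob-01", 1_000_000),
    ev("2024-03-02T15:20", "bob", "onedrive", "share", "lt-bob-01", target="carol@corp.example"),
]


def detect_anomalies(events, min_baseline_days=3, z=3.0):
    """Return (user, rule, when, detail) tuples for the three behaviors the article lists."""
    alerts = []
    known_devices = defaultdict(set)
    daily_upload = defaultdict(lambda: defaultdict(int))  # user -> day -> bytes

    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        user, day = e["user"], e["ts"][:10]

        # Rule 1: first use of a device by a user who already has a known device.
        # The very first device is treated as enrollment, so bob's laptop does not alert.
        if e["device"] not in known_devices[user]:
            if known_devices[user]:
                alerts.append((user, "new_device", e["ts"], e["device"]))
            known_devices[user].add(e["device"])

        # Rule 2 (data collection): total upload bytes per user per day, across apps.
        if e["action"] == "upload":
            daily_upload[user][day] += e["bytes"]

        # Rule 3: sharing or emailing corporate content to a personal mailbox domain.
        if e["action"] in ("share", "email") and e["target"]:
            domain = e["target"].rsplit("@", 1)[-1].lower()
            if domain in PERSONAL_DOMAINS:
                alerts.append((user, "external_personal_share", e["ts"], e["target"]))

    # Rule 2 (evaluation): a day's volume far above the user's own earlier days.
    # The baseline is per user, never a global number, and needs a few days of history.
    for user, per_day in daily_upload.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_baseline_days:
                continue
            # z-score threshold with a 2x-mean floor, so a nearly constant baseline
            # (tiny standard deviation) does not alert on trivial fluctuation.
            threshold = max(mean(history) + z * pstdev(history), 2 * mean(history))
            if per_day[day] > threshold:
                alerts.append((user, "upload_volume", day, per_day[day]))
    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(EVENTS):
        print(a)
```

Run as-is, it prints three alerts, all for alice on 2024-03-05, and none for bob. The two design choices worth copying are that the volume baseline is built from the user's own history (a 40 MB day is an anomaly for alice but might be normal for a video editor) and that the first device a user is ever seen on is treated as enrollment rather than an alert, which keeps day one of deployment from paging everyone.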
IT departments initially responded to shadow IT with the blunt tool of blocking services at the firewall. Unfortunately, services like Dropbox and OneNote have legitimate uses and can significantly increase productivity, so business pressure forced IT to allow them. That left IT searching for something that could bridge the gap and ensure these tools were used for the corporate good rather than to leak information.
CASB emerged in response to this need, giving companies much deeper visibility into cloud use. IT now has visibility into usage patterns and anomalies, and beyond visibility, it can control individual SaaS features and actions (permitting a file to be viewed but not downloaded, or blocking sharing outside the company domain, for example).
Data Loss Prevention (DLP)
Now that there is visibility and a mechanism to control cloud and SaaS utilization, the next necessity is to ensure critical data is not leaking out of the organization’s systems, both cloud and on-premises. Data Loss Prevention (DLP) is a critical component of any CASB offering. Without the ability to monitor, identify, and categorize data going into the cloud, we cannot determine the risk of that data being transferred. In other words, we need to know whether a document being uploaded contains cat pictures or private employee data, like social security numbers and salary information. One practical caveat: a CASB that reads content out of band through the provider’s API can find and remediate sensitive files after they land, while only an inline (proxy) deployment can block an upload before it completes, so the deployment mode determines which DLP actions are actually available to you.
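The “cat pictures or social security numbers” decision is a content classification step followed by a policy decision. The following is an added example written for this article, not code from any CASB or DLP product: it finds structurally valid US SSNs (the SSA rules about unissued area, group and serial values are real and cut the obvious false positives), labels a document, and applies one policy that blocks SSN-bearing content from being shared outside the company no matter which app it came from. The sample documents, label names, the `corp.example` domain and the three policy outcomes are assumptions for the demo.

```python
"""Content inspection for a CASB DLP policy: does a document being uploaded
contain US Social Security numbers or compensation data, and what should the
broker do with it?

Constructed example written for this article, not code from any CASB or DLP
product. The SSA structural rules are real; the documents, label names,
domain and policy outcomes are assumptions for the demo.
"""
import re

CORP_DOMAIN = "corp.example"  # assumed corporate mail domain

# Delimited AAA-GG-SSSS form only: a bare 9-digit run is far more often an order
# or phone number than an SSN, so it is deliberately not matched.
SSN_RE = re.compile(r"(?<![\w-])(\d{3})[- ](\d{2})[- ](\d{4})(?![\w-])")
COMP_RE = re.compile(r"\b(salary|compensation|annual pay)\b", re.IGNORECASE)


def is_structurally_valid_ssn(area, group, serial):
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)


def find_ssns(text):
    """Return the structurally valid SSNs in text (a pattern hit alone is not enough)."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_structurally_valid_ssn(*m.groups())]


def classify(text):
    """Attach data labels to a document; this is the 'cat pictures vs. payroll' decision."""
    ssns = find_ssns(text)
    labels = set()
    if ssns:
        labels.add("PII:SSN")
    if COMP_RE.search(text):
        labels.add("HR:COMPENSATION")
    return {"labels": sorted(labels), "ssn_count": len(ssns)}


def decide(text, recipient):
    """One policy, applied the same way whatever SaaS app the upload or share came from."""
    labels = classify(text)["labels"]
    external = recipient.rsplit("@", 1)[-1].lower() != CORP_DOMAIN
    if "PII:SSN" in labels and external:
        return "block"           # SSNs never leave the organization via cloud sharing
    if labels:
        return "allow_and_log"   # sensitive but internal: permit, keep an audit record
    return "allow"


# Constructed sample documents.
CAT_DOC = "Offsite photos: IMG_0417.jpg (Mochi on the keyboard), IMG_0420.jpg. Order #123456789 shipped."
HR_DOC = (
    "Q1 compensation review\n"
    "Jane Doe, SSN 321-54-9876, salary 98,000\n"
    "John Roe, SSN 555-12-4321, salary 102,500\n"
    "Test record, SSN 666-12-3456 (placeholder, not a real number)\n"
)

if __name__ == "__main__":
    print(classify(CAT_DOC), decide(CAT_DOC, "friend@gmail.com"))
    print(classify(HR_DOC), decide(HR_DOC, "alice.home@gmail.com"))
```

The structural check matters in practice: a naive `\d{3}-\d{2}-\d{4}` pattern fires on placeholder values like 666-12-3456 and 000-12-3456 that appear in test data and templates, and a pattern that also accepts undelimited 9-digit runs will flag every order number and many phone numbers, which is how DLP policies end up disabled. Real products layer more signals (keyword proximity, checksum validation for card numbers, document fingerprints), but the shape is the same: classify first, then decide.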
The final example I’ll give is for industries that are highly regulated or have significant compliance requirements (HIPAA, SOX, DFARS, PCI, etc.). A good use case is applying the compliance policies those regimes require (PCI, HIPAA, OCC, internal policy, etc.) to the specific users, files, or customers they were designed for. One of the key attractions of a CASB is the ability to build a policy once and apply it across multiple applications, instead of re-implementing it in each SaaS product’s own admin console.
CASB is another example of how the security industry adapts to maintain a defense-in-depth strategy as new technologies open new holes and challenges. CASB fills a critical gap in visibility and control that existed between companies and the cloud.
Author Bio: Joe Goldberg is the Senior Cloud Program manager at CCSI. Over the past 15+ years, Joe has helped companies to design, build out, and optimize their network and data center infrastructure. As a result of his efforts, major gains in ROI have been realized through virtualization, WAN implementation, core network redesigns, and the adoption of cloud services. Joe is also ITIL certified.