A cloud access security broker (CASB) is a software tool or service that sits between an organization's on-premises infrastructure and a cloud provider's infrastructure. A CASB acts as a gatekeeper, allowing the organization to extend the reach of their security policies beyond their own infrastructure.
CASBs typically offer the following:
- Firewalls to identify malware and prevent it from entering the enterprise network.
- Authentication to check users' credentials and ensure they only access appropriate company resources.
- Web application firewalls (WAFs) to thwart malware designed to breach security at the application level, rather than at the network level.
- Data loss prevention (DLP) to ensure that users cannot transmit sensitive information outside of the corporation.
How CASBs work
CASBs work by ensuring that network traffic between on-premises devices and the cloud provider complies with the organization's security policies. The value of cloud access security brokers stems from their ability to give insight into cloud application use across cloud platforms and identify unsanctioned use. This is especially important in regulated industries.
CASBs use auto-discovery to identify cloud applications in use and identify high-risk applications, high-risk users and other key risk factors. Cloud access brokers may enforce a number of different security access controls, including encryption and device profiling. They may also provide other services such as credential mapping when single sign-on is not available.
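The auto-discovery step described above can be sketched as log analysis. This is an added example, not code from any CASB product: the app catalog, risk scores, log format and user names are all constructed assumptions.

```python
from collections import defaultdict

# Hypothetical app catalog (an assumption): domain -> (app, sanctioned, risk 1-10).
CATALOG = {
    "sharepoint.example": ("CorpDocs", True, 2),
    "filedrop.example": ("FileDrop", False, 8),
    "pastehub.example": ("PasteHub", False, 9),
    "chatly.example": ("Chatly", False, 4),
}

# Constructed proxy log lines: timestamp user method host bytes_out
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice POST team.sharepoint.example 52000
2024-05-01T09:02:13Z bob POST up.filedrop.example 7340032
2024-05-01T09:05:40Z bob GET www.chatly.example 900
2024-05-01T09:07:02Z carol POST api.pastehub.example 120000
2024-05-01T09:09:55Z bob POST up.filedrop.example 9437184
2024-05-01T09:11:00Z dave GET cdn.unknownsaas.example 300
malformed line
"""

# Match on whole-label suffixes so "evilfiledrop.example" is not taken for FileDrop.
def lookup(host):
    labels = host.lower().rstrip(".").split(".")
    suffixes = (".".join(labels[i:]) for i in range(len(labels) - 1))
    return next((CATALOG[s] for s in suffixes if s in CATALOG), None)

def discover(log_text, risk_threshold=7):
    usage = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    uncatalogued = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed records
        _, user, _, host, bytes_out = parts
        entry = lookup(host)
        if entry is None:
            uncatalogued.add(host)  # unknown service: queue for review
            continue
        rec = usage[entry]
        rec["users"].add(user)
        rec["bytes_out"] += int(bytes_out)
    unsanctioned = [
        {"app": app, "risk": risk, "high_risk": risk >= risk_threshold,
         "users": sorted(rec["users"]), "bytes_out": rec["bytes_out"]}
        for (app, ok, risk), rec in usage.items() if not ok
    ]
    unsanctioned.sort(key=lambda f: (f["risk"], f["bytes_out"]), reverse=True)
    return {"unsanctioned": unsanctioned, "uncatalogued": sorted(uncatalogued)}
```

Calling discover(SAMPLE_LOG) ranks the unsanctioned apps by risk and upload volume and lists hosts that are missing from the catalog, which is the raw material for the high-risk application and high-risk user views.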
Use cases for CASBs
CASB tools have evolved to include, or work alongside, other IT security services -- though some vendors, such as Netskope and Bitglass, still offer stand-alone tools. CASBs are particularly useful in organizations with shadow IT operations or liberal security policies that allow operating units to procure and manage their own cloud resources. The data that CASBs collect can be used for reasons other than security, such as monitoring cloud service usage for budgeting purposes.
Vendors in the cloud access security space include SkyHigh Networks and Netskope. Microsoft includes CASB functionality in its base Azure security services at no extra charge. To meet the needs of IaaS and PaaS users, CASB vendors have added or expanded functionality for security tasks, such as the following:
- Single sign-on (SSO) -- allows an employee to enter their credentials one time and access a number of applications.
- Encryption -- encrypts information from the moment it's created until it's sitting at rest in the cloud.
- Compliance reporting tools -- ensure that the company's security systems comply with corporate policies and government regulations.
- User behavior analytics -- identifies aberrant behavior indicative of an attack or data breach.