nobeastsofierce - Fotolia

Buying cloud access security brokers with confidence

IT security professionals buying cloud access security broker services must focus on what the technology now offers and determine precisely what their company IT architecture requires. Here's how.

With the explosion in cloud service adoption in the last several years, organizations are realizing a disturbing security reality -- they don't know what they don't know. Data is being stored and accessed in cloud environments that organizations do not see and cannot control, and security capabilities within the cloud provider environments have been slow to reach parity with in-house enterprise security controls. Buying cloud security services that control and monitor the information organizations are sending to the cloud is essential to any organization's security strategy.

CASBs explained

Cloud access security brokers (CASBs) are either in-house network gateways or security-as-a-service cloud offerings that inspect network traffic destined for the cloud. These platforms and services inspect all network traffic to determine whether sensitive data is being transmitted to the cloud, and they apply various policies and security controls to protect the data or prevent it from being transmitted in the first place.

How CASB technology works

Any good CASB should be easy to use and relatively simple to implement. It should also integrate with other tools and technologies -- both in-house and cloud-based. The majority of CASBs are service offerings -- organizations essentially are buying cloud services in their own right when they purchase one. Companies modify their network traffic routing to pass through the CASB provider's environment for inspection and policy control, allowing any malicious traffic or undesirable behavior on the part of users to be detected and remediated. In-house gateways are positioned at the edge of the network and perform the same inspection functions for all traffic leaving the environment. Many CASB services use APIs available from cloud service providers (CSPs), providing native integration capabilities with some of the most popular cloud services like Box, Microsoft Office 365, Salesforce and many more.

All CASB platforms should provide the ability to inspect network traffic, apply customer-defined policies for controlling what data can go where and apply some form of protective controls to the data as warranted. Some CASBs are integrated with significantly more cloud services than others and may also have many more tightly integrated features. Enterprises should carefully evaluate the partnerships each CASB has.

Features to look for

When IT security professionals consider buying cloud access security broker products or services, there are several features that they should expect to have:

  • Cloud service visibility and access control. CASBs originally were introduced to identify cloud applications in use, helping enterprises determine whether shadow IT was occurring in the cloud. To that end, application and data visibility and cloud-usage pattern profiling are still at the top of the list of features any CASB should have. CASBs identify cloud applications and data using a combination of URL inspection, traffic and protocol analysis, and data loss prevention pattern matching.
  • Data protection: Encryption and tokenization are the most common types of data protection controls available, and some CASBs offer both. Enterprises should carefully evaluate key management capabilities and practices at any CASB where they intend to implement encryption and decryption of data.
  • Threat protection. Many CASBs are now able to monitor traffic for indicators of malware and compromise by looking for anomalous behavior and known command-and-control signatures. Attackers may hijack cloud service accounts or try to access data stored in CSP environments. A CASB ideally should detect these unusual patterns of access.
  • Access controls. As many cloud services are tied to internal user directories like Active Directory, controlling access to cloud services and data through role-based access policies is another core element of protection. Ideally, the CASB will offer simple and native integration with internal user directories or cloud-based identity services. Strong access controls and authentication to the CASB console and configuration should also be available, and a mature offering should have role-based access for administrators, multifactor authentication to the console, and strong logging and audit trails for monitoring use of the CASB services.
  • Dashboard metrics and reporting. Any CASB platform that an organization selects should provide an easy-to-use dashboard that offers a variety of reporting options. All CASB providers should offer a set of "canned" reports that detail user activity, data detected or protected, malicious traffic detected and blocked, and the like.

While not critical must-have features, the following are nice to have in a CASB offering:

  • Integration with network malware sandboxes. Some CASB services can integrate with on-premises or cloud-based malware sandboxes from companies like Blue Coat and FireEye, allowing any malware detected in email or other traffic to be automatically analyzed.
  • User behavior timelines. For organizations looking to assess patterns of user behavior with cloud services -- often for detection of compromised accounts or fraud -- some CASBs have begun offering behavioral analytics and visualization tools that show user interaction with cloud services over a period of time.
  • In-house threat intelligence teams. Some providers offer additional threat intelligence services and data feeds that can augment the core data and user monitoring capabilities. Enterprises interested in this threat intelligence data should expect the CASB vendor to maintain an in-house intelligence team that continuously updates the threat intelligence provided to customers.
  • Cloud service reputation ratings. Some CASB vendors also monitor cloud service providers' activities and reputation. They can inform customers of any changes deemed risky.

The bottom line

CASB services primarily focus on monitoring cloud usage and protecting data sent to the cloud. But they're rapidly becoming more fully featured platforms that offer preventive, detective and response controls. Organizations buying CASB services can benefit from improved visibility into cloud service use; detection and prevention of malicious activity like account hijacking, malware, and insider threats; and protection of data through encryption and tokenization tools. When companies' IT decision makers consider buying cloud access security broker services, they should focus on compatibility with CSPs as well as user and data inspection and protection features. Threat intelligence, malware analysis and incident tracking are additional features that security and operations teams may find useful.

Implementing a CASB service should not require a major architecture overhaul, nor should it require significant manpower to maintain. Configuration of policies and tuning can take some time, however, as can the integration process with user directories and cloud provider APIs. 

Next Steps

More on potential obstacles to adopting a CASB platform

Learn more about the increasingly hot cloud access security broker market

How to eliminate redundancy in cloud security

Dig Deeper on Cloud Computing Software as a Service (SaaS) Security