With the cloud now an integral component of enterprise networking, organizations need to ensure their cloud applications are secure, accessible only to authorized users and compliant with company policies. One platform that addresses all of these concerns is a cloud access security broker, or CASB. These systems, typically available as cloud services, sit between users and the cloud-based applications and resources they need to access.
CASB tools first emerged as a way to monitor shadow IT. Now, they play a more significant role by ensuring -- among other features -- that network traffic between users and cloud resources complies with an organization's security policies.
How do CASBs work?
Several elements make CASBs work. The most important is API support for the cloud app in question -- for example, Dropbox. To scan data objects or documents and ensure they are safe, the CASB must be built to work with the API of each specific app that users access.
All CASB traffic ultimately originates in the user's endpoint. It is the endpoint -- or rather the user at the endpoint -- that logs in to a cloud app. Thus, the endpoint -- or the user device -- plays an important role in the CASB interaction.
User devices that access the cloud generally fit into two categories: managed and unmanaged endpoints.
Managed devices are those controlled by the IT department. CASBs use agents, deployed into these devices, to monitor traffic. Organizations have the greatest amount of control over managed devices and can further fortify them by installing a traditional endpoint security platform if available from the CASB vendor. With managed devices, a forward proxy sends the traffic to the CASB, which serves as a gateway that communicates with the cloud app on behalf of each client.
Unmanaged devices can include employees' personal tablets, phones or computers or a device used by a partner or contractor to access the company's cloud apps. These endpoints are used throughout an organization's environment, but since IT doesn't have direct control over them, a CASB software agent can't be installed.
Here, CASBs are triggered via reverse proxy. With this process, the CASB device terminates the session for the unmanaged device and creates a separate session into the target application. The CASB thus becomes a "man in the middle" between the user and the application, inspecting all traffic that flows between the endpoint and the target application. (Some vendors advocate using a gateway approach instead because some applications have problems with rewriting the URL, which is part of the reverse proxy mechanism.)
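The URL rewriting step mentioned above can be checked before rollout with a short script. This is an added example, not code from the article or any CASB vendor; the hostnames, the proxy suffix and the dash-based host mapping are assumptions made for illustration. It rewrites link attributes in a constructed application response and then reports protected hostnames that survived the rewrite, such as a URL assembled by script at run time.

```python
import re

# Assumptions (not from the article): hostnames, the proxy suffix and the
# "host-with-dashes.suffix" mapping are constructed for illustration.
PROXY_SUFFIX = "casb.example"
PROTECTED_HOSTS = {"app.example.com", "files.example.com"}

# Constructed sample of an application response seen by the reverse proxy.
SAMPLE_HTML = """<a href="https://app.example.com/home">Home</a>
<form action="https://files.example.com/upload" method="post"></form>
<img src="https://cdn.example.net/logo.png">
<script>var dl = "https://" + "files.example.com" + "/download?id=7";</script>
"""

# Matches an href/src/action attribute and captures the host of its URL.
ATTR_URL = re.compile(r'(?P<attr>\b(?:href|src|action)=")https://(?P<host>[^/"]+)')


def proxied_host(host):
    """Map an application host to its name under the proxy domain."""
    return host.replace(".", "-") + "." + PROXY_SUFFIX


def rewrite_response(html):
    """Rewrite URL attributes that point at protected hosts to the proxy."""
    def repl(match):
        host = match.group("host")
        if host in PROTECTED_HOSTS:
            host = proxied_host(host)
        return match.group("attr") + "https://" + host
    return ATTR_URL.sub(repl, html)


def residual_hosts(rewritten):
    """Return protected hostnames still present verbatim after rewriting.

    Any hit is a reference the attribute rewrite did not cover, for example
    a URL built by script at run time, and needs review before rollout.
    """
    return sorted(h for h in PROTECTED_HOSTS if h in rewritten)


if __name__ == "__main__":
    out = rewrite_response(SAMPLE_HTML)
    print(out)
    print("not covered by rewrite:", residual_hosts(out))
```

A non-empty result from `residual_hosts` is the kind of finding that leads some deployments to the gateway approach for that application.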
Access to the traffic is only a small part of CASB functionality; the CASB also needs to be application-aware, meaning it must understand the proprietary flow of the application and what occurs during each exchange. For example, the CASB should be able to employ data loss prevention (DLP) capabilities when detecting a file transfer.
Application knowledge is challenging, due to the vast number of cloud applications a CASB needs to decipher. According to Microsoft's Cloud App Security tutorial, while most IT admins believe their employees use some 30 to 40 cloud applications, that number is closer to 1,000, so sophisticated programming is necessary to understand all those interactions.
What are the main CASB use cases?
Since their inception, CASB use cases have grown to include the following.
Compliance and data security. Addressing compliance and data security issues is at the heart of what most CASB products are designed to do. During each session, CASBs examine or scan data objects, like files and documents, to ensure the data is in compliance with company and government standards. CASBs can also take various actions if violations are discovered. These include watermarking, removing or quarantining content. DLP is a key part of CASBs.
Added threat protection. A more advanced and growing use of a CASB is to act as an additional threat protection layer. The CASB scans data flowing to the corporate user and can detect viruses, malware and potentially more sophisticated threats. This capability will continue to evolve as more threats target cloud application environments.
Visibility into app usage. CASBs enable IT to view all sanctioned and shadow IT apps accessed by users. This alone is often justification enough to implement a CASB.
Cloud application usage tracking. CASBs can provide a way to view cloud application usage, making it easier to identify abuse and usage patterns. If one service is being overused, companies can take action by switching to a more appropriate plan. If other cloud services are getting little or no usage, they can be canceled or modified to cut excess costs.
User behavior analytics. Usage tracking can serve as a foundation for more sophisticated behavior tracking as the same data is subjected to more detailed analysis through advanced CASB technology. As more employees work remotely, employers are not only concerned with new security threats, but they also need to understand what their employees and devices are doing when they interact with company cloud applications.
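The visibility and usage-tracking use cases above reduce to one aggregation over traffic records, sketched here as an added example that is not part of the original article or any CASB product. The log format, hostnames other than the Dropbox example, seat counts and the low-usage threshold are all assumptions. The script labels each destination as shadow IT, sanctioned, over its plan, or barely used.

```python
from collections import defaultdict

# Assumptions (not from the article): log format, hosts, seat counts and the
# low-usage threshold are constructed for illustration.
SANCTIONED = {"dropbox.com": 10, "crm.example.com": 20, "chat.example.com": 1}

# Constructed log lines: timestamp, user, destination host, bytes sent.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice dropbox.com 1200
2024-05-01T09:02:10Z bob dropbox.com 52000
2024-05-01T09:05:44Z alice notes.example.org 880
2024-05-01T09:07:03Z carol notes.example.org 91000
2024-05-01T09:08:15Z alice chat.example.com 400
2024-05-01T09:09:30Z carol chat.example.com 650
truncated-line-without-fields
"""


def summarize(log_text):
    """Aggregate distinct users and bytes sent per destination host."""
    stats = defaultdict(lambda: {"users": set(), "bytes": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines rather than abort the report
        _, user, host, sent = parts
        stats[host]["users"].add(user)
        stats[host]["bytes"] += int(sent)
    return dict(stats)


def classify(stats, low_usage_ratio=0.1):
    """Label every observed or sanctioned host for review."""
    report = {host: "shadow" for host in stats if host not in SANCTIONED}
    for host, seats in SANCTIONED.items():
        users = len(stats[host]["users"]) if host in stats else 0
        if users > seats:
            report[host] = "over-plan"   # more users than the plan covers
        elif users < seats * low_usage_ratio:
            report[host] = "low-usage"   # candidate to cancel or downgrade
        else:
            report[host] = "sanctioned"
    return report


if __name__ == "__main__":
    for host, label in sorted(classify(summarize(SAMPLE_LOG)).items()):
        print(f"{host:20} {label}")
```

The per-user sets kept by `summarize` are the same data a behavior-analytics layer would analyze in more detail.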