The huge increase in the use of infrastructure-as-a-service cloud platforms -- primarily Microsoft Azure, Amazon Web Services and Google Cloud Platform -- in organizations highlights another potential gap in visibility for network administrators managing the security of public and private cloud systems.
Cloud access security brokers (CASBs) have traditionally focused on managing the security of software as a service (SaaS) tools by providing a central console that provides visibility and control over different cloud services.
Recently, major players in the sector, like Skyhigh Networks and Bitglass, recognized that infrastructure as a service (IaaS) uptake was growing faster than software as a service, and they are now expanding their product offerings to cover the major IaaS providers, too.
Generally, the tools offered by IaaS providers for auditing and controlling identity and access management (IAM) are very good. However, when an organization deploys data in multiple cloud environments, there comes an element of fatigue in logging into the various consoles and viewing reports or monitoring activity. These new CASB offerings enable a single console to manage these different IaaS providers.
Leveraging the CASB providers' experience in managing and securing SaaS applications, these new offerings focus on the applications deployed within IaaS. It enables the organization to monitor what data is stored in the cloud, who is accessing it and which applications have access to key data.
How CASBs could help IaaS security
Security in the cloud is about understanding where the key data is stored. Key data, in this sense, is the data that would have the most impact if it was intentionally or accidentally leaked. Without understanding who has access to this data, both at the infrastructure level and at the application level, it becomes difficult to apply security policies to protect the data.
Insider attacks especially need to be controlled by restricting data to those that require access and monitoring who accesses key data. CASBs, extended into IaaS, can aid greatly in providing this visibility.
CASBs for IaaS enable more granular control over access, and also extend data loss prevention (DLP) tools to IaaS. They can also provide context on IaaS access. For example, they can be set up to only allow Amazon Simple Storage Service buckets to be created by certain users from predefined devices or locations.
CASBs can also extend existing IAM tools and services into IaaS and provide context for them, too. For example, they can increase login security requirements for access requests from unrecognized devices. This enables organizations to have greater control over their IaaS deployments, further integrating them into their existing security policies. This is especially helpful with compliance, where the same rules need to apply wherever the data is stored.
Although IaaS vendors supply excellent tools within the consoles of their respective environments, extending CASBs to cover IaaS enables the central management of these controls and for the security profile of the organization's cloud presence to be more easily assessed and controlled. If your organization has already deployed a CASB and has applications deployed in IaaS, then it is a logical next step to allow management of these consoles via CASB.
Discover how to pick the best CASB for your enterprise
Learn how to strategically implement CASBs in your enterprise
Find out how to bolster DLP strategies with CASBs