carloscastilla - Fotolia


How to strategically implement CASBs in the enterprise

CASBs can offer help for enterprises that leverage cloud services. Expert Ajay Kumar examines the use cases, functions and architectures of cloud access security brokers.

There are many benefits of using cloud services, such as the pay-as-you-go model, being able to quickly scale up...

or down to match the demand and developing new solutions by using emerging technologies like big data analytics, the internet of things and machine learning.

Despite the benefits of the cloud, enterprises are facing numerous security challenges and compliance requirements for business-critical data. The cloud also raises the cybersecurity challenge to enterprises to protect and secure their sensitive data, and it poses a risk to the IT team's ability to prevent data breaches or data leakage.

Enterprises are increasingly targeted with advanced zero-day attacks, as cybercriminal organizations are looking to steal their sensitive corporate data. The traditional security approach is to focus on external threats. But insider threats, such as an employee downloading sensitive data quietly using unsanctioned cloud applications, is a bigger security concern in today's digital enterprise environment.

The key challenges that enterprises face with the cloud are managing cloud security risks and maintaining compliance of corporate data as it moves in and out of the cloud. Various research reports indicate that the vast majority of business cloud applications do not meet enterprise standards for security and can put enterprises at risk of compromise. However, security continues to be the most commonly cited reason for enabling and embracing the use of cloud services.

Addressing these cloud security concerns is one of the emerging and fast growing cloud security technologies, the cloud access security broker (CASB). A cloud access security broker is a security policy enforcement gateway that is placed between cloud service consumers and cloud service providers to combine and put in place corporate security policies for when cloud-based resources or services are accessed. CASBs can help address the gaps in security resulting from the significant increase in cloud service adoption and enterprise mobility. CASBs deliver some unique capabilities that are generally unavailable in currently deployed security technologies, such as web application firewalls, secure web access gateways and intrusion prevention systems.

CASB use cases

One use case for CASBs is in Microsoft's Office 365. Every CIO or IT department wants to adopt a software-as-a-service delivery model as part of their cloud strategy to reduce the in-house IT cost and to increase employee productivity. However, due to the cloud security risk, and without proper security controls in place, it's hard for the CISO or CIO to make the decisions and approve cloud services, such as Microsoft's OneDrive storage or SharePoint, to move the business-critical data to the cloud.

Despite the fact that most enterprises have an existing security architecture that includes web proxies, next-generation firewalls and so on, these controls are inadequate for protecting business-critical data stored in the cloud, which companies allow their workforce to access from any device and anywhere. Therefore, CASB technology goes hand-in-hand with this scenario, and enterprises should include it in their security strategy.

The Microsoft Office 365 productivity suite enables the workforce to access business-critical and sensitive data without being concerned about data security compromises. A CASB provides adequate data protection controls, while ensuring access control for any sensitive content residing within the Office 365 suite or being uploaded from any devices or any locations. These controls may include encryption, data loss prevention, advanced threat protection and additional identity and access management layers.

Shadow IT is another example of when a CASB can be useful. Shadow IT refers to the technologies that are managed outside of and without the knowledge of the IT department. Due to the proliferation of cloud applications available to help improve workforce productivity -- such as file sharing, marketing, sales productivity, social media, collaboration and communication tools -- shadow IT raises security concerns for the enterprise, as IT departments don't have visibility to all of the applications that are used by its workforce and which security controls those applications may be missing.

Since these applications also connect to the corporate environment and can access corporate data, it becomes necessary for the IT team to assess the shadow IT risks. CASBs can help IT teams discover all of the shadow IT cloud applications through network traffic monitoring. The CASBs can also assess the risk of each service and get visibility by enforcing corporate policies and making informed decisions about which services to promote or enable with adequate security controls, without compromising security or compliance mandates.

CASB functions and capabilities

Cloud access security brokers can help enforce corporate security policies ranging from the application level to the fine-grained activity level. The four equally important capabilities of CASBs when it comes to securing enterprise architecture are:

  • Providing visibility: Helps discover all of the cloud applications in the enterprise -- both approved and unapproved -- reports cloud services usage and monitors cloud data usage as to which user is accessing what data and from what device or what location.
  • Compliance: Helps maintain compliance with regulations such as HIPAA, Payment Card Industry Data Security Standard, other security standards, as well as helping to identify risky cloud services or applications.
  • Data security: Provides the functionality and capabilities to enforce data-driven security policies across device types to prevent data exposure or data loss based on data classification level. This also helps to discover and monitor sensitive data access and usage.
  • Threat and malware protection: Provides the capabilities to prevent unauthorized devices or users from accessing cloud services and business-critical data. This also prevents outdated or old application usage, identifies and provides protection from cloud threats, conducts dynamic malware analysis and helps remediate the threats.

CASB architecture and deployment options

CASBs are available as software-as-a-service applications or on-premises via virtual appliances, or even in a hybrid architecture to meet the unique security and compliance requirements of an enterprise. CASBs also offer in-line or out of band deployment options, including agent or agentless integrations with endpoints. The policy enforcement mechanism provides different modes of integration with cloud applications, such as proxy mode, reverse proxy mode and API mode.

Evaluating CASB vendors

Since the CASB model is still evolving, there are no standards or frameworks available today for enterprises to easily select one vendor over another. Security teams need to carefully evaluate a CASB vendor offering and its capabilities, functionalities and supported use cases before selecting one.

Some vendors support fewer use cases over others, and sometimes support limited cloud applications. It's also important for enterprises to evaluate CASB vendors to find which one best fits into their security architecture and integrates best with existing technologies -- such as security information and event management, data loss prevention and so on. CASBs need to be able to easily integrate with the enterprise's management tools from a centralized management and operations standpoint.

In addition, CASBs provide encryption and tokenization for cloud applications, and key management options may differ based on the mode of operations. Either keys are being hosted on-premises under the full control of the enterprise with no access available to the CASB vendor, or vice versa.

Next Steps

Learn how to pick the best CASB for your enterprise

Understand why the security industry needs a standardized CASB framework

Find out more about using a CASB to help fight shadow IT

Dig Deeper on Cloud Computing Software as a Service (SaaS) Security