Cloud Access Security Brokers (CASB): Why, How and What?

February 27, 2015

What are Cloud Access Security Brokers (CASBs)? According to Gartner, CASBs function in a cloud computing environment and act as control points to make the cloud environment secure. CASBs are on-premise security policy enforcement points that are placed between cloud consumers and cloud providers, which are utilized when cloud-based platforms and assets are accessed.

The security policy enforcement points generally work in conjunction and include encryption, credential mapping, data loss prevention, device profiling, built-in malware protection, alerting mechanisms, tokenization and so forth.

The cloud has been widely adopted by businesses of all sizes. According to Skyhigh Networks, a business, on average, uses over 500 cloud-based services to perform its day-to-day business or other IT functions. Previously, IT had to fully manage and set up the infrastructure, either in standalone mode or arranged in a complex environment, to ensure continuity and run it at optimal levels. This was common prior to the cloud, which really lessened IT’s burden because cloud service providers have taken on that responsibility. IT, however, cannot cut corners and has to ensure that the company’s resources are still safeguarded and protected in any environment. To meet certain privacy concerns, the IT department has to be fully aware of who is accessing the company’s data and on what devices they are accessing the company’s precious digital resources.

What are Cloud Access Security Brokers? They are security tools that help your company safely enable cloud applications and mobile devices. These tools mediate between users and cloud apps by proxying traffic.

Don’t let security and compliance concerns keep you from adopting the cloud. CASBs provide visibility (audit logs, security alerts, compliance reports, etc.) and data security (access control, data leakage prevention, encryption, etc.).

This is a dilemma that in-house or outsourced IT – in control of maintaining uptime, security and business continuity – must solve. A problematic point is that IT departments lack visibility on who is accessing this information and whether the necessary information is accessible, all the time, or if it is firewalled and inaccessible. When it comes to cloud services, this is not the only problematic point by which IT can fail in gaining more visibility and control. Other problem areas are:

  • tracking all the cloud services that are being used by employees in real-time
  • a full risk assessment of the cloud services that the organization uses
  • the auditing and cataloging of when the cloud services are used, so that patterns and usage levels can be precisely documented
  • ensuring that compliance requirements are being met
  • enabling encryption at all critical points of usage and ensuring that security vulnerabilities are patched and remedied
  • implementing system-wide malware detection
  • setting enterprise-wide or specific permission settings on when, where and what devices can access the cloud.

Cloud service providers often build in security and privacy measures that are up to standards. CASBs protect sensitive data and are ideal for heavily regulated industries because they enable you to store sensitive data. For the organization, the problem lies in the fact that security policy is not consistent across the board. This is because most cloud providers diverge on security policies, and while they ensure that they integrate enterprise-grade security measures, they differ in how they go about it. To maintain integrity, uniformity and consistency, small businesses and big conglomerates alike must put in place standardized measures that protect their users when they access the cloud. CASBs solve this problem by bundling security tasks into a single point of enforcement. They also help simplify the process of securing cloud-based data.

Cloud Access Security Brokers

Cloud access security brokers have a lot of built-in capabilities that help secure the various cloud services that organizations use. Some of the most important capabilities of Cloud Access Security Brokers are:

  • a rating system that discovers and assesses the risks of each cloud service that a company uses
  • encryption of data that flows out of your organization, making it unreadable to unauthorized eyes
  • access limits and controls that define what type of user has access, based on the device they are using and from what location
  • help integrating a robust data loss prevention policy
  • working side-by-side with various verification and authentication services
  • investigation of vulnerabilities and a log of all inquiries and actions made in a cloud ecosystem
  • a built-in alerting mechanism which can expose system liabilities, security loopholes and all other system threats.

CASBs may help stop employees from “going rogue” and working around security measures on their own:

  • Privacy: your employees have a right to their personal privacy.
  • Transparency: employees want their corporate apps to have the same usability as their personal apps
  • Mobility: employees want to be able to use their choice of devices while still connecting to their work data and apps.

An integral consideration in implementing a cloud access security broker is to ensure that the experience of an employee or partner who is accessing the company information is not compromised. A lot of times, when high-functioning and security-rich features are added on to an existing IT infrastructure, in this case the cloud, user experience is not always considered. CIOs and business decision makers are so in awe of the functionalities that enhance the IT architecture that they lose sight of the fact that it has to be used on a day-to-day basis by non-technologists. CASBs are no different from any other feature: the user experience and user-intuitiveness of the overall system must be optimal. For example, with CASBs, on-site solutions can lead a user to access the cloud through a virtual private network (VPN), which can help them find ways around the CASB-protected cloud. At Fidelity IT Solutions, we help set up, integrate and optimize cloud services into your day-to-day, including Cloud Access Security Brokers.

How exactly are cloud access security brokers used at various points of the life cycle?

CASBs for cloud encryption:

  • Companies control their own encryption key.
  • No one can gain access to corporate data without their knowledge.
  • Some app functionality may be affected
  • Encrypted data cannot be searched

CASBs control all traffic:

  • Contextual access control decides who can access each app.
  • Data protection identifies and secures sensitive data
  • Single sign-on for ease of access and control
  • Detailed visibility for security and compliance insights and reporting

CASBs protect data on the device:

  • Selectively wipe corporate data when employees leave or devices are stolen
  • Encrypt sensitive data upon download to minimize leakage risk
  • Enforce basic device policies like encryption and pass codes
  • Track and fingerprint downloads to maintain visibility

CASBs identify an organization’s cloud apps that are in use:

  • Categorize apps to analyze by function
  • Score applications on risk attributes for fast decisions to block or allow
  • Evaluate usage by user, group and device, so you know who is doing what.
  • Track and fingerprint downloads to maintain visibility.
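
The discovery steps above (categorize, score on risk attributes, decide block or allow, evaluate usage by user and device) can be sketched over egress proxy logs. This is an added example, not code from the original article or any CASB product; the log format, hostnames, catalog, weights and threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed catalog: host -> (category, risk attributes). Not a real vendor feed.
CATALOG = {
    "files.example-share.test": ("file sharing", {"encrypts_at_rest": False, "sso": False, "audit_log": False}),
    "crm.example-sales.test": ("CRM", {"encrypts_at_rest": True, "sso": True, "audit_log": True}),
    "notes.example-pad.test": ("collaboration", {"encrypts_at_rest": True, "sso": False, "audit_log": False}),
}
WEIGHTS = {"encrypts_at_rest": 4, "sso": 3, "audit_log": 3}  # assumed weights, max risk 10
BLOCK_AT = 7  # assumed threshold: score >= 7 means block

# Constructed proxy log lines: timestamp user device host bytes_out
SAMPLE_LOG = """\
2015-02-20T09:01:12Z alice laptop-managed crm.example-sales.test 5120
2015-02-20T09:03:40Z bob phone-byod files.example-share.test 88210432
2015-02-20T09:07:05Z bob phone-byod notes.example-pad.test 2048
2015-02-20T09:15:51Z carol laptop-managed files.example-share.test 1024
2015-02-20T09:20:00Z carol laptop-managed unknown.example-new.test 4096
malformed line
"""

def risk_score(attrs):
    """Sum the weight of every missing control; higher is riskier."""
    return sum(w for name, w in WEIGHTS.items() if not attrs.get(name, False))

def discover(log_text):
    """Return {host: report} with category, score, decision and usage per (user, device)."""
    apps = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed records rather than guess at fields
        _ts, user, device, host, nbytes = parts
        # Services missing from the catalog have no known controls, so they score the maximum.
        category, attrs = CATALOG.get(host, ("uncatalogued", {}))
        app = apps.setdefault(host, {"category": category,
                                     "score": risk_score(attrs),
                                     "usage": defaultdict(int)})
        app["usage"][(user, device)] += int(nbytes)
    for app in apps.values():
        app["decision"] = "block" if app["score"] >= BLOCK_AT else "allow"
        app["usage"] = dict(app["usage"])
    return apps

if __name__ == "__main__":
    ranked = sorted(discover(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["score"])
    for host, r in ranked:
        print(f'{r["score"]:>2} {r["decision"]:<5} {r["category"]:<14} {host} {r["usage"]}')
```
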

Choose the right primary proxy for your business to mediate between your cloud apps and users.

Forward Proxy


  • Can be used for all application types
    • Client-server apps with hard coded host-names.


  • Difficult to deploy
    • In mobile workforce environment.
  • Reduced end-user privacy
    • Requires installation/ user acceptance of self-signed digital certificates at each point of use.

Reverse Proxy


  • Accessible from any device/ location.
    • Suitable for mobile workforce
  • End-user privacy
    • Only corporate traffic is sent via proxy. For example: corporate Gmail is proxied but not personal Gmail
  • Simple to deploy
    • No configuration or firewalls on mobile devices


  • Not applicable to client-server application with hard-coded host-names

It should be noted that many CASBs leverage a mix of forward and reverse proxy architectures for different use cases. Cloud access security brokers are quickly becoming a must-have security solution.
