by Eyal Estrin, Cloud Architect, Inter-University Computation Center (IUCC)
Additional fundamental Cloud Security concepts can be found here.

In the past couple of years, a new range of solutions and technologies known as Cloud Access Security Brokers (CASB) has emerged in order to provide additional security controls for cloud environments, where many traditional tools and controls cannot be used.

A CASB allows organizations to apply their security policies beyond their own infrastructure and provides visibility into the use of risky or unsanctioned cloud applications.

There is no official standard defining exactly what a CASB (Cloud Access Security Broker) is. In this post we discuss the common terminology and the capabilities most CASB solutions share.

CASBs are very commonly used with SaaS applications such as Office 365, Salesforce, Box and Dropbox.

Network topology

  • Reverse proxy – This type of deployment is usually done on-premise. All traffic between the desktop/laptop and the cloud service must pass through the CASB device in order for the CASB to enforce policies and gather audit logs.
    • Pros: Effective, inline enforcement of policies, such as blocking capabilities and data leak prevention
    • Cons: The CASB is “blind” to any traffic that does not pass through the device (for example, a user reaching the cloud service directly from a network that does not route through it)
  • Forward proxy – This type of deployment is usually delivered as a SaaS solution in the cloud. All devices (both on-premise desktops and mobile devices/laptops) must be configured to send their traffic through the CASB solution.
    • Pros: Effective, inline enforcement of policies, such as blocking capabilities and data leak prevention
    • Cons: The CASB is “blind” to traffic from devices that are not configured to use the proxy (typically unmanaged or BYOD devices)
  • API based – This type of deployment is configured “out of band”: the CASB is not in the traffic path between the clients (desktop/mobile) and the cloud (usually SaaS applications), but connects to the cloud service's API instead.
    • Pros: No need to change the network topology or the clients during the deployment phase
    • Cons: Not all cloud services support API integration. Enforcement of policies (such as blocking or data leak prevention) is done after the fact, with a delay that depends on the cloud service's API capabilities and the SLA between the cloud service and the CASB vendor.

Common pillars of a CASB solution

  • Visibility
    • Ability to identify “shadow IT” (applications and infrastructure that are used without the knowledge of the enterprise's IT department), and in many cases to report on the security risk of the cloud applications/services the organization's employees use.
  • Data Security
    • Ability to enforce policies based on data classification (GDPR-related personal data, health information, etc.), with actions such as alert, block and quarantine.
    • Some CASB solutions also offer DLP (Data Loss Prevention) and encryption or tokenization as a remediation action.

  • Threat Protection
    • Ability to analyze user behavior in order to detect anomalous activity, and to identify and remediate malware on the end user's desktop/mobile device or malicious software downloaded from the cloud site/application.
  • Compliance
    • Ability to enforce governance on cloud services, such as where data may or may not reside in the cloud (for example, European employees' data should not be stored outside European data centers).
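The Visibility pillar above is, in practice, log analysis: proxy or firewall logs are matched against a catalogue of known cloud applications and their risk scores, and anything not on the sanctioned list is reported. The following is an added example (not code from the original post or from any CASB vendor) of that discovery step in Python. The log format (timestamp, user, destination host, method, status, bytes uploaded, bytes downloaded), the small `APP_CATALOGUE` with its risk scores, the `SANCTIONED` set and the sample log lines are all constructed for illustration; a real CASB ships its own cloud-app risk database with thousands of entries.

```python
"""Shadow IT discovery over web-proxy log lines.

Added example, not from the original post. The log format, the app
catalogue, the risk scores and the sample log are assumptions made
for illustration; a real CASB ships its own cloud-app risk database.
"""
import re
from dataclasses import dataclass, field

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<method>[A-Z]+) "
    r"(?P<status>\d{3}) (?P<up>\d+) (?P<down>\d+)$"
)

# Hypothetical catalogue: domain suffix -> (app name, risk score 1..10).
APP_CATALOGUE = {
    "sharepoint.com": ("Office 365", 2),
    "salesforce.com": ("Salesforce", 2),
    "dropbox.com": ("Dropbox", 4),
    "wetransfer.com": ("WeTransfer", 7),
    "pastebin.com": ("Pastebin", 9),
}
# Apps IT has approved; every other catalogued app is shadow IT.
SANCTIONED = {"Office 365", "Salesforce"}

# Constructed sample log, including a host outside the catalogue and a
# malformed line that the parser must skip rather than crash on.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z alice sharepoint.com POST 200 52000 1200
2024-03-01T09:01:10Z alice www.dropbox.com POST 200 8400000 900
2024-03-01T09:02:33Z bob eu.dropbox.com GET 200 300 210000
2024-03-01T09:03:05Z bob wetransfer.com POST 200 31000000 1100
2024-03-01T09:04:17Z carol pastebin.com POST 200 4200 800
2024-03-01T09:05:00Z carol login.salesforce.com GET 302 0 500
2024-03-01T09:06:12Z dave intranet.example.local GET 200 0 4000
this line is malformed and is skipped
"""


@dataclass
class AppUsage:
    risk: int
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_up: int = 0


def lookup_app(host):
    """Map a hostname to (app, risk) using the longest matching suffix."""
    for suffix, (name, risk) in sorted(APP_CATALOGUE.items(),
                                       key=lambda kv: -len(kv[0])):
        if host == suffix or host.endswith("." + suffix):
            return name, risk
    return None, None


def parse_line(line):
    """Return a dict for a well-formed log line, None otherwise."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["up"], rec["down"] = int(rec["up"]), int(rec["down"])
    return rec


def discover(lines):
    """Aggregate usage per catalogued app and collect unknown hosts."""
    usage, unknown = {}, set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        app, risk = lookup_app(rec["host"])
        if app is None:
            unknown.add(rec["host"])
            continue
        u = usage.setdefault(app, AppUsage(risk))
        u.users.add(rec["user"])
        u.requests += 1
        u.bytes_up += rec["up"]
    return usage, unknown


def shadow_it_report(lines, min_risk=5):
    """Unsanctioned apps seen in the log, riskiest and largest uploads first."""
    usage, unknown = discover(lines)
    findings = [
        {"app": app, "risk": u.risk, "users": len(u.users),
         "requests": u.requests, "bytes_up": u.bytes_up,
         "high_risk": u.risk >= min_risk}
        for app, u in usage.items() if app not in SANCTIONED
    ]
    findings.sort(key=lambda f: (not f["high_risk"], -f["bytes_up"]))
    return findings, sorted(unknown)


if __name__ == "__main__":
    report, unknown_hosts = shadow_it_report(SAMPLE_LOG.splitlines())
    for f in report:
        flag = "HIGH RISK" if f["high_risk"] else "review"
        print(f"{f['app']:<12} risk={f['risk']} users={f['users']} "
              f"uploaded={f['bytes_up']:>10} bytes  [{flag}]")
    print("hosts not in catalogue:", ", ".join(unknown_hosts))
```

Two design points worth noting: the catalogue lookup matches the longest domain suffix, so `eu.dropbox.com` is attributed to Dropbox while `notdropbox.com` is not, and uploaded bytes are tracked separately from request counts, because a single large upload to a file-transfer site is a stronger exfiltration signal than many small page views. Hosts that are not in the catalogue are returned separately so they can be reviewed and added, which is exactly the gap a vendor's risk database is meant to close.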

Additional features that exist on some CASB solutions

  • Agents for mobile devices – Ability to enforce policies on remote mobile devices. Useful for BYOD (Bring Your Own Device) scenarios.
  • Tagging and auto classification – Ability to automatically tag and classify data before it is stored in the cloud
  • SIEM integration – Ability to connect to various logging systems for auditing and investigation
  • Authentication – Ability to provide SSO (Single Sign On) between the end user and the cloud service (via protocols such as SAML or OAuth/OpenID Connect)
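The Data Security pillar, the DLP remediation actions, the Compliance (data residency) pillar and the "tagging and auto classification" feature above all come down to the same engine: classify the content, then map the classification plus the context of the upload (who is sharing, with whom, into which region) to an action. The following is an added example of such a classify-then-decide step in Python; it is not code from the original post or from any CASB product. The `PCI`/`PHI` labels, the sharing scopes, the region names and the rule order in `decide()` are assumptions made for illustration, as are the sample uploads.

```python
"""Content classification and policy decision for a CASB-style DLP check.

Added example, not from the original post or any vendor. Labels,
sharing scopes, region names and the rule table are assumptions.
"""
import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
HEALTH_TERMS = re.compile(r"\b(diagnosis|prescription|patient id)\b", re.I)
# Hypothetical region names for the residency rule.
EU_REGIONS = {"eu-west-1", "eu-central-1"}


def luhn_ok(digits):
    """Luhn checksum; filters order numbers and phone numbers out of CARD_RE hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Return the set of classification tags found in the content."""
    labels = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.add("PCI")
    if HEALTH_TERMS.search(text):
        labels.add("PHI")
    return labels


@dataclass
class Upload:
    user: str
    user_region: str     # where the employee is based, e.g. "eu"
    target_region: str   # cloud region the SaaS tenant stores the file in
    share_scope: str     # "private", "internal", "external" or "public"
    content: str


def decide(upload):
    """Return (action, labels, rule) for an upload; rules are checked in order."""
    labels = classify(upload.content)
    # Compliance: EU employees' data must stay in EU data centers, whatever it contains.
    if upload.user_region == "eu" and upload.target_region not in EU_REGIONS:
        return "block", labels, "eu-residency"
    # Data Security: card data never leaves the organization.
    if "PCI" in labels and upload.share_scope in ("external", "public"):
        return "block", labels, "pci-external-share"
    # Health data shared beyond the owner is held for review.
    if "PHI" in labels and upload.share_scope != "private":
        return "quarantine", labels, "phi-shared"
    # Sensitive but kept private: allow, but raise an alert.
    if labels:
        return "alert", labels, "sensitive-private"
    return "allow", labels, None


# Constructed sample uploads.
SAMPLES = [
    Upload("alice", "eu", "us-east-1", "private", "quarterly numbers"),
    Upload("bob", "us", "us-east-1", "public", "card on file: 4111 1111 1111 1111"),
    Upload("bob", "us", "us-east-1", "internal", "order 1234567890123456 shipped"),
    Upload("carol", "us", "us-east-1", "internal", "Patient ID 8842, diagnosis attached"),
    Upload("carol", "us", "us-east-1", "private", "prescription list"),
]

if __name__ == "__main__":
    for up in SAMPLES:
        action, labels, rule = decide(up)
        print(f"{up.user:<6} {up.share_scope:<9} -> {action:<10} "
              f"labels={sorted(labels)} rule={rule}")
```

The Luhn check is the part that matters for a usable policy: a bare 13-19 digit regex fires on order numbers and tracking codes, and a CASB that blocks those gets its DLP policy switched to alert-only within a week. Note also that the residency rule is evaluated before the content rules, since it applies regardless of classification; in an API-based deployment every one of these decisions is taken after the file has already landed in the tenant, so "block" there means remove or un-share rather than prevent.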

Additional information about CASB solutions: