Fundamental Cloud Security Part 17 – Cloud Access Security Broker

In the past couple of years, a new range of solutions and technologies known as Cloud Access Security Brokers (CASB) have emerged in-order to provide additional security controls for cloud environments where many traditional tools and controls cannot be used.

A CASB allows organizations to apply their security policies beyond their own infrastructure and provide visibility of usage of risky or unsanctioned cloud applications.

There is no official standard for defining what exactly a CASB (Cloud Access Security Broker) is, however, in this post we will discuss common terminology and common capabilities most CASB solutions have.

CASBs are very common for SaaS applications such as Office 365, SalesForce, Box, Dropbox, etc.

Network topology

Reverse proxy – This type of deployment is usually done on-premise. All traffic between the desktop/laptop and the cloud services must pass through the CASB device, in-order for the CASB to enforce policies and gather audit logs.
- Pros: Effective enforcement of policies, such as blocking capabilities and data leak prevention
- Cons: The CASB is “blind” for traffic that doesn’t go through the device
Forward proxy – This type of deployment is usually done as SaaS solution in the cloud. All devices (both on-premise and mobile/laptops) must be configured to pass traffic through the CASB solution
- Pros: Effective enforcement of policies, such as blocking capabilities and data leak prevention
- Cons: The CASB is “blind” for traffic that doesn’t go through the device
API based – This type of deployment is configured “out of band”, between the clients (desktop/mobile) and the cloud (usually SaaS applications)
- Pros: No need to change the network topology during the deployment phase
- Cons: Not all cloud services support API integration. Enforcement of policies (such as blocking or data leak prevention) is done with a delay (according to the cloud service capabilities and the SLA between the cloud service and the CASB vendors)

Common pillars of a CASB solution

Visibility
- Ability to identify “shadow IT” (applications and infrastructure that are managed and utilized without the knowledge of the enterprise’s IT department), and in many cases ability to provide a report on the security risk of cloud applications/services used by the organization’s employees.
Data Security
- Ability to enforce policies based on data classification (GDPR-related, health and private information, etc.) such as alert, block and quarantine.

Some CASB solutions also offer DLP (Data Leakage Prevention) and encryption or tokenization as post remediation action.

Threat Protection
- Ability to perform user behavior analysis in order to detect anomalous behavior, malware identification and remediation at the end user desktop/mobile or malicious software download from the cloud site/application.
Compliance
- Ability to enforce governance on cloud services, such as where data should or shouldn’t reside in the cloud (such as European employees’ data shouldn’t be stored outside European data centers).

Additional features that exist on some CASB solutions

Agents for mobile devices – Ability to enforce policies on remote mobile devices. Useful for BYOD (Bring Your Own Device) scenarios.
Tagging and auto classification – Ability to automatically tag and classify data before it is stored in the cloud
SIEM integration – Ability to connect to various logging systems for auditing and investigation
Authentication – Ability to allow SSO (Single Sign On) between the end user and the cloud service (protocols such as SAML or OAuth)

Additional information about CASB solutions:

About the author

Eyal Estrin is a cloud architect, working in the Inter-University Computation Center (IUCC) in Israel. He has more than 20 years of experience in infrastructure, information security and public cloud services. He is a public columnist and shares knowledge about cloud services. You can follow him on Twitter at @eyalestrin