Cloud Access Security Broker

Cloud access security brokers (CASBs) is a cloud-based security policy enforcement points between cloud service consumers and cloud service providers which monitors all activity and enforces enterprise security policies. CASBs combine different types of security policy enforcement which includes authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention, and so on.

CASB Life cycle

CASB Life cycle involves a complete solution that protects corporate data.

In the Cloud

Using a CASB for cloud encryption, it allows the enterprise to have control over their encryption keys. Without knowledge of the enterprise, nobody can gain access to corporate data.

The limitations of using a CASB for cloud encryption is that the SaaS application servers cannot process one encrypted data, and the encrypted data cannot be searched.

CASB products rely on hand-coded logics for SaaS applications that use client-side AJAX for most of its UI, and the challenge is that application usually breaks when it is updated.

At Access CASBs works as a proxy between cloud apps and users, and it can view all traffic to those cloud apps to inspect and secure data. CASBs at access provide Visibility, Identity, Access Control, and Data Protection.

• Visibility – CASB provides visibility of user behavior and activities across all cloud applications. Higher-level analytics and reports provide information on trends and insights. Alert can keep you informed of potential security and compliance issues on inappropriate data access.
• Identity – A CASB ensures that all cloud apps hold a single identity store. It acts as a cloud identity provider, eliminating the need to purchase a third-party solution.
• Access Control – CASB enables you to define policies, and the policies should be based on group or role in the Organization, Device type or Operating System, Geography.
• Data Protection – CASB holds the responsibility for identifying and classifying sensitive information, then allowing the customer to create policies that are like data leakage prevention capabilities observed inside a corporate premises network or on managed end-point devices.

On the Device

CASBs need to protect data stored in the cloud, access to the cloud and as well as cloud data on the consumption that include:

• Client-side file encryption of sensitive corporate data – CASBs must have the ability to encrypt sensitive data on the go ensuring it is only accessible to the authorized user for downloading the data.
• Selective wipe of cloud data from mobile devices- CASB must take on the responsibility of removing corporate data from devices when necessary.
• Data Tracking and Fingerprinting- CASBs offer the ability to embed fingerprints into corporate data that can identify who removed the file from the cloud application helping to track the source of the leak and acting as a barrier to employee malicious behavior.
• Enforcing mandatory device security policies -Any device on which corporate data synchronized must-have essential security measures in place, including passcodes and encryption.

On the Network If you have a secured web gateway or the latest firewall, then you would be having a source for this data. CASBs vendors offer some of the free and paid commercial services as an ancillary service for identifying cloud apps via log analysis.

Proxy vs API based solution

Cloud Access Security Brokers can be implemented in two ways, Proxy or Firewall based approach and API Based CASB and both the methods are different in its approach and limitations. API Based approach is the most effective method for CASB implementation.

Proxy-Based Solution

An Inline proxy solution through a single gateway checks and filters known users and devices as all traffic flows through the same checkpoint and helps to take security action in real-time.

This real-time security action is only effective if users are crossing the proxy to access cloud resources. If the users are not configured well to access the public cloud through the proxy-based CASB or having an outdated/unsupported devices that fail to take advantage of proxy-based CASB, then the traffic which could be out of compliance resulting in unseen or unfiltered by the CASB.

The lack of visibility into unsupported traffic impacts on the performance of the end-users despite the quick response. This would be a major drawback in security and scale.

It also slows network performance, and only secures known users. Further, proxy-based solutions only secure SaaS cloud services, leaving IaaS and PaaS clouds vulnerable.

API Based Solution

An API-based CASB is an Out-of-Band solution that does not follow the same network path as data. Since the solution integrates directly with cloud services, API-Based solutions have no performance degradation, and they secure both managed and unmanaged traffic across SaaS, IaaS, and PaaS cloud services.

API-Based CASB platform is the most powerful and modern approach to instantiating a CASB. API-Based CASB can integrate flawlessly with the public cloud vendor open APIs made available for consumption allowing it to enforce security and policy baselines assigned by organizations naturally.

It becomes part of the public cloud resources, as opposed to be a single standalone gateway or “add-on” that must be passed before security and policy are applied. Data can be analyzed retroactively, and actions can be taken based on the analysis.

Enforcement of policies and security protocols are applied regardless to whichever network path an end-user take to reach company public cloud resources.

No need for proxy configuration to be made on the end-user device and no performance is affected for the end-user since CASB integrates naturally with the public cloud vendor. It restricts VPNs, or another network means from bypassing it. The API case CASB solution integrates and scales much better than proxy-based CASB.

Some industry experts recommend a multimode approach, which is a CASB architecture that supports both API and proxy approaches. Both API and proxy approaches achieve multimode functionality, though they do it differently.

As enterprises move more business-critical functions to the cloud, implementing a CASB has become a mandatory control. Before choosing a CASB, it is important to know the facts on the alternatives so you can make the choice that is best for you.