CASB (Cloud Access Security Broker)

Every day, your people access cloud apps—whether it’s Microsoft Office 365, Box, or Google G Suite—from all types of devices in the office or remotely. If your organization seeks better visibility into and control over app usage and sensitive data in the cloud, consider evaluating a Cloud Access Security Broker (CASB) solution.

A CASB is an intermediary between users and cloud platforms that protects data in the cloud while addressing authorization and visibility concerns of corporations leveraging cloud services. Think of a CASB as a central point where all access controls and authorization rules are validated against set policies. A CASB makes it more convenient for administrators to deploy and enforce security policies. It helps businesses build security rules when their administrators are unfamiliar with providing cybersecurity in the cloud. As Gartner explains, CASBs address security gaps associated with third-party cloud services and platforms—not under your control—that process and store your data. While cloud services offer a certain level of security, cloud security is a shared responsibility. The onus is on you to protect your users, workloads, and data.

In today’s cloud-driven world, cloud app security has become an essential component of a comprehensive enterprise defense. Businesses that rely on Software-as-a-Service (SaaS) can benefit the most from investing in a CASB. A recent survey by the Cloud Security Alliance found that 70% of organizations plan to have dedicated SaaS security teams in place.

The term “CASB” was first coined in 2012 when using a security broker for cloud resources became necessary. In 2013, the first CASB vendor was introduced to the market, but the introduction of Office 365 is considered the start of the CASB era. As more companies leverage cloud applications, the need for CASB increases.

In a hybrid cloud environment, data synchronizes between the cloud and on-premises resources. It provides encryption services to protect data from eavesdropping, and identity management to restrict access to resources to authorized users. These users can share documents and data with others, and organizations can obtain visibility into how documents are shared and accessed. It also protects from malware and malicious software that can steal data from the cloud.

Using cloud resources creates a constant connection between the on-premises network and the cloud. This connection and the point at which users connect to cloud resources must be secured. So, accessing business resources at remote workers’ fingertips requires a secure connection and authentication point.

A CASB is responsible for enforcing security policies that protect data in the cloud. The first primary protection solution includes malware prevention so that ransomware and other advanced persistent threats cannot access internal and cloud resources. The second way to protect data is by encryption, which secures data as it’s stored on a disk and traverses the network.

Malware prevention scans files and rejects suspicious data that could interrupt productivity or steal information. Encryption is a multipurpose protection. Any data that crosses the wire is subject to eavesdropping, and encryption makes it unreadable should an attacker intercept sensitive information. Encryption also protects data stored on a device, safeguarding sensitive information from theft after a user loses their corporate device.

A CASB deploys a three-step process:

• Discovery: The CASB scans and finds resources on the organization’s cloud infrastructure.
• Classification: After the CASB discovers all cloud resources, a risk value is assigned to each component for categorizing and assessing applications and data for sensitivity.
• Remediation: Using data classification, the organization assigns designations to apply the proper access controls on data and can subsequently take appropriate action on unauthorized requests.

Administrators determine appropriate security strategies that a CASB helps enforce, providing the defenses necessary to protect data using security layers. For example, if your organization allows users to connect to cloud resources using their own devices (e.g., smartphones and tablets), a CASB enables administrators to monitor data and control access across numerous endpoints.

A CASB offers several cloud security features that protect data from external and internal hackers as well as malware. CASB can be used for:

• Govern usage: A CASB can be leveraged to ensure only employees utilize cloud services approved by the organization and per established procedures and policies. This includes monitoring and controlling access to cloud applications, enforcing usage policies, and providing detailed reports on cloud service usage across the organization.
• Secure data: Whether stored on a cloud-based server or transmitted across the network, CASBs encrypt and secure data to protect sensitive information against unauthorized access. In addition to security and protection, CASBs provide data discovery and data classification tools, allowing organizations to effectively identify and classify sensitive data. They can also implement data loss prevention (DLP) policies, monitor data in transit and at rest, and provide real-time alerts for potential data breaches or policy violations.
• Discover and control shadow IT: Organizations can identify and track unauthorized cloud services used without team knowledge or approval, enabling the proper action to control them. CASBs use various discovery methods, including log analysis and network traffic monitoring, to uncover shadow IT. They can then assess the risk of these applications and either block or manage them, ensuring compliance with security policies.
• Secure non-corporate SaaS tenants: A CASB offers a powerful solution to monitor and protect access to cloud services used by non-corporate entities (contractors, vendors, or partners), ensuring that they remain compliant with the organization’s security policies. This includes implementing granular access controls, monitoring user activities, and enforcing security policies across all users, regardless of their affiliation with the organization.
• Control risky file sharing: Organizations can better monitor and control the sharing and distribution of sensitive files across cloud services by implementing policies like DLP and role-based access controls (RBAC) that limit access based on a user’s role. CASBs can also provide visibility into file-sharing activities, revoke inappropriate shares, and prevent unauthorized external sharing of sensitive data.
• Remediate SaaS misconfigurations: CASBs detect and correct misconfigurations in cloud services that could leave them vulnerable to attack. This allows an organization to properly secure and configure cloud services. They can continuously scan for security gaps, provide recommendations for remediation, and, in some cases, automatically apply fixes to ensure ongoing compliance with security best practices.
• Prevent data leakage: CASBs can prevent the unauthorized exfiltration of sensitive data from the organization by, for example, implementing DLP policies and monitoring network traffic. Organizations can also deploy controls limiting users’ ability to externally share files. Advanced CASBs use machine learning algorithms to detect anomalous data movement patterns, such as lateral movements, that might indicate a data breach attempt.
• Prevent successful attacks: One of the most valuable use cases of a CASB is detecting and preventing attempted cyber-attacks on cloud services by effectively implementing security protocols and monitoring suspicious activity. This includes real-time threat detection, user and entity behavior analytics (UEBA), and integration with threat intelligence feeds to identify and block known malicious actors or activities.

CASBs provide a range of services that improve the security and oversight of cloud-based applications and data. These technologies and solutions are essential for organizations that rely on cloud computing environments, providing critical protection against various threats. Some of the most essential services CASB vendors offer include:

Data Security

• Data loss prevention (DLP): CASBs provide DLP capabilities to prevent unauthorized users from leaking or accessing sensitive data. Data transfers can be managed to ensure compliance with information protection policies.
• Encryption and tokenization: These services protect sensitive information by converting it into unreadable formats unless authorized users decrypt it. Tokenization uses unique symbols that retain essential information to replace confidential data, making it unreadable to unauthorized users.

Threat Protection

• Malware detection and prevention: CASBs closely monitor cloud applications for suspicious activities and anomalies that signal a malware attack. This involves scanning malicious files and behaviors to detect and prevent malware-based threats, including ransomware and advanced persistent threats.
• Behavioral analytics: By analyzing user behavior and benchmarking normal activity, CASBs can effectively identify any deviations that may indicate a security concern. In turn, organizations can better detect insider threats, compromised accounts, or other cyber threats.

Access Control

• Authentication and authorization: By utilizing multi-factor authentication (MFA) and single sign-on (SSO) technologies, CASBs ensure that only authorized users can access cloud applications.
• Granular access control: These solutions allow organizations to set detailed access policies based on user roles, device types, and locations. This level of control ensures that users have the appropriate level of access to cloud resources.

Visibility and Compliance

• Cloud application discovery: CASBs provide visibility into cloud application usage in an organization, including shadow IT. This helps identify unauthorized applications and ensures compliance with security policies.
• Compliance management: CASBs help organizations meet regulatory requirements by providing tools to monitor and enforce compliance with standards such as GDPR, HIPAA, and PCI-DSS. This includes generating audit reports and maintaining logs of user activities.

Integration and Automation

• Integration with existing security tools: CASBs can integrate with other security solutions like firewalls, SIEMs, and identity and access management (IAM) systems, providing a unified security posture and seamless enforcement of security policies across various environments.
• Automated responses: Organizations can benefit from automated responses to security incidents, such as blocking access, requiring additional authentication, or alerting security teams. The result is quickly diffused threats and reduced impact of security breaches.

With these comprehensive services, CASB providers help organizations secure their cloud environments and ensure reliable data protection, regulatory compliance, and threat defense.

CASB’s four pillars (or functions) summarize the benefits of using a CASB so that organizations get everything they need to secure their data.

Here are the four pillars of CASB:

1. Visibility: Monitoring and watching resource usage provides the visibility needed to detect suspicious behavior. Administrators must be aware of all data stored on the network and the devices used to access it. A CASB enables administrators to detect suspicious access requests, uploaded malicious files, and security vulnerabilities from poor access controls. It allows administrators to train users on the best security policies for shared resources.
   
   A CASB also provides visibility into potentially unauthorized connected devices like shadow IT and discovers data administrators may have overlooked. Instead of allowing users to upload data to unauthorized locations, a CASB blocks access to third-party locations and alerts administrators of the unusual activity. A CASB’s comprehensive view of your cloud environment offers the enhanced visibility required to make informed decisions about resource allocation and security measures.
2. Compliance: Compliance regulations oversee many cybersecurity factors required to protect cloud data. Non-compliant organizations can suffer hefty fines, so a CASB ensures that organizations have the necessary access tools and monitoring to achieve compliance. A CASB ensures that stored cloud data is encrypted to comply with the latest regulatory standards.
   
   In addition, a CASB’s visibility and cybersecurity controls help keep the organization compliant with various regulations such as HIPAA, SOX, PCI-DSS, PHI, and more. You can automate many compliance-related tasks, reducing your IT team’s burden. This automation helps you stay up to date with evolving regulations and maintain a resilient compliance posture.
3. Data Security: Sensitive data such as customer information, intellectual property, and secrets might be stored in the cloud. The primary pillar is the security offered, including access controls, encryption, tokenized data, permission management, data discovery, and remediation. Monitoring and logging are components of a CASB’s functionality. The CASB blocks access to data based on various user attributes like IP address, browser, operating system, device, and location.
   
   By using a combination of device attributes, a CASB lowers the possibility of false positives and improves accuracy. CASB deployment allows you to apply consistent security policies across multiple cloud services. This unified approach to data security helps maintain control over your sensitive information, regardless of where it resides.
4. Threat Protection: Along with monitoring, threat detection mitigates suspicious activity. The threat detection pillar identifies external and internal threats, mitigates them, and sends a notification to administrators. User behavior patterns are commonly used in a CASB to identify suspicious behavior. For example, a salesperson should have access to customer data in a sales application, but the CASB raises an alert if a developer attempts to download the same data. By leveraging machine learning and advanced analytics, CASBs can detect and respond to threats in real-time. This proactive approach helps you stay ahead of potential breaches and minimize the impact of security incidents.

Security and compliance concerns with cloud apps and services are pushing more and more enterprises to implement CASB solutions. These include:

• “Shadow IT” and the proliferation of third-party apps: When CASBs first entered the scene, enterprises deployed them primarily to curb “Shadow IT” (cloud apps and services used without IT’s explicit approval). Now, enterprises also face the challenge of governing hundreds and sometimes thousands of third-party apps and scripts with OAuth permissions (which use tokens instead of passwords) to access enterprise data. These third-party apps add more features to Office 365, G Suite, Box, and other platforms. But some are poorly built or overtly malicious. And, once an OAuth token is authorized, access continues until it’s revoked. After auditing each cloud app for its security controls, like certifications, and other risks, like broad data permissions, IT teams can make informed decisions on access controls for risky cloud apps and promote “safe” cloud services.
• Cloud account compromise: Cybercriminals often access apps and data in the cloud through compromised cloud accounts. Proofpoint recently analyzed over 100,000 unauthorized logins across millions of monitored cloud accounts and found that 90% of tenants are targeted by cyber-attacks. Sixty percent of tenants have at least one compromised account in their environment. These typically begin with brute-force attacks where threat actors submit multiple user names or passwords to correctly guess user credentials to access an account. Another method is credential phishing, where attackers try to steal user passwords through socially engineered emails. Once they have the credentials, attackers leverage these cloud accounts to pose as legitimate users to get employees to wire funds to them or release corporate data. Threat actors also hijack email accounts to distribute spam and phishing emails.
• Loss of intellectual property: The risk of losing trade secrets, engineering designs, and other corporate-sensitive data is high when employees use cloud-based collaboration or messaging tools to share files and information. Employee negligence or lack of training can result in oversharing files via public links that anyone can access. Insider threats are also common. A typical example is a salesperson planning to leave the organization stealing customer records from the CRM. Enterprises can increase visibility to data handling in the cloud and improve data security by employing user-centric policies to control access to cloud services and data via CASB solutions.
• Stricter regulations and bigger fines: Organizations in virtually all sectors are finding that maintaining compliance has become a daunting task. Many regulations and industry mandates now require knowing where your data is and how it’s shared in the cloud. Violations of recent data privacy and residency regulations can result in hefty fines. For example, violators of GDPR can be fined up to 4% of worldwide annual revenue. CASBs can lighten the compliance burden and instill confidence during audits.
• Visibility into cloud usage: Whether it’s to protect data or obtain insights into how cloud services are used, a CASB provides the visibility required for security and future scaling. A CASB can help organizations plan for future resources so that performance is always maintained. It also enables administrators to review threat activities and provision security resources to mitigate attacks.

Now that you know why you need a CASB, let’s examine its capabilities. CASBs perform several key functions that surpass enterprise firewalls and web gateways:

1. Cloud app governance: CASBs govern cloud apps and services by offering a centralized view of your cloud environment, with details like who’s accessing what apps and what data, from where, and from which device. Because cloud app usage is so pervasive, CASBs catalog cloud services (including third-party OAuth apps), then rate the risk level and trustworthiness of cloud services and assign them a score. CASBs even provide automated access controls to and from cloud services based on cloud service risk scores and other parameters, such as app category and data permissions.
2. Defense against cloud threats: CASBs can help detect cloud threats by monitoring suspicious or excessive logins and sending out alerts. CASBs also use advanced anti-malware and sandbox tools to block and analyze threats. In some cases, CASB vendors rely on their global research and third-party feeds to help identify the behaviors and characteristics of current and emerging cloud-based attacks. Today’s sophisticated CASB solutions also allow you to configure policies for automated remediation of cloud threats. For preventative measures, you can configure user-centric adaptive access controls based on the user’s role (such as privileges and VIP status), the risk level associated with the login, and other contextual parameters, such as the user’s location, device hygiene, etc.
3. Securing sensitive data: Detection and removal of public and external shares of files, as well as data loss prevention (DLP), are critical components of a CASB solution. For example, CASBs enable you to set and enforce data security policies to allow users to access only certain categories of data based on their privileges. In most CASB solutions, DLP works natively and is also integrated with enterprise data protection solutions.
4. Compliance for the cloud: CASBs can help prove that you exercise proper governance over cloud services. Through visibility, automated remediation, policy creation and enforcement, and reporting capabilities, CASBs enable you to stay compliant with industry and government regulations. These include regional mandates, like the European Union General Data Protection Regulation (GDPR), and industry standards and rules, like the Health Insurance Portability and Accountability Act (HIPAA).

CASB provides the resources necessary for data security in the cloud. A CASB has the web gateways, firewalls, policy and governance, and access controls a business needs to protect data. A corporation without security resources can leverage CASB offerings to integrate security with existing infrastructure. CASB providers excel in their simplicity of cybersecurity enforcement. However, they are beneficial in several scenarios that likely affect your organization.

Here are some key capabilities of CASB solutions:

• Data loss prevention: CASBs can identify sensitive data and enforce authorization policies, allowing organizations to control who can access, share, or modify corporate information. This capability helps prevent accidental or intentional data leaks.
• URL filtering: CASBs can block access to malicious or inappropriate websites, protecting users from phishing attacks and other web-based threats. This feature helps maintain productivity and reduces the risk of malware infections.
• Packet inspection: Advanced CASBs can perform deep packet inspection to analyze network traffic in real-time, identifying potential threats and policy violations at a granular level.
• Sandboxing: CASBs can provide sandboxing capabilities to safely execute and analyze suspicious files or applications in an isolated environment, detecting potential malware before it reaches the corporate network.
• Encryption: CASBs use encryption for data-at-rest and data-in-transit to stay compliant and secure data, ensuring that sensitive information remains protected even if intercepted.
• Identity and access management: CASBs offer robust authentication and authorization features, including single sign-on functionality, multifactor authentication management, and integration with existing identity solutions.
• Threat protection: CASBs can block malware and ransomware from being installed in the environment and stop the flow of malicious code between the cloud and on-premises networks using proxies and real-time quarantine functions.
• User behavior analytics: By using benchmarks and continual traffic data analysis, CASBs can detect and respond to suspicious user behaviors, providing more dynamic and effective threat detection.
• Configuration management: CASBs monitor and discover risky infrastructure configurations, alerting administrators to potential vulnerabilities and often providing automated remediation for misconfigurations.
• Shadow IT discovery and control: By ingesting logs and monitoring network traffic, CASBs can identify and control the use of unauthorized devices and applications, mitigating risks associated with shadow IT.
• BYOD protection: For organizations with bring-your-own-device (BYOD) policies, CASBs can protect personal devices from malware without interfering with employee data privacy, ensuring corporate data remains secure.
• Compliance monitoring: CASBs help organizations maintain compliance with various regulations by continuously monitoring, reporting, and enforcing compliance-related policies across cloud services.

By leveraging CASBs’ capabilities, organizations can enhance their cloud security posture and better protect their data and resources in increasingly complex cloud environments.

Cloud Access Security Brokers (CASBs) and Secure Access Service Edge (SASE) are fundamental technologies that support modern cybersecurity, but they each have distinct intentions and cover different scopes.

CASBs concentrate specifically on securing cloud-based applications and services. They act as intermediaries between users and cloud security providers, offering visibility, compliance, data security, and threat protection for cloud-computing resources. CASBs are especially relevant for organizations that rely on SaaS applications.

On the other hand, SASE covers a more comprehensive scope and framework that combines wide-area networking and security services into a single, cloud-based model. While SASE includes CASB functionality, it goes beyond cloud security to provide a broader set of capabilities, including software-defined WAN (SD-WAN), secure web gateway (SWG), firewall-as-a-service (FWaaS), and zero-trust network access (ZTNA).

The core difference lies in their scope: CASB is cloud-specific, while SASE offers a holistic approach to network security and connectivity for both cloud and on-premises resources.

CASB Integration with SASE

It’s common for CASBs to be integrated into more sophisticated SASE frameworks, enhancing the overall security posture of an organization through several features:

• Seamless security: By integrating CASB into SASE, organizations can seamlessly utilize cloud-specific security controls within the broader security and networking framework.
• Complementary functionality: Within SASE, CASB provides targeted security capabilities for cloud environments, working alongside other security services to offer comprehensive protection.
• Unified policy management: CASB policies can be centrally managed when integrated into SASE with other security policies, ensuring consistency across the entire network.
• Enhanced visibility: CASB integration provides a deeper view into cloud application usage, complementing SASE’s broader network visibility.
• Scalability: As part of a SASE solution, CASB capabilities are more easily scalable to meet growing organizational needs without requiring additional standalone deployments.

By introducing CASB into a SASE framework, organizations can utilize specialized cloud security capabilities while maintaining a unified, streamlined approach to network security and management.

CASB deployment demands careful planning and execution. Use this simple guideline to better ensure a successful implementation:

1. Assess your cloud environment: Conduct a thorough inventory of all cloud services and applications used within your organization, including shadow IT.
2. Define security requirements: Identify your specific security needs, compliance requirements, and risk tolerance levels.
3. Select the right CASB solution: Evaluate different CASB vendors based on your requirements, integration capabilities, and deployment options.
4. Plan the deployment: Choose the appropriate deployment mode (API-based, forward proxy, reverse proxy, or a combination) based on your organization’s needs.
5. Integrate with existing systems: Ensure the CASB solution seamlessly integrates with your current security infrastructure, identity management systems, and cloud services.
6. Configure policies: Set up and fine-tune security policies, including data loss prevention, access controls, and threat protection.
7. Test the implementation: Conduct thorough testing in a controlled environment to identify and resolve any issues before full deployment.
8. Train staff: Provide comprehensive training to IT staff and end-users on how to use and interact with the CASB solution.
9. Roll out in phases: Implement the CASB solution gradually, starting with non-critical applications and expanding to cover all cloud services.
10. Monitor and optimize: Continuously monitor the CASB’s performance, adjust policies as needed, and stay updated with the latest features and security enhancements.
11. Review and update regularly: Conduct periodic reviews of your CASB implementation to ensure it continues to meet your evolving security needs and compliance requirements.

CASB implementation is an ongoing process. Be prepared to adapt your strategy as your organization’s cloud usage evolves and new security challenges emerge. Regular assessment and adjustment of your CASB deployment will help ensure its continued effectiveness in protecting your cloud environment.

Every CASB provider has its own offerings, but you should find one with security controls that integrate with your current infrastructure. Consider and research pricing, advantages, features, and approved services. Find a vendor that matches your specific organizational needs. Your chosen CASB provider should have the four pillars included in their offering with the following capabilities:

• Cloud app discovery: Find unused or stale apps still accessible by users.
• Risk and data governance: Configure access and authorization rules.
• Activity monitoring: Obtain visibility and insights into how data is accessed and used.
• Threat prevention: Detect and mitigate threats automatically.
• Data security: Use data loss prevention to block attackers and alert administrators.
• Activity analytics: Provide visualization that helps administrators make decisions to better protect data.
• Endpoint access control: Manage mobile endpoints and monitor their data access usage.
• Remediation option: Fix issues after they occur to restore data.
• Deployment considerations: Support API-based deployment and automation of data transfers and provisioning.
• Delivery infrastructure: Reduce latency and mitigate distributed denial-of-service (DDoS) attacks.
• Threat protection from malware and phishing: The CASB should identify malware risks, block them from accessing infrastructure and data, and alert administrators.
• Account management: Administrators must be able to configure the CASB to stop suspicious authentication and authorization attempts.
• Discovery of sensitive data and applications: Your selected CASB should scan and discover sensitive data, perform risk assessments, and manage access across applications and data.
• Consider performance: CASB integration should not interfere with network performance or user productivity.
• Necessary certifications: Some industries require cloud providers and services to have specific certifications, including FERPA, COPPA, CSP, and more.
• Good customer support: Administrators typically need CASB help for various reasons, so the vendor should offer help even if it’s an extra cost for specific incidents.

As a global leader in cybersecurity, Proofpoint remains at the forefront of cloud-based security solutions for some of the most complex and attack-vulnerable industries. With the ability to seamlessly integrate with existing security tools, Proofpoint’s CASB supports a unified security posture, ensuring consistent enforcement of security policies across all cloud applications.

Proofpoint CASB provides granular visibility into your data, access controls, and ongoing threats. It provides an overall view of how data is used and gives administrators insight into risks that could create a data breach. Administrators can view suspicious authentication attempts, data loss prevention alerts, and dashboards that detail your security standing.

The CASB solution leverages advanced threat detection technologies, including behavioral analytics and anomaly detection, to identify and mitigate potential security threats. This proactive approach helps prevent malware infections, detect compromised accounts, and address insider threats before they can cause significant damage.

For more information about CASB and secure cloud solutions, contact Proofpoint.