CASB (pronounced cas-bee) stands for Cloud Access Security Broker. As the name suggests, a CASB sits between the enterprise network and the cloud as a broker, protecting sensitive data moving into the cloud while enabling real-time controls on access to those resources. The term CASB was coined by Gartner in 2012, and although multiple Gartner definitions of CASB circulate on public forums, one of the simplest is “products and services that address the security gaps in an organization’s cloud usage”. The cloud is replete with security controls such as Web Application Firewalls (WAF), Identity and Access Management (IAM) and Secure Web Gateways (SWG), which address very specific cloud security use cases and can’t match the depth of security functions offered by a CASB. A CASB brings the same impact to the cloud security world that NGFW brought to the network security world.
CipherCloud has achieved the highest Gartner MQ Critical Capabilities Score for CASB in 2019.
Why do organizations need a CASB?
“Through 2025, 99% of cloud security failures will be the customer’s fault.” – Gartner
According to the Shared Responsibility Model of cloud service providers, users are responsible for security “in” the cloud, while the service providers are responsible for security “of” the cloud. This means securing the data residing in the cloud is always the user’s responsibility. This results in many sleepless nights for IT security teams and CISOs, who need to be on watch 24×7 to ensure that the plethora of data moving in and out of the cloud at a rapid pace is secured and doesn’t fall into the wrong hands. Remember, organizations need to succeed every time to stay protected, but a hacker needs to succeed just once to cause a breach and a million-dollar loss in revenue to the organization.
Hence CASBs act as the security gatekeeper to the cloud apps, providing organizations complete visibility into their cloud data – at rest or in motion, while ensuring the data remains protected from any external or internal threats.
CASB Deployment Modes
CASBs are offered in multiple modes: API-based or proxy-based, the latter as a forward or a reverse proxy (CipherCloud Mobile Connect). Some vendors offer CASB in API-only mode, while others offer proxy mode or both. Each mode comes with its own set of benefits and limitations.
API-based CASBs are easy-to-deploy, out-of-band solutions that don’t sit in the direct path between the enterprise and cloud applications. Once the data goes to the cloud, an API trigger causes the CASB to spring into action and act upon the data. Since the operation is asynchronous, there is no performance impact or any latency in user experience. API mode provides coverage across both managed and unmanaged devices, and can act upon data both at rest and in motion. But CASBs in API mode have two major limitations: (a) not all cloud providers have API support, and (b) since the action is taken in retrospect, there is a delay before the CASB acts upon the data, and the data remains unprotected until that time.
Proxy-based CASBs sit between the enterprises and cloud applications and control the data flow through a single gateway. Because it is an “inline” deployment, the action is taken in real-time ensuring the data always goes to the cloud in a protected form. But inline solutions may impact the performance of users accessing the cloud resources. Proxy solutions further come in two flavors:
- Forward proxy: Forward proxy mode requires installation of an agent on every user device to proxy traffic to all the cloud applications. This can become an expensive and time-consuming deployment. Moreover, forward proxy works for managed devices but fails to govern unmanaged devices.
- Mobile Connect: Mobile Connect is a reverse proxy method that provides secure agentless connectivity for mobile and unmanaged devices. It works by simply redirecting all traffic through the CASB to the service provider. This can be done by integrating either with existing IDaaS solutions such as Okta SSO or with CipherCloud Secure Cloud Workspace to securely redirect traffic through CASB.
CASB Use Cases
CASBs offer an unmatched depth of future-proof cloud security features. Gartner has grouped CASB functionality into four pillars – Visibility, Data Protection, Threat Protection and Compliance, but the functionality has evolved over the years and includes additional sophisticated and intelligent controls such as Adaptive Access Controls, UEBA, Digital Rights Management and many more.
Visibility – You can only control what you see
One of the major CASB use cases is to monitor and govern the usage of Shadow IT in the organization. While an organization keeps control over all its sanctioned clouds, a simple cloud discovery scan of a medium-scale business will reveal the usage of over a hundred unsanctioned clouds, which act as security holes for data loss. According to a survey, more than 40% of clouds are commissioned without authorization from the IT teams. This is where CASBs come to the defense: they provide 360-degree visibility into the organization’s cloud usage and an assessment of the risk of each cloud being used, based on multiple attributes. This enables tighter visibility and control over the data flow and ensures the data follows the compliance and governance policies of the organization.
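A minimal version of the cloud discovery scan described above, added here as an illustration and not taken from any CASB product. The log format, the sanctioned list and all host names are constructed assumptions.

```python
from collections import defaultdict

# Constructed allow-list and web-proxy log lines: timestamp user host bytes_out
SANCTIONED = {"salesforce.com", "office365.com"}
LOG = """\
2024-05-01T09:12:03Z alice files.salesforce.com 18230
2024-05-01T09:14:40Z bob upload.filedrop.example 73400112
2024-05-01T09:15:02Z carol app.notes.example 5120
2024-05-01T23:48:19Z bob upload.filedrop.example 91200345
malformed line
2024-05-02T10:01:00Z dave mail.office365.com 40211
"""

def base_domain(host):
    """Last two labels of the host; a real scan would use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def discover(log_text, sanctioned):
    """Return unsanctioned cloud domains with users and upload volume, largest first."""
    seen = defaultdict(lambda: {"users": set(), "bytes_out": 0, "requests": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records instead of aborting the scan
        _, user, host, sent = parts
        domain = base_domain(host)
        if domain in sanctioned:
            continue
        entry = seen[domain]
        entry["users"].add(user)
        entry["bytes_out"] += int(sent)
        entry["requests"] += 1
    # Upload volume is the attribute ranked here; it is one of many a risk rating could use.
    return sorted(seen.items(), key=lambda kv: kv[1]["bytes_out"], reverse=True)

if __name__ == "__main__":
    for domain, stats in discover(LOG, SANCTIONED):
        print(domain, sorted(stats["users"]), stats["bytes_out"], stats["requests"])
```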
Data Protection – Secure your data (Identify, Classify, Encrypt)
Not all data that goes to the cloud is sensitive. CASBs, with granular field-level controls, can identify and classify some data as sensitive and apply necessary Data Loss Prevention (DLP) policies (such as encryption, tokenization or data masking) for protecting them in the cloud. With Digital Rights Management support, CASBs ensure the encryption stays with the data even after it gets downloaded, enabling last-mile data protection and preventing data exfiltration.
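The identify, classify and protect steps described above can be sketched as follows. This is an added example, not a vendor implementation: the patterns, the policy table and the sample record are constructed, and the HMAC-based token stands in for a tokenization service (it is deterministic but not reversible).

```python
import hashlib
import hmac
import re

TOKEN_KEY = b"constructed-demo-key"  # assumption: a real key would come from a KMS
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits):
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(value):
    """Label one field value as 'ssn', 'card' or 'public'."""
    if SSN_RE.search(value):
        return "ssn"
    for match in CARD_RE.finditer(value):
        if luhn_ok(re.sub(r"\D", "", match.group())):
            return "card"
    return "public"

def tokenize(value):
    """Keyed, deterministic token: equal inputs give equal tokens, so lookups still work."""
    return "tok_" + hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()[:24]

def mask(value):
    """Whole-field masking that keeps only the last four digits."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]

POLICY = {"ssn": tokenize, "card": mask}  # hypothetical policy: label -> action

def protect(record):
    """Apply the policy field by field; non-sensitive fields pass through unchanged."""
    out = {}
    for field, value in record.items():
        label = classify(value) if isinstance(value, str) else "public"
        out[field] = POLICY[label](value) if label in POLICY else value
    return out

# Constructed sample record (test card number, never-issued SSN).
SAMPLE = {"name": "Ada Example", "ssn": "078-05-1120",
          "card": "4111 1111 1111 1111", "note": "order 1234567890123456"}
```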
Threat Protection – Because malware is everywhere
The cloud introduces new malware challenges that often bypass conventional threat protection systems and cause damage on a much larger scale than previously possible. As enterprises expand their cloud usage, they need to be assured that clouds don’t become a channel to deliver malware to their users or internal networks. CASBs scan all inbound and outbound cloud content for malicious code and clean or quarantine infected content on the fly, without adding any noticeable latency. CASBs can be integrated with high-performance scanning engines to detect zero day threats and take necessary preventive actions to keep the data safe in the cloud.
Adaptive Access Control – A dash of predictive intelligence to data access
As more and more users log into the cloud for collaboration and file sharing, just filtering users as authorized or unauthorized may not be enough. You need a more granular definition of when a user is authorized to access the data. An employee downloading sensitive data within office premises during office hours may look harmless, but what if the same employee downloads the same data at odd hours from home, or worse, from a rogue domain? Your cloud security cover must stay vigilant and identify such anomalies in data access. With Adaptive Access Controls, CASBs assess user risk in real time and prevent unauthorized access based on location, time, device type or even the operating system from which the user logs in.
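The following added example (not code from any CASB product) scores the scenario above: the same employee requesting sensitive data from the office during office hours, then from home at an odd hour. The networks, hours, weights and thresholds are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# All values below are assumptions for illustration: networks, hours, weights, thresholds.
OFFICE_NETS = [ip_network("203.0.113.0/24")]  # documentation range standing in for the office
OFFICE_HOURS = range(8, 19)                   # 08:00-18:59 local time, Monday to Friday
SUPPORTED_OS = {"windows-11", "macos-14"}

@dataclass
class AccessRequest:
    user: str
    src_ip: str
    when: datetime        # local time at the user's office
    device_managed: bool
    os: str
    sensitive: bool       # classification of the requested data

def risk_score(req):
    """Sum the weights of every risk signal present and report which ones fired."""
    signals = []
    if not any(ip_address(req.src_ip) in net for net in OFFICE_NETS):
        signals.append(("off-premises", 30))
    if req.when.weekday() >= 5 or req.when.hour not in OFFICE_HOURS:
        signals.append(("outside-office-hours", 20))
    if not req.device_managed:
        signals.append(("unmanaged-device", 30))
    if req.os not in SUPPORTED_OS:
        signals.append(("unsupported-os", 10))
    return sum(w for _, w in signals), [name for name, _ in signals]

def decide(req):
    """Map the score to allow / step-up / block; sensitive data gets tighter thresholds."""
    score, reasons = risk_score(req)
    step_up_at, block_at = (20, 60) if req.sensitive else (50, 90)
    if score >= block_at:
        return "block", score, reasons
    if score >= step_up_at:
        return "step-up", score, reasons
    return "allow", score, reasons

# Constructed requests: the same employee in the office, then from home.
OFFICE = AccessRequest("alice", "203.0.113.25", datetime(2024, 5, 1, 10, 30), True, "windows-11", True)
HOME_NIGHT = AccessRequest("alice", "198.51.100.7", datetime(2024, 5, 2, 2, 0), False, "windows-11", True)
HOME_DAY = AccessRequest("alice", "198.51.100.7", datetime(2024, 5, 1, 14, 0), True, "macos-14", True)
```

Returning the reasons alongside the decision lets the step-up prompt and the audit log say which signals fired.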
Compliance – Data privacy matters!
One of the biggest checklist items during cloud migration is ensuring compliance with the data residency and data privacy laws of the host nation. GDPR, CCPA, HIPAA, PCI – the list is ever expanding. Why is compliance important? Because data privacy is one of the biggest rights of consumers, and even a single violation can result in a lawsuit. With a CASB, organizations can selectively encrypt or tokenize sensitive data, mainly Personally Identifiable Information (PII), as per the compliance definition and seamlessly meet the requirements. CASBs allow organizations doing business in multiple countries to remain compliant with the complex web of regulatory laws and ensure business continuity.