Cloud Access Security Brokers (CASBs) are among the prime candidates to become an integral part of modern enterprise cybersecurity infrastructures. Their fine-grained access control capability allows Cloud Access Security Brokers (CASBs) to implement real IT governance systems in the security field, ensuring total visibility into the interactions between users and cloud services.
This need is more pressing than ever, considering that smart working and the new collaboration methods of hybrid work are progressively expanding the corporate security perimeter, making it increasingly difficult to defend against ever wider and more varied cyber threats.
So let’s see what a Cloud Access Security Broker (CASB) actually consists of, what its fundamental functions are, and why a company today should at least consider configuring a modern IT security architecture to guarantee security on both the cloud side and the user side of its hybrid and multi-cloud infrastructures.
What is a Cloud Access Security Broker (CASB)
According to the definition offered by Gartner, the Cloud Access Security Broker (CASB) market consists of a set of products and services useful for identifying a company's security gaps in its use of cloud services. A CASB therefore sits between the users and the cloud to monitor and verify that the services used comply in all respects with the corporate security policies, and to intervene if critical issues are detected.
What at first glance might seem like an alternative to the various anti-intrusion systems that already exist in corporate security, and therefore a useless additional complication for the IT department called upon to manage it, proves on closer analysis to be fundamental, from a strategic and organizational point of view, for increasing control over security in the company.
In fact, CASBs operate at a different level from traditional security infrastructures, such as hardware and software firewalls or SWGs (Secure Web Gateways), which regulate the behavior of the various network access points. The same consideration applies to a traditional antivirus.
The reason for this substantial difference is very simple to understand if we consider that the corporate IT department in fact has no control over the intrinsic security of a SaaS (Software as a Service) application to which users connect to work.
The security of cloud-native web apps is the responsibility of the CSPs (Cloud Service Providers) who supply the service, as is that of data storage in the cloud and of all the other cloud applications, which companies use increasingly because they are more sustainable in terms of initial costs, scalable according to workload trends and simple to maintain, since their management is fully the responsibility of the service provider.
This is a decidedly attractive scenario, but it comes with an important price to pay, which is not so much the invoice issued by the CSP as having to blindly trust its work in terms of security. An error by the cloud service provider could cause serious damage to a client company if the bad guys manage to get hold of sensitive data or industrial secrets.
A Cloud Access Security Broker (CASB) is therefore designed natively for the cloud, like the applications and resources it is called upon to monitor. Its goal is not to replace the traditional IT security infrastructure, but to complement it with new functions: managing policies for all cloud activities and enhancing IT governance by specifically supporting all security-related control actions on data, users and applications.
Before going into detail in the following paragraphs, we can anticipate the main operational benefits of a conscious adoption of a CASB:
- Threat detection: provides complete visibility and dynamic analysis of the behavior of applications in the cloud, making it possible to identify or even predict threats through the active detection of anomalous behaviors that could correspond to malicious actions. This relies on tools based on machine learning, which allow real-time analysis of the enormous flow of data generated, for example, between users and applications.
- User protection: the analytics system monitors all aspects of user behavior to enable secure provisioning of applications. Integration with directory systems allows the CASB to verify all possible correlations between active users and the various enabled cloud applications, in order to detect possible anomalies and the consequent threats that could be active inside or outside the corporate perimeter.
- Secure configuration and application monitoring: a Cloud Access Security Broker (CASB) gives you visibility into the cloud applications you use and ensures their secure provisioning from the moment they are deployed, with all the security configurations needed to comply with corporate policies. Application monitoring is one of the activities to plan for in order to detect possible cyber attacks in real time. In the next section we will see what specifically is meant by visibility and compliance in the context of corporate IT security.
The 4 pillars of the CASB
With the definitions and the general framework in place, we can address the next topic. The IT literature, drawing on definitions originally formulated by Gartner, commonly recognizes a set of reference points for Cloud Access Security Brokers (CASBs), known as the four pillars of the CASB. Let’s use these definitions to look at the four pillars on which companies should try to build a secure framework for their cloud business.
Visibility
CASB systems guarantee complete visibility of what is defined as shadow IT, shedding light on gray areas that can arise with the growing use of multi-cloud architectures, in which the SaaS applications used in the company multiply daily.
An effectively implemented Cloud Access Security Broker (CASB) must give IT managers a single control panel that summarizes all the cloud applications to which users are registered and connected, with a detailed list of the devices used. Only in this way is it possible to have complete visibility of the software used by employees and to make the appropriate security assessments, in relation to the very nature of the cloud-native applications, the methods of access, data processing and archiving, etc.
In other words, a CASB must answer the following question: “Who is doing what in the cloud?”. This is a fundamental question for classifying the applications in use as valid or not for the business objectives, in accordance with the corporate security policies. Beyond the strictly security-related aspects, this information can also allow a rationalization of the software portfolio, with corresponding savings on service subscription costs.
Modern CASBs make use of features based on artificial intelligence to analyze large amounts of data and draw up detailed reports on the activity logs of the various applications, with the possibility of setting up automatic alerts when suspicion of malicious actions emerges. A classic case is simultaneous access by the same user from two different places, which raises the suspicion that their access credentials have been compromised. Similarly, the Cloud Access Security Broker (CASB) can detect in real time whether a user is using software deemed unreliable, such as a P2P file sharing application, so that it can eventually be banned.
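The two detections just described (the same user active from two places at once, and use of an application deemed unreliable) can be sketched over an activity log. This is an added example, not part of the original article or of any CASB product; the log fields, the allow-list and the 15-minute window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity log (not real telemetry):
# timestamp, user, cloud application, source country.
EVENTS = [
    ("2024-05-06T09:00:00", "alice", "crm", "IT"),
    ("2024-05-06T09:04:00", "alice", "crm", "BR"),
    ("2024-05-06T09:10:00", "bob", "office-suite", "IT"),
    ("2024-05-06T11:30:00", "bob", "office-suite", "DE"),
    ("2024-05-06T12:00:00", "carol", "p2p-share", "IT"),
]

SANCTIONED_APPS = {"crm", "office-suite"}  # assumed allow-list of approved apps
WINDOW = timedelta(minutes=15)             # assumed meaning of "simultaneous"


def detect(events, window=WINDOW, sanctioned=SANCTIONED_APPS):
    """Return sorted alerts as (kind, user, detail) tuples."""
    alerts = set()
    by_user = defaultdict(list)
    for ts, user, app, country in events:
        if app not in sanctioned:
            alerts.add(("unsanctioned_app", user, app))
        by_user[user].append((datetime.fromisoformat(ts), country))
    for user, seen in by_user.items():
        seen.sort()
        # Compare each event with the later ones that fall inside the window.
        for i, (t1, c1) in enumerate(seen):
            for t2, c2 in seen[i + 1:]:
                if t2 - t1 > window:
                    break  # events are time-ordered, nothing later can match
                if c1 != c2:
                    alerts.add(("concurrent_locations", user, f"{c1}/{c2}"))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Bob's two logins are more than two hours apart, so only Alice's four-minute change of country is raised as a possible credential compromise.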
Compliance
One of the actions of the CASB consists in highlighting the aspects linked to what in the jargon is defined as compliance, i.e. adherence to the company standards and rules regarding certain functions, specifically those relating to security. In essence, the CASB analyzes the characteristics of a SaaS or other cloud service in order to highlight the inconsistencies and possible risks deriving from its use.
Most SaaS vendors lack detailed visibility and data protection tools to ensure compliance by default. The Cloud Access Security Broker (CASB) therefore has the task of filling this gap, with specific actions capable of providing an additional level of security against threats such as data breaches, or of guaranteeing full compliance with sensitive-data access policies, avoiding data leaks as far as possible.
Data Security
CASB systems help to consolidate compliance with data security policies by implementing monitoring and analysis actions that are useful for preventing malicious actions on the data itself.
Monitoring takes place by controlling access to data in the various situations in which it may occur and automatically adopting actions that safeguard its integrity, such as quarantine, watermarking or encryption, as weapons against a possible data leak by criminals, who could come into possession of a company’s confidential information and resell it illegally to its competitors, causing damage that goes far beyond the economic aspect.
Cloud Access Security Brokers (CASBs) are particularly effective in controlling the accesses that users make based on their authentication status, the device used and the place of connection. In particular, device control is essential in remote or smart working regimes where employees can resort to BYOD (Bring Your Own Device), a condition that should always be avoided if possible, since it contributes dangerously to expanding the corporate security perimeter, making it significantly more complex to control.
A CASB can check the devices connected to the network and identify their interaction with cloud services. In this way, in addition to excluding unauthenticated IDs from its systems, it can also prevent, in accordance with the policies, certain behaviors such as downloading or uploading files to email / office applications via mixed-use devices, which the employee also uses for personal activities, in a context completely unrelated to corporate IT.
Cloud Access Security Broker (CASB) for Threat Protection
The CASB is generally an effective tool for protecting corporate systems from cyber threats that can occur inside or outside the corporate security perimeter. The actions it can carry out in this sense are many.
Based on what is highlighted in the first three pillars, the Cloud Access Security Broker (CASB) can, for example, prevent specific users, devices and applications from accessing cloud services. It can also activate UEBA (User and Entity Behavior Analytics), or advanced malware detection and all those actions that take advantage of the analytic-predictive functions with which modern CASBs are equipped, thanks to the use of artificial intelligence.
A classic mistake that companies often make is to trust the cloud a priori, on the grounds that the CSPs (Cloud Service Providers) are required to comply with the SLAs set out in the contract, which also include specific security and resilience conditions. That is not untrue, but the daily news tells us that CSPs are anything but infallible in the face of the staggering number and variety of threats that occur. If an attack involves the data of a client company, the company will eventually be able to seek recourse against the supplier, but in the meantime the loss or leakage of information can cause even fatal damage to the business. And no recourse can make up for that.
While, as we have seen above, the Cloud Access Security Broker (CASB) can close the security gaps between the enterprise and the cloud, it can be equally effective in deterring certain insider behavior. Thanks to its monitoring, it could for example notice that an employee, even without particular malicious intent but simply for presumed convenience, is trying to download the entire customer database from a CRM. Even if this is not an illegal maneuver, the practice moves sensitive data out of a secure perimeter, with all the risks involved, so it is desirable that the CASB prevent downloading by users who nonetheless remain authorized to access it, even remotely.
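The access decisions described under Data Security and in the CRM case above (authentication status, device, place of connection, and a bulk download by an otherwise authorized user) can be expressed as an ordered rule set. This is an added sketch, not code from the article or from a CASB vendor; the field names, the allowed countries and the 500-record export limit are assumptions, and the requests are constructed.

```python
from dataclasses import dataclass

# Assumed policy parameters; a real deployment would load them from its own policy.
ALLOWED_COUNTRIES = {"IT", "DE"}
BULK_EXPORT_LIMIT = 500  # records per request before a download counts as bulk


@dataclass
class Request:
    user: str
    authenticated: bool
    device_managed: bool  # False for BYOD / mixed-use devices
    country: str
    app: str
    action: str           # "view", "download" or "upload"
    records: int = 0      # number of records touched by the action


def decide(req: Request) -> tuple[str, str]:
    """Return (verdict, reason); the first matching rule wins."""
    if not req.authenticated:
        return "block", "unauthenticated identity"
    if req.country not in ALLOWED_COUNTRIES:
        return "block", "connection from a location outside policy"
    if not req.device_managed and req.action in {"download", "upload"}:
        return "block", "file transfer from a mixed-use device"
    if req.action == "download" and req.records > BULK_EXPORT_LIMIT:
        return "block", "bulk export exceeds limit"
    return "allow", "within policy"


# Constructed requests, one per rule.
SAMPLES = [
    Request("dave", True, True, "IT", "crm", "view", 20),
    Request("dave", True, True, "IT", "crm", "download", 48000),
    Request("erin", True, False, "IT", "mail", "upload", 1),
    Request("erin", True, False, "IT", "mail", "view", 1),
    Request("anon", False, True, "IT", "crm", "view", 1),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.user, r.action, *decide(r))
```

Note that dave keeps his access to the CRM: only the 48,000-record download is blocked, which is the outcome the insider scenario calls for.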
The application areas of a Cloud Access Security Broker
The CASB helps to substantially reduce the risks deriving from cyber threats, thanks to a greater awareness of what is happening in the company. On a practical level, a Cloud Access Security Broker (CASB) can be implemented in-line, with real-time control of the interaction between the user and the SaaS application, or off-line, using the API telemetry made available by SaaS providers. CASBs are currently used to ensure compliance with corporate security policies in many application areas, including:
- Cloud Governance and Risk Assessments
- Authentications, Authorizations and Single Sign-On
- Credential mapping
- Device profiling
- Data Loss Prevention
- Control collaboration and sharing activities with cloud native applications
- Behavioral Threat Prevention (UEBA)
- Data tokenization and encryption, with access key management
- Registrations and reports
- Malware detection
- SSO and IAM integrations
Their real-time nature and their use of artificial intelligence techniques for the advanced analysis of large amounts of data make modern CASBs very effective systems for safeguarding company security. However, CASBs cannot act alone: they must be combined with other security systems, on-premises or in the cloud, such as systems able to decouple hardware from control mechanisms to create hybrid networks (e.g. Software Defined WAN, Zero Trust Network Access, Firewall as a Service, Secure Web Gateway, etc.), over VPN connections, as envisaged for example by a modern network architecture such as SASE (Secure Access Service Edge).
It should also be noted that a Cloud Access Security Broker (CASB) is in no way a substitute for a corporate security culture, which is generated only through continuous employee training. To put it colloquially, technology does not make users care about security, but it helps business systems work more securely. Driving a safe car does not prevent an accident in the event of reckless conduct, nor the theft of the car itself if the most basic rules of common sense are ignored, such as leaving the keys in the dashboard.