Every day, your people access cloud apps – whether it’s Microsoft Office 365, Box or Google G Suite – from all types of devices, at the office or remotely. If your organization is looking for a way to gain better visibility into and control over app usage and sensitive data in the cloud, consider evaluating a Cloud Access Security Broker (CASB) solution.
What Is CASB?
A CASB is an intermediary between users and cloud platforms that protects data in the cloud while addressing the authorization and visibility concerns of corporations leveraging cloud services. Think of a CASB as a central point where all access controls and authorization rules are validated against set policies. A CASB makes it more convenient for administrators to deploy and enforce security policies. It helps businesses build security rules when their administrators are unfamiliar with the ways cybersecurity must be provisioned in the cloud. As Gartner explains it, CASBs address security gaps associated with third-party cloud services and platforms that are not under your control but that process and store your data. While cloud services offer a certain level of security, cloud security is a shared responsibility. The onus is on you to protect your users, your workloads and your data.
Cloud app security has become an essential component of a comprehensive enterprise defense in today’s cloud-driven world. Gartner estimates that, by 2022, 60% of enterprises will incorporate CASB into their security toolbox – up from less than 20% today.
History of CASB
The term “CASB” was first coined in 2012 when the idea of using a security broker for cloud resources became a necessity. In 2013, the first CASB vendor was introduced to the market, but the introduction of Office 365 is considered the start of the CASB era. As more companies leverage cloud applications, the need for CASB increases.
How It Works
In a hybrid cloud environment, data synchronizes between the cloud and on-premises resources. A CASB provides encryption services so that data is protected from eavesdropping, and it provides identity management so that only authorized users can access resources. These users can share documents and data with other users, and organizations can obtain visibility into the ways documents are shared and accessed. A CASB also provides protection from malware and malicious software that can steal data from the cloud.
When an organization provisions cloud resources, there is always a connection between the on-premises network and the cloud. This connection must be secured, but the point at which users connect to cloud resources must also be secured. So, having business resource access at remote workers’ fingertips requires a secure connection and a secure authentication point.
Administrators set up security policies that guard data in the cloud, but the CASB is responsible for enforcing these policies. The first primary protection includes malware prevention so that ransomware and other advanced persistent threats cannot gain access to internal and cloud resources. The second main protection is encryption, which is used to secure data as it’s stored on a disk and traverses the network.
Malware prevention works by scanning files and rejecting any suspicious data that could be used to interrupt productivity or steal data. Encryption is a multipurpose protection. Any data that crosses the wire is subject to eavesdropping, and encryption makes it unreadable should an attacker intercept your sensitive information. It’s also used to protect data stored on a device, protecting your sensitive information from theft after a user loses their corporate devices.
A CASB has a three-step process:
- Discovery: The CASB scans and finds resources provisioned on the organization’s cloud infrastructure.
- Classification: After the CASB discovers all cloud resources, a risk value is placed on each component so that applications and data can be categorized and assessed for importance.
- Remediation: With data classified, the organization can then use the classification designations to apply the proper access controls on data and take appropriate action on unauthorized requests.
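The three steps above as a small pipeline. This is an added example, not part of the original page or any vendor's product; the log format, the sanctioned-app list, the app attributes, and the risk weights and thresholds are all assumptions invented for illustration.

```python
from collections import defaultdict

# Constructed proxy log lines: "<user> <cloud app host> <bytes uploaded>"
SAMPLE_LOG = """\
alice office365.example 1200
bob box.example 300
bob filedrop.example 52000000
carol filedrop.example 4100
dave pastebin-like.example 900
alice office365.example 800
"""

# Assumed catalog data; a real CASB maintains its own app ratings.
SANCTIONED = {"office365.example", "box.example"}
APP_ATTRS = {
    "filedrop.example": {"encrypts_at_rest": False, "certified": False},
    "pastebin-like.example": {"encrypts_at_rest": False, "certified": True},
}
LARGE_UPLOAD_BYTES = 10_000_000  # assumed threshold for "bulk upload"


def discover(log_text):
    """Step 1: inventory every app seen in traffic, with its users and upload volume."""
    apps = defaultdict(lambda: {"users": set(), "bytes_up": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip malformed lines instead of failing the whole scan
        user, host, size = parts
        apps[host.lower()]["users"].add(user)
        apps[host.lower()]["bytes_up"] += int(size)
    return dict(apps)


def classify(host, usage):
    """Step 2: assign a 0-100 risk value. Unknown attributes count as missing controls."""
    if host in SANCTIONED:
        return 0
    attrs = APP_ATTRS.get(host, {})
    score = 40  # baseline for any unsanctioned app
    if not attrs.get("encrypts_at_rest", False):
        score += 20
    if not attrs.get("certified", False):
        score += 20
    if usage["bytes_up"] > LARGE_UPLOAD_BYTES:
        score += 20
    return min(score, 100)


def remediate(score):
    """Step 3: map the risk value to an access decision."""
    if score >= 80:
        return "blocked"
    if score >= 40:
        return "limited"
    return "allowed"


def run(log_text):
    """Full pipeline: host -> (risk score, decision)."""
    result = {}
    for host, usage in discover(log_text).items():
        score = classify(host, usage)
        result[host] = (score, remediate(score))
    return result


if __name__ == "__main__":
    for host, (score, action) in sorted(run(SAMPLE_LOG).items()):
        print(f"{host:25} risk={score:3} -> {action}")
```

An app that is absent from the catalog scores 80 and is blocked, so the pipeline fails closed on services nobody has reviewed yet.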
What is CASB Commonly Used For?
Administrators determine the right security strategies, and a CASB helps enforce these strategies. It provides the defenses necessary to protect data using security layers. For example, if your organization allows users to connect to cloud resources using their own devices (e.g., smartphones and tablets), a CASB will let administrators monitor data and control access to it across numerous endpoints.
A CASB handles several security features common in the cloud. These security features protect data from external and internal hackers as well as malware. CASB can be used for:
- Single Sign-On (SSO) service: Users can authenticate from one location and get access to multiple systems with only one username and password.
- Encryption: A CASB will encrypt data at-rest (on storage devices) and in-transit (as it moves across the network) to avoid eavesdropping and man-in-the-middle (MitM) attacks.
- Compliance tools: With so many moving parts, CASB compliance tools report on every system so that administrators can identify any non-compliant systems.
- Traffic analytics: Monitoring the environment is a big component in effective cybersecurity, and CASB tools provide reports based on user behaviors and traffic patterns so that administrators can identify anomalies.
What are the Four Pillars of CASB?
As you research CASBs, you’ll find that there are four pillars that define CASB services and what you get from them. The CASB you choose should offer four main functions, and these functions are called the “four pillars of CASB.” They summarize the benefits of using a CASB so that organizations get everything they need to secure their data.
Here are the four pillars of CASB:
- Visibility: Monitoring and watching resource usage provides visibility needed to detect suspicious behavior. Administrators must be aware of all data stored on the network and the devices used to access it. They can detect suspicious access requests, uploaded malicious files, and security vulnerabilities from poor access controls. It gives administrators an opportunity to train users on the best security policies for shared resources. A CASB also provides visibility into potential unauthorized connected devices like shadow IT and discovers data that administrators could have overlooked. Instead of allowing users to upload data to unauthorized locations, a CASB blocks access to third-party locations and alerts administrators of the unusual activity.
- Compliance: Compliance regulations oversee many of the cybersecurity factors necessary to protect cloud data. Organizations out of compliance can suffer from hefty fines, so a CASB ensures that organizations have the necessary access tools and monitoring in place to keep them compliant. A CASB ensures that stored cloud data is encrypted to comply with the latest regulatory standards. In addition, a CASB’s visibility and cybersecurity controls help keep the organization compliant with various regulations such as HIPAA, SOX, PCI-DSS, PHI, and more.
- Data Security: Sensitive data such as customer information, intellectual property, and secrets might be stored in the cloud. The primary pillar and arguably the most important is the security offered including access controls, encryption, tokenized data, permission management, data discovery, and remediation. Monitoring and logging are components of a CASB’s functionality. The CASB blocks access to data based on various user attributes like IP address, browser, operating system, device, and location. Using a combination of device attributes, a CASB lowers the possibility of false positives and improves its accuracy.
- Threat Protection: Along with monitoring, threat detection mitigates any suspicious activity. The threat detection pillar identifies external and internal threats, mitigates them, and sends a notification to administrators. User behavior patterns are commonly used in a CASB to identify suspicious behavior. For example, a salesperson should have access to customer data in a sales application, but the CASB raises an alert if a developer attempts to download the same data. In the former scenario, the CASB allows it, but the CASB would block access to the customer’s data and alert an administrator in the second scenario.
Why You Need CASB
Security and compliance concerns with cloud apps and services are pushing more and more enterprises to implement CASB solutions. These include:
- “Shadow IT” and the proliferation of third-party apps: When CASBs first came on the scene, enterprises deployed them primarily to curb “Shadow IT” (cloud apps and services used without the explicit approval of IT). Now enterprises also face the challenge of governing hundreds and sometimes thousands of third-party apps and scripts with OAuth permissions (which use tokens instead of passwords) to access enterprise data. These third-party apps add more features to Office 365, G Suite, Box, and other platforms. But some are poorly built or overtly malicious. And, once an OAuth token is authorized, access continues until it’s revoked. After auditing each cloud app for its security controls, such as certifications, and other risks, such as broad data permissions, IT teams can make educated decisions on access controls for risky cloud apps and can promote the use of “safe” cloud services.
- Cloud account compromise: Apps and data in the cloud are often accessed by cybercriminals through compromised cloud accounts. Proofpoint recently analyzed more than 100,000 unauthorized logins across millions of monitored cloud accounts and found that 90% of tenants are targeted by cyber attacks. Sixty percent of tenants have at least one compromised account in their environment. These typically begin with brute-force attacks – where threat actors submit multiple user names or passwords in an attempt to guess user credentials correctly so they can access an account. Another method is credential phishing, where they try to get users to part with their passwords through socially engineered emails. Once they have the credentials, attackers then leverage these cloud accounts to pose as legitimate users in order to get employees to wire funds to them or release corporate data. Threat actors also hijack email accounts to distribute spam and phishing emails.
- Loss of intellectual property: The risk of losing trade secrets, engineering designs and other corporate-sensitive data is very real when employees use cloud-based collaboration or messaging tools to share files and information. Employee negligence or lack of training can result in oversharing of files via public links that can be accessed by anyone. Insider threats are also common. A common example is theft of customer sales records from CRM services by sales personnel who plan on leaving the company. Enterprises can increase visibility to data handling in the cloud and improve data security by employing user-centric policies to control access to cloud services and data via CASB solutions.
- Stricter regulations and bigger fines: Organizations in virtually all sectors are finding that maintaining compliance has become a daunting task. Many regulations and industry mandates now require you to know where your data is and how it’s shared in the cloud. Violations of recent data privacy and residency regulations can result in hefty fines. For example, violators of GDPR can be fined up to 4% of worldwide annual revenue. CASBs can lighten the compliance burden and spare you the headaches at audit time.
- Visibility into cloud usage: Whether it’s to protect data or obtain insights into the ways cloud services are used, a CASB provides the visibility needed for security and future scaling. A CASB can help organizations plan for future resources so that performance is always maintained. It also helps administrators review threat activities and provision security resources to mitigate attacks.
How CASBs Strengthen Your Security Posture
Now that you know why you need a CASB, let’s take a look at the capabilities of CASBs. They perform several key functions that go beyond enterprise firewalls and web gateways:
- Cloud app governance: CASBs govern cloud apps and services by offering a centralized view of your cloud environment, with details like who’s accessing what apps and data in the cloud from where and from which device. Because usage of cloud apps has become so pervasive, CASBs catalog cloud services (including third-party OAuth apps), rate the risk level and overall trustworthiness of cloud services and assign them a score. CASBs even provide automated access controls to and from cloud services based on cloud service risk scores and other parameters, such as app category and data permissions.
- Defense against cloud threats: CASBs can help detect cloud threats by monitoring suspicious or excessive logins and then sending out alerts. CASBs also use advanced anti-malware and sandbox tools to block and analyze threats. And in some cases, CASB vendors rely on their own global research and third-party feeds to help identify the behaviors and characteristics of current and emerging cloud-based attacks. Today’s sophisticated CASB solutions also allow you to configure policies for automated remediation of cloud threats. For preventative measures, you can configure user-centric adaptive access controls based on the user’s role (such as privileges and VIP status), the risk level associated with the login and other contextual parameters, such as user’s location, device hygiene and others.
- Securing sensitive data: Detection and removal of public and external shares of files, as well as data loss prevention (DLP), are critical components of a CASB solution. For example, CASBs enable you to set and enforce data security policies to allow users to access only certain categories of data based on their privileges. In most CASB solutions, DLP works natively and is also integrated with enterprise data protection solutions.
- Compliance for the cloud: CASBs can be a big help when it comes to proving that you are exercising proper governance over cloud services. Through visibility, automated remediation, policy creation and enforcement and reporting capabilities, CASBs enable you to stay compliant with industry and government regulations. These include regional mandates, like European Union General Data Protection Regulation (GDPR), and industry standards and rules, like the Health Insurance Portability and Accountability Act (HIPAA).
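The login monitoring described under “Defense against cloud threats,” sketched as detection logic over sign-in events. This is an added example, not part of the original page or any vendor's product; the event format, alert names, window and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sign-in events: "<ISO timestamp> <account> <source IP> <OK|FAIL>"
SAMPLE_EVENTS = """\
2024-05-01T09:00:00 alice 192.0.2.10 OK
2024-05-01T09:01:00 bob 203.0.113.5 FAIL
2024-05-01T09:01:20 bob 203.0.113.5 FAIL
2024-05-01T09:01:40 bob 203.0.113.5 FAIL
2024-05-01T09:02:00 bob 203.0.113.5 FAIL
2024-05-01T09:02:20 bob 203.0.113.5 FAIL
2024-05-01T09:02:40 bob 203.0.113.5 OK
2024-05-01T09:30:00 carol 198.51.100.9 FAIL
2024-05-01T09:30:05 dave 198.51.100.9 FAIL
2024-05-01T09:30:10 erin 198.51.100.9 FAIL
2024-05-01T09:45:00 carol 192.0.2.44 FAIL
2024-05-01T09:46:00 carol 192.0.2.44 OK
"""

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_FAILS = 5                   # assumed failures per account before alerting
MAX_ACCOUNTS_PER_IP = 3         # assumed distinct accounts failing from one source


def detect(log_text):
    """Return (alert_type, subject) tuples in the order they fire."""
    fails_by_account = defaultdict(deque)  # account -> failure timestamps
    fails_by_ip = defaultdict(deque)       # source IP -> (timestamp, account)
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue  # ignore malformed records
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        account, ip, result = parts[1], parts[2], parts[3]
        acct_q, ip_q = fails_by_account[account], fails_by_ip[ip]
        # Drop failures that have aged out of the look-back window.
        while acct_q and ts - acct_q[0] > WINDOW:
            acct_q.popleft()
        while ip_q and ts - ip_q[0][0] > WINDOW:
            ip_q.popleft()
        if result == "FAIL":
            before = len({a for _, a in ip_q})
            acct_q.append(ts)
            ip_q.append((ts, account))
            after = len({a for _, a in ip_q})
            if len(acct_q) == MAX_FAILS:
                alerts.append(("excessive_failures", account))
            if before < MAX_ACCOUNTS_PER_IP <= after:
                alerts.append(("many_accounts_one_source", ip))
        else:
            # A success right after a burst of failures suggests a guessed password.
            if len(acct_q) >= MAX_FAILS:
                alerts.append(("success_after_failures", account))
            acct_q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The last two sample events show the quiet case: one mistyped password followed by a success stays below the threshold and raises nothing.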
CASB Use Cases
CASB provides the security resources necessary for data security in the cloud. A CASB has the web gateways, firewalls, policy and governance, and access controls a business needs to protect data. A corporation that does not have the resources for security can leverage CASB offerings so that security can be integrated with provisioning infrastructure. CASB providers excel in their simplicity of cybersecurity enforcement. However, they are beneficial in several scenarios that likely affect your organization.
A few CASB use cases are:
- Applications running on personal devices: If the organization has a bring-your-own-device (BYOD) policy, a CASB protects personal devices from malware without interfering with employee data privacy. Corporate data is protected while employee data remains untouched.
- Data loss prevention: A CASB identifies sensitive data and enforces authorization policies so that users are “allowed,” “blocked,” or “limited” to corporate information. It can also encrypt data-at-rest (e.g., stored in the cloud) or in-transit (e.g., transferred across the internet).
- Block malware and ransomware: Malware and ransomware pose significant threats to data security, but a CASB blocks these applications from being installed on the environment. It also stops the flow of malware between the cloud and the on-premises network using proxies and real-time quarantine functions.
- Monitor and handle suspicious user behaviors: Static user attributes are no longer an efficient way to detect malicious activity. Instead, a CASB uses benchmarks and continual traffic data to detect attackers and block malicious file access.
- Encryption: A CASB uses encryption for data-at-rest and data-in-transit to stay compliant and secure data.
- Validate authenticated users: Identity access management and built-in collaboration with Active Directory are significant benefits of using a CASB over your own solution. Using a CASB, administrators can set up single sign-on functionality, manage multi-factor authentication, and integrate current solutions (e.g., Okta) with the organization’s cloud environment.
- Identify misconfigurations: A simple misconfiguration in the cloud can lead to a severe data breach, but a CASB monitors and discovers risky infrastructure configurations and alerts administrators. In fact, some misconfigurations can be automatically remediated.
- Stop shadow IT and unauthorized applications: Ingesting logs and monitoring for unauthorized devices and applications prevent organizations from becoming victims of a data breach from lost laptops and smartphones or when an attacker attempts to authenticate from a suspicious location.
Proofpoint CASB provides granular visibility into your data, access controls, and any ongoing threats. It provides an overall view of the way your data is used and gives administrators insight into risks that could create a data breach incident. Administrators can view suspicious authentication attempts, data loss prevention alerts and dashboards that provide detail into your security.
What Do You Need to Know When Shopping Around?
Every provider has their own offerings, but you should find a provider that has the security controls that integrate well into current infrastructure. When shopping around it is important to consider and research pricing, advantages, features, and approved services. Find a vendor that matches your specific organizational needs. However, there are a few CASB must-haves. Your chosen provider should have the four pillars included in their offering, and they should have the following capabilities:
- Cloud app discovery: Find unused or stale apps still accessible by users.
- Risk and data governance: Configure access and authorization rules.
- Activity monitoring: Obtain visibility and insights into the way data is accessed and used.
- Threat prevention: Detect and mitigate threats automatically.
- Data security: Use data loss prevention to block attackers and alert administrators.
- Activity analytics: Provide visualization that helps administrators make decisions to better protect data.
- Endpoint access control: Manage mobile endpoints and monitor their data access usage.
- Remediation option: Fix issues after they occur so that data can be restored.
- Deployment considerations: Support API-based deployment and automation of data transfers and provisioning.
- Delivery infrastructure: Reduce latency and mitigate distributed denial-of-service (DDoS) attacks.
- Threat protection from malware and phishing: The CASB should identify malware risks, block them from accessing infrastructure and data, and alert administrators.
- Account management: Administrators must be able to configure the CASB to stop suspicious authentication and authorization attempts.
- Discovery of sensitive data and applications: Your selected CASB should scan and discover sensitive data, perform risk assessments, and manage access across applications and data.
- Consider performance: Integration of the CASB should not interfere with network performance or user productivity.
- Necessary certifications: Some industries require cloud providers and services to have specific certifications, including FERPA, COPPA, CSP and more.
- Good customer support: Administrators typically need CASB help for various reasons, so the vendor should offer help even if it’s an extra cost for specific incidents.
FAQs for CASB
What Does CASB Do?
A CASB offers many benefits to an organization, including advanced protections against numerous threats targeting cloud providers and their customer environments. In addition to security controls, a CASB also provides reporting and monitoring capabilities so that administrators can get complete visibility into all aspects of the environment, which helps them identify shadow IT devices and unauthorized data usage.
With the introduction of the cloud, administrators could not keep up with the evolving changes in cybersecurity. A CASB eliminates much of the overhead experienced by cloud administrators so that they can deploy more effective authorization controls. It not only enforces policy on data-at-rest, but it also monitors and controls data-in-motion, meaning data traversing the environment and sent over the internet is also validated and protected.
A CASB will do the following:
- Data loss prevention.
- Encryption for files and data transferred over the network.
- Two-factor authentication.
- Single sign-on.
- Access control.
- Auditing of data and network usage.
- Enforcement of security policies.
Why Do I Need a CASB?
Integrating cloud resources into your environment reduces operational costs and gives your organization access to advanced technology that would otherwise be too expensive to provision on-premises. With these advantages come risks of data loss and malware installation. With so many moving parts, it’s difficult for administrators to keep track of all resources on the network. A CASB unifies many of the cybersecurity measures that administrators must provision separately to manage infrastructure from one location.
Without a CASB, an organization risks misconfigurations and poor cybersecurity management, leading to numerous exploits, data breaches, and data corruption. Although CASBs are not new technology, their adoption has been slow across organizations, but their popularity is growing due to the numerous benefits offered by providers. Administrators that are unfamiliar with the ways attackers can exploit vulnerabilities get help from CASBs by having a system in place that detects threats and stops them from accessing corporate data.
Administrators require help to manage cybersecurity for ever-growing environments. An organization could use hundreds of cloud resources to manage corporate resources, but that would compromise cybersecurity because you wouldn’t have visibility into resources, usage, data access, and uptime. A CASB helps manage these resources to properly maintain cybersecurity infrastructure and enforce policies.
Why is a Cloud Access Security Broker Important?
CASBs offer numerous benefits, but their top benefit is shadow IT detection. “Shadow IT” is any device or hardware connected to the network without authorization. A shadow IT device could be a user knowingly connecting a device with malware on the network or a physical attacker connecting a device used for data theft. For example, an innocent user might connect their laptop to the network without knowing it’s carrying ransomware, but a malicious attacker could connect a portable USB device to a workstation to steal data. Both examples are forms of shadow IT, but one is unintentional, and the other is intentional and malicious. A CASB provides visibility into devices connected to the network and blocks shadow IT hardware from accessing sensitive data.
Ideally, administrators should have permission to provision a new cloud resource, but anyone with access to the cloud management dashboard could deploy additional infrastructure. Without knowledge of the new resource, administrators could overlook it and mistakenly allow it to access data without the proper cybersecurity controls. A CASB gives administrators better visibility of cloud and on-premises resources.
As your organization moves data to the cloud, a CASB ensures that it’s protected from external attackers. Shadow IT devices cannot connect to the cloud and access your sensitive information, so users must get their laptops and tablets authorized before using their personal devices to perform business tasks.
How Do I Deploy a CASB?
Another benefit of using a CASB is its ease of deployment. Even though deployment can be automated and many CASB policies are generated from risk assessments, administrators still need to build a model with the right deployment strategy to maintain efficiency.
Administrators can choose from three different CASB deployment models:
- API control: Use an application programming interface to make calls to CASB procedures, which reduces the overhead for deployment.
- Reverse proxy: Best for organizations that have remote users and must make data available to only authorized users connected to the cloud.
- Forward proxy: For organizations that need endpoint protection, a forward proxy will obfuscate user device information and protect it from attackers. It also works well with virtual private network (VPN) connections.
What is a CASB Example?
Proofpoint has several example policies and security features that you can use to identify the best CASB vendor for your business. A few feature examples available through Proofpoint include:
- Application discovery: Find all applications used in daily business operations and collect logs to analyze user behaviors.
- Risk governance: Assess risks and apply the proper cybersecurity controls to reduce them.
- Audit and protect: Monitor and catalog data to automatically apply the proper cybersecurity controls and alert administrators of suspicious traffic.