You need to think deep about one fact here that--
Almost all enterprises are embracing the cloud...as THE DEFAULT STARTING POINT...for most of their new projects. They want all of their updates and enhancements to existing applications to happen on the cloud.
Thus, there is an emergence of a cloud-delivered security service that ensures the safe usage of cloud-based applications/services. It also ensures that accidental leakage of your data is prevented. It is known as CASB.
Cloud Access Security Broker (CASB) is primarily used to control & protect your corporate applications on the cloud, along with the usage of SaaS applications, IaaS and PaaS, that your company might be using.
According to analysts from Gartner and elsewhere, every enterprise with a significant cloud presence needs a cloud access security broker (CASB) to protect its cloud-based data. I think this point is straight and simple.
Some important CASB vendors are McAfee, Netskope, Bitglass, and Microsoft, etc.
-
4-Pillars of CASB
Pillar #1 VISIBILITY
There is a phenomena known as Shadow IT. It is defined as the so many applications, systems, processes, and online-services are used or accessed by the users of your networks, whether directly or remotely, that can put your corporate network and underlying assets in jeopardy. Shadow IT is a consistent headache for network admins, because it introduces so many of unknown security risks.
CASBs help you discover 'shadow IT' systems and processes, especially cloud services that are being used by your users. Most likely, such cloud services are not part of official scheme of things.
Because CASB provides you insights, alerts you, and reports about all inbound and outbound cloud activity. You gain a great visibility into:
-
Which cloud services are being used?
-
Who is using them?
-
What content is being sent and stored in the cloud?
-
Whether security policies are being followed in the process or not?
Thus, it is also possible to determine abnormal behavior of access to sanctioned apps.
For example if a user is accessing sanctioned app Office 365 at 1:00 PM from Boston and again login from San Francisco at 2:00 PM. The CASB will not only raise an alert but also will be preventing the access from San Francisco.
Another example if a user is trying to upload documents on a unsanctioned app such as Dropbox. The organisation has OneDrive as sanctioned app for storage so a access to other cloud service providers such as OneDrive/Box/AWS will be treated as an unusual behavior and appropriate alert will be raised.
+
Pillar #2 COMPLIANCE
When we are dealing with cloud, so much goes out of your company's direct control. But you are not never discounted of your responsibilities imposed by regulations such as SOC2, GDPR, HIPAA, PCI-DSS, etc. You are still liable to meet all your legal obligations without fail.
As a security person who is responsible for risk & compliance of your company, you would always need granular reporting system that allows you to see and track -- How your regulated data is stored across various cloud services.
By implementing strong security controls, CASBs help companies that store data and run business processes in the cloud achieve regulatory compliance. The level of such details are greatly helpful in making your 'Compliance auditors' convinced that your cloud-data handling and other related practices such as encryption, are up-to-the-mark for PII (Personally Identifiable Information) of your customers.
CASB overcomes the issue with data residency by encryption of data-at-rest. This provides protection to data stored on cloud against data breach. It also ensure organization Data Leakage Protection (DLP) are monitored on shared data items.
With a CASB, you can allow user to access enterprise Dropbox from office and disallow access to personal Dropbox account within office.
+
Pillar #3 DATA SECURITY
CASBs prevent the confidential data from leaving your company-controlled systems, and help protect the integrity of that data. You can still enforce a range of data-security policies, including 'Access Control' based on contextual variables like Job Role, Device Type, Device Protection Status, Geography, etc. Essential feature is DLP (Data Loss Prevention) that extends these measures across the cloud(s). By virtue of all this, you are allowed to control and restrict sharing of 'certain classes' of data across all cloud-storages or you can allow/disallow some 'certain storage providers,' as was mentioned above also.
In addition of encryption, they can be configured to enforce tokenization practices. They support enhanced authentication practices and integration with technology like single sign on (SSO) and identity and all major Identity & Access Management (IAM) platforms.
+
Pillar #4 THREAT PROTECTION
All CASBs are, by default, supposed to block all sorts of external threats/attacks to your cloud-resident data, whether in-transit or at-rest.
They are expected to provide you enough security tools and controls. They must integrate with all other security products your organisation is using. This integration is a key...
Apart from this, they are usually capable of monitoring activities of users and can find behavioral anomalies. They will generate alert immediately, if any suspicious activity is observed indicating some negligent behavior or malicious behavior of insiders, or potentially compromised accounts.
For example a sales executive attempts to download customer data from Salesforce. In such scenario CASB will raise an alert and also prevent the user from downloading the data.
In short, they can block external threats and attacks, in addition to stopping data leaks. Features such as anti-malware detection, sandboxing, packet inspection, URL filtering, and browser isolation can all help block cyber attacks.
-
Initially CASBs used to be on-premise hardware devices, but in recent times, they have evolved more into cloud-platforms themselves. They are still the 'security enforcement points, that you can place between your users of cloud-services and cloud-platforms. They allow you to combine or interject your company's security policies whenever your cloud-based resources are accessed.
REMEMBER
CASB is more than a Secure Web Gateway (SWG). CASB provides more comprehensive and granular control over how a user interacts with cloud-based services. This includes management of what data can be shared on a service, role-based access controls, and enforcement of your policies such as encryption requirements for sensitive data.
-
Kindly write your comment on the posts or topics, because when you do that you help me greatly in designing new quality article/post on cybersecurity.
You can also share with all if the information shared here helps you in some manner.
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so obsessed with Cybersecurity domain that she is going out of her way and sharing hugely valuable posts and writings about Cybersecurity on website, and social media platforms.
34,000+ professionals are following her on Facebook and mesmerized by the quality of content of her posts on Facebook.
If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, then you can follow her on Facebook:
Click Here to follow her: Cybersecurity PRISM