A cloud access security broker (CASB) is a software tool or service that sits between an organization's users (on-premises or remote) and a cloud provider's infrastructure. A CASB acts as a gatekeeper, allowing the organization to extend the reach of its security policies beyond its own infrastructure.
CASBs work by ensuring that network traffic between an organization's devices and the cloud provider complies with the organization's security policies. The value of cloud access security brokers stems from their ability to give insight into cloud application use across cloud platforms and to identify unsanctioned use. This is especially important in regulated industries. CASBs use auto-discovery to identify the cloud applications in use and to flag high-risk applications, high-risk users and other key risk factors. CASBs may enforce a number of different security access controls, including encryption and device profiling. They may also provide other services such as credential mapping when single sign-on is not available.
A CASB may deliver security, management, or both. Broadly speaking, "security" is the inline prevention of high-risk events, whilst "management" is the monitoring and mitigation of high-risk events after they have occurred.
CASBs that deliver security must be in the path of data access, between the user and the cloud. Architecturally, this is achieved either with proxy agents on each endpoint device or in agentless fashion, without requiring any configuration on each device (typically a reverse proxy that traffic is redirected through at single sign-on time, or a forward proxy). Agentless CASBs allow rapid deployment and deliver security on all devices, whether company-managed or unmanaged BYOD; because only corporate application traffic is redirected through them, they inspect only corporate data and so respect user privacy. The trade-off is that a reverse proxy only sees traffic to the applications it has been integrated with, and native or thick clients that do not follow the redirect can escape inspection. Agent-based CASBs are harder to deploy and are effective only on devices managed by the corporation; they typically inspect both corporate and personal data.
CASBs that deliver management use the cloud provider's APIs to inspect data at rest and activity already logged in the cloud, alerting on risky events after the fact. Another management capability of a CASB is to inspect firewall or proxy logs for the usage of cloud applications, which is how shadow IT is discovered without any inline component.
CASBs deliver functionality through four pillars:
- Visibility. CASBs provide shadow IT discovery, a consolidated view of an organization's cloud service landscape, and details about the users who access data in cloud services from any device or location. Many CASBs take this further with a cloud service security rating database that gives visibility into the trustworthiness of each cloud service provider and the risks it might introduce.
- Data security. CASBs provide the ability to enforce data-centric security policies that prevent unwanted activity based on data classification, on data discovery, and on monitoring of user activity such as access to sensitive data or privilege escalation. Policies are applied through controls such as audit, alert, block, quarantine, delete and view only. Data loss prevention (DLP) features are prevalent and are one of the most commonly deployed controls after visibility. CASB DLP operates natively and in conjunction with enterprise DLP products via ICAP or RESTful API integration. Some CASBs provide the ability to encrypt, tokenize, or redact content at the field and file level in cloud services. But because encryption and tokenization performed outside a SaaS application can break application functionality (search, sorting and validation no longer see the plaintext), CASB-facilitated encryption and tokenization are not commonly used.
- Threat protection. CASBs prevent unwanted devices, users, and versions of applications from accessing cloud services by providing adaptive access controls (AACs): cloud application functionality can be restricted based on signals observed during and after login, such as device posture, location or authentication strength. Other examples of CASB capabilities in this category are embedded user and entity behavior analytics (UEBA) for identifying anomalous behavior, and the use of threat intelligence, network sandboxing, and malware identification and remediation. Most CASBs OEM existing enterprise-grade anti-malware and sandbox engines rather than building their own. In some cases, CASB vendors have their own analyst teams researching cloud-specific and cloud-native attacks.
- Compliance. CASBs help organizations demonstrate that they are governing the use of cloud services. They provide information to determine cloud risk appetite and establish cloud risk tolerance. Through their various visibility, control, and reporting capabilities, CASBs assist efforts to conform to data residency and regulatory compliance requirements. Many CASB vendors have added cloud security posture management (CSPM) capabilities to their products. CSPM assesses and manages the security posture of the cloud control plane, mostly for IaaS and occasionally for SaaS. The better offerings provide this across multiple public cloud providers for consistent policy enforcement.
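Shadow IT discovery from proxy logs, the management capability described above and the first task under the Visibility pillar, as an added example written for this article (not code from any CASB product). Everything in it is an assumption made for illustration: the simplified log format, the tiny app catalog with made-up risk scores and sanctioned flags, and the constructed log lines. Note how a CONNECT tunnel (TLS that the proxy does not inspect) exposes only the destination host, so the report can name the app but not the path or the upload size.

```python
"""Shadow IT discovery from proxy logs (added example, not from any CASB product).

Everything below is constructed for illustration: the app catalog and its risk
scores, the log format, and the log lines themselves.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed catalog: domain -> (app name, risk score 1..10, sanctioned?).
# A real CASB ships a vendor-maintained database of thousands of services.
APP_CATALOG = {
    "sharepoint.example-corp.com": ("Corporate SharePoint", 2, True),
    "salesforce.com": ("Salesforce", 3, True),
    "dropbox.com": ("Dropbox", 6, False),
    "wetransfer.com": ("WeTransfer", 8, False),
    "pastebin.com": ("Pastebin", 9, False),
}
HIGH_RISK = 7  # uploads to apps scored at or above this count against the user

# Constructed, simplified proxy log format (one record per line):
#   <unix_ts> <user> <client_ip> <method> <url_or_host:port> <request_bytes> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<user>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<req_bytes>\d+)\s+(?P<status>\d{3})$"
)

# Constructed sample records, including one corrupt line and a CONNECT tunnel.
SAMPLE_LOG = """\
1700000000 alice 10.0.0.11 GET https://sharepoint.example-corp.com/sites/finance 512 200
1700000005 alice 10.0.0.11 POST https://na1.salesforce.com/services/data 2048 200
1700000010 bob 10.0.0.12 POST https://www.dropbox.com/upload 4194304 200
1700000020 bob 10.0.0.12 PUT https://api.wetransfer.com/v2/files 52428800 201
1700000030 carol 10.0.0.13 POST https://pastebin.com/api/api_post.php 65536 200
1700000040 carol 10.0.0.13 GET https://www.unknown-startup.io/ 300 200
this line is corrupt and must not abort the run
1700000050 bob 10.0.0.12 CONNECT www.dropbox.com:443 0 200
"""


def host_of(method, url):
    """Extract the destination host. A CONNECT tunnel (TLS without inspection)
    exposes only host:port, so the proxy cannot see the path or the body."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def lookup_app(host):
    """Match the host or any parent domain against the catalog; None if unknown."""
    labels = host.split(".")
    for i in range(len(labels)):
        entry = APP_CATALOG.get(".".join(labels[i:]))
        if entry:
            return entry
    return None


def discover(log_text):
    """Aggregate cloud app usage per app and per user and flag what a CASB
    visibility report would surface: unsanctioned apps, unknown hosts and
    users uploading to high-risk apps."""
    apps = {}
    uploads = defaultdict(int)  # (user, app) -> request-body bytes of POST/PUT
    unparsed = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        rec = m.groupdict()
        host = host_of(rec["method"], rec["url"])
        name, risk, sanctioned = lookup_app(host) or (f"unknown:{host}", None, False)
        app = apps.setdefault(name, {"risk": risk, "sanctioned": sanctioned,
                                     "requests": 0, "users": set()})
        app["requests"] += 1
        app["users"].add(rec["user"])
        if rec["method"] in ("POST", "PUT"):
            uploads[(rec["user"], name)] += int(rec["req_bytes"])

    high_risk_users = defaultdict(int)
    for (user, name), nbytes in uploads.items():
        risk = apps[name]["risk"]
        if risk is not None and risk >= HIGH_RISK:
            high_risk_users[user] += nbytes

    known = [n for n, a in apps.items() if a["risk"] is not None]
    return {
        "apps": apps,
        "unsanctioned": sorted((n for n in known if not apps[n]["sanctioned"]),
                               key=lambda n: -apps[n]["risk"]),
        "unknown_hosts": sorted(n for n in apps if apps[n]["risk"] is None),
        "high_risk_users": dict(high_risk_users),
        "unparsed_lines": unparsed,
    }


if __name__ == "__main__":
    report = discover(SAMPLE_LOG)
    print("unsanctioned apps:", report["unsanctioned"])
    print("unknown hosts:", report["unknown_hosts"])
    print("high-risk uploaders:", report["high_risk_users"])
```

Hosts absent from the catalog are reported separately rather than silently scored, since an unrated service is exactly what a reviewer needs to triage; the corrupt line is counted rather than raised, because a log-based discovery job that aborts on one bad record gives no visibility at all.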
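The controls listed under Data security (audit, alert, block, quarantine, view only) and the adaptive access controls under Threat protection, combined in one inline policy evaluation, as an added example written for this article and not any vendor's code. The content classifier (Luhn-checked card numbers and a CONFIDENTIAL marker), the rule table, the severity ordering, the signal names and the sample events are all constructed assumptions; a product would draw its labels and signals from its own DLP engine and identity provider.

```python
"""Inline CASB policy evaluation: DLP classification, adaptive access control
and the resulting control (audit / alert / view_only / quarantine / block).
Added example for this article, not any vendor's code; the classifier, rule
table and sample events are constructed assumptions."""
import re
from dataclasses import dataclass

# Least to most restrictive; when several rules match, the strongest control wins.
CONTROL_SEVERITY = ["audit", "alert", "view_only", "quarantine", "block"]

# 13-19 digits with optional space/dash separators, as card numbers are typed.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum, used to cut false positives on random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Return the (assumed) data classification labels found in content."""
    labels = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.add("PCI")
            break
    if re.search(r"\bCONFIDENTIAL\b", text):
        labels.add("CONFIDENTIAL")
    return labels


@dataclass
class AccessEvent:
    user: str
    app: str
    sanctioned: bool        # from the app catalog
    action: str             # "upload" | "download" | "share"
    managed_device: bool    # device-profiling signal
    mfa: bool               # signal observed at login
    content: str = ""       # body the proxy could inspect (empty for reads)


@dataclass
class Decision:
    control: str
    reasons: list
    labels: set


# (predicate over event and labels, control, reason). Order does not matter:
# every matching rule is recorded and the most severe control is applied.
RULES = [
    (lambda e, c: not e.mfa,
     "block", "adaptive access: session without MFA"),
    (lambda e, c: not e.managed_device and e.action in ("download", "share"),
     "view_only", "adaptive access: unmanaged device may only view"),
    (lambda e, c: "PCI" in c and not e.sanctioned,
     "block", "DLP: card data sent to unsanctioned app"),
    (lambda e, c: "PCI" in c and e.action == "share",
     "quarantine", "DLP: card data shared from sanctioned app"),
    (lambda e, c: "CONFIDENTIAL" in c and not e.sanctioned,
     "block", "DLP: confidential content sent to unsanctioned app"),
    (lambda e, c: not e.sanctioned,
     "alert", "shadow IT: unsanctioned app"),
    (lambda e, c: bool(c) and e.sanctioned,
     "alert", "sensitive content handled in sanctioned app"),
]


def evaluate(event):
    """Classify the content, collect every matching rule and return the most
    restrictive control together with all the reasons, so the audit trail
    explains the decision even when a weaker rule was also hit."""
    labels = classify(event.content)
    matched = [(ctl, why) for pred, ctl, why in RULES if pred(event, labels)]
    if not matched:
        return Decision("audit", ["no policy matched; logged"], labels)
    control = max((ctl for ctl, _ in matched), key=CONTROL_SEVERITY.index)
    return Decision(control, [why for _, why in matched], labels)


# Constructed sample events (positional: user, app, sanctioned, action, managed, mfa, content).
SAMPLE_EVENTS = [
    AccessEvent("alice", "Salesforce", True, "upload", True, True, "Q3 forecast CONFIDENTIAL"),
    AccessEvent("bob", "Dropbox", False, "upload", False, True, "card 4111 1111 1111 1111 exp 12/27"),
    AccessEvent("carol", "Corporate SharePoint", True, "download", False, True),
    AccessEvent("dave", "Corporate SharePoint", True, "share", True, True, "invoice 4111111111111111"),
    AccessEvent("eve", "Corporate SharePoint", True, "download", True, False),
    AccessEvent("frank", "Corporate SharePoint", True, "download", True, True, "ref 4111111111111112"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        d = evaluate(ev)
        print(f"{ev.user:6} {ev.app:20} {ev.action:9} -> {d.control:10} {'; '.join(d.reasons)}")
```

Picking the most severe control across all matching rules, rather than stopping at the first match, keeps the outcome independent of rule ordering and avoids a policy silently weakening when someone appends a rule; the Luhn check is what separates a card number from an invoice or tracking number of the same length.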