Cloud Access Security Broker (CASB)

What is Cloud Access Security Broker (CASB)?

Sensitive corporate data no longer resides behind a firewall in your servers, it is spread across data centers, public cloud or SaaS applications. And with hybrid work, employees access data and apps via unsecured networks—opening critical security challenges for businesses and security teams starting with:

1. How to restrict employees from sharing (uploading/downloading) sensitive data on managed and unmanaged (by IT) cloud apps.

2. How to control the use of applications and services that are not explicitly approved by IT (shadow IT).

3. How to meet various compliance regulations that mandate strict data privacy.

4. How to secure sensitive data in public cloud and restrict access on BYOD.

5. How to monitor data in public cloud for malware, ransomware, etc. and safeguard employees from downloading these types of malicious software.

The availability of cloud services in a click offers easy and unchecked access to employees. Things get complicated when employees use certain applications like GitHub, Dropbox, etc., for both professional and personal work, or create accounts on unmanaged apps for data analysis or managing project workflows. Actions like these open unseen challenges for security teams and put the corporate data at huge security risk.

CASBs help security teams extend their control to cloud by providing visibility into all cloud services used by the employees, monitoring or scanning SaaS applications for potential threats, securing data against threats, meeting compliance regulations, and restricting sensitive data sharing.  

A CASB solution is delivered via on premises hardware or software or as a cloud service, CASB uses proxy and API methods to enforce strong security checks: 

• Proxy workflow: for real time data inspection.

1. User attempts to access a SaaS app or IaaS platform. Traffic is intercepted by CASB and SSL inspection is performed.

2. CASB validates identity and applies policy via in-line CASB and data protection controls to restrict upload, download, and share activities. Compliances are checked, and access is automatically adapted based on real-time context changes.

3. With restricted actions in place, secure SaaS access is extended to the user while restricting unauthorized behaviors to prevent data loss and enforce compliance.

4. Admins gain visibility into all user activity while accessing the SaaS app. If security posture changes or the user attempts unauthorized activity, access is reassessed, and admins alerted.

• API workflow: for scanning data at rest.

CASB leverages out-of-band application programming interface (API) security for monitoring data stored in cloud services like Microsoft Office 365, Salesforce, Workday, SharePoint, etc. CASB integrates with the APIs of these cloud services and scans for malware, ransomware, malicious software, and other types of cyber threats. 

• In-line CASB: Enforce security policies in real time as data moves to and from the cloud. This can include authentication, encryption, and other security controls.
• SSL inspection for CASB control: Inspect encrypted SSL/TLS traffic to stop potential threats or data leakage before it happens. By decrypting the traffic, the CASB can apply security policies to protect sensitive data.
• Visibility into apps and shadow IT: Shadow IT refers to the use of applications and services without IT’s explicit approval. With CASB businesses gain visibility into SaaS apps and shadow IT to better understand and manage the risks associated with sanctioned and unsanctioned app usage.
• Granular control of restricted actions: Admins can set granular policies that restrict certain actions like uploading, downloading, sharing data, etc., from any SaaS application. This is an important requirement to protect against data loss and ensure compliance with various regulations.
• DLP for SaaS based apps: DLP (Data Loss Prevention) helps protect sensitive data within SaaS applications by monitoring, detecting, and blocking potential data breaches or unauthorized access. DLP can use regular expressions (regex) and dictionary matching or use OCR (Optical Character Recognition) to identify and protect sensitive data.
• Compliance with predefined and custom dictionaries: Predefined and custom dictionaries can be created to ensure compliance with specific regulations like HIPAA, PCI DSS, GDPR, and NIST. These dictionaries contain terms and patterns that are unique to each regulation, helping organizations meet their compliance obligations.