One of the problems with technology is that there are far too many acronyms. They used to be three letters (think RAM, ROM, HDD and so on) but more recently they have expanded to four. The last year or so has been dominated by GDPR, but before that there was a lot of talk about CASB, and few people know what it is or what it is for.
There are several different definitions around but, according to Gartner®, who coined the phrase back in 2012, cloud access security brokers are:
“…on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.”
What that means in real terms is that traffic going to, or from, the internet and cloud-based services is inspected and compared against internal policies for compliance. Depending on the policy, the traffic can be recorded, flagged, reported or blocked.
Increasingly, users are turning to the cloud for their applications and services. They use them to store documents and files for use when they are outside the office, to share data with colleagues in other offices, or to send it directly to clients for approval, information or comment. They may even be using cloud applications to do their day-to-day work, thus bypassing internal controls.
CASB is designed to address four key areas:
Visibility – if you don’t know it’s being used you can’t police it. Whilst web proxies are reasonably good at looking at website URLs, they are not very good at looking at how that site is being used or what is being copied to and stored in it. CASB should give that additional level of visibility.
Compliance – if data is only supposed to be stored in certain locations, how can you tell when it’s being sent or stored elsewhere? The compliance element allows organisations to demonstrate and report on those activities to show that policies are being consistently applied.
Data Protection – reinforces data-centric security policies. It normally relies on data classification and good data-handling policies, but can also be used to shape user behaviour by alerting on or blocking certain actions (for example, uploading classified data to an unsanctioned service).
Threat Protection – is designed to stop users or devices from accessing services that shouldn’t be accessed. Certain solutions also apply User and Entity Behaviour Analytics (UEBA) and flag anomalous behaviour, such as an account suddenly uploading far more data than it normally does.
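To make the four areas concrete, here is a small added example (written for this article, not code from any CASB vendor mentioned here) of the kind of policy evaluation a CASB performs. It runs over a handful of constructed web-proxy log records and returns one decision per record: discovery of an unsanctioned app (visibility), a data-residency rule (compliance), a crude sensitive-data check on upload bodies (data protection), and a per-user upload-volume threshold (threat protection). The hostnames, regions, thresholds and regular expressions are all assumptions chosen for illustration, and the DLP patterns are deliberately simplistic; a real product uses far richer classifiers.

```python
"""Toy CASB-style policy engine (added illustration, not vendor code).

Reads constructed proxy log records, applies four policy families and
returns a Decision per record.  Actions escalate: allow < log < flag < block.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed sanctioned SaaS hosts and the regions their endpoints may live in.
SANCTIONED = {
    "sharepoint.example.com": {"eu"},
    "drive.example-cloud.com": {"eu", "us"},
}

# Assumed, deliberately crude sensitive-data detectors (a real DLP engine
# would use validated checksums, context and classification labels).
DLP_PATTERNS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "uk_nino": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
}

# Assumed per-user upload volume in the evaluation window that counts as anomalous.
UPLOAD_BYTES_PER_USER_THRESHOLD = 50 * 1024 * 1024

UPLOAD_METHODS = {"PUT", "POST"}
RANK = {"allow": 0, "log": 1, "flag": 2, "block": 3}


@dataclass
class Event:
    user: str
    host: str
    method: str
    bytes_out: int
    region: str        # region of the destination endpoint, as resolved by the proxy
    body_sample: str   # first bytes of the upload body seen by the proxy


@dataclass
class Decision:
    action: str = "allow"
    reasons: list = field(default_factory=list)

    def escalate(self, action: str, reason: str) -> None:
        """Record a reason and raise the action if it is more severe."""
        self.reasons.append(reason)
        if RANK[action] > RANK[self.action]:
            self.action = action


# Constructed sample log (user|host|method|bytes_out|region|body_sample).
SAMPLE_LOG = """\
alice|sharepoint.example.com|PUT|2048|eu|Q3 forecast draft
alice|drive.example-cloud.com|PUT|4096|us|4111 1111 1111 1111 card on file
bob|pastebin-like.example.net|POST|512|us|config dump
bob|sharepoint.example.com|PUT|1024|ap|archive.zip
carol|drive.example-cloud.com|PUT|60000000|eu|backup.tar
"""


def parse_line(line: str) -> Event:
    user, host, method, bytes_out, region, body = line.split("|", 5)
    return Event(user, host, method, int(bytes_out), region, body)


def evaluate(events: list) -> list:
    """Apply the four policy families and return one Decision per event."""
    # Threat protection needs a per-user aggregate across the window, so
    # compute upload totals first.
    totals = defaultdict(int)
    for e in events:
        if e.method in UPLOAD_METHODS:
            totals[e.user] += e.bytes_out

    decisions = []
    for e in events:
        d = Decision()
        sanctioned = e.host in SANCTIONED

        # Visibility: an app we have not sanctioned is logged so it is discovered.
        if not sanctioned:
            d.escalate("log", f"unsanctioned app discovered: {e.host}")
        # Compliance: data must only land in the regions allowed for that app.
        elif e.region not in SANCTIONED[e.host]:
            d.escalate("block", f"data residency: {e.host} endpoint in region {e.region}")

        # Data protection: sensitive content leaving the organisation.
        if e.method in UPLOAD_METHODS:
            hits = [name for name, pat in DLP_PATTERNS.items() if pat.search(e.body_sample)]
            if hits:
                action = "flag" if sanctioned else "block"
                d.escalate(action, "sensitive data in upload: " + ",".join(hits))

        # Threat protection: anomalous upload volume for this user.
        if totals[e.user] > UPLOAD_BYTES_PER_USER_THRESHOLD:
            d.escalate("flag", f"anomalous upload volume for {e.user}: {totals[e.user]} bytes")

        decisions.append(d)
    return decisions


if __name__ == "__main__":
    evs = [parse_line(l) for l in SAMPLE_LOG.splitlines()]
    for ev, dec in zip(evs, evaluate(evs)):
        print(f"{dec.action:5} {ev.user}@{ev.host}: {'; '.join(dec.reasons) or 'no policy hit'}")
```

Note that the residency rule blocks outright while a DLP hit on a sanctioned app only flags; that ordering is a policy choice, and the escalation helper is what keeps the most severe verdict when several rules fire on the same record.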
Computers and devices on the corporate network usually reach the outside world through a single or shared internet connection point. The CASB server, appliance or service often sits inside that same environment or, more frequently now, in the cloud. Either way, traffic is either sent through it directly (inline, so it can block in real time) or a copy of the traffic is delivered to it via mirrored port(s) at the point where all traffic routes (out of band, which gives visibility and alerting but cannot stop a transfer that has already happened).
Devices outside the corporate network, such as mobiles and remote workers, can still be included in CASB solutions, especially if the solution is cloud-based. Most solution providers are able to support both internal and external users.
There are many providers in this space and new ones are being added regularly. Several of the more prominent players are listed here, in alphabetical order, for reference.
The Forcepoint CASB story is based on Imperva’s Skyfence solution (another acquisition). However, Forcepoint have always had a strong pedigree in web-proxy/web-filtering (through Websense) and in user and entity behaviour analytics (UEBA). They have also been a leader in the Gartner Magic Quadrant for Data Loss Prevention for a number of years. This makes it a very strong offering.
Microsoft Cloud App Security is based on their acquisition of Adallom in 2015 and is only effective for those who are heavily invested in other Microsoft products and services such as Azure Active Directory and Intune.
Netskope have regularly appeared in the Gartner MQ as a leader. Their product emphasises cloud application discovery and the security posture of different Software as a Service (SaaS) providers.
Skyhigh Networks was probably the first company to offer a solution for the problem and they are still one of the leading solution providers. However, they were recently acquired by McAfee and that may have a significant effect on their future.
Symantec CloudSOC is based on Perspecsys (which was bought by Blue Coat and subsequently acquired by Symantec) and Elastica (purchased November 2015). Symantec has integrated the two products to offer a complete CASB package.
Two quotes from the most recent Gartner report summarise why a company should invest in a CASB solution.
“Cloud access security brokers have become an essential element of any cloud security strategy, helping organizations govern the use of cloud and protect sensitive data in the cloud.”
“Through 2020, 99% of cloud security failures will be the customer’s fault.”
Shadow IT is a known issue that is largely borne out of frustration with the speed at which most IT departments can deliver solutions. It would be a brave CIO who said they knew exactly which applications were being used and where all their data was being stored.
With greater adoption of cloud-based applications and services, and ever tighter legislation, it will become necessary to demonstrate compliance, and therefore necessary to monitor the use of these new services. Gartner, in their report, also predict that:
“By 2020, 60 percent of large enterprises will use a cloud access security broker”