A cloud access security broker (CASB) is a software tool or service that sits between an organization’s on-premises infrastructure and a cloud provider’s infrastructure. A CASB is the security guard allowing the organization to extend security frameworks on private and public cloud environments. We look into the features, benefits and shortcomings of CASB solutions in this article.
4 features of CASB:
- Firewalls to identify malware and prevent it from entering the enterprise network.
- Authentication to check users’ credentials and ensure they only access appropriate company resources.
- Web application firewalls (WAFs) to thwart malware designed to breach security at the application level, rather than at the network level.
- Data loss prevention (DLP) to ensure that users cannot transmit sensitive information outside of the corporation.
“The sweet spot for CASBs has been protecting public SaaS applications,” explained Pete Lindstrom, vice president of security research at IDC. “Many enterprises now have half a dozen or more SaaS applications and need tools to ensure that security is implemented in a consistent manner across all of them.”
CASBs can add value for organizations through:
- Visibility into App Usage to manage shadow IT access
- Cloud Application Tracking for cost analysis
- Single sign-on
- Compliance & Data Security to quarantine sensitive data
- User Behavior
- Added Threat Protection to detect malware & viruses
Shortfalls of current CASB solutions:
On paper, sounds like CASBs have all the features one needs to be secure in a decentralized SaaS world. Reality is a bit more nuanced.
- Expensive: Installing and maintaining CASB is a money-pit requiring huge amounts of internal and external resources. Pricing is opaque and professional services are generally required for any uplift.
- Rigid: Reality is that for well-defined use cases such as a mailing program, these work great. But in any large enterprise, the many moving parts either make CASB specific to certain systems or parts of organization or become outdated very fast.
- Databases not handled: The proliferation of online databases through AWS or Snowflake are not handled within the CASB framework. As long as someone can login to those resources, sensitive data can be easily exposed or accessed.
- Broad Access Level: Explicit aim of CASB solution is allowing secure access to a SaaS app or platform. However, once a user has passed through this gate, there is no control on what the user can do there. With emphasis on collaborative tools, this is a gaping security hole.
- False Positives: A feature of CASB deployment is the frustration of employees and compliance professionals of the amount of manualness involved in checking-off whats’ truly sensitive and reviewing exceptions. This ends up being a big part of the job in the compliance or security groups.
Features of a CASB 2.0
- Faster Installation: With budgets tight and security teams being pulled in more directions, 6 months installation timeframes are way too long. Most organizations just need an easier way to plug and play, just like they do with SaaS tools.
- Operationally scalable: Human oversight is great but the sheer amount of data that is being moved to the cloud means that the controls need to be more automated than are currently available in the market.
- Multi cloud environments: With growing microservice based or Kubernetes-centric infrastructure, a more seamless compatibility with multi-cloud environments is needed.