What Is a Cloud Access Security Broker (CASB)?
What is CASB? And why does your IT team need one?
What is CASB? CASB, or cloud access security broker, is a relatively new term in the cybersecurity space. It is used to define the industry of solutions that protect the data stored in cloud applications, such as Google G Suite and Microsoft Office 365. Some argue, though, that the term CASB is already outdated and should give way to Cloud Application Security Platform (CASP).
Gartner defines a CASB as: "on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed."
Let's take a look into what CASB is and help you understand why you need cloud security to protect your organization's data stored, accessed, and shared in the cloud.
What Is CASB? A Brief History
In the beginning, there was hardware security. As computers became connected to each other within a closed network, then gained the ability to connect to servers globally with the Internet, network security was born.
Then, cloud computing began to take over. Cloud computing enables people, students, and teams to easily store, share, access, and collaborate with others across the room or on the other side of the globe. Today, doing business in the cloud is the norm. 92 percent of organizations now use the public cloud to conduct business, teach students, and more.
The problem with doing business in the cloud is that it requires a different approach to security than network security. Most people think that the firewall and/or gateway they have in place will also protect their information in the cloud. Or, they think that the cloud app vendor is taking care of data security for them.
The truth is that these measures are inadequate for cloud data security. Thus, the cloud access security broker (or CASB) was born.
The fundamental principle of access that makes working in the cloud so appealing is also what makes information stored and shared there vulnerable. Google and Microsoft have world-class physical and network security, encryption, and more, which certainly helps take some of the pressure off InfoSec managers. But they aren't responsible for managing access to, and the improper use of, that information for each individual client.
CASB vendors work closely with G Suite, Office 365, and other popular cloud applications to fill this critical data security gap.
As the cloud security industry began to blossom, the smart people at Gartner decided that this new category of tools should have a name. Working with their cybersecurity clients that were developing early versions of the CASB, they coined the term cloud access security broker (CASB) and published the industry's first magic quadrant in 2017.
There is some discussion around whether or not CASB is the right term for the industry today. Looking at the present — and into the future — the decision to include the word "broker" in the name is unlikely to stand up to the test of time. This is because a broker indicates that a "man in the middle" such as an agent or proxy needs to be used in cloud security. However, both Microsoft and Google have published recommendations against using such technology. Newer CASB tools use APIs to work with the cloud application, rather than sit between the app and its user. This distinction is important.
The Three Main Functions of CASB
Data Loss Prevention
Data loss prevention is probably the most critical function of any data security strategy. Securing data in the cloud, though, is quite a bit different from traditional on-premises data loss prevention.
Data stored, accessed, and shared in the cloud is vulnerable to both accidental and malicious leaks. Try as they might, employees always seem to find a way around IT's sharing policies. One thing leads to another and all of a sudden there's data exposure to outside users. The openness and accessibility of the cloud are also what make it particularly challenging for IT and InfoSec managers.
Using a CASB helps to quickly identify where the leaks in an organization's cloud environment are and close them. A CASB will also provide IT with more robust rules and policy controls than they get from standard-level G Suite and Office 365 licenses. This allows them to set specific content-level sharing and remediation policies, so data loss prevention becomes more automatic as they configure the system (and as the system learns!).
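As an added illustration (not from the original article or from any vendor's product), the Python example below evaluates a content-level sharing policy of the kind described above over file records that an API-based CASB would retrieve from the cloud application. The record fields, rule names, internal domain, and remediation action names are all assumptions made for the example.

```python
import re

INTERNAL_DOMAIN = "example.org"  # assumption: the organization's own domain
# Content-level rules (constructed for this example): name -> pattern.
CONTENT_RULES = {
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

def luhn_ok(digits):
    """Luhn checksum; filters card-like numbers that are just long IDs."""
    doubled = [int(c) * (2 if i % 2 else 1) for i, c in enumerate(reversed(digits))]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

def matched_rules(text):
    """Names of the content rules that fire on a file's extracted text."""
    hits = []
    for name, rx in CONTENT_RULES.items():
        for m in rx.finditer(text):
            if name == "card_number" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue  # long digit run, but not a valid card number
            hits.append(name)
            break
    return hits

def exposure(record):
    """Classify who can reach the file from its sharing metadata."""
    if record.get("anyone_with_link"):
        return "public_link"
    domains = {a.rsplit("@", 1)[-1].lower() for a in record.get("shared_with", [])}
    return "external_user" if domains - {INTERNAL_DOMAIN} else "internal"

def evaluate(records):
    """Return (file id, rules, exposure, remediation) for risky files only."""
    findings = []
    for r in records:
        rules, exp = matched_rules(r["text"]), exposure(r)
        if rules and exp != "internal":  # sensitive content AND outside reach
            action = "revoke_link" if exp == "public_link" else "remove_external_users"
            findings.append((r["id"], rules, exp, action))
    return findings

# Constructed sample records, shaped as a hypothetical API response.
SAMPLE = [
    {"id": "f1", "text": "Payroll 000-12-3456", "shared_with": ["hr@example.org"], "anyone_with_link": True},
    {"id": "f2", "text": "Card 4111 1111 1111 1111", "shared_with": ["v@partner.test"]},
    {"id": "f3", "text": "Order 1234 5678 9012 3456", "shared_with": ["v@partner.test"]},
    {"id": "f4", "text": "SSN 000-12-3456", "shared_with": ["it@example.org"]},
]
```

Only f1 and f2 produce findings: f3 is shared externally but its digit run fails the Luhn check, and f4 holds sensitive content that never leaves the internal domain.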
Threat Protection
While data breaches are most often the consequence of human error, plenty of malicious threats exist to haunt our dreams.
Phishing schemes of all types, malware, ransomware, etc. are constantly testing the durability of information systems. We hear about the big breaches in big companies most often. But the truth is that smaller businesses, education, and local government are falling victim to cyberattacks more often than ever before. These industries make it relatively easy for hackers to gain access to lucrative information because they lack the budget and/or expertise to properly secure their cloud applications.
Most CASBs help IT teams protect sensitive data stored in the cloud through partnerships, acquisitions, and/or homegrown threat protection technology. In this area, it's particularly important to choose your CASB wisely. As previously mentioned, some CASBs are built using legacy "man in the middle" security technology. This basically duplicates the security you likely already have in place with your firewall and/or secure gateway. API-based CASBs, on the other hand, work cumulatively with your existing InfoSec stack to create an additional layer of security.
Using an API-based CASB to protect your cloud environment from malicious threats is critical. There is an insane number of different threats in cyberspace today. It's no longer just a matter of putting a spam filter on your company email. Cloud threat protection must also cover shared files, unsanctioned cloud applications, browser plugins, and more, all of which are being used by criminals to try to gain access to your information infrastructure.
Account Monitoring and Compliance
This is where CASB functionalities get exciting. When an organization moves from on-premise software to the cloud, system admins find that they are left blind to account activity. You used to be able to see who was logging in, from where, what they were accessing, etc.
Unless your organization has the budget for enterprise-level licensing, all this visibility goes away when you move to cloud-based G Suite and/or Office 365. There are a lot of issues with not having this visibility, the first of which relates to the two functions discussed above. Without being able to see and control account activity, it's super difficult to prevent data loss and thwart malware and phishing threats.
There's also a compliance element to data security that requires account monitoring. Schools, companies, government agencies, and nonprofit organizations are all required to protect the public's personally identifiable information that is stored in their databases. When a breach does occur, organizations are also required to notify those affected (or potentially affected).
Published at DZone with permission of , DZone MVB. See the original article here.