A Guide on Cloud Access Security Broker (CASB)

This article was published as a part of the Data Science Blogathon.

Introduction

Cloud Access Security Brokers (CASB) are security applications that help organizations manage and secure data stored in the cloud. Gartner recommends that organizations look for a “Goldilocks” CASB solution that provides the best experience for SaaS applications and cloud infrastructure.

A Cloud Access Security Broker (CASB) is software that sits between you, a cloud consumer, and a cloud service provider. A CASB extends security management from on-premises infrastructure to the cloud and helps enforce security, compliance, and governance policies for cloud applications. It is typically deployed on-premises or hosted in the cloud.

As you move to the cloud, you must be prepared to implement a comprehensive cloud security strategy right from the start. It starts with identifying the right cloud provider and then implementing a strategy that combines the right tools, processes, policies, and best practices.
It is important to understand your overall responsibilities and focus on compliance.

In cloud security, employees or cloud providers are one of the most important and often overlooked aspects of protection against cybercriminals.

It is important to remember that cloud computing is no less secure than deploying services locally. Many cloud service providers offer advanced security hardware and software that cannot be accessed otherwise.

Choosing the right vendor can improve your security posture and reduce risk regardless of the risks associated with cloud computing.

Importance of Cloud Access Security Broker

CASBs are quickly becoming a central tool for implementing cloud security best practices. The software between you and your cloud service provider enforces security controls in the cloud.

The CASB provides a comprehensive set of cloud security tools that provide visibility into the cloud ecosystem, data security policy enforcement, threat detection and protection, and compliance.

This includes local and cloud resources, including personal gadgets such as mobile phones. Before the CASB era, it was difficult for corporate security managers to understand how their company data was protected. Its role is augmented with an intermediary cloud access security service that allows businesses to include unmanaged devices in their networks, such as personal phones. On the other hand, it increases the risk to the endpoint portfolio.

In the early days of cloud computing, organizations needed a way to provide consistent security across multiple clouds. Similarly, everyone had to protect their data from being used. As a result, the services of cloud access security brokers have become indispensable as they provide businesses with insight into their SaaS usage and other important data elements.

Cloud Access Security Broker Model

To optimize the adoption of the cloud, people and corporations should be able to collaborate without limits, working safely across the cloud, web, devices, and locations. A decent Cloud Access Security Broker (CASB) platform should provide the deepest visibility into cloud and web transactions so IT security teams can make informed policy decisions to scale back risk.

The platform should also enable enterprises to secure sanctioned and unsanctioned cloud services, protect sensitive data across the cloud and web, and stop even the most advanced online threats. Essentially, a simple CASB solution should empower organizations to customize security in keeping with how the business works, without slowing it down.

CASB protects against serious security threats in the cloud while enabling continuous monitoring and mitigation of high-risk events. This is achieved by protecting data moving between on-premises and cloud environments with your organization’s security policies.

The CASB protects users from cyberattacks with anti-malware and end-to-end encryption to secure data to prevent external users from decrypting your content.

Features Selection for CASB Solution

  • Blind Spot Elimination – The ability to see all inputs (logs, SaaS, IaaS, web) in fine detail and to perform big data analytics in real time on details including user, group, location, device, service, destination, activity, and content. This helps enterprises eliminate the blind spots legacy vendors can’t see and makes policy enforcement simple across thousands of SaaS and IaaS services and countless websites.
  • Guard Data Everywhere – Protect and guard sensitive data through DLP and encryption across SaaS, IaaS, and the web. The solution should be equipped with intelligence to reduce your inspection area and with advanced DLP methods like exact match and fingerprinting to increase detection accuracy. Built in the cloud, with the flexibility to work regardless of location or device, it handles the direct-to-cloud and direct-to-web traffic that others miss.
  • Stop Elusive Attacks – Built-in advanced threat protection to prevent elusive attacks across SaaS, IaaS, and the web. The solution should be built in the cloud and equipped with real-time and deep detection engines, with the ability to find malware and ransomware that legacy tools miss. It should offer proactive threat intelligence and powerful workflows to quarantine malicious files and reverse the effects of an attack.
  • Full Control – A SaaS, IaaS, and web security platform built from the beginning in one cloud that’s easy to use. Unlike cobbled-together tools, the CASB solution should eliminate policy conflict through standardized categories across SaaS, IaaS, and the web. It saves your security team’s time by avoiding redundant DLP and threat protection configuration steps and switching from one tool to the next. A solution built on the cloud would also ensure that it scales automatically to meet your needs.

How Does a CASB Work?

CASB works by ensuring that traffic flows between cloud providers and on-premises devices comply with your organization’s security policies. In recent years, CASBs have been in high demand due to their ability to provide valuable insights into cloud applications’ usage across various platforms. This is especially useful in regulated industries.

Typically, cloud access security brokers use auto-discovery to display all cloud applications. This identifies high-risk applications, users, and other key risk factors. Brokers can secure an organization’s network by applying various security access controls, such as device profiling and encryption. It can also provide additional services, including credential matching, when single sign-on (SSO) is unavailable.
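
A minimal sketch of the auto-discovery step described above, added here as an example and not taken from any CASB product: it parses web-proxy log lines, maps destination hosts to a service catalogue, and flags unsanctioned services that are high-risk or not yet catalogued. The log format, host names, service names, and risk scores are all constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed service catalogue (hypothetical names and risk scores, 1 = low, 10 = high).
CATALOGUE = {
    "files.example-sanctioned.test": {"service": "SanctionedDrive", "sanctioned": True, "risk": 2},
    "upload.example-fileshare.test": {"service": "AnonFileShare", "sanctioned": False, "risk": 9},
    "app.example-notes.test": {"service": "TeamNotes", "sanctioned": False, "risk": 4},
}

# Constructed proxy log lines: timestamp user method url bytes_sent
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice POST https://files.example-sanctioned.test/v1/upload 52000
2024-05-01T09:02:10Z bob POST https://upload.example-fileshare.test/put 9800000
2024-05-01T09:03:44Z bob GET https://app.example-notes.test/home 300
2024-05-01T09:05:00Z carol POST https://upload.example-fileshare.test/put 1200000
2024-05-01T09:06:30Z dave GET https://unknown-saas.example.test/login 150
malformed line without enough fields
"""

def discover(log_text, catalogue=CATALOGUE):
    """Aggregate per-service usage from proxy logs; unknown hosts are kept, not dropped."""
    usage = defaultdict(lambda: {"users": set(), "bytes_out": 0, "requests": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed records rather than guessing
        _, user, method, url, sent = parts
        host = (urlsplit(url).hostname or "").lower()
        if not host:
            continue
        entry = usage[host]
        entry["users"].add(user)
        entry["requests"] += 1
        if method in ("POST", "PUT"):
            entry["bytes_out"] += int(sent)  # uploads are what matter for data loss
    report = []
    for host, u in usage.items():
        meta = catalogue.get(host, {"service": host, "sanctioned": False, "risk": None})
        report.append({**meta, "host": host, "users": sorted(u["users"]),
                       "bytes_out": u["bytes_out"], "requests": u["requests"]})
    return report

def high_risk(report, threshold=7):
    """Unsanctioned services at or above the risk threshold, plus uncatalogued ones for review."""
    flagged = [r for r in report
               if not r["sanctioned"] and (r["risk"] is None or r["risk"] >= threshold)]
    return sorted(flagged, key=lambda r: r["bytes_out"], reverse=True)

if __name__ == "__main__":
    for r in high_risk(discover(SAMPLE_LOG)):
        print(r["service"], r["users"], r["bytes_out"], "risk:", r["risk"])
```

Hosts missing from the catalogue are reported with a risk of `None` so that they are queued for review instead of being silently ignored.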

CASBs can be deployed in three ways: reverse proxy, forward proxy, or “API mode.” Each has its advantages and disadvantages, and many industry experts recommend multimode deployments.

Let’s take a closer look at the different CASB deployment modes.

  • Reverse Proxy: The Reverse Proxy sits in front of the Cloud Service to provide built-in security while in the path of network traffic. A reverse proxy broker connection goes from the Internet to the application server, hiding information from the source behind it.
  • Forward Proxy: The Forward Proxy sits in front of you, and the CASB proxies traffic to multiple cloud platforms. Forward proxy connections go to the Internet from behind a firewall. Like the reverse proxy, it also provides built-in security features.
  • API Mode: Unlike proxy deployments, application programming interfaces (APIs) allow CASBs to integrate with cloud services directly. This allows you to secure both managed and unmanaged traffic. You can view activity and content and take enforcement action based on Cloud Provider API capabilities.

CASB Implementation

To effectively monitor network traffic, you need the Cloud Access Security Broker service built with your organization in mind. A CASB implementation should start with your organization’s portfolio’s most appropriate cloud application. This is the application with the most sensitive data and, therefore, the highest risk. Choosing a CASB that provides API-level support for cloud applications is equally important.

Enterprise Security Administrators must decide whether to integrate their organization’s CASB with an existing SSO or IAS system. This allows you to choose a cloud access security brokerage service to support this integration. You also need to decide which CASB mode your organization needs. In this regard, you can choose the reverse proxy mode, forward proxy mode, or both.

Stepwise instructions to follow:

  • Start with the most important cloud applications in your portfolio.
  • Find a CASB that provides API-level support for this cloud application. 
  • Decide whether you want to integrate the CASB with your existing IAS or SSO system.
  • Choose a CASB that supports these integrations.
  • Determine which CASB mode is required (forward proxy, reverse proxy, or both).
  • Balance the cost of the CASB with the benefit to your security profile.

CASB Functional Pillars

CASB provides features that fall into four “pillars,” including:

  • Visibility: When a cloud application sits outside the view of your IT department, you create information that is not controlled by your business’ governance, risk, and compliance processes. A CASB gives you visibility of all cloud applications and their usage, including vital information on who uses the platform, their department, location, and the devices used.
  • Data Security: The cloud platform increases the risk of inadvertently exchanging data with the wrong person. When using cloud storage, regular data loss prevention (DLP) tools cannot track or control who has access to your data. The CASB brings data-centric security to the cloud by combining encryption, tokenization, access control, and information rights management.
  • Threat Prevention: Employees are one of the most difficult security threats to protect against. Ex-employees who are disconnected from an organization’s core systems can still access cloud applications containing business-critical information. The CASB can detect and respond to malicious or negligent insider threats, privileged users, and compromised accounts in your cloud infrastructure.
  • Compliance: As data moves to the cloud, industry and government regulations require that data be kept secure and private. CASB defines and enforces DLP policies for sensitive data in cloud deployments.

What are CASBs used for in Security?

CASB solutions have a variety of capabilities to protect your cloud data. Below is an excerpt from the Gartner article How to Secure Your Cloud Applications with a Cloud Access Security Broker.

  • Cloud Application Discovery and Risk Assessment
  • Adaptive Access Control
  • Data Loss Prevention
  • User and Entity Behavior Analytics
  • Threat Protection
  • Client-Side Encryption (Including Integration with Digital Rights Management)
  • Pre-Cloud Encryption and Tokenization
  • Bring Your Own Key (BYOK) Encryption Key Management
  • Monitoring and Log Management
  • Cloud Security Status Management

Top 5 Cloud Access Security Brokers

The CASB market has exploded due to the large-scale migration of services to the cloud combined with the need to implement cloud security due to the significant risk of leakage and data loss.

The CASB is a next-generation technology that has become an important component of your cloud security strategy. According to the Gartner Magic Quadrant for Cloud Access Brokers, 1 in 5 large enterprises uses CASBs to secure or manage cloud services.

Gartner identified five CASB market leaders in its Magic Quadrant, including:

  • McAfee: McAfee entered the CASB market in January 2018 and gained notoriety by acquiring Skyhigh Networks. The platform, now known as MVISION Cloud, provides coverage across CASB’s four pillars for a wide range of cloud services. McAfee has also made an on-premises virtual app available for those that require it.
  • Microsoft: The Microsoft CASB product is called Microsoft Cloud Application Security. The platform supports multiple deployment modes, including reverse proxy and API connector. Microsoft continues to develop CASB solutions with improved visibility, analytics, data control, and innovative automation capabilities. Microsoft Cloud Application Security also integrates seamlessly with Microsoft’s growing portfolio of security and identity solutions, including Azure Active Directory and Microsoft Defender Advanced Threat Protection. This enables Microsoft to provide customers with a fully integrated solution for the Microsoft platform through one-click deployment.
  • Netskope: Unlike many players in the field who simply acquire CASB solution providers, Netskope remains an independent company. This provider is known for its excellence in application discovery and SaaS security assessments. Netskope supports thousands of cloud services with built-in decoding of published and unpublished APIs. CASB provides DLP and combines threat intelligence, static and dynamic analysis, and machine learning-based anomaly detection to detect threats in real-time.
  • Symantec: Symantec CASB’s CloudSOC offering expanded in 2016 with the acquisition and integration of Blue Coat Systems’ Perspecsys and Elastica products. CloudSOC provides its cloud API, real-time traffic processing, and DLP with automatic data classification and multi-mode control using inputs from multiple data channels. Advanced User Behavior Analysis (UBA) can automatically detect and remediate threats inside and outside your organization.
  • Bitglass: Bitglass Cloud Security is a next-generation CASB that integrates with any application, device, or network. The platform runs natively in the cloud and is the only provider of enterprise data protection on mobile devices without using agents or profiles. Bitglass has gained notoriety for implementing a zero-day approach that focuses on trust scores, trust levels, and data encryption at rest.

Top 10 Cloud Security Certifications

Successfully securing a cloud platform requires advanced cloud security skills and knowledge. You will also need to learn platform-specific skills to configure access, network security, and data protection within your chosen cloud provider.

You can now choose from various platform and vendor-specific certifications to develop and validate the skills you need.

Listed below are a few certifications you might want to consider

  • (ISC)2 – Certified Cloud Security Professional (CCSP)
  • Cloud Security Alliance – Certificate of Cloud Security Knowledge (CCSK)
  • AWS Certified Security – Specialty
  • Microsoft Certified: Azure Security Engineer Associate
  • Google Cloud – Professional Cloud Security Engineer
  • Alibaba ACA Cloud Security Certification
  • Alibaba ACP Cloud Security Certification
  • Cloud Credential Council – Professional Cloud Security Manager Certification (PCS)
  • Oracle Cloud Platform Identity and Security Management 2019 Certified Associate
  • SANS SEC524: Cloud Security and Risk Fundamentals

Do’s and Don’ts of Selecting a CASB

In summary, here are some do’s and don’ts that we found useful after evaluating various CASB decisions.

DO

  • Decide which cloud services and platforms you have.
  • Ask your vendor to plan your solution development to see what’s next.
  • Request a referral to an organization of the same type that you manage. 
  • Check out the link and ask about your experience
  • Perform proof of concept/proof of value with the selected vendor.

DON’T

  • Rely too much on publicly available materials, vendor specifications or marketing materials, or other estimates that are more than a year old. A booming market has likely rendered them obsolete. 
  • Only rely on recommendations. In most cases, performing an RFI with a single vendor is the best way to ensure that a solution meets your needs.

Conclusion

While some of the CASB’s capabilities include familiar approaches and techniques previously used to protect data in on-premises applications, CASBs are different and unique technologies, distinct from web application firewalls, corporate firewalls, and secure web gateways. When it first appeared, the cloud access security broker service was considered by many to be a cloud surveillance solution for discovering Shadow IT.

However, CASB now offers a wide range of capabilities across core compliance, data security, threat protection, and transparency. The growing popularity of using cloud computing in enterprises and the maturation of cloud access security brokerage services have led to increased adoption of enterprise-level software.

  • Identify and categorize Shadow IT cloud services that are in use, employees using them, and the risks they pose.
  • Evaluate and choose cloud services that match internal and industry security and compliance standards
  • Safeguard enterprise data stored within the cloud by preventing specific kinds of sensitive data from getting uploaded, besides tokenizing and encrypting data.
  • Identify the possible misuse of the organization’s cloud services. This includes unauthorized activities by insiders and third parties, which may compromise user accounts.
  • Implement different levels of cloud service functionality and data access based on users’ devices, operating systems, and location.

The media shown in this article is not owned by Analytics Vidhya and is used at the Author’s discretion.
