Cloud Access Security Brokers (CASB)

Elastica is a Cloud Access Security Broker (CASB). What’s that?

A Cloud Access Security Broker (CASB) is a visibility and control point residing between employees of an organization and the cloud services and SaaS applications they access (e.g., Box, Dropbox, Google Drive, Office 365, Salesforce, Workday, etc.). A Cloud Access Security Broker can potentially be deployed in either of two ways: as an on-premises offering or as a cloud-based gateway or proxy through which traffic enterprise traffic can be siphoned (typically on a per-application basis).

Because of its positioning, a Cloud Access Security Broker not only has (potentially granular) visibility into the traffic going to and from a cloud service or SaaS application, but can be used by IT organizations to actively detect threats and enforce policies.

There are a variety of different capabilities that a Cloud Access Security Broker might have. These capabilities include, but are not limited to, one or more of the following:

  • Uncovering Shadow IT by Auditing your network to discover the cloud services and SaaS applications being used by your employees and providing a business readiness rating that specifies how safe these application are for use by your company. By understanding what risks are posed by different applications, organizations are better positioned to pass compliance audits that often place stringent security guidelines on the third-party apps being used. Ideally, the business readiness rating should be organization specific and the scoring criteria should be adjustable by IT organizations. Get a Free SaaS Audit
  • Detecting risky users and activities associated with cloud services and SaaS applications. At one extreme, this activity could have be perpetrated by external adversarial parties who got access to an account through means such as spear phishing attacks, password breaches, or malware. At another extreme, threatening activity could be due to an insider who has gone rogue. For example, an employee getting ready to leave a company might try to pilfer sensitive data prior to his or her departure. In one variation, the insider might engage in risky behavior unwittingly. For example, simply mistyping an email address might cause a file containing sensitive data to be shared with someone other than the intended recipient. Identifying such threats could involve a plethora of techniques, such as threat signatures, anomaly detection, and machine learning based approaches. Ideally, detection should be actionable — in other words, it is not just about identifying and scoring risky behavior, but about providing IT security administrators with concrete information to rectify the situation.
  • Protecting by enforcing policies across multiple cloud services concurrently. These capabilities allow you to prevent threats in an effort to meet corporate governance, risk, and compliance guidelines. Protection in this case need not be limited to specific access controls, but could be made more granular and applied to specific actions. For example, your organization might be fine with a user employing a particular file sharing service, but might want to prohibit the specific action of sharing files to people with external email address domains.
  • Performing continuous monitoring and logging to simplify compliance audits and also facilitate post-incident investigation analysis and response across all historical transactions associated with your cloud services and SaaS applications. This capability enables customers to engage in deep dive analysis for legal, compliance or HR initiatives, ensuring cloud-based data is no longer outside the sphere of enterprise analysis.
  • Encrypting data en route to a SaaS provider to provide better data confidentiality guarantees. In this case, however, encrypting data could have downstream repercussions specifically around breaking downstream data analytics functionality like searching, sorting, or analyzing data. The reason being that encryption algorithms, by definition, are designed to hide information about the original plaintext. Doing so makes it more challenging to operate on that data. The other challenge with encryption is that a SaaS provider might be expecting data to be formatted in a specific way (e.g., a social security number will be represented as a sequence of 9 digits), and the encryption algorithm might fail to preserve that formatting. That said, there are encryption techniques that facilitate downstream analytics, but the security guarantees are weaker compared to what is provided with standard encryption algorithms.
  • Tokenizing data that goes to a SaaS provider to ensure that data contained in specific confidential fields never leaves the enterprise perimeter. Tokenization techniques, much like encryption techniques, are used to maintain data confidentiality. The implementation is, however, very different. In a tokenization scheme, a table is maintained that maps data in specific fields with random looking tokens. The CASB will supplant sensitive fields with the corresponding token value as data is transmitted en route to the provider. And as data is transmitted from the SaaS provider back to the user, the CASB will replace tokens back with the original data. One benefit of tokenization is that it facilitates format preservation since there is more flexibility over token choice. That said, maintaining a table that maps fields with token values can become challenging as the amount of data increases.
  • Federating identity and controlling access to cloud services at a coarse level to simplify the process of maintaining multiple sets of credentials. This basic step is often one of the first that organizations take since it provides a preliminary degree of control and centralization around multiple disparate cloud services.
  • Providing data loss prevention (Cloud DLP) capabilities in the context of cloud services. For example, customers might be using cloud-based file sharing services, like Box or Google Drive, and be interested in knowing what types of content is accessible and what types of risks might be associated with employee data. Does the file contain Personally Identifiable Information (PII), Personal Health Information (PHI) that could cause a violation of the Health Insurance Portability and Accountability Act (HIPAA), or Payment Card Information (PCI) that could cause a violation of the Payment Card Industry Data Security Standard (PCI-DSS)? Does the file contain sensitive intellectual property, like source code? While keyword search and basic regular expression matching can identify some of these risks, more elaborate techniques such those leveraging machine learning or natural language processing will typically be necessary to ensure that classification is done with a sufficient degree of accuracy.

It is unlikely that a single Cloud Access Security Broker (CASB) will offer every one of the above capabilities at the required degree of depth needed for most organizations. Instead, each will provide a subset of these capabilities, and organizations must pick and choose accordingly to ensure an adequate degree of coverage. Beyond that, different vendors will espouse different techniques and will differ with regard to their implementation details. For example, for threat identification and content classification, some vendors might only integrate with legacy solutions or limit themselves to keyword searches and regular expression matching. Other vendors might employ machine learning and natural language processing as well.

Some vendors might deliver their services as an on-premises appliance (physical or virtual). Other vendors might offer a software-based solution. And yet others will provide a cloud-hosted solution (figuratively sitting alongside the very cloud services and SaaS applications they are trying to protect).

Different techniques can be espoused by Cloud Access Security Brokers to gain visibility into the activity between end users and SaaS services. Some brokers will choose a forward proxy, others will choose a transparent proxy, and yet others will choose a reverse proxy.

It is worth clarifying one point here. People occasionally conflate Cloud Access Security Brokers with SaaS Platform Security Management (SPSM) technologies. The latter provide a similar set of capabilities as CASBs, but do so by leveraging any APIs offered by the SaaS provider to gain visibility into how the cloud service is used. However, only a small fraction of SaaS vendors offer an API (let alone one that is sufficiently robust to provide deep visibility). That said, on-boarding and deploying through a vendor API is extremely simple, so it is worthwhile when it can be done. Nowadays, however, vendors are emerging that provide a hybrid model. They can access SaaS traffic either via API or by sitting as a broker in between employees and SaaS applications. As a result, the term CASB is morphing to incorporate SPSMs as a special case.