Your CASB Solution Guide Moving to the Cloud: The SASE Puzzle Part 3

What is a CASB Solution?

A Cloud Access Security Broker (CASB) is the watchdog between users and cloud service providers. The term was coined by Gartner in 2012, which describes CASBs as “on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed.”

CASB solutions combine various kinds of security policies, including authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, and malware detection/prevention. These solutions have been a vital part of growing organizational security, particularly with the growth of Bring Your Own Device (BYOD) and the need to expose cloud use that falls under Shadow IT. Overall, CASB grants organizations the ability to use the cloud while still protecting their sensitive data.

Four Pillars of CASB

There are four main functions, or pillars, of CASB solutions:

    1. Visibility – CASB allows a new level of transparency between cloud providers and organizations under a shared responsibility model. While cloud providers are responsible for maintaining the application and underlying infrastructure, organizations are responsible for ensuring proper monitoring and control of their data.
    2. Compliance – CASB extends data protection and monitoring to show how data is accessed and used. Additional integration with Identity and Access Management (IAM) and Data Loss Prevention (DLP) solutions further improves compliance.
    3. Data Security – Some CASB solutions can protect sensitive data; however, having a DLP system in addition to CASB adds an extra layer of protection. Together, they enhance the ability to identify and authorize access and sharing of data by users of cloud applications, preventing and alerting when improper data access or actions occur.
    4. Threat Protection – CASB reduces the chance that cloud malware and threats spread through cloud storage service vectors, synced clients, or services.

Why do you need a CASB Solution?

CASBs are just as important as having a firewall in your environment due to new features and functions constantly being introduced. For example, some CASB solutions provide Private Applications, which provide protection for internally hosted applications. Additionally, the benefits CASBs now offer make them a necessity, with 60% of large enterprises to have one in place by 2022. Previously, many businesses looked at CASB primarily as a vector to expose and address the large amount of unknown Cloud application use via Shadow IT reports or audits. Now, CASBs contain features for in-motion or at-rest Cloud SaaS applications, which allows existing policies to be extended and leveraged for Cloud SaaS enforcement. This does not, however, address the need for business access to Cloud SaaS: creating a policy of enforcement is not enough to make sure business requirements are met while still maintaining the security needed to protect sensitive corporate data.

It may be easy to assume that if you have an on-premises Next-Generation Firewall (NGFW), Secure Web Gateway (SWG), DLP, Anti-Virus Software (AV), and other devices, your users will be jointly protected from web-based threats, since these products may support add-ons or partial protection of Cloud SaaS applications. Each vendor product may offer a portion of protection; nevertheless, layering those portions does not guarantee that the additional layers will behave as intended or that they will not add delay to user traffic. Attempting to leverage features on all your devices could block where a permit was desired (or vice versa) due to the layers of policy applied between different functional appliances.

Using a CASB to protect Cloud SaaS solutions is beneficial because CASBs are designed for Cloud SaaS awareness (as opposed to classic web traffic proxy appliances, which were not built for Cloud SaaS but for web browsing). With the right settings, a CASB can be configured to know the difference between a corporate-owned SaaS tenant, an external vendor SaaS tenant, and a personal user account. These systems have also adopted many integration benefits with ZTNA (Zero Trust Network Access) and allow for connections to Single Sign-On (SSO), DLP, and Global Web Security Gateway (GWSG) for adaptive policy application.

Getting Started

Before putting this type of solution in place, a Shadow IT report is the most valuable assessment to start with. This report identifies whether the cloud SaaS traffic is corporate owned or non-corporate owned, while also pinpointing whether current policies are working as intended. However, if the assessment contains only a small quantity of your traffic (and only traffic that traverses network devices able to log it), you may end up with a report that does not fully represent all Cloud SaaS application use and will need to be updated as you proceed.
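A minimal sketch of such a Shadow IT report, added here as an illustration and not taken from any CASB product: it classifies constructed proxy log lines as corporate tenant, non-corporate tenant, or unsanctioned app, and reports how many of the expected logging devices actually contributed. The log layout, host names, tenant IDs, and device names are all assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed inventory (assumption): sanctioned SaaS hosts -> corporate tenant IDs.
SANCTIONED = {
    "files.example-saas.test": {"corp-tenant"},
    "mail.example-saas.test": {"corp-tenant"},
}
# Constructed list of egress devices that are expected to log (assumption).
EXPECTED_SOURCES = {"fw-hq", "fw-branch1", "fw-branch2", "vpn-gw"}

# Constructed log lines: source user host tenant bytes_out
SAMPLE_LOG = """\
fw-hq alice files.example-saas.test corp-tenant 1200
fw-hq alice files.example-saas.test personal-7731 98000
fw-hq bob notes.unknown-app.test - 4500
vpn-gw carol mail.example-saas.test corp-tenant 300
vpn-gw bob notes.unknown-app.test - 15500
fw-hq dave files.example-saas.test vendor-acme 700
malformed line
"""

def classify(host, tenant):
    """Label one flow by app sanction status and tenant ownership."""
    if host not in SANCTIONED:
        return "unsanctioned"
    return "corporate" if tenant in SANCTIONED[host] else "non-corporate-tenant"

def shadow_it_report(log_text):
    bytes_by_class = Counter()
    users_by_app = defaultdict(set)
    sources, skipped = set(), 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            skipped += 1  # count unparsable lines instead of silently dropping them
            continue
        source, user, host, tenant, size = parts
        sources.add(source)
        label = classify(host, tenant)
        bytes_by_class[label] += int(size)
        if label != "corporate":
            users_by_app[(host, label)].add(user)
    # Share of expected logging devices seen: low coverage means a partial report.
    coverage = len(sources & EXPECTED_SOURCES) / len(EXPECTED_SOURCES)
    return {"bytes": dict(bytes_by_class),
            "users": {k: sorted(v) for k, v in users_by_app.items()},
            "coverage": coverage, "skipped": skipped}

if __name__ == "__main__":
    print(shadow_it_report(SAMPLE_LOG))
```

A coverage value of 0.5 on the sample data means half of the expected devices produced no logs, which is the situation where the report has to be revisited as more traffic sources are onboarded.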

A program “champion,” or someone who can head the project, is advised, not only to drive progress internally but also to enable collaboration between groups to protect access provided by Acceptable Use Policies (AUP) and data protection goals.

Keep in mind that CASB by itself is not a complete solution, as it is a part of the SASE solution set. Consider complementary tools to advance defense in depth, such as DLP, IAM, and GWSG. If you already have such tools at your disposal, ensure they can integrate with any prospective CASB platform. Further, continuous monitoring is a key piece of any compliance effort. Integration with a Security Information and Event Management (SIEM) system, along with automated alerting, ensures those charged with monitoring and auditing are enabled to succeed.

 

CASB Solution Checklist - What to look for

✅ Cloud Application Discovery, also known as Shadow IT

✅ Risk and Data Governance Visibility

✅ Activity Monitoring 

✅ Threat Protection

✅ Data Security 

✅ Activity-based Analytics 

✅ Endpoint Access Control

✅ Remediation Actions

✅ Deployment Flexibility

✅ Delivery Infrastructure 

CASB Assessment Questionnaire

Looking to get started with a CASB solution? Take our assessment questionnaire to understand where you currently are in maturity. 

Braxton-Grant is a multi-vendor integrator with deep experience in CASB implementation that you can leverage. Reach out to us today to get started!