A cloud access security broker (CASB) is cloud-delivered software or on-premises software and/or hardware that acts as an intermediary between users and cloud service providers. The ability of CASBs to address gaps in security extends across software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) environments. In addition to providing visibility, a CASB also allows organizations to extend the reach of security policies from their existing on-premises infrastructure to the cloud and create new policies for cloud-specific contexts.
CASBs have become a vital part of enterprise security, allowing businesses to safely use the cloud while protecting sensitive corporate data.
The CASB serves as a policy enforcement center, consolidating multiple security policy enforcement functions and applying them to everything your business uses in the cloud—regardless of the kind of device attempting to access it, including unmanaged smartphones and personal laptops.
Why do I need a CASB?
As services previously offered on-premises continue migrating to the cloud, maintaining visibility and control in these environments is essential to meeting compliance requirements, safeguarding the enterprise, and allowing your employees to safely use cloud services without introducing additional risk.
With the increase in remote workers and workforce mobility, the growth in bring-your-own-device (BYOD) programs, and the presence of unsanctioned employee app usage (Shadow IT), the ability to monitor and govern cloud applications such as Microsoft Office 365, SAP SuccessFactors and Slack has become essential to enterprise security. Rather than banning cloud services outright and potentially impacting employee productivity, a CASB enables businesses to take a granular approach to data protection and policy enforcement, making it possible to safely use productivity-enhancing and cost-effective cloud services.
A CASB provides visibility and control over data and threats by employing the following steps:
The CASB uses auto-discovery to compile a list of all third-party cloud services, as well as who is using them.
Once the full extent of cloud usage is revealed, the CASB then evaluates the risk level associated with each service by identifying the app and determining what sort of data is within it and how the data is being shared.
After the relative risk of each app is known, the CASB can use the information to set data and user access policies to meet an organization’s security requirements and automatically take action whenever violations occur.
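The three steps above (discover, assess risk, apply policy) can be sketched over web-proxy logs. This is an added example, not code from any CASB product: the log format, hostnames, app catalogue, risk scores and upload threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed proxy log lines: timestamp user method host bytes_uploaded
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice POST chat.sanctioned.example 1200
2024-05-01T09:00:07Z bob POST drop.fileshare.example 52000000
2024-05-01T09:01:13Z carol GET drop.fileshare.example 0
2024-05-01T09:02:40Z alice POST notes.unknownapp.example 300
malformed line
2024-05-01T09:03:02Z bob POST chat.sanctioned.example 800
"""

# Hypothetical app catalogue: host suffix -> (service, sanctioned?, base risk 1-10)
CATALOG = {
    "sanctioned.example": ("CorpChat", True, 2),
    "fileshare.example": ("DropShare", False, 7),
}
UPLOAD_LIMIT = 10_000_000  # assumed per-service upload threshold in bytes
UNKNOWN_RISK = 6           # assumed base risk for services not in the catalogue

def discover(log_text):
    """Step 1: list every cloud service seen and who used it."""
    usage = defaultdict(lambda: {"users": set(), "uploaded": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed records instead of crashing
        _, user, _, host, sent = parts
        suffix = ".".join(host.split(".")[-2:])
        usage[suffix]["users"].add(user)
        usage[suffix]["uploaded"] += int(sent)
    return dict(usage)

def assess(usage):
    """Steps 2 and 3: score each service, then choose a policy action."""
    report = {}
    for suffix, seen in usage.items():
        name, sanctioned, risk = CATALOG.get(suffix, (suffix, False, UNKNOWN_RISK))
        if seen["uploaded"] > UPLOAD_LIMIT:
            risk = min(10, risk + 2)  # large uploads raise data-exposure risk
        action = "allow" if sanctioned else "block" if risk >= 8 else "monitor"
        report[name] = {"users": sorted(seen["users"]), "risk": risk, "action": action}
    return report

if __name__ == "__main__":
    for service, verdict in assess(discover(SAMPLE_LOG)).items():
        print(service, verdict)
```

Services missing from the catalogue are treated as unsanctioned and monitored rather than silently allowed, which is the Shadow IT case the discovery step exists to surface.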
CASBs also offer additional layers of protection through malware prevention and data encryption.
How do I deploy a CASB?
Here are some key deployment considerations:
Deployment location: A CASB can be deployed either on-premises or in the cloud. Currently, the majority of CASB instances are SaaS-based.
Deployment model: There are three CASB deployment models to consider.
API Control - provides visibility into data and threats in the cloud, as well as faster deployment and comprehensive coverage
Reverse Proxy - ideal for devices, especially those that are unmanaged and/or outside the purview of network security
Forward Proxy - usually working in conjunction with VPN clients or endpoint protection (requires an agent)
How does CASB relate to Secure Access Service Edge (SASE)?
In a recent report, Gartner describes CASBs as an essential element of SASE. While a CASB is crucial for securing a company’s cloud usage, it is also a key part of an overall strategy businesses should employ to ensure defense from endpoint to cloud. For comprehensive protection, enterprises should also consider expanding on CASB capabilities by deploying a secure web gateway (SWG) to help safeguard internet usage and a data loss prevention solution (DLP) to protect intellectual property and sensitive corporate data across the network.
Gartner recommends CASBs that offer a variety of architectures to cover all cloud scenarios. Multi-mode CASBs help ensure that organizations will be able to expand cloud security as their digital transformation evolves.
In order to get the most out of your countless cloud apps without risking your data, you need to know exactly what’s going on. You also need to be able to detect and respond to threats and have the ability to dynamically control access. Lookout Cloud Access Security Broker (CASB) is a multi-mode CASB that provides full visibility into the interactions between users, endpoints, cloud apps and your data. It also enables you to dynamically dial in Zero Trust access controls. With continuous monitoring of user and entity behavior analytics (UEBA), you can detect and respond to insider threats and advanced cyberattacks. We provide advanced data loss prevention that can classify, encrypt and restrict sharing of your data on the fly so that only authorized users have access. We also perform automated assessment of all your cloud apps and infrastructure to ensure they are properly configured.