what is a cloud access security broker (CASB)?
A Cloud Access Security Broker (CASB) is a data-centric solution for securing SaaS applications end-to-end, from the cloud to the device. By brokering traffic between cloud apps and end-user devices, a CASB sits at a control point that belongs to neither the app nor the device, and from there provides granular access control and deep visibility over corporate data in the cloud.
CASB architectures vary from one vendor to the next. Most are built around a primary proxy mechanism, either a forward proxy or a reverse proxy, supplemented by API integration with the applications for scanning data at rest. A forward proxy depends on the device routing its traffic to the CASB (an agent or a proxy setting), so it suits managed devices; a reverse proxy sits in front of the application itself, typically by having the identity provider redirect logins through it, so it can also cover unmanaged devices. Proxies enable real-time, inline control over data in transit. APIs are not inline: they act after the fact, by polling or receiving change notifications, but they reach data that never crosses the proxy and control backend functions such as external sharing settings. Most enterprises will require a hybrid CASB that provides both proxy-based and API-based protection for comprehensive cloud data protection.
components of a complete CASB solution
CASBs protect corporate data across four primary areas of control - cloud, mobile, identity and network.
cloud data protection & visibility
To enable secure, compliant public cloud usage, a CASB vendor must offer both visibility and real-time, inline data protection from any device.
Visibility ranges from detailed, audit-level logging of every user action to suspicious-activity detection and user behavior analytics. By profiling each user's normal behavior (locations, devices, data volumes, times of activity), a CASB can build a baseline and then alert, or take action such as requiring re-authentication, when new activity departs from it.
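The baselining described above, as an added example that is not the page's or any vendor's code. It builds a per-user profile (countries seen, a download-size ceiling) from a constructed activity log and scores new events against it; the log format, the two features, the thresholds and the `step_up` action (handing a suspicious login to the identity provider for stronger authentication, the point the identity management section below makes) are all assumptions chosen for illustration.

```python
"""User behaviour baselining over constructed CASB activity logs.

Added example, not the page's or any vendor's code. The log format, the two
features profiled (countries seen, download volume) and the thresholds are
assumptions; the 'step_up' action models handing a suspicious login to the
identity provider for stronger authentication.
"""
import statistics
from collections import defaultdict

# Constructed history, one event per line: "timestamp user action country bytes".
HISTORY = """\
2024-03-01T09:02:11Z alice login US 0
2024-03-01T09:05:40Z alice download US 120000
2024-03-02T09:10:03Z alice download US 98000
2024-03-03T09:01:55Z alice download US 110000
2024-03-04T09:08:12Z alice download US 105000
2024-03-01T13:00:00Z bob login DE 0
2024-03-02T13:20:00Z bob download DE 15000000
2024-03-03T13:25:00Z bob download DE 14000000
2024-03-04T13:30:00Z bob download DE 16000000
""".strip().splitlines()


def parse_event(line: str) -> dict:
    ts, user, action, country, nbytes = line.split()
    return {"ts": ts, "user": user, "action": action,
            "country": country, "bytes": int(nbytes)}


def build_baseline(lines: list[str]) -> dict:
    """Per-user profile: countries seen and a download-size ceiling."""
    countries = defaultdict(set)
    downloads = defaultdict(list)
    for ev in map(parse_event, lines):
        countries[ev["user"]].add(ev["country"])
        if ev["action"] == "download":
            downloads[ev["user"]].append(ev["bytes"])
    baseline = {}
    for user in countries:
        sizes = downloads.get(user, [])
        if len(sizes) >= 2:
            # Enough history for a dispersion estimate: mean + 3 sigma.
            limit = statistics.mean(sizes) + 3 * statistics.stdev(sizes)
        elif sizes:
            # A single observation: fall back to a fixed multiple of it.
            limit = 2 * sizes[0]
        else:
            limit = 0  # never seen a download, so any download is notable
        baseline[user] = {"countries": countries[user], "download_limit": limit}
    return baseline


def score_event(baseline: dict, line: str) -> dict:
    """Compare one new event with the user's profile and pick a response."""
    ev = parse_event(line)
    profile = baseline.get(ev["user"])
    if profile is None:
        return {"user": ev["user"], "action": "alert",
                "reasons": ["no baseline for user"]}
    reasons = []
    if ev["country"] not in profile["countries"]:
        reasons.append(f"first activity from {ev['country']}")
    if ev["action"] == "download" and ev["bytes"] > profile["download_limit"]:
        reasons.append(f"download of {ev['bytes']} bytes exceeds limit "
                       f"{profile['download_limit']:.0f}")
    if not reasons:
        action = "allow"
    elif ev["action"] == "login":
        action = "step_up"   # suspicious login: require stronger authentication
    else:
        action = "alert"     # suspicious data movement: raise for investigation
    return {"user": ev["user"], "action": action, "reasons": reasons}


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for new in ["2024-03-05T02:14:00Z alice login RU 0",
                "2024-03-05T09:03:00Z alice download US 5000000",
                "2024-03-05T13:22:00Z bob download DE 17000000"]:
        print(score_event(base, new))
```

The mean-plus-three-sigma ceiling is deliberately crude: with four samples it tracks the samples closely, so a real deployment would want a longer window and a minimum floor before it starts alerting. The point is the shape of the logic, in which a login anomaly is routed to authentication and a data-movement anomaly to investigation.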
CASBs combine APIs and proxies for comprehensive data protection. APIs scan and protect data at rest, the content already stored in the application; proxies provide inline, real-time protection for data being accessed from both managed and unmanaged devices. A proxy only sees traffic that is routed through it, and an API only sees what the application exposes, which is why both are needed. In both cases the enterprise applies data leakage prevention (content inspection) and contextual access control (who is asking, from what device, doing what) to cloud data at rest and in transit.
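How an inline proxy combines content inspection with request context, as an added example that is not the page's or any vendor's code. It classifies a request body for payment card numbers (regex plus Luhn check, so random digit runs are mostly ignored) and Social Security numbers, then decides based on whether the device is managed and whether data is leaving or entering the cloud app. The `Request` fields, the label names and the policy table are assumptions chosen for illustration.

```python
"""Inline DLP plus contextual access control for a single cloud request.

Added example, not the page's or any vendor's code. The labels, the policy
table and the request context fields are assumptions chosen to show how an
inline proxy combines what is in the data with who is asking and from where.
"""
import re
from dataclasses import dataclass

# Candidate payment card numbers: 13-19 digits with optional single spaces/dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security numbers in the common dashed form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters most random digit runs out of CARD_RE hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the DLP labels found in the content: 'pci' and/or 'pii'."""
    labels = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.add("pci")
            break
    if SSN_RE.search(text):
        labels.add("pii")
    return labels


def redact(text: str) -> str:
    """Mask Luhn-valid card numbers and SSNs down to their last four digits."""
    def mask_card(m):
        raw = re.sub(r"[ -]", "", m.group())
        return "X" * (len(raw) - 4) + raw[-4:] if luhn_ok(raw) else m.group()
    text = CARD_RE.sub(mask_card, text)
    return SSN_RE.sub(lambda m: "XXX-XX-" + m.group()[-4:], text)


@dataclass
class Request:
    user: str
    action: str            # "download" (cloud -> device) or "upload" (device -> cloud)
    device_managed: bool   # asserted by the identity provider or a device certificate
    content: str           # body as seen by the inline proxy


def decide(req: Request) -> dict:
    """Policy: regulated data never lands on an unmanaged device in clear form."""
    labels = classify(req.content)
    if not labels:
        return {"decision": "allow", "labels": labels, "content": req.content}
    if req.device_managed:
        # Managed device: allow, but record that regulated data moved.
        return {"decision": "allow", "labels": labels, "content": req.content,
                "audit": True}
    if req.action == "download":
        # Unmanaged device: do not let regulated data land on it.
        return {"decision": "block", "labels": labels, "content": ""}
    # Upload from an unmanaged device: forward a redacted copy to the cloud app.
    return {"decision": "redact", "labels": labels, "content": redact(req.content)}


# Constructed sample export; the second card fails the Luhn check on purpose.
SAMPLE_EXPORT = ("customer,card,ssn\n"
                 "A. Example,4111 1111 1111 1111,123-45-6789\n"
                 "B. Example,4111 1111 1111 1112,n/a\n")

if __name__ == "__main__":
    for action, managed in [("download", False), ("download", True), ("upload", False)]:
        print(action, managed, decide(Request("alice", action, managed, SAMPLE_EXPORT)))
```

Note that the policy keys on the device posture the proxy is told about, not on anything it can verify in the request itself; that assertion has to come from the identity provider or a device certificate, which is why the identity integration described later on this page matters to the data-protection story.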
mobile data protection
Cloud and mobile are inseparable parts of a complete security solution: data must be protected at rest in the cloud, at rest on mobile devices, and in transit between the two. This data-centric approach ensures that corporate information stays protected on any device, anywhere.
CASBs are frequently used as an alternative to MDM and can enforce a range of device security policies on any device without installing software or agents. Examples include PIN or passcode enforcement, selective wipe of corporate data, and device-level encryption. In practice such agentless enforcement relies on the device's own built-in policy hooks (for example the device policies that mail clients accept over Exchange ActiveSync), so the set of enforceable controls is narrower than what a full MDM agent provides.
breach and shadow IT discovery
Data leaving the corporate network for high-risk destinations can take many forms: malware command and control sites, anonymizers such as Tor, "shadow IT" cloud applications, and more. Discovery is typically an offline analysis of existing proxy or firewall logs rather than inline control: destinations are extracted from the logs, matched against an application catalogue and threat intelligence, classified according to overall risk, and prioritized for rapid investigation.
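The discovery step described above, as an added example that is not the page's or any vendor's code. It parses constructed proxy log lines, extracts the destination host, looks it up in a small catalogue by domain suffix, and ranks destinations by risk and by how much data was uploaded to them. The log format, the catalogue entries, the risk scores and the treatment of unknown hosts as shadow-IT candidates are assumptions; a real product substitutes a maintained application catalogue and threat feeds for `CATALOGUE`.

```python
"""Risk-ranking of outbound destinations from constructed proxy logs.

Added example, not the page's or any vendor's code. The log format, the
category/risk table and the ranking rule are assumptions; a real product
uses a maintained application catalogue and threat feeds instead of CATALOGUE.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines: "unix_ts user method url bytes".
PROXY_LOG = """\
1709280000.100 alice GET https://docs.sanctioned-suite.example/file/1 120000
1709280010.200 alice POST https://upload.freeshare-files.example/api/put 9400000
1709280020.300 bob GET https://update.os-vendor.example/patch.bin 55000000
1709280030.400 bob CONNECT node7.anon-exit.example:443 2200
1709280040.500 carol POST https://c2.badsite.example/gate.php 512
1709280050.600 carol POST https://upload.freeshare-files.example/api/put 3100000
1709280060.700 dave GET https://notes.unknown-saas.example/app 70000
""".strip().splitlines()

# Domain suffix -> (category, risk 0-10). Assumed values for illustration.
CATALOGUE = {
    "sanctioned-suite.example": ("sanctioned", 0),
    "os-vendor.example": ("software_update", 1),
    "freeshare-files.example": ("shadow_it_file_sharing", 7),
    "anon-exit.example": ("anonymizer", 9),
    "badsite.example": ("malware_c2", 10),
}
# Hosts nobody has classified yet are the shadow-IT candidates worth a look.
UNCLASSIFIED = ("unclassified", 5)
UPLOAD_METHODS = {"POST", "PUT"}


def parse_line(line: str) -> dict:
    ts, user, method, url, nbytes = line.split()
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]       # CONNECT carries host:port, no scheme
    else:
        host = urlsplit(url).hostname
    return {"ts": float(ts), "user": user, "method": method,
            "host": host, "bytes": int(nbytes)}


def lookup(host: str) -> tuple:
    """Match the longest catalogued suffix of the host (c2.badsite.example -> badsite.example)."""
    labels = host.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in CATALOGUE:
            return CATALOGUE[suffix]
    return UNCLASSIFIED


def discover(lines: list) -> list:
    """Aggregate per destination and rank by risk, then by bytes uploaded."""
    agg = {}
    for ev in map(parse_line, lines):
        entry = agg.setdefault(ev["host"], {"users": set(), "requests": 0,
                                            "upload_bytes": 0})
        entry["users"].add(ev["user"])
        entry["requests"] += 1
        if ev["method"] in UPLOAD_METHODS:
            entry["upload_bytes"] += ev["bytes"]
    ranked = []
    for host, entry in agg.items():
        category, risk = lookup(host)
        ranked.append({"host": host, "category": category, "risk": risk,
                       "users": sorted(entry["users"]),
                       "requests": entry["requests"],
                       "upload_bytes": entry["upload_bytes"]})
    ranked.sort(key=lambda r: (-r["risk"], -r["upload_bytes"], r["host"]))
    return ranked


if __name__ == "__main__":
    for row in discover(PROXY_LOG):
        print(f"{row['risk']:>2} {row['category']:<24} {row['host']:<36} "
              f"users={','.join(row['users'])} up={row['upload_bytes']}")
```

Upload volume is tracked separately from total bytes because, for shadow IT, the question is what left the organisation, not what was fetched; the 55 MB software update in the sample ranks low for exactly that reason.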
cloud identity management
A complete CASB vendor either provides an integrated identity management solution or integrates with the existing identity provider (for example via SAML single sign-on) to enable secure authentication across all cloud apps. Organizations can also require stronger authentication, such as a second factor, for logins the CASB flags as suspicious.