There is a lot of chatter in the market about Cloud Access Security Brokers (CASBs) - so much so that it can be tough to frame each vendor’s functionality and decide what’s important. Fortunately, folks like Gartner* have done the tough work for us and have grouped CASB functionality into four pillars. Let’s take a look at each and offer some concrete examples of what a comprehensive CASB provides.
- “Visibility — CASBs provide shadow IT discovery and sanctioned application control, as well as a consolidated view of an organization's cloud service usage and the users who access data from any device or location.”
Essentially, CASBs answer the question of who’s doing what in the cloud. There are two main use cases: sanctioned apps and Shadow IT (unsanctioned apps).
Visibility is a large gap in many sanctioned applications, with few providing even basic audit or activity logs. CASBs help fill these gaps by providing not only audit-level logging, but alerts and reports that up-level those logs into actionable security intelligence. For example, a CASB should be able to tell you that “Steve” is simultaneously attempting to log into Salesforce from San Francisco and into Box from New York - an indicator of a potential credential compromise.
Shadow IT discovery helps a CASB identify high risk traffic leaving the corporate network. Leading CASBs provide an overall assessment of risky traffic - including not only Shadow IT, but malware, anonymizers, and several other categories of traffic indicative of data exfiltration. An example might be that Eleanor is using a high risk file sharing application (as determined by several risk categories tracked by the CASB vendor), and that Jeremy’s machine is acting as a Tor endpoint on the corporate network. In both cases, the organization is armed with what it needs to take action and, in the case of the file sharing application, may decide to safely enable it through use of a CASB.
- “Compliance — CASBs assist with data residency and compliance with regulations and standards, as well as identify cloud usage and the risks of specific cloud services.”
Organizations in regulated industries are no different than others in that cloud applications offer compelling benefits for both the organization and for the employee. Since most SaaS vendors don’t offer the appropriate visibility and data protection tools to remain compliant with regulatory mandates, CASBs help fill in the gaps. For example, a CASB can provide logs for audit purposes, can encrypt sensitive data-at-rest to protect against breach, and can enforce data leakage prevention policies to control access to regulated data.
- “Data security — CASBs provide the ability to enforce data-centric security policies to prevent unwanted activity based on data classification, discovery and user activity monitoring of access to sensitive data or privilege escalation. Policies are applied through controls, such as audit, alert, block, quarantine, delete and encrypt/tokenize, at the field and file level in cloud services.”
CASBs are able to monitor access to data, and vary the level of access to ensure that it is risk appropriate. Leading CASBs can provide both contextual access control and data leakage prevention - two key tools in determining what types of controls to apply to corporate data (such as encryption, quarantine, watermark/track, etc).
Contextual access control governs the level of access that a user has to an application given several contextual variables - things like role, device, geography, etc. A common example policy would be to allow full access to an app like Office 365 from a managed device, but allow only email and web (blocking OneDrive Sync clients) from unmanaged BYOD devices. Such a policy allows the user to be productive on all devices, but minimizes the amount of sensitive data that is automatically downloaded to an unmanaged device.
Data leakage prevention takes a look at the data actually being accessed, and makes decisions in conjunction with an access control engine. For example, a CASB might quarantine a spreadsheet that contains customer data and that is being shared outside of the organization. Or, it might redact sensitive content or apply digital rights management to a file being downloaded to a BYOD device.
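The two policies above can be sketched as one decision function. This is an added example, not code from any CASB product or from the original post; the `Request` fields, the client labels, and the use of SSN-shaped strings as a stand-in for "customer data" are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Assumption: "customer data" is approximated by US SSN-shaped strings.
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

@dataclass
class Request:
    app: str                 # e.g. "office365"
    client: str              # "web", "email" or "sync" (hypothetical labels)
    device_managed: bool
    action: str              # "access", "download" or "share"
    external: bool = False   # share recipient is outside the organization
    content: str = ""

def decide(req: Request):
    """Return (verdict, content); content is empty unless it is released."""
    # Contextual access control: unmanaged devices get web and email only,
    # so a sync client on BYOD is refused before any content is inspected.
    if not req.device_managed and req.client not in ("web", "email"):
        return "block", ""
    sensitive = bool(SSN.search(req.content))
    # DLP: what the data contains, combined with context, selects the control.
    if req.action == "share" and req.external and sensitive:
        return "quarantine", ""
    if req.action == "download" and not req.device_managed and sensitive:
        return "redact", SSN.sub("[REDACTED]", req.content)
    return "allow", req.content

# Constructed sample content and requests.
SHEET = "name,ssn\nA. Customer,123-45-6789"

def demo():
    cases = {
        "managed sync": Request("office365", "sync", True, "access"),
        "byod sync": Request("office365", "sync", False, "access"),
        "external share": Request("office365", "web", True, "share", True, SHEET),
        "byod download": Request("office365", "web", False, "download", False, SHEET),
    }
    return {name: decide(req)[0] for name, req in cases.items()}

if __name__ == "__main__":
    print(demo())
```

The access check runs before content inspection, so the same spreadsheet downloads intact to a managed device and redacted to a BYOD device.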
- “Threat protection — CASBs prevent unwanted devices, users and versions of applications from accessing cloud services. Other examples in this category are user and entity behavior analytics (UEBA), the use of threat intelligence and malware identification.”
Most major cloud vendors spend more on security infrastructure and personnel than the typical enterprise can ever hope to, but their scope of responsibility does not extend to all cloud problems. Specifically, CASBs provide protection against threats related to user behavior and use of corporate data - threats that aren’t typically handled by cloud app vendors. Common examples here might be the aforementioned login from geographically diverse locations by “Steve.” Another example might be a sales rep that normally logs into Salesforce and updates some data in his or her accounts, but then one day logs in and attempts to download the entire company contact database to his/her BYOD device - a CASB should be able to thwart such risky activity in real time.
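The "Steve" login example, from both the visibility and threat protection discussions, comes down to correlating logins across applications and checking whether the implied travel speed is plausible. The sketch below is an added example, not from the original post or any vendor; the event fields, the 900 km/h ceiling, and the 50 km geolocation tolerance are assumptions, and the events are constructed.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900.0   # assumption: roughly commercial flight speed
MIN_KM = 50.0     # assumption: ignore small geo-IP jitter

def km_between(a, b):
    """Great-circle (haversine) distance in km between (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(events, max_kmh=MAX_KMH):
    """Flag consecutive logins by one user, across any apps, whose
    distance and time gap imply a speed above max_kmh."""
    alerts, last = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        prev = last.get(ev["user"])
        if prev:
            km = km_between(prev["geo"], ev["geo"])
            hours = (ev["time"] - prev["time"]).total_seconds() / 3600
            if km > MIN_KM and (hours == 0 or km / hours > max_kmh):
                alerts.append((ev["user"], prev["app"], ev["app"], round(km)))
        last[ev["user"]] = ev
    return alerts

SF, NY = (37.7749, -122.4194), (40.7128, -74.0060)

# Constructed sample events: Steve appears in two cities two minutes apart;
# Jeremy's logins are eight hours apart, which a flight could explain.
SAMPLE_EVENTS = [
    {"user": "steve", "app": "salesforce", "geo": SF, "time": datetime(2016, 1, 5, 9, 0)},
    {"user": "steve", "app": "box", "geo": NY, "time": datetime(2016, 1, 5, 9, 2)},
    {"user": "jeremy", "app": "box", "geo": SF, "time": datetime(2016, 1, 5, 8, 0)},
    {"user": "jeremy", "app": "salesforce", "geo": NY, "time": datetime(2016, 1, 5, 16, 0)},
    {"user": "eleanor", "app": "office365", "geo": SF, "time": datetime(2016, 1, 5, 9, 0)},
    {"user": "eleanor", "app": "box", "geo": SF, "time": datetime(2016, 1, 5, 9, 1)},
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_EVENTS):
        print("impossible travel:", alert)
```

Because the check keys on the user rather than the application, it only works when logs from every sanctioned app feed one place, which is the consolidated view the visibility pillar describes.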
*Market Guide for Cloud Access Security Brokers by Craig Lawson, Neil MacDonald, and Brian Lowans, October 22, 2015.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.