A Cloud Access Security Broker (CASB) is a policy enforcement point that delivers data and threat protection in the cloud, on any device, anywhere.

There are three requirements for a CASB vendor:

  • Management: Visibility and clean-up after high-risk events
  • Security: Preventing high-risk events such as data leakages and threat intrusions
  • Zero-Day Protection: Protection from known and unknown data leakage risks and malware threats

Correspondingly, there are three types of CASB:

  • API-Only, which deliver only management. Such CASB use API access to SaaS apps to remediate after data-leakage events.
  • Multi-mode First-Gen, which deliver management and security, but not Zero-Day protection. Such CASB offer signature-based protection for known data leakage paths and a fixed set of applications.
  • Multi-mode Next-Gen, which deliver management, security and Zero-Day protection. Such CASB dynamically adapt to deliver protection for known and unknown data leakage risks and malware threats, on any app.

API-Only CASB Architecture

API-only CASB offer management capabilities by remediating data-leakage events after the fact via the APIs provided by some applications.

API CASB operate “out-of-band”, not in real time. Users directly access cloud apps and data from any device, managed or unmanaged, without restriction or control. API CASB use the applications’ API to analyze the data-at-rest in the cloud. Based on policies set by the administrator, files that are in violation may trigger logging and alerts for visibility. Alternatively, files that are in violation may be quarantined, or have sharing permissions revoked.
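The out-of-band scan described above, as an added sketch that is not code from any CASB product: it walks a constructed file inventory, flags card numbers in data at rest, and reports how long a shared file stayed exposed before the scan ran. The inventory fields, the card-number rule and the action mapping are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed inventory standing in for a SaaS file-listing API response.
FILES = [
    {"id": "f1", "sharing": "private", "shared_at": None,
     "content": "Roadmap draft, nothing sensitive."},
    {"id": "f2", "sharing": "public_link", "shared_at": datetime(2024, 1, 10, 9, 0),
     "content": "Jane Doe,4111 1111 1111 1111"},   # industry test card number
    {"id": "f3", "sharing": "private", "shared_at": None,
     "content": "card 4111-1111-1111-1111 on file"},
    {"id": "f4", "sharing": "public_link", "shared_at": datetime(2024, 1, 10, 11, 30),
     "content": "order 1234 5678 9012 3456"},       # 16 digits, fails Luhn
]
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")  # 16 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum, used to drop 16-digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def violates(text):
    """True when the text holds at least one Luhn-valid 16-digit number."""
    return any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text))

def scan(files, scan_time):
    """Out-of-band pass over data at rest: pick an action per violating file."""
    findings = []
    for f in files:
        if not violates(f["content"]):
            continue
        if f["sharing"] == "public_link":
            # Assumed policy: exposed data gets its sharing revoked. The file
            # was reachable from share time until this scan ran.
            findings.append((f["id"], "revoke_sharing", scan_time - f["shared_at"]))
        else:
            # Assumed policy: private violations are quarantined, no exposure.
            findings.append((f["id"], "quarantine", None))
    return findings

if __name__ == "__main__":
    for fid, action, exposed in scan(FILES, datetime(2024, 1, 11, 2, 0)):
        print(fid, action, "exposed for", exposed)
```

The exposure value on each revoked file is the gap an out-of-band scan cannot close: remediation happens only after the data has already been reachable.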

Strengths:

  • Visibility & DLP remediation on data at rest after breach & compliance violations

Weaknesses:

  • No Real-time protection
  • No Mobile data protection
  • No Threat protection
  • No Zero-day App Control
  • No Zero-day Threat protection
  • No Identity Control

Multi-Mode First-Gen CASB Architecture

Multi-mode First-Gen CASB offer both API mode and proxy mode. Operating in proxy mode typically requires an agent on every device, and is not suitable for unmanaged personal devices. Proxy agents may also interfere with existing infrastructure such as Secure Web Gateway proxies. Multi-mode First-Gen CASB can also identify “ShadowIT” cloud applications used in the enterprise, by checking against a manually curated index of cloud applications.

Strengths:

  • API visibility and control of data-at-rest
  • ShadowIT analysis with manual index

Weaknesses:

  • Requires proxy agents on every device
  • No agentless mode
  • No Mobile Data Protection
  • No Zero-Day App Control
  • No Zero-Day Threat Protection
  • No Identity Control

Multi-Mode Next-Gen CASB Architecture

Multi-mode Next-Gen CASB deliver management, security and Zero-Day protection. Such CASB dynamically adapt to deliver protection for known and unknown data leakage risks and malware threats, on any app. Such CASB have dual architectures and can operate in agent-based or agentless mode. Agentless mode enables rapid deployment, and is fully interoperable with existing infrastructure such as Secure Web Gateways.

Strengths:

  • API+Forward Proxy + Reverse-Proxy + Active-Sync Proxy + SAML Proxy
  • Zero-Day real-time control of any managed app
  • Zero-Day read-only control of any unmanaged app
  • Zero-Day real-time agentless AJAX-VM on any device
  • Zero-Day threat protection
  • Searchable, sortable cloud encryption
  • Custom app support
  • API visibility and control of data-at-rest
  • Agentless Mobile Security
  • Integrated identity control
  • Automated ShadowIT analysis w/100k+ apps