What is a cloud access security broker?
A cloud access security broker, also known as a CASB, is a cloud-delivered security service that ensures the safe usage of cloud applications and services to prevent accidental data leakage. It is primarily used for controlling the use of SaaS applications, but it can often also cover parts of a cloud service provider's offering, such as S3 buckets in AWS.
Why do we need CASB?
The adoption of SaaS applications has fundamentally changed the way employees do their jobs and accomplish their corporate goals. The majority of this uptake was driven by the ease of adoption, collaboration, and sharing that these applications make possible. The downside of faster adoption and greatly expanded collaboration is a growing set of risks that are often beyond the experience and knowledge of the employees adopting the applications. Unfortunately, it is impossible to train every employee to consistently use security best practices with SaaS applications at all times, and that can lead to costly mistakes for the organization.
The traditional approach to solving this is to add a CASB as a separate overlay to report on SaaS usage and provide some level of control. Unfortunately, such an overlay is usually independent of the rest of the organization's security offerings and becomes yet another separate data protection function, adding unneeded complexity without solving the key challenges of SaaS usage.
Some of those challenges include:
- Accidental data exposure—Because SaaS applications are built for sharing, it’s common for users to inadvertently share critical business data without knowing it.
- Malicious intent—SaaS applications can be a conduit for data theft, data exposure, or malware propagation if left unchecked.
- Compliance violations—SaaS usage is spread across applications and groups, making unified assurance very difficult, if not impossible.
In short, CASBs help prevent the exposure of data, whether accidental or intentional.
What the analysts say…
In its 2018 Magic Quadrant for Cloud Access Security Brokers, Gartner predicted that by 2022, 60 percent of large enterprises will use CASBs, up from the 20 percent that used them at the end of 2018.
That’s because CASB technology delivers dedicated services for SaaS visibility and control of data exposure, which requires looking not only at traffic that is inline (in motion) but also at data at rest within the SaaS application. This requires specific API-based access to the SaaS applications to look inside the cloud, determine the risk of data exposure, and automatically correct it. Unlike premises-focused security products, CASBs are designed to identify and protect data that’s stored in someone else’s systems. CASBs provide a central location for policy and governance concurrently across multiple cloud services, for users and devices, and granular visibility into and control over user activities and sensitive data.
Also according to Gartner, CASB coverage applies broadly across the software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) cloud service delivery models. For SaaS coverage, CASBs commonly work with the most popular content collaboration platforms (CCPs), CRM systems, HR systems, ERPs, service desks, office productivity suites and enterprise social networking sites. Some CASBs extend support to less-common SaaS applications through custom plug-ins or automated learning of application behavior. For IaaS and PaaS coverage, several CASBs govern the API-based usage (including console access) of popular cloud service providers (CSPs) and extend visibility and governance to applications running in these clouds.
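The API-based, at-rest inspection described above (look inside the SaaS application, determine the risk of data exposure, correct it) can be sketched as follows. This is an added example, not code from the original page or from any vendor: the record fields, the `corp.example` domain, the remediation action names and the sample files are all constructed, and a real CASB would pull this metadata through each SaaS provider's API.

```python
import re

CORP_DOMAIN = "corp.example"  # assumed tenant domain (hypothetical)
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")  # 13-19 digit runs
REMEDIATION = {"public_link": "revoke_public_link",  # hypothetical action names
               "external_collaborator": "remove_external_collaborators"}

# Constructed sample of sharing metadata plus extracted text, standing in for
# what an out-of-band scan would fetch via a SaaS API. Card values are test numbers.
FILES = [
    {"id": "f1", "link": "public", "shared_with": [], "text": "Q3 roadmap draft"},
    {"id": "f2", "link": "public", "shared_with": [], "text": "card 4111 1111 1111 1111"},
    {"id": "f3", "link": "none", "shared_with": ["bob@partner.example"],
     "text": "payroll 4012888888881881"},
    {"id": "f4", "link": "none", "shared_with": ["ana@corp.example"],
     "text": "card 4111111111111111"},
    {"id": "f5", "link": "public", "shared_with": [], "text": "ref 1234 5678 9012 3456"},
]

def luhn_ok(number):
    """Luhn checksum: discards digit runs that are not valid card numbers."""
    digits = [int(c) for c in reversed(number) if c.isdigit()]
    doubled = [d * 2 - 9 if d > 4 else d * 2 for d in digits[1::2]]
    return (sum(digits[0::2]) + sum(doubled)) % 10 == 0

def has_card_number(text):
    return any(luhn_ok(m.group()) for m in CARD_RE.finditer(text))

def exposure(f):
    """Return the ways a file is reachable from outside the organization."""
    ways = []
    if f["link"] == "public":
        ways.append("public_link")
    if any(not r.endswith("@" + CORP_DOMAIN) for r in f["shared_with"]):
        ways.append("external_collaborator")
    return ways

def scan(files):
    """Flag files that are both exposed and sensitive; propose a fix for each."""
    findings = []
    for f in files:
        ways = exposure(f)
        if ways and has_card_number(f["text"]):
            findings.append({"id": f["id"], "exposure": ways,
                             "actions": [REMEDIATION[w] for w in ways]})
    return findings

if __name__ == "__main__":
    print(scan(FILES))
```

Only files that are both externally reachable and contain a checksum-valid card number are flagged, so the internal-only file and the public file with a random digit string produce no finding.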
How Zscaler does CASB
Zscaler CASB enables organizations to securely adopt and govern the use of multiple SaaS applications. It provides real-time visibility and controls access and user activity across sanctioned and unsanctioned applications. The fully integrated platform eliminates overlay architectures and simplifies policy creation and administration, ensuring data is protected and compliance is maintained. Zscaler provides:
- Inline data protection (data in motion)—Zscaler CASB inline capabilities eliminate overlay architectures and proxy-chaining, which often break SWG implementations. The platform eliminates redundancies, as traffic has to be forwarded, decrypted, and inspected just once for policy to be applied on a per-user basis.
- Out-of-band data protection (data at rest)—Zscaler CASB out-of-band capabilities look inside the SaaS applications themselves through API integrations to identify accidental or intentional data exposure and compliance violations that would otherwise go unnoticed.
Zscaler CASB checks SaaS applications and cloud providers' configurations and compares them to industry and organizational benchmarks to report on violations and automate remediation. It also checks SaaS applications for hidden threats being exchanged and prevents their propagation. Zscaler CASB provides compliance visibility across SaaS and cloud providers and can mitigate violations automatically.
The Zscaler Cloud Security Platform provides unified data protection with DLP and CASB capabilities for internet, data center, and SaaS applications, and ensures that public cloud applications are configured to prevent data exposure and maintain compliance.