What is a cloud access security broker (CASB)?
A cloud access security broker, also known as a CASB, is a cloud-delivered cybersecurity service that ensures the safe use of cloud computing applications and services to prevent accidental (or intentional) leakage of sensitive data, malware infection, regulatory noncompliance, and lack of visibility. It secures cloud applications, whether they are hosted in public clouds (IaaS), private clouds, or as software-as-a-service (SaaS) applications. In the beginning, the most common use case for CASBs was to expose the use of shadow IT—unsanctioned applications being used without the IT team’s knowledge and approval
Why is CASB needed today?
As organizations have adopted cloud services, CASB has become critical to enterprise security for its variety of functions related to cybersecurity, access controls, and data protection. With so many business-critical applications in the cloud, including Microsoft 365, Salesforce, ServiceNow, and many other cloud platforms, network security tools, like firewalls in the data center, have become increasingly ineffective.
While IT once controlled every application available to enterprise employees, the self-serve market for productivity applications—enabled by the cloud—has exploded, and people are free to use the applications of their choice that best serve their needs. While this freedom is great for productivity, it complicates IT's ability to apply security policies to data access.
CASB is the solution for control over cloud apps and corporate data, and has become the means by which organizations maintain security over data in motion to, and at rest within, cloud platforms and applications. By sitting inline via proxy and integrating with SaaS applications via API, CASBs can apply security policies in real time and out of band, providing shadow IT control, cloud data loss prevention (DLP), advanced threat protection (ATP), and SaaS security posture management (SSPM).
According to analysts from Gartner and elsewhere, every enterprise with a significant cloud presence needs a cloud access security broker (CASB) to protect its cloud-based data.
How CASBs work
CASB solutions can take the form of on-premises hardware or software, but they are best delivered as a cloud service so that scalability, cost, and management challenges can be avoided. A purpose-built cloud proxy architecture is the right underlying foundation upon which a CASB vendor’s offering should be built, because they need to operate in the data path (this is typically done via forward proxy, as reverse proxies regularly suffer from breakages). Before a request is sent to a cloud service, it is intercepted by an intermediary—the proxy—which can instantly apply policies such as authentication via single sign-on (SSO), device posture profiling, encryption/tokenization, logging, alerting, malware detection, and more. However, as mentioned above, this must be paired with out-of-band security for data already at rest within the cloud (which is attained through integrations with cloud resources’ APIs).
Top use cases for CASB and Zscaler solutions
Discovering and controlling shadow IT: As employees store and share corporate files and data beyond IT’s purview within unsanctioned cloud applications, such apps represent a significant, hidden avenue for data leakage. Consequently, cloud usage must be understood and secured.
Zscaler CASB automatically discovers shadow IT in your organization, revealing the risky apps visited by users. Automated, easily configurable policies then enforce a variety of actions on individual apps and app categories relevant for data security. They can allow or block access, provide read-only access that prevents uploads, or restrict usage.
Securing non-corporate SaaS tenants: In many cases, employees simultaneously use a sanctioned instance and an unsanctioned instance of a single app, such as Google Drive. While your company must respond, a one-size-fits-all approach of either allowing or blocking Google Drive entirely can lead to one of two problems: inappropriate sharing of data or hampered productivity, respectively.
Zscaler CASB can easily distinguish between sanctioned SaaS tenants licensed by the enterprise and unsanctioned instances belonging to external parties, so that it can apply policy enforcement appropriately. Preconfigured SaaS tenancy controls deliver automated, real-time remediation.
Controlling risky file sharing: One of the great benefits of cloud apps is their ability to enable sharing and collaboration. As a result, security teams must be mindful of who is sharing what within sanctioned apps. Failure to do so can easily lead to risky parties gaining access to sensitive files and data.
Collaboration management is a key capability of any leading CASB. Through this functionality, Zscaler quickly and repeatedly crawls files within your SaaS tenant, identifying sensitive data, checking the users with whom it is shared, and responding to risky shares as needed by, for example, revoking shares automatically.
Remediating SaaS misconfigurations: When deploying and managing a cloud application, there are many configuration settings that must be properly applied in order to ensure that the app functions properly and securely. Where misconfigurations exist, security hygiene suffers and sensitive data can easily be exposed.
Zscaler SaaS Security Posture Management (SSPM) integrates with your SaaS tenants via API in order to scan for potentially costly misconfigurations that could jeopardize regulatory compliance. It’s one component of Zscaler Workload Posture along with cloud security posture management (CSPM) and cloud infrastructure entitlement management (CIEM).
Preventing data leakage: In addition to cloud resource misconfigurations that could enable data breaches and leakage, enterprises must identify and control sensitive data patterns in the cloud. From credit card and Social Security numbers (SSNs) to protected health information (PHI) and payment card industry (PCI) data, there is a vast amount of information that needs to be protected (and which is regulated under frameworks like HIPAA, PCI DSS, GDPR, and many others).
The Zscaler cloud-native security platform, the Zero Trust Exchange, provides unified data protection with cloud DLP and CASB capabilities. Zscaler can ensure that cloud applications are properly configured for stopping data loss and noncompliance, and can use advanced data classification techniques like exact data match (EDM) and indexed document matching (IDM) to identify and secure sensitive data wherever it goes.
Threat prevention: Malware and ransomware are deadly foes for any organization’s security. Once an infected file has made its way into one of an organization’s sanctioned cloud apps, it can quickly spread to connected apps as well as to other user devices on download. Consequently, companies need a way to defend against threats in real time at upload and at rest.
Zscaler’s CASB is complete with advanced threat protection (ATP) that can thwart malware’s advances. Real-time proxy is used to prevent malicious files from being uploaded to the cloud, while out-of-band functionality scans files already at rest and remediates threats. Cloud sandboxing can be used in both scenarios to identify even zero-day malware, while agentless cloud browser isolation can secure access from unmanaged endpoints (like BYOD) that often house malware.
What Gartner says about CASB
In its 2018 Magic Quadrant for Cloud Access Security Brokers, Gartner predicted that by 2022, 60 percent of large enterprises will use CASBs, up from the 20 percent that used them at the end of 2018.
According to Gartner, CASB coverage applies broadly across the software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS) cloud service delivery models. In other words, CASB has evolved far beyond securing SaaS apps alone, and can now secure a variety of offerings from other types of cloud service providers.
In recent years, CASB capabilities have been overlapping more and more with secure web gateway (SWG) capabilities, with both being considered essential to enterprise security. In part because of this convergence, Gartner coined the term secure access service edge (SASE), a framework that refers to cloud-delivered security offerings that provide integrated functionality, such as CASB, SWG, zero trust network access (ZTNA), and more. SASE platforms deliver consistent, comprehensive protections across the IT ecosystem, delivering services at the "edge," closer to users for a faster, more seamless experience. At the same time, SASE streamlines security services and management for admins.
A final word about multimode CASB
As mentioned, the original CASB use case was shadow IT discovery, but the technology has evolved considerably.
CASBs come in proxy-based deployment modes whereby they can provide inline policy enforcement that stops leakage and malware in real time. However, they also integrate with application programming interfaces (APIs) to scan SaaS apps’ contents so they can find and respond to sensitive data patterns as well as threats such as ransomware. More recently, API integrations have been used for SaaS security posture management (SSPM), by which CASBs remediate misconfigurations within applications.
Today, leading CASBs provide all of this functionality and are known as “multimode CASBs,” which means that both proxy and API-based deployment modes are available. They also go beyond securing SaaS to provide protections for IaaS offerings, including Azure and AWS S3. Additionally, rather than deploying a CASB as yet another point product, organizations should select their CASB as a part of one comprehensive cloud security platform, in keeping with Gartner’s vision for SASE, to ensure consistent security, enhanced performance, and consolidated ease of management for admins.