Cloud Access Security Brokers (CASB), it’s a mouthful to say so just stick to the acronym from here on out. But make no mistake, if you deal with the cloud at all (and these days who isn’t?) then you’re going to want to pay close attention because there’s a new sheriff in town and it’s not messing around.
CASB is not any old cloud security software. It can be hosted in the cloud or on premise and acts as a controller or gatekeeper of sorts that supports continuous visibility, compliance, threat management and of course, security. So important is this emerging technology that Gartner has already proclaimed that in a mere 4 years over 85% of all business using cloud services of some sort will require CASB. For comparison, it was estimated that only 5% of business utilised some sort of CASB in 2015. That’s massive jump in just 4 years.
The lay of the land
The current security landscape has seen a “SaaS security gap”. As more and more company data is moved to the cloud and companies embrace the BYOD (bring your own device) movement, admins and execs alike watch helplessly as their existing security protocols and policies are circumnavigated in some fashion. The natural response of course was for companies to tighten up ranks and put up great firewalls that block access to cloud services like Dropbox. Employees then seek out newer, potentially less secure, cloud services that have not been blocked. It’s like an arms race where no one wins. Employees are left frustrated while companies are left exposed.
CASB aims to bridge the chasm that is growing between company security and employee convenience by providing an identifiable and safe way to accomplish the goals of both parties.
Gartner weighs in
Gartner judges CASB’s using four criteria. Good and effective CASB’s must give the company visibility to its users, data, services and general going-ons within its network. It must also ensure that all file content is compliant with stated company policies and regulations. It must add to the overall security of the data in the network. Finally, it must be able to identify and analyse any threats to the network which includes compromised account and malicious usage.
When implemented CASB’s offer an almost instant return on investment as it seeks out hidden cloud services that may be running in the background, then it determines who is collecting the data, how such a program puts the company at risk and what data is being harvested. CASB also provides organisations with the ability to categorise, evaluate and carefully select the right cloud service for them. Furthermore, they can not only encrypt and tokenize certain files when uploaded to the cloud but can filter out certain pieces of data from ever reaching the cloud altogether. This includes putting in place policies to identify potential data leakage and preventing the action in the first instance. For example, a confidential spreadsheet being emailed from Dropbox or OneDrive by an employee. True to its gatekeeper image, CASB can also provide or prevent access depending on a users’s device location and OS.
While CASB can utilise all manners of log data and web proxies to peer into the flow of data, it is Gartner who names proxies and APIs as the deployment architectures of choice. With a proxy-based deployment, CASB positions itself in between the end user and the cloud, acting exactly like a real life gatekeeper, where it can monitor and enforce inline policies and log audit trails with a comprehensive approach. API-based deployments allow CASBs to peer into end user activity and define policies, however vendors who offer this option, with today’s technology and architecture, are not able to extend their platforms properly. Meaning that significant investment in resources must first be committed to make a user’s architecture more robust before an API-based solution can be implemented.
CASB moving forward
Unsurprisingly the CASB market is currently packed with vendors both large and small trying to push their product forward and claiming to be the best, the most secure, capable of wall-to-wall threat prevention. So with all the clutter and noise how can you make the best choice? The number of cloud services CASB can detect and integrate with is a major factor to consider when shopping around. It can be the best CASB ever coded but if it can’t recognise the cloud service you need then there’s really no point is there? The number of attributes tracked is another tell-tale sign to watch out for. The more the better in this case as the CASB platform is able to pull in more data points and is able to do its “job” more completely. Finally, try to delve into which business-cloud services (think Office 365) it supports or plans to support in the future. You’re looking for a solution that is not only up to date but is willing to evolve with the times.
Like most services and products, customer traction is another great indicator (although not the be all and end all) that a CASB has “legs” and will survive changes in the vendor landscape over the next couple of years. A company like CloudLock, is a prime example of a CASB that has both the ability to do the job well and the customer traction to continue operations well into the next decade. Its world class features, easy to use solutions, compliant-enabling, its integration with cloud data storage malware protection products such as Check Point’s SandBlast and the fact that it is completely cloud-based, makes it that much more convenient to adopt.