Demystifying Security: Cloud Access Security Broker (CASB)

Cloud Access Security Broker (CASB)
© natali_mis – stock.adobe.com

One of the numerous challenges of modern IT is to provide secure, controlled, and seamless connection to enterprise resources from any type of mobile device. Users need to be able to connect from anywhere, most of the time from the Internet (i.e. outside of the controlled company perimeter), and for things to be as easy and transparent as possible to offer the best user experience without compromising security and privacy. 

 

As you learned in our previous “Demystifying Security” article on Virtual Private Networks (VPN), well-known, proven, and robust technology integrates well with the mobility world, allowing secure connections to behind-the-firewall internal back-end servers and resources like email, collaboration tools, database, CRM/ERM systems, etc. for either the whole device or only a sub-set of pre-approved corporate applications. 

 

But nowadays more and more customers are moving from on-premises infrastructures to cloud-based deployments, either fully or partially (hybrid deployment). In this case, access to cloud-based services or SaaS applications is simplified as these are already accessible from anywhere. 

 

It is still possible to control who and how they connect to these external resources using firewall, proxy servers etc. as long as they are located in the office, physically or virtually, using ethernet and/or Wi-Fi network with their desktop or mobile device. However, as soon as they leave, this control is gone. Using VPN is not an ideal option, as it would introduce a high latency due to the additional path for the data to travel, plus the cost and complexity of having to manage such an unusual setup. Plus, while VPN does offer a secure path/tunnel for data to transit, it does not monitor traffic/activity to detect potential malware or hazardous actions. 

 

This is where Cloud Access Security Broker (CASB) come into play. 

 

What is CASB?

CASB is an on-premises or cloud-based software that will act as an intermediary between the endpoints (e.g. a mobile app/device) and SaaS applications (e.g. Office 365, Salesforce.com, etc.). The CASB monitors traffic and allows organizations to enforce data protection and access control policies. Combined with a secure web gateway, it allows to control traffic from the Internet onto the cloud SaaS applications. 

 

Pillars of CASB

  1. Visibility 
    CASB allows monitoring data traffic between an organization and the cloud-based providers in order to determine any unusual access or suspicious behavior. For example, a user checking his email on Office 365 from New York City at 1 AM, but then supposedly logging into SalesForce at 2 AM from San Francisco would definitely be considered suspicious activity. 

  2.  Compliance 
    CASB can classify data, enabling compliance with current data laws and regulations like GDPR in EU. 
  3. Data Security
    CASB can provide access control using several parameters like IP address, (geo)location, device/OS type, etc. in order to restrict access to data stored on the cloud to only a certain type of device, specific locations (e.g. office, home office) to cloud-based services.

  4. Threat Protection 
    All data traffic is monitored and scanned in order to identify potential threats or malicious attempts to access corporate data while in transit. Data itself is “untouched” and remains protected and confidential all along the way. 

Why You Need a CASB

If using any SaaS application and/or cloud-based service, you might want to add specific access controls and data protection for all traffic for either your internal network or the Internet onto these services. 

 

Which CASB to Choose?

Most UEM vendors already offer CASB, secure web gateways, and other security mechanisms like Zero Trust to address these needs, and this will require little to no integration effort and no user disturbances. Please check with your Account Manager to determine the best option for you. 

 

Contact

Note: Please fill out the fields marked with an asterisk.

(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group