Remote work, cloud security, and SASE: Putting CASB to work in the real world

By Rich Korn | Jul 27, 2021 | 7:30 am CDT

As a popular cloud security technology, Cloud Access Security Broker (CASB) has garnered much attention recently due to its inclusion in the emerging Secure Access Service Edge (SASE) paradigm, but it remains poorly understood as a solution providing day-to-day value. Masergy has been working to address this disconnect by sharing CASB use cases in real-world settings along with insights into CASB’s unique capabilities in the modern security landscape. Here, we examine why CASB is essential, particularly in today’s world where cloud applications and remote work both dominate.

CASB: A brief overview

CASB is software that establishes a policy enforcement point between users and cloud-based applications. It monitors user behavior and enforces security policies governing cloud access in an organization. For example, with CASB in place, if an employee wants to use a Software-as-a-Service (SaaS) application remotely, he or she would need to go through the CASB solution to gain access and receive the user policy for that specific session. The CASB would proceed to monitor the user’s behavior and prevent actions that go against policy, such as downloading data to a personal device. Other aspects of CASB include single sign-on (SSO), Multi-Factor Authentication (MFA), Identity Access Management (IAM) integration to create customized user/group profiles, encryption, logging, malware protection, and more.

Understanding CASB’s fit with SASE

Uniting network services and security capabilities under a single SASE framework is an approach gaining strength because it addresses many of this era’s most urgent security requirements. Without digressing into a long discussion of SASE, understand that it provides connectivity and security for users, their devices, and corporate digital assets, regardless of where they are located, with the goals of improving application performance and improving security. To achieve these goals, SASE combines SD-WAN with CASB as well as other security features including Firewall-as-a-Service (FWaaS), Zero Trust Network Access (ZTNA), and secure web gateway. To learn more about SASE, here’s a Straight Talk Guide to SASE.

CASB is a natural fit for the SASE framework. It serves to restrict unauthorized access to cloud applications and data, which is one of SASE’s main purposes. CASB can enforce policies that uphold SASE’s overall security requirements. For example, CASB can block malware from penetrating the secure edge, identify account takeovers and record audit trails of suspicious behaviors. It provides continuous monitoring to protect cloud-hosted digital assets from improper use.

Drivers of CASB adoption

Multiple factors are coming together to drive a strong demand for CASB. Adoption is growing, and SASE is just the first reason why it’s catching on. The rise in Bring Your Own Device (BYOD) policies has also increased security risks for employees accessing cloud-based data. Plus, the use of SaaS solutions is exploding. In tandem, the pandemic has led to a boom in remote work that is becoming largely permanent even as pandemic strictures ease.

When home-based employees use personal devices on the public Internet to access sensitive corporate data in the cloud, that’s a formula for risk exposure. Old strategies that fit security neatly into the network box have less relevance today. For many clients there is no more network perimeter to protect corporate data assets from external users. We can no longer assume that the user’s device will be hardened or in-policy. It’s a potential free-for-all, with grave implications for protecting data and systems. Hence the need for CASB.

Use case example: CASB and Data Loss Prevention (DLP)

Imagine that an employee is at a coffee shop using her personal laptop on the shop’s public WiFi to log into Salesforce.com. With this move, she now has access to her employer’s entire customer list. Without CASB, she could theoretically download a vast amount of private corporate data onto her personal machine.

It’s bad enough to let sensitive information go onto a personal device that might be infected with malware. However, it could get a lot worse. What if the user isn’t who she claims to be? What if someone swiped her laptop from the coffee shop or used a stolen password to impersonate her? What if that employee is planning to leave the company? She would be a “trusted” employee now acting in a nefarious manner. Now, the data from Salesforce.com could be exfiltrated to anywhere, and no one would even know that anything had gone wrong.

To mitigate this risk, CASB can enforce Data Loss Prevention (DLP) policies. For example, a CASB agent running in the user’s browser can automatically interrupt any attempt to download data from Salesforce. It could obfuscate data fields that remote users are not supposed to see, such as those that contain Personally Identifiable Information (PII) or credit card numbers. Files can be encrypted, requiring further credentials every time the file is accessed, even after being downloaded.
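
The DLP behavior described above, sketched as an added example (it is not Masergy's, Forcepoint's or any CASB product's code): a session on a personal device is refused downloads and sees card numbers masked, while a managed device gets the full record. The `Session` fields, the verdict names and the mask format are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

@dataclass
class Session:            # hypothetical context a CASB evaluates per session
    user: str
    managed_device: bool  # device is enrolled and in policy
    mfa_passed: bool

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to avoid masking arbitrary digit runs (order ids etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_cards(text: str) -> str:
    """Replace Luhn-valid card numbers, keeping only the last four digits."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group())
        return "[CARD ****" + digits[-4:] + "]" if luhn_ok(digits) else m.group()
    return CARD_RE.sub(repl, text)

def decide(session: Session, action: str) -> str:
    """Return 'allow', 'mask' or 'block' for a 'view' or 'download' request."""
    if not session.mfa_passed:
        return "block"
    if session.managed_device:
        return "allow"
    # Personal device: no export of data, sensitive fields masked on view.
    return "block" if action == "download" else "mask"

def render(session: Session, action: str, record: str):
    """Apply the verdict to one record; None means the request was refused."""
    verdict = decide(session, action)
    if verdict == "block":
        return None
    return mask_cards(record) if verdict == "mask" else record

# Constructed sample record; 4111 1111 1111 1111 is a widely used test card number.
RECORD = "Acme Corp, order 1234567890123, card 4111 1111 1111 1111"
```
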

Smart strategies for CASB implementation

IT leaders enjoy a variety of implementation options for CASB. The best approaches are those that make CASB part of a broader security ecosystem. This could be a SASE solution, but it doesn’t have to be. It may be effective to make CASB part of a Defense-in-Depth (DID) strategy. This might mean connecting CASB with a secure SD-WAN, such as Masergy’s, as well as with solutions for end user and traffic visibility, such as Managed Detection and Response solutions. CASB does well when it integrates with identity management systems, especially when deploying CASB onto a device the company doesn’t control. In this case, some CASBs have granular settings where they will not interfere with a user’s personal apps.

Better still, the smartest strategies combine best-of-breed CASB technologies, like those from Forcepoint, with best-in-class security services. For instance, Masergy takes the CASB technology a step further with a comprehensive solution to proactively monitor and manage cloud application risk. It’s critical to monitor and quickly respond to SaaS security alerts before any damage is done. And it’s not always easy for companies to take on the responsibilities of security alert investigation, much less incident response. Masergy’s Security Operations Center (SOC) can assist with 24/7 alert monitoring, correlation with other data points, and incident response. This way you can stay focused on strategic activities.

Conclusion

CASB should be an essential part of one’s security strategy now and going forward. Employees will continue to work remotely, using personal devices and the public Internet to access SaaS applications. As part of a SASE program or as an element in defense in depth, CASB offers much-needed policy, customization, enforcement and DLP. Companies that do not yet have CASB should probably make it a priority. The threats and user patterns are not going to get any less challenging and risky in the future.

Learn more about CASB use cases in our webinar, “Expert Insights: Trends and Use Cases in CASB”