Cloud Access Security Brokers (CASBs) are go-to solutions for securing your cloud data and apps. However, because CASB technology offerings vary in their range of capabilities, it is important to determine if your solution can cover all of your intended use cases. Multi-mode CASB technologies are specifically designed to deliver broader protection, addressing a wider array of situations that can create security risk for organizations. Multi-mode CASB technologies support:
- A cloud-based reverse proxy for inline control of managed applications,
- API integrations for out-of-band discovery and remediation, and
- An on-device forward proxy for inline control of managed applications.
Masergy Managed CASB, powered by Bitglass, is a multi-mode CASB solution and one of several security technologies included in Gartner’s Secure Access Service Edge (SASE) framework.
CASB use cases
- Secure applications running on personal devices
When securing sensitive corporate data used by enterprise SaaS apps running on employees’ personal devices, a reverse-proxy CASB can handle that without requiring agents installed on those devices. This avoids employee privacy issues tied to agents while ensuring that corporate data stays safe. CASB technologies offer contextual access control that can allow, limit, or block access to managed cloud resources on unmanaged devices, as well as the ability to prevent data leakage and defend against malware automatically. Corporate data is protected in real time without ever touching the employee’s personal data on their device.
- Prevent data theft
Data Loss Prevention (DLP) is a must for any organization using cloud-based services. DLP requires the CASB to identify which data is sensitive enough to require special treatment, and to enforce policies that prevent unauthorized users from viewing or destroying that data. Typically, a CASB comes with prebuilt libraries of data patterns and lets you build your own set of custom data patterns to meet your needs. Using cloud service API integration, a CASB can encrypt and quarantine data at rest. Using inline proxy capabilities, it can perform enforcement actions on data in transit, such as redacting sensitive information in emails or applying Digital Rights Management (DRM) to files so that viewing them requires additional authentication. Additionally, a CASB can integrate with existing tools and policies, such as Identity and Access Management (IAM), to ensure consistent protection of data on premises and in the cloud.
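The "data patterns" described above are, in practice, regular expressions paired with a validator that cuts false positives before an enforcement action such as redaction is taken. The following Python is an added example, not Masergy or Bitglass code: it builds a small pattern library (a Luhn check on card-number candidates, a basic US SSN sanity check, an email pattern), scans a constructed email body, and redacts the hits. The pattern names, the sample text and the redaction marker format are all constructed for the example.

```python
"""Minimal DLP pattern library with validation and redaction (added example)."""
import re


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(ssn: str) -> bool:
    """Reject SSN-shaped strings whose area number is never issued (000, 666, 9xx)."""
    area = ssn[:3]
    return area not in ("000", "666") and not area.startswith("9")


# Constructed pattern library: name -> (regex, validator over the matched text).
PATTERNS = {
    "credit_card": (re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
                    lambda m: luhn_ok(re.sub(r"[ -]", "", m))),
    "us_ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_plausible),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), lambda m: True),
}


def scan(text: str) -> list:
    """Return validated findings as dicts: kind, value, start, end."""
    findings = []
    for kind, (rx, validate) in PATTERNS.items():
        for m in rx.finditer(text):
            if validate(m.group(0)):
                findings.append({"kind": kind, "value": m.group(0),
                                 "start": m.start(), "end": m.end()})
    return findings


def redact(text: str) -> str:
    """Replace each validated finding with a marker, working from the end so offsets stay valid."""
    out = text
    for f in sorted(scan(text), key=lambda f: f["start"], reverse=True):
        out = out[:f["start"]] + f"[REDACTED:{f['kind']}]" + out[f["end"]:]
    return out


# Constructed sample message: one real-format test card number (4111...), one SSN-shaped
# value, one 16-digit order number that fails Luhn, and one email address.
SAMPLE_EMAIL = ("Hi, my card is 4111 1111 1111 1111 and my SSN is 123-45-6789. "
                "Order 1234 5678 9012 3456 is ready. Contact jane.doe@example.com")

if __name__ == "__main__":
    for f in scan(SAMPLE_EMAIL):
        print(f["kind"], "->", f["value"])
    print(redact(SAMPLE_EMAIL))
```

The order number survives redaction because it fails the Luhn check even though it matches the card regex; that validator step is what keeps an inline redaction policy from mangling legitimate traffic.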
- Stop cloud malware and ransomware
A single contaminated file uploaded to the cloud can quickly proliferate throughout an entire enterprise by being downloaded to other devices or by spreading to connected apps. Since most cloud applications don’t provide built-in malware protection, this becomes an important use case that can be addressed by a CASB solution with advanced threat protection (ATP) using technologies from CrowdStrike, Bitdefender, or Cylance. CASB can leverage inline proxies to stop the flow of malware between the cloud and user devices in real time, and leverage API integrations to scan and quarantine infected files in the cloud.
- Detect and remediate unexpected user behavior
Sometimes account credentials get into the wrong hands or a legitimate user starts to access resources in a way that appears suspicious. An example would be a user accessing Salesforce from Russia five minutes after logging in to Office 365 from California. CASB lets you detect this unusual behavior through a combination of detailed activity logs and user and entity behavior analytics (UEBA). UEBA also identifies and responds when individuals log in at unusual times, download suspect amounts of corporate files, or exhibit suspicious access patterns to sensitive data. Upon detection of these behaviors, CASB can enforce remediation actions such as requiring the user to reauthenticate using multi-factor authentication (MFA), or blocking access completely.
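The "Salesforce from Russia five minutes after Office 365 from California" case is the classic impossible-travel rule that UEBA engines apply to activity logs. The Python below is an added example, not Masergy or Bitglass code: it reads a constructed activity log, computes the great-circle distance between each user's consecutive logins, and raises an alert with a suggested remediation when the implied speed exceeds a plausible threshold. The log format, the coordinates (a real CASB would derive them from the client IP with a geolocation database), the 900 km/h threshold and the remediation labels are all constructed assumptions.

```python
"""Impossible-travel detection over a constructed CASB activity log (added example)."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample log: timestamp, user, app, latitude, longitude.
# alice: San Francisco -> Moscow in five minutes (impossible).
# bob:   Los Angeles -> San Francisco in two hours (plausible).
SAMPLE_LOG = """\
2021-03-01T10:00:00Z,alice,Office 365,37.7749,-122.4194
2021-03-01T10:05:00Z,alice,Salesforce,55.7558,37.6173
2021-03-01T08:00:00Z,bob,Office 365,34.0522,-118.2437
2021-03-01T10:00:00Z,bob,Salesforce,37.7749,-122.4194
"""

MAX_PLAUSIBLE_KMH = 900.0  # constructed threshold: roughly airliner cruising speed


@dataclass
class Event:
    ts: datetime
    user: str
    app: str
    lat: float
    lon: float


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, app, lat, lon = line.split(",")
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            user, app, float(lat), float(lon)))
    return events


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance on a sphere of radius 6371 km."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_impossible_travel(events: list, max_kmh: float = MAX_PLAUSIBLE_KMH) -> list:
    """Compare each user's consecutive events; alert when the implied speed is impossible."""
    by_user = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            # Same-second events from two places are as impossible as very fast ones.
            implied_kmh = float("inf") if hours <= 0 and km > 0 else (km / hours if hours > 0 else 0.0)
            if implied_kmh > max_kmh:
                alerts.append({
                    "user": user,
                    "from_app": prev.app, "to_app": cur.app,
                    "distance_km": round(km, 1),
                    "minutes_apart": round(hours * 60, 1),
                    "implied_kmh": round(implied_kmh, 1),
                    # Constructed remediation label; a real CASB would map this to its own policy action.
                    "action": "step_up_mfa",
                })
    return alerts


if __name__ == "__main__":
    for a in detect_impossible_travel(parse_log(SAMPLE_LOG)):
        print(a)
```

Geolocation is noisy (VPN egress points, mobile carrier NAT), so a production rule usually pairs this check with device and session context before blocking outright; the step-up-to-MFA action the text mentions is the low-regret first response.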
- Encrypt data at rest
With CASB cloud encryption, corporate data in the cloud can be protected from unauthorized users. By providing organizations with control of their own encryption keys, CASB can even shield against the eyes of the cloud app vendors who store encrypted files. Field-level data in applications like Salesforce and ServiceNow can also be encrypted in the same fashion while still allowing filtering and sorting on those fields.
- Securely authenticate users
Today’s leading CASB solutions feature built-in group and user management via integration with Active Directory or other identity providers (IdPs), single sign-on (SSO) across all managed applications, and native multi-factor authentication (MFA). CASBs can log all authentication attempts, step up to MFA in risky contexts, and provision users with ease. Likewise, users exhibiting risky or suspicious behaviors can automatically be added to high-risk user groups that are secured with more stringent policies. For companies that prefer to use an existing IdP like Okta or Ping, leading solutions can simply integrate with them via SAML 2.0.
- Identify risky configurations for IaaS and SaaS
When you use Infrastructure-as-a-Service (IaaS) providers like AWS, Azure, and GCP, or SaaS providers like Salesforce and ServiceNow, you are given control of many settings that, if misconfigured, could compromise the security of your data and, in the case of IaaS, the security of your compute resources too. In November 2020, a vendor for popular travel websites disclosed that misconfigured AWS S3 cloud storage had exposed over 24 GB of files with personally identifiable information (PII) of users to cyber criminals for years. Leading CASB technologies include cloud security posture management (CSPM) and SaaS security posture management (SSPM) to address these issues for IaaS and SaaS, respectively. CSPM and SSPM detect misconfigurations as defined by compliance benchmarks like CIS, PCI DSS, and HIPAA, and by custom frameworks, and they can remediate some misconfigurations automatically. In addition, storage services like Amazon’s S3 can be scanned for sensitive data at rest (avoiding the issue of exposing PII to the public internet), and custom applications can have files and field-level data encrypted.
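What CSPM actually does for the S3 case above is evaluate each bucket's public-access-block settings, ACL grants and bucket policy against benchmark-style rules and then propose (or apply) a fix. The Python below is an added example, not Masergy or Bitglass code and not the CIS benchmark itself: it runs such rules over a constructed bucket inventory in a shape a scanner might have already collected from the cloud API, and returns findings plus a remediation plan. The inventory, the rule identifiers, the severities and the remediation action names are constructed; the four PublicAccessBlock keys and the two AllUsers/AuthenticatedUsers grantee URIs are the real AWS values.

```python
"""CSPM-style public-exposure check for S3 buckets over a constructed inventory (added example)."""

# Real AWS grantee URIs for the two canned groups that make an ACL "public".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Real S3 PublicAccessBlock setting names.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed inventory, as a scanner might have normalised it from the cloud API.
SAMPLE_INVENTORY = [
    {"name": "travel-bookings-backup",
     "public_access_block": {k: False for k in PAB_KEYS},
     "acl_grants": [{"grantee_uri": "http://acs.amazonaws.com/groups/global/AllUsers",
                     "permission": "READ"}],
     "policy": None, "default_encryption": None},
    {"name": "marketing-site-assets",
     "public_access_block": {k: False for k in PAB_KEYS},
     "acl_grants": [],
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::marketing-site-assets/*"}]},
     "default_encryption": "AES256"},
    {"name": "finance-exports",
     "public_access_block": {k: True for k in PAB_KEYS},
     "acl_grants": [], "policy": None, "default_encryption": "aws:kms"},
]


def _principal_is_wildcard(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def check_bucket(bucket: dict) -> list:
    """Evaluate one bucket; return findings as dicts (bucket, rule, severity, detail)."""
    name = bucket["name"]
    pab = bucket.get("public_access_block") or {}
    findings = []

    missing = [k for k in PAB_KEYS if not pab.get(k)]
    if missing:
        findings.append({"bucket": name, "rule": "s3-public-access-block", "severity": "medium",
                         "detail": "not enabled: " + ", ".join(missing)})

    for grant in bucket.get("acl_grants", []):
        if grant.get("grantee_uri") in PUBLIC_GRANTEE_URIS:
            # IgnorePublicAcls neutralises public ACL grants, so the exposure is only latent then.
            sev = "low" if pab.get("IgnorePublicAcls") else "high"
            findings.append({"bucket": name, "rule": "s3-acl-public-grant", "severity": sev,
                             "detail": f"{grant.get('permission')} granted to {grant['grantee_uri']}"})

    for stmt in (bucket.get("policy") or {}).get("Statement", []):
        if stmt.get("Effect") == "Allow" and _principal_is_wildcard(stmt.get("Principal")):
            # RestrictPublicBuckets limits a public policy to the account; a Condition needs review.
            sev = "low" if pab.get("RestrictPublicBuckets") else ("medium" if stmt.get("Condition") else "high")
            findings.append({"bucket": name, "rule": "s3-policy-public-principal", "severity": sev,
                             "detail": f"Allow {stmt.get('Action')} to Principal *"})

    if not bucket.get("default_encryption"):
        findings.append({"bucket": name, "rule": "s3-default-encryption", "severity": "medium",
                         "detail": "no default server-side encryption"})
    return findings


def scan_inventory(inventory: list) -> list:
    return [f for b in inventory for f in check_bucket(b)]


def remediation_plan(findings: list) -> list:
    """Map findings to constructed remediation actions an auto-remediation step could apply."""
    actions = {
        "s3-public-access-block": lambda f: {"action": "put_public_access_block",
                                             "config": {k: True for k in PAB_KEYS}},
        "s3-acl-public-grant": lambda f: {"action": "remove_acl_grant", "detail": f["detail"]},
        "s3-policy-public-principal": lambda f: {"action": "review_bucket_policy", "detail": f["detail"]},
        "s3-default-encryption": lambda f: {"action": "enable_default_encryption", "algorithm": "aws:kms"},
    }
    return [dict(bucket=f["bucket"], **actions[f["rule"]](f)) for f in findings]


if __name__ == "__main__":
    for f in scan_inventory(SAMPLE_INVENTORY):
        print(f"{f['severity']:6} {f['bucket']:24} {f['rule']:28} {f['detail']}")
```

Enabling the public access block is the one safe automatic fix here; removing a wildcard policy statement can break an intentionally public website bucket, which is why the plan marks it for review rather than deleting it.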
- Identify shadow IT and unmanaged app usage
Unmanaged cloud applications, known as shadow IT, allow employees to store and process corporate data in cloud applications that are not sanctioned by IT. By ingesting logs from on-premises routers and firewalls, a CASB solution can track the URLs of unsanctioned cloud-based apps that users are accessing, so that you can take the appropriate remediation actions.
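The log-ingestion step above reduces to: extract the destination host from each proxy or firewall record, decide whether it belongs to a sanctioned application, and aggregate what remains by users and bytes so the riskiest unsanctioned apps surface first. The Python below is an added example, not Masergy or Bitglass code: it does that over a constructed proxy log with a constructed sanctioned-domain list. Note that the domain match honours label boundaries, so a look-alike host such as notsalesforce.com is not mistaken for a sanctioned Salesforce host; the log format, hosts, users and byte counts are all constructed.

```python
"""Shadow-IT discovery from a constructed proxy/firewall log (added example)."""
from urllib.parse import urlsplit

# Constructed sanctioned list; a real deployment would pull this from the CASB's app catalogue.
SANCTIONED_DOMAINS = {"salesforce.com", "office.com", "sharepoint.com", "servicenow.com"}

# Constructed log: timestamp user url bytes_sent. For HTTPS a proxy typically sees only the
# hostname (from SNI or CONNECT), which is why the report keys on host rather than full URL.
SAMPLE_LOG = """\
2021-03-01T09:12:03Z alice https://login.salesforce.com/ 1024
2021-03-01T09:14:10Z alice https://www.dropbox.com/upload 5242880
2021-03-01T09:20:44Z bob https://notsalesforce.com/export 2048
2021-03-01T09:25:01Z bob https://www.dropbox.com/upload 10485760
2021-03-01T09:30:00Z carol https://contoso.sharepoint.com/sites/hr 4096
2021-03-01T09:41:17Z carol https://we.tl/t-abc123 734003
"""


def is_sanctioned(host: str, sanctioned: set = SANCTIONED_DOMAINS) -> bool:
    """Exact match or a proper subdomain; 'notsalesforce.com' must not match 'salesforce.com'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in sanctioned)


def parse_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, url, nbytes = line.split()
        host = urlsplit(url).hostname or ""
        records.append({"ts": ts, "user": user, "host": host, "bytes": int(nbytes)})
    return records


def shadow_it_report(records: list, sanctioned: set = SANCTIONED_DOMAINS) -> list:
    """Aggregate unsanctioned hosts by distinct users, requests and bytes sent, largest first."""
    agg = {}
    for r in records:
        if not r["host"] or is_sanctioned(r["host"], sanctioned):
            continue
        entry = agg.setdefault(r["host"], {"host": r["host"], "users": set(), "requests": 0, "bytes": 0})
        entry["users"].add(r["user"])
        entry["requests"] += 1
        entry["bytes"] += r["bytes"]
    return sorted(agg.values(), key=lambda e: (e["bytes"], len(e["users"])), reverse=True)


if __name__ == "__main__":
    for e in shadow_it_report(parse_log(SAMPLE_LOG)):
        print(f"{e['host']:22} users={len(e['users'])} requests={e['requests']} bytes={e['bytes']}")
```

Bytes sent, rather than request count, is the useful ranking key here because uploads to an unsanctioned file-sharing host are where corporate data actually leaves; the user set tells you whether it is one person or a team that needs a sanctioned alternative.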