Your Comprehensive Guide to CASB (Cloud Access Security Broker)

What is CASB?

Cloud Access Security Broker (or CASB, pronounced “Kaz-BEE”) solutions are complex software systems that act as automated security mediators between users and cloud service providers. Designed for businesses with users who access cloud-based data and services, a CASB blocks those users from accessing and installing unauthorized software as a service (SaaS) applications. Blocking users from unauthorized cloud apps with CASB helps to mitigate cybersecurity risks.

What does CASB stand for?

CASB is an acronym for “Cloud Access Security Broker,” a term first used by Gartner industry analysts in 2011. Due to the rapid adoption of cloud-based infrastructure such as Amazon Web Services (AWS) and software as a service (SaaS) apps in the enterprise, CASB solutions were required by business IT leaders to automate the enforcement of consistent cybersecurity policies across multiple cloud service providers.

What risks does CASB address?

According to Gartner and other industry analysts, the majority of businesses use at least two different cloud service providers. Cloud services—whether they are custom line of business apps hosted in AWS or cloud-based productivity apps such as Microsoft 365 or Google Workspace—deliver agility to a business because these enterprise-grade services are available to anyone on demand, sometimes without corporate IT knowing the services are in use at the company. The on-demand ease of procuring cloud services gave rise to “shadow IT,” where users install unsanctioned software on company IT assets and thereby increase the attack surface hackers can use to access corporate IT systems.

A CASB solution protects businesses against these cybersecurity risks by blocking shadow IT installations and encrypting data if needed. In addition, a CASB can enforce a business’ specific data security and compliance policies to help mitigate accidental and intentional data leaks (known as “data loss prevention” or DLP) to and from the cloud. CASBs also act as an important line of defense for organizations with remote work and bring your own device (BYOD) policies, as the CASB extends security policies to employee devices connecting to corporate networks and multiple cloud resources from outside a corporate office, such as public WiFi, mobile internet via LTE and 5G, and home broadband.

How does CASB work?

At a high level, CASB solutions control business user access to cloud-based assets in three steps:

  1. Connect to a cloud service via a proxy or an application programming interface (API) to enable intermediary communication between the cloud and the business
  2. Provide deep visibility into the communication between the cloud and the business users. Visibility is accomplished either by the CASB’s native identity and access management (IAM) system or integration with common corporate IAM systems such as Microsoft Active Directory
  3. Enforce the business’ IT security policies, such as blocking unsanctioned SaaS app installs, detecting excessive login attempts to view financial data and alerting IT, applying encryption to sensitive data, et cetera

How do you choose a CASB vendor?

According to industry analysts at Gartner, there are three key criteria for selecting a CASB vendor:

  1. Provide visibility & control: Does the CASB continuously monitor sensitive data flows to and from the cloud, identify shadow IT, then either recommend or automatically take appropriate action to remediate? For example, the Masergy Managed CASB solution is powered by Bitglass, named in 2020 as a Leader in the Gartner Magic Quadrant for CASB report for the third year in a row. Masergy Managed CASB solutions can integrate into Masergy Managed SD-WAN Secure connectivity that brings together Shadow IT Discovery and granular network security analytics to automate real-time remediation.
  2. Enact consistent security policies: Related to the visibility and control criteria, it is crucial for any good CASB to enact consistent IT security policies for cloud apps. Masergy Managed CASB solutions allow IT managers to govern access to apps and data at an extremely granular level. For example, Masergy Managed CASB solutions can enable your finance team to access sales and marketing data for report creation, but block the marketing and sales teams from accessing sensitive finance data. This consistent policy enforcement can also extend to geographic regions, so that Masergy Managed CASB would alert IT if a finance team member that normally works from their desktop in the Chicago office tries to log in from a laptop in an apartment in North Korea.
  3. Mobility: Since the 2020 pandemic, many businesses have empowered their employees with more work from home options. But a good CASB should enable true “work from anywhere” secure remote access. Masergy Managed CASB solutions secure any employee’s mobile device—laptop, tablet, or smartphone—without the need for IT intervention.
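
The enforcement step under "How does CASB work?" and the access-policy criterion above can be pictured as a small rule evaluator. This is an added illustration, not code from any CASB vendor or product; the app names, groups, users, locations, thresholds and event fields are all constructed assumptions.

```python
from collections import defaultdict, deque

# Every name, group, app and threshold here is constructed for illustration.
SANCTIONED_APPS = {"microsoft365", "google-workspace"}
DATA_ACCESS = {  # group -> data categories it may read
    "finance": {"finance", "sales", "marketing"},
    "sales": {"sales", "marketing"},
    "marketing": {"sales", "marketing"},
}
USUAL_LOCATION = {"alice": "Chicago"}  # per-user baseline location
MAX_LOGINS, WINDOW_SECONDS = 3, 300    # login attempts tolerated per window

class PolicyEngine:
    def __init__(self):
        self.logins = defaultdict(deque)  # user -> recent login timestamps
    def evaluate(self, ev):
        """Return (action, reasons); action is 'allow', 'alert' or 'block'."""
        if ev["app"] not in SANCTIONED_APPS:
            return "block", ["unsanctioned app (shadow IT)"]
        reasons = []
        if ev["type"] == "login":
            recent = self.logins[ev["user"]]
            recent.append(ev["ts"])
            while ev["ts"] - recent[0] > WINDOW_SECONDS:  # expire old attempts
                recent.popleft()
            if len(recent) > MAX_LOGINS:
                reasons.append("excessive login attempts")
            usual = USUAL_LOCATION.get(ev["user"])
            if usual and ev["location"] != usual:
                reasons.append("login from unusual location")
        elif ev["type"] == "data_access":
            if ev["category"] not in DATA_ACCESS.get(ev["group"], set()):
                return "block", [f"{ev['group']} may not read {ev['category']} data"]
        return ("alert" if reasons else "allow"), reasons

def run(events):
    engine = PolicyEngine()
    return [engine.evaluate(ev) for ev in events]

SAMPLE_EVENTS = [  # constructed events, as a proxy or API connector might report them
    {"type": "data_access", "app": "microsoft365", "user": "alice", "group": "finance", "category": "sales"},
    {"type": "data_access", "app": "microsoft365", "user": "bob", "group": "marketing", "category": "finance"},
    {"type": "data_access", "app": "filedrop-example", "user": "bob", "group": "marketing", "category": "marketing"},
    {"type": "login", "app": "microsoft365", "user": "alice", "ts": 1000, "location": "Chicago"},
    {"type": "login", "app": "microsoft365", "user": "alice", "ts": 1060, "location": "North Korea"},
]
if __name__ == "__main__":
    for ev, (action, reasons) in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(ev["user"], ev["type"], "->", action, reasons)
```

The unsanctioned-app check runs first, so a shadow IT app is blocked regardless of who is asking; location and login-rate findings raise alerts rather than blocks, matching the "alert IT" behaviour described above.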