Evaluating the Role of CASBs to Enhance Cloud Security

Evaluating the Role of CASBs to Enhance Cloud Security

Danny Bradbury

Public cloud computing has taken over the world, it seems. As companies throw more applications and data into computing infrastructure and applications for hire, security and visibility become more of a concern. Cloud access security brokers (CASBs) could be a promising answer to companies struggling with the security implications of the cloud.

As cloud applications become more tempting for employees, IT and security managers face a growing problem. Their users want applications that are difficult to create in-house with a limited development budget and infrastructure resources. And of course, they want them now. Employees flock to unauthorised applications in the cloud, making ‘shadow IT’ a growing trend.

By becoming brokers for cloud applications, IT managers and CISOs can give users what they want and regain some control. Employees get the applications they want, which gives IT some navigating power. You may not want an employee using a specious app with no privacy controls, but by offering them an alternative, you may slake their thirst for online productivity.

Even then, though, security departments face a challenge managing how people access those applications and what they do with them. Each SaaS app will be different, with its own privacy and security controls. That can be worrying when you’re putting sensitive data into it.

Enter the CASB

CASBs can help solve the problem. These services sit between the users and a range of cloud services approved by IT, monitoring and controlling traffic to protect users and data alike.

CASBs often crop up in conversations about data compliance. Companies might be worried about putting sensitive data into a SaaS provider’s app, especially one based outside the UK or Europe. The SaaS provider may encrypt the data, but if it has the encryption keys in its possession, enterprise data could still be compromised by a rogue employee or a subpoena from a foreign government.

A CASB can encrypt data using a company’s own encryption keys before it reaches the cloud, keeping the data secure and compliant. That also leaves the company in charge of managing its own encryption keys, though.

CASBs often go beyond data compliance, offering other features that can help security departments control application and information access. These include identity and access management (IAM), enabling companies to control how users log into applications and what information they can see. This can be a great way to protect data from insider threats by stopping people from unwittingly or maliciously accessing information above their pay grade.

This IAM capability can become quite sophisticated. For example, administrators could create rules governing how an employee can access an application, and from where. Alternatively, a CASB may profile a user’s activity over time and create a baseline of normal behaviour, demanding more information in suspicious situations. If someone tries to access a SaaS account from either side of the country within half an hour, a SaaS app might let it through. A CASB dedicated to securing cloud applications might be more likely to catch the anomaly, block access, and escalate it for analysis.

By logging all this information, along with what users are doing on the SaaS platform, CASBs can create a useful audit trail for security teams to use for forensics and compliance purposes. That will be comfortable compared to the alternative, which involves trying to collate access and activity logs from multiple SaaS providers, or flying blind if they cannot provide them.

Should you get a CASB for your organization? Consider your current and projected reliance on cloud technology, including not just SaaS but IaaS offerings like Amazon Web Services and Azure. As your cloud portfolio becomes more diverse and the information that your employees store there becomes more sensitive, the more appealing a centralized point of control becomes.

Leave a Comment

Your email address will not be published. Required fields are marked *