Cloud Access Security Broker (CASB)

What is a Cloud Access Security Broker (CASB)?

Cloud access security brokers (CASBs) are security policy enforcement points between people who use cloud services and cloud service providers. CASBs combine different ways of enforcing security policies. Some examples of security policies are single sign-on, authentication, authorization, device profiling, encryption, logging, alerting, finding and stopping malware, and so on.

Forms/Types of Cloud Access Security Broker Deployments

There are three main deployment models for Cloud Access Security Brokers (CASBs): API Control, Reverse Proxy, and Forward Proxy. Each has its own unique strengths and weaknesses, making them suitable for different situations. Here’s a breakdown of each:

  • API Control: This model sits directly between your cloud applications and users, intercepting and inspecting API calls for security threats and data exfiltration attempts. It offers deep insights into cloud application activity, data usage, and potential threats, along with quick deployment and comprehensive coverage, but with limited functionality. It’s best for organizations prioritizing data security in cloud applications and needing rapid deployment.
  • Reverse Proxy: In this scenario, the CASB acts as an intermediary between users and cloud applications, intercepting and redirecting traffic to legitimate cloud resources while blocking unauthorized access and malicious attempts. It provides strong access control, can enforce security policies on all user traffic, and offers a single point for managing security policies and monitoring user activity. Additional traffic redirection can introduce latency, however. It’s best for organizations needing strict access control and security for devices outside traditional network security, including BYOD scenarios.
  • Forward Proxy: Deployed on-premises or in the cloud, this model intercepts and redirects user traffic to cloud applications through a central point, enabling security inspection and access control. It’s cost-effective and works with various devices and applications, but because it’s primarily focused on web traffic, this model may not offer deep insights into cloud applications. It’s best for organizations that have basic security needs and want to leverage existing infrastructure, primarily focusing on web-based cloud applications.

You can compare a CASB to apps you might install on your kids’ tablets and devices. You want to ensure they have access to educational apps and websites, but you also want to protect them from inappropriate content and online dangers. A parental control app monitors all their app activity, including what they search for, what data they access, and who they communicate with – just like CASB. 

Just like you set rules for screen time and website access, CASB allows you to define security policies for your cloud applications. You can block unauthorized apps, prevent sensitive data downloads, and restrict access to risky websites.

If your kids try to access something harmful, you might block it or guide them toward safer alternatives. Similarly, CASB can block risky actions, alert you to potential threats, and even shut down unauthorized access in critical situations.

Think of CASB as an app providing regular reports and alerts on your kids’ online activity. It offers detailed reports on app usage, data transfers, and potential security incidents, giving you valuable insights into how your cloud applications are being used and where to strengthen security.

Why Should Businesses Care About a CASB?

A CASB can play a crucial role in securing your cloud environment. Here are some reasons why you should care about having a CASB in place:

Reason #1: Enhanced Security

A CASB can prevent sensitive data breaches by controlling access, encrypting information, and detecting suspicious activity. It has defensive properties, too, blocking malware, phishing attacks, and other cyber threats targeting your cloud applications.

Reason #2: Improved Visibility and Control

With a CASB, your business can gain insights into cloud application activity, user behavior, and data flows for better decision-making. Your team can set granular security policies to control access, prevent unauthorized actions, and enforce security best practices. They will also have the ability to identify and manage unsanctioned cloud applications that might pose security risks.
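
As an added illustration (not Coro's code and not part of the original page), the sketch below shows the idea behind identifying unsanctioned cloud applications from web-proxy logs. The log format, hostnames, sanctioned list, and review threshold are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Assumption: the organization's approved cloud apps, keyed by hostname.
SANCTIONED = {"mail.example-suite.test", "files.example-suite.test"}

# Constructed sample web-proxy log (user, destination host, bytes uploaded).
SAMPLE_LOG = """user,host,bytes_out
alice,mail.example-suite.test,12000
bob,files.example-suite.test,480000
bob,share.unknown-drive.test,52000000
carol,share.unknown-drive.test,1500
carol,notes.side-app.test,900
alice,share.unknown-drive.test,7000000
"""

UPLOAD_ALERT_BYTES = 10_000_000  # assumed per-app threshold for review


def discover_unsanctioned(log_text, sanctioned=SANCTIONED):
    """Return {host: {"users": set, "bytes_out": int}} for unsanctioned hosts."""
    apps = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        host = row["host"].strip().lower()
        if host in sanctioned:
            continue
        try:
            sent = int(row["bytes_out"])
        except (TypeError, ValueError):
            sent = 0  # malformed counter: still record the user and app
        apps[host]["users"].add(row["user"])
        apps[host]["bytes_out"] += max(sent, 0)
    return dict(apps)


def review_queue(apps, threshold=UPLOAD_ALERT_BYTES):
    """Order unsanctioned apps by upload volume and mark those over threshold."""
    ranked = sorted(apps.items(), key=lambda kv: kv[1]["bytes_out"], reverse=True)
    return [(host, len(d["users"]), d["bytes_out"], d["bytes_out"] >= threshold)
            for host, d in ranked]


if __name__ == "__main__":
    for host, users, sent, flag in review_queue(discover_unsanctioned(SAMPLE_LOG)):
        print(f"{host:28} users={users} bytes_out={sent} review={flag}")
```

The output ranks each unsanctioned host by upload volume with its distinct user count, which gives a team a starting list of applications to sanction, restrict, or block.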

Reason #3: Reduced Risks and Costs

Thanks to a CASB, you can identify and mitigate potential security incidents before they cause damage, saving time and money. Secure access ensures authorized users can access applications seamlessly, enhancing productivity. This also means you can avoid hefty fines and reputational damage associated with data breaches and non-compliance.

Reason #4: Streamlined Security Management

With a CASB, you can manage security across all your cloud applications from a single console, simplifying administration. This saves time and effort. 

Cloud Access Security Brokers and Your Broader Cybersecurity Program

Cloud access security brokers can play a vital role in your broader cybersecurity program, including:

MITRE ATT&CK 

The MITRE ATT&CK framework outlines the tactics, techniques, and procedures (TTPs) commonly used by adversaries throughout the cyberattack lifecycle. CASBs play a vital role in addressing various phases of this lifecycle:

  • Initial Access: CASBs can help prevent attackers from gaining initial access to your cloud environment by enforcing strong authentication and access controls and blocking suspicious or unauthorized login attempts.
  • Execution: Once attackers gain access, they often use various techniques to execute their malicious goals. CASBs can hinder their efforts by detecting and blocking malicious commands and scripts within cloud applications or monitoring for unusual data access or modification attempts.
  • Lateral Movement: Attackers often move laterally within a network to expand their reach and access sensitive data. CASBs can impede this movement by segmenting your cloud environment to restrict unauthorized access to specific resources.
  • Command and Control (C2): Attackers establish communication channels to maintain control over compromised systems and exfiltrate data. CASBs can disrupt C2 activities by monitoring and blocking unauthorized network connections and data transfer and detecting and preventing the use of known C2 infrastructure and techniques.
  • Data Exfiltration: The ultimate goal of many attacks is to steal sensitive data. CASBs can protect your data by monitoring and controlling data downloads and transfers, encrypting sensitive data at rest and in transit, and preventing unauthorized data exfiltration attempts.

National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)

The NIST CSF outlines five core functions for managing cybersecurity risk: Identify, Protect, Detect, Respond, and Recover. CASBs contribute to various aspects of these functions, such as:

  • Identify: Identifying cloud assets, risks, and vulnerabilities associated with cloud applications.
  • Protect: Implementing access controls, data encryption, and threat detection capabilities.
  • Detect: Monitoring cloud activity for suspicious behavior and potential threats aligned with CSF categories.
  • Respond: Containing and remediating security incidents involving cloud applications.
  • Recover: Restoring normal operations and minimizing damage after a security incident.

Zero Trust Principles 

CASBs enforce granular access controls, requiring strong authentication and authorization for every user and application attempting to access cloud resources, aligning with the core principle of least privilege.

Related Systems or Technologies

While CASBs play a crucial role in securing cloud environments, they work best as part of a broader security ecosystem. Some of the related systems and technologies that complement CASB include: 

  • Firewalls: Firewalls protect your network perimeter from unauthorized access, complementing CASBs by securing the network layer.
  • Intrusion Detection/Prevention Systems (IDS/IPS): These systems detect and block malicious network traffic, offering additional protection alongside CASB’s application-level security.
  • Security Information and Event Management (SIEM): SIEMs collect and analyze logs from CASBs and other security tools, providing centralized visibility and threat detection capabilities.
  • Cloud Identity and Access Management (CIAM): CIAM manages user identities and access across all cloud services, including those protected by CASBs, ensuring consistent access control and authorization.
  • Data Loss Prevention (DLP): A DLP prevents unauthorized data exfiltration from cloud applications, working in conjunction with CASBs to safeguard sensitive information.
  • Cloud workload protection platforms (CWPPs): CWPPs secure workloads running in the cloud, including servers, containers, and microservices, complementing CASB’s focus on securing cloud applications.
  • Endpoint security: Endpoint security systems protect devices accessing cloud applications, ensuring comprehensive security regardless of location, further strengthening the security posture alongside CASBs.
  • Security Orchestration, Automation, and Response (SOAR): SOAR automates security tasks like incident response, streamlining processes, improving efficiency, and leveraging CASB-generated alerts and data.
  • Cloud workload identity and access management (CWIAM): CWIAM manages the identities and access of workloads within the cloud, collaborating with CASBs to provide comprehensive access control for both users and applications.

Related Regulations and Compliance Goals

A cloud access security broker isn’t enough to ensure compliance on its own, but it will contribute to compliance with regulations, including: 

Payment Card Industry Data Security Standard (PCI DSS)

For organizations handling credit card data, PCI DSS mandates specific security controls. CASBs can help meet these requirements by:

  • Controlling access to sensitive cardholder data within cloud applications.
  • Encrypting cardholder data at rest and in transit.
  • Monitoring and auditing cloud activity for suspicious behavior related to cardholder data.

Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

CCM provides a comprehensive set of controls for securing cloud environments, with CASBs contributing to various control domains, including:

  • CCM Control 1.20: Protect data in transit: Encryption of data transfers is another key function offered by CASBs, addressing this control.
  • CCM Control 2.1: Enforce least privilege access: CASBs can define and enforce granular access controls based on user roles and attributes, aligning with this control.
  • CCM Control 2.3: Use multi-factor authentication (MFA): Some CASBs offer built-in MFA or integrate with IAM solutions that support MFA, contributing to this control.
  • CCM Control 3.1: Discover and document APIs: CASBs can discover and inventory APIs used within cloud applications, supporting this control.
  • CCM Control 5.1: Establish an incident response plan: CASBs can provide data and insights into cloud activity that can be valuable for incident response investigations, supporting this control.
  • CCM Control 6.1: Define cloud governance policies: CASBs can help enforce cloud governance policies related to data access, security configurations, and application usage, addressing this control.

There are several other controls that CASB contributes to, making it an invaluable part of the CCM. 

Health Insurance Portability and Accountability Act (HIPAA)

For healthcare organizations, CASBs can support HIPAA compliance by protecting patient data confidentiality, integrity, and availability within cloud applications.
