A cloud access security broker (CASB) offers a number of services to protect companies that use cloud computing from data breaches and cyber attacks.
After reading this article you will be able to:
Related Content
Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!
Copy article link
A cloud access security broker, or CASB, is a type of security solution that helps protect cloud-hosted services. CASBs help keep corporate software-as-a-service (SaaS) applications, along with infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) services, safe from cyber attacks and data leaks. Typically, CASB vendors offer their services as cloud-hosted software, although some CASBs also offer on-premise software or on-premise hardware appliances.
A number of different security technologies fall under the CASB umbrella, and a CASB solution will typically offer these technologies together in one bundled package. These technologies include shadow IT discovery, access control, and data loss prevention (DLP), among several others.
Think of a CASB as being like a physical security firm that offers a number of services (surveillance, foot patrol, identity verification, etc.) to keep a facility safe, rather than a single security guard. Similarly, CASBs offer a variety of services rather than one, simplifying the process of cloud data protection.
Gartner, an influential industry analyst firm, defines four "pillars" for cloud access security brokers:
Most CASB solutions will offer some or all of the following security technologies:
This list is not exhaustive, as CASBs can offer a number of other security products in addition to those listed above. Some of these technologies are included in other types of security products as well. For instance, many firewalls offer packet inspection, and many endpoint security products offer anti-malware. CASBs, however, package these technologies specifically for cloud computing.
To provide a full complement of CASB services, many major CASBs have at some point acquired a product or company that they bundle with their other previously existing products. They may also partner with external companies to offer additional services.
While DLP has grown in importance as data regulatory frameworks (like the GDPR) put pressure on organizations to maintain privacy and avoid data leaks, traditional DLP products come with weaknesses when it comes to securing the modern data landscape. Standalone DLP services are difficult to implement as an additional layer for cloud services. Bundling DLP in CASB solutions helps solve these challenges, enabling organizations to protect their data and maintain compliance.
In cloud computing, data is stored remotely and accessed over the Internet. As a result, companies using the cloud have limited control over where data is stored and how users access it. Users can access cloud data and applications on any Internet-connected device and from any network, not just the internal company-managed network. For instance, a user could log in to a company-managed SaaS app from an unsecured network on their personal device, which typically would not be possible for applications that run on on-premise computers and servers (unless remote desktop is used).
Using the cloud also makes it harder to ensure that data stays private and secure, just as it is harder to prevent strangers from eavesdropping when conversing in a public place instead of in a private room.
To fully protect data in the cloud, organizations typically use security services that are cloud-based as well. Sometimes, they obtain these services from different vendors: using one platform for DLP, one for identity, one for anti-malware, and so on. But this approach to cloud security also creates challenges: several contracts have to be negotiated separately, security policies have to be configured numerous times, implementing and managing multiple platforms creates complexity for IT, etc.
CASBs are one network security solution to these challenges. Purchasing these security measures from one cloud security broker instead of several different vendors means:
Scalability: CASBs have to manage a lot of data and multiple cloud platforms and applications. Companies should ensure their CASB vendor is able to scale up with them as they grow.
Mitigation: Not all CASBs offer the ability to stop security threats once they are identified. Depending on the situation, a CASB without mitigation capabilities may be of limited use to a company.
Integration: Companies must ensure their CASB will integrate with all their systems and infrastructure. Without complete integration, the CASB will not have full visibility into unauthorized IT and potential security threats.
Data privacy: Does the CASB vendor keep data private, or are they just one more external party touching sensitive data? If the CASB moves their customers' data to the cloud, how secure and private is it? These are especially important questions for organizations that operate under strict data privacy regulations.
Most enterprises that rely partially or wholly on the cloud can benefit from working with a CASB vendor. Businesses that are struggling to contain the growth of shadow IT — a major concern for many businesses today — can especially benefit from CASB services.
Secure access service edge, or SASE, is a cloud-based network infrastructure model that consolidates networking and security services into a single service provider, making it simpler for companies to secure and manage network access across all connected devices. In the same way that CASBs bundle a variety of security services, SASE bundles SD-WANs (among other network capabilities) with CASBs, secure web gateways (SWG), Zero Trust Network Access (ZTNA), firewall-as-a-service (FWaaS), and other network security functions. SASE solutions are built on top of a single global network.
Cloudflare One integrates CASB, DLP, Zero Trust, SWG, and browser isolation capabilities in a single platform. These services are delivered from the Cloudflare network, as close to end users as possible, and can sit in front of on-premise, cloud, and hybrid networks. Learn more about Cloudflare One.