What is a CASB? | Cloud access security brokers

A cloud access security broker (CASB) offers a number of services to protect companies that use cloud computing from data breaches and cyber attacks.

Share facebook icon linkedin icon twitter icon email icon

CASB

Learning Objectives

After reading this article you will be able to:

  • Define cloud access security broker (CASB)
  • Learn what CASBs do
  • Explore the four CASB pillars

What is a cloud access security broker (CASB)?

casb

A cloud access security broker, or CASB, is a company that helps protect other companies' cloud-hosted services. CASBs help keep corporate Software-as-a-Service (SaaS) applications, along with Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) services, safe from cyber attacks and data leaks. Typically, CASBs offer their services as cloud-hosted software, although some CASBs also offer on-premises software or on-premises hardware appliances.

A number of different security technologies fall under the CASB umbrella, and a CASB will typically offer these technologies together in one bundled package. Think of a CASB as being like a physical security firm that offers a number of services (surveillance, foot patrol, identity verification, etc.) to keep a facility safe, rather than a single security guard.

Why are CASBs necessary?

In cloud computing, data is stored remotely and accessed over the Internet. As a result, companies using the cloud have limited control over where data is stored and how users access it. Users can access cloud data and applications on any Internet-connected device and from any network, not just the internal company network. Using the cloud also makes it harder to ensure that data stays private and secure, just as it's harder to prevent strangers from eavesdropping when conversing in a public place instead of in a private room.

The cloud-specific security measures offered by CASBs can mitigate these risks and protect internal data and processes. Purchasing these security measures from one cloud security broker instead of several different vendors offers a couple of significant advantages:

  1. It ensures that all the technologies involved work well together.
  2. It vastly simplifies management of cloud security tools; IT teams can work with one vendor, instead of a half-dozen vendors. Additionally, many CASBs enable their customers to manage all cloud security services from a single dashboard.

What are the main areas in which CASBs provide security?

casb features

Gartner, an influential industry analyst firm, defines four "pillars" for cloud access security brokers:

  1. Visibility: CASBs help discover "shadow IT": systems and processes, especially cloud services, that are not officially documented and that may introduce unknown security risks.
  2. Data Security: CASBs prevent confidential data from leaving company-controlled systems, and help protect the integrity of that data. Relevant technologies for this area include access control and data loss prevention (DLP).
  3. Threat Protection: CASBs block external threats and attacks, in addition to stopping data leaks. Anti-malware detection, sandboxing, packet inspection, URL filtering, and browser isolation can all help block cyber attacks.
  4. Compliance: Because the cloud is so spread out and is not under a company's control, it can be difficult for companies operating in the cloud to meet strict regulatory requirements like SOC 2, HIPAA, or the GDPR. Within certain industries and regions, companies that do not comply are at risk for penalties and fines. By implementing strong security controls, CASBs help companies that store data and run business processes in the cloud achieve regulatory compliance.

What security capabilities do CASBs offer?

Most CASBs will offer some or all of the following security technologies:

  • Identity verification: Ensures a user is who they claim to be by checking several identity factors, such as a password or possession of a physical token
  • Access control: Controls what users can see and do within company-controlled applications
  • Shadow IT discovery: Identifies the systems and services internal employees are using for business purposes without proper authorization
  • Data loss prevention (DLP): Stops data leaks and prevents data from leaving company-owned platforms
  • URL filtering: Blocks websites used by attackers for phishing or malware attacks
  • Packet inspection: Inspects data entering or exiting the network for malicious activity
  • Sandboxing: Runs programs and code in an isolated environment to determine whether or not it is malicious
  • Browser isolation: Runs users' browsers on a remote server instead of on the users' devices, protecting the devices from potentially malicious code that can run in the browser
  • Anti-malware detection: Identifies malicious software

This list is not exhaustive, as CASBs can offer a number of other security products in addition to those listed above. Some of these technologies are included in other types of security products as well. For instance, many firewalls offer packet inspection, and many endpoint security products offer anti-malware. CASBs, however, package these technologies specifically for cloud computing.

To provide a full complement of CASB services, many major CASBs have at some point acquired a product or company that they bundle with their other previously existing products. They may also partner with external companies to offer additional services.

Does Cloudflare have a CASB offering?

How do CASBs integrate with SASE?

Secure access service edge, or SASE, is a cloud-based network infrastructure model that consolidates networking and security services into a single service provider, making it simpler for companies to secure and manage network access across all connected devices. In the same way that CASBs bundle a variety of security services, SASE bundles SD-WANs (among other network capabilities) with CASBs, secure web gateways (SWG), zero trust network access (ZTNA), firewall-as-a-service (FWaaS), and other network security functions. SASE solutions are built on top of a single global network.

Cloudflare for Teams bundles a number of Cloudflare products to help keep company data secure. Cloudflare Access offers identity-based access control to control access to internally-managed applications that traditionally required a VPN. Cloudflare Gateway protects client devices from malware, blocks malicious websites, and filters content. Cloudflare Gateway also includes browser isolation technology to protect against malicious in-browser JavaScript.

Cloudflare for Teams helps keep both cloud services and the companies that use them secure. Learn more about Cloudflare for Teams, orexplore other access control technologies.