What is a CASB? | Cloud access security brokers

What is a cloud access security broker (CASB)?

A cloud access security broker, or CASB, is a company that helps protect other companies' cloud-hosted services. CASBs help keep corporate Software-as-a-Service (SaaS) applications, along with Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) services, safe from cyber attacks and data leaks. Typically, CASBs offer their services as cloud-hosted software, although some CASBs also offer on-premise software or on-premise hardware appliances.

A number of different security technologies fall under the CASB umbrella, and a CASB will typically offer these technologies together in one bundled package. These technologies include shadow IT discovery, access control, and data loss prevention (DLP), among several others.

Think of a CASB as being like a physical security firm that offers a number of services (surveillance, foot patrol, identity verification, etc.) to keep a facility safe, rather than a single security guard. Similarly, CASBs offer a variety of services rather than one, simplifying the process of cloud data protection.

What are the main areas in which CASBs provide security?

Gartner, an influential industry analyst firm, defines four "pillars" for cloud access security brokers:

1. Visibility: CASBs help discover "shadow IT": systems and processes, especially cloud services, that are not officially documented and that may introduce unknown security risks.
2. Data security: CASBs prevent confidential data from leaving company-controlled systems, and help protect the integrity of that data. Relevant technologies for this area include access control and data loss prevention (DLP).
3. Threat protection: CASBs block external threats and attacks, in addition to stopping data leaks. Anti-malware detection, sandboxing, packet inspection, URL filtering, and browser isolation can all help block cyber attacks.
4. Compliance: Because the cloud is so spread out and is not under a company's control, it can be difficult for companies operating in the cloud to meet strict regulatory requirements like SOC 2, HIPAA, or the GDPR. Within certain industries and regions, companies that do not comply are at risk for penalties and fines. By implementing strong security controls, CASBs help companies that store data and run business processes in the cloud achieve regulatory compliance.

What security capabilities do CASBs offer?

Most CASBs will offer some or all of the following security technologies:

• Identity verification: Ensures a user is who they claim to be by checking several identity factors, such as a password or possession of a physical token
• Access control: Controls what users can see and do within company-controlled applications
• Shadow IT discovery: Identifies the systems and services internal employees are using for business purposes without proper authorization
• Data loss prevention (DLP): Stops data leaks and prevents data from leaving company-owned platforms
• URL filtering: Blocks websites used by attackers for phishing or malware attacks
• Packet inspection: Inspects data entering or exiting the network for malicious activity
• Sandboxing: Runs programs and code in an isolated environment to determine whether or not it is malicious
• Browser isolation: Runs users' browsers on a remote server instead of on the users' devices, protecting the devices from potentially malicious code that can run in the browser
• Anti-malware detection: Identifies malicious software

This list is not exhaustive, as CASBs can offer a number of other security products in addition to those listed above. Some of these technologies are included in other types of security products as well. For instance, many firewalls offer packet inspection, and many endpoint security products offer anti-malware. CASBs, however, package these technologies specifically for cloud computing.

To provide a full complement of CASB services, many major CASBs have at some point acquired a product or company that they bundle with their other previously existing products. They may also partner with external companies to offer additional services.

Why do organizations use CASBs?

In cloud computing, data is stored remotely and accessed over the Internet. As a result, companies using the cloud have limited control over where data is stored and how users access it. Users can access cloud data and applications on any Internet-connected device and from any network, not just the internal company-managed network. For instance, a user could log into a company-managed SaaS app from an unsecured network on their personal device, which typically would not be possible for applications that run on on-premise computers and servers (unless remote desktop is used).

Using the cloud also makes it harder to ensure that data stays private and secure, just as it is harder to prevent strangers from eavesdropping when conversing in a public place instead of in a private room.

To fully protect data in the cloud, organizations typically use security services that are cloud-based as well. Sometimes, they obtain these services from different vendors: using one platform for DLP, one for identity, one for anti-malware, and so on. But this approach to cloud security also creates challenges: several contracts have to be negotiated separately, security policies have to be configured numerous times, implementing and managing multiple platforms creates complexity for IT, etc.

CASBs are one solution to these challenges. Purchasing these security measures from one cloud security broker instead of several different vendors means:

1. All the technologies involved work well together.
2. Simplified management of cloud security tools; IT teams can work with one vendor, instead of a half-dozen vendors. Additionally, many CASBs enable their customers to manage all cloud security services from a single dashboard.

What are the challenges of using a CASB?

Scalability: CASBs have to manage a lot of data and multiple cloud platforms and applications. Companies should ensure their CASB vendor is able to scale up with them as they grow.

Mitigation: Not all CASBs offer the ability to stop security threats once they are identified. Depending on the situation, a CASB without mitigation capabilities may be of limited use to a company.

Integration: Companies must ensure their CASB will integrate with all their systems and infrastructure. Without complete integration, the CASB will not have full visibility into unauthorized IT and potential security threats.

Data privacy: Does the CASB vendor keep data private, or are they just one more external party touching sensitive data? If the CASB moves their customers' data to the cloud, how secure and private is it? These are especially important questions for organizations that operate under strict data privacy regulations.

Who needs a CASB?

Most enterprises that rely partially or wholly on the cloud can benefit from working with a CASB vendor. Businesses that are struggling to contain the growth of shadow IT — a major concern for many businesses today — can especially benefit from CASB services.

How do CASBs integrate with SASE?

Secure access service edge, or SASE, is a cloud-based network infrastructure model that consolidates networking and security services into a single service provider, making it simpler for companies to secure and manage network access across all connected devices. In the same way that CASBs bundle a variety of security services, SASE bundles SD-WANs (among other network capabilities) with CASBs, secure web gateways (SWG), zero trust network access (ZTNA), firewall-as-a-service (FWaaS), and other network security functions. SASE solutions are built on top of a single global network.

Does Cloudflare have a CASB offering?

Cloudflare for Teams bundles a number of Cloudflare products to help keep company data secure. Cloudflare Access offers identity-based access control to control access to internally-managed applications that traditionally required a VPN. Cloudflare Gateway protects client devices from malware, blocks malicious websites, and filters content. Cloudflare Gateway also includes browser isolation technology to protect against malicious in-browser JavaScript.

Cloudflare for Teams helps keep both cloud services and the companies that use them secure. Learn more about Cloudflare for Teams, or explore other access control technologies.