CASB - CLOUD ACCESS SECURITY BROKER
This article aims to give a concise overview for readers who want to learn about Cloud Access Security Brokers, a current trend in cloud security.
A Cloud Access Security Broker (CASB) is a set of new cloud security technologies that addresses the challenges posed by the use of cloud apps and services. They work as tools that sit between an organization's on-premises infrastructure and a cloud provider's infrastructure.
Playing the role of a gatekeeper, they allow the organization to extend the reach of their security policies beyond their own infrastructure.
CASBs are classified as on-premises or cloud-hosted software that acts as a control point to support continuous visibility, compliance, threat protection, and security for cloud services.
CASB solutions help to:
● Identify and evaluate all the cloud apps in use
● Enforce cloud application management policies in web proxies or firewalls
● Provide handling of sensitive information
● Encrypt or tokenize sensitive content to enforce privacy and security
● Detect and block unusual account behaviour indicative of malicious activity
● Integrate cloud visibility and controls with broader security solutions for data loss prevention, access management, and web security
Statistics:
● By 2020, 85% of large enterprises will use a cloud access security broker solution for their cloud services, which is up from fewer than 5% in 2015.
● Through 2020, 95% of cloud security failures will be the customer's fault.
Source: https://www.skyhighnetworks.com/cloud-security-university/what-is-cloud-access-security-broker/
How did CASB come to market?
Enterprises are still struggling to understand the data security and compliance impact of aggressive adoption of cloud applications by employees and business units, while also trying to work out how to maintain data security and compliance with new data residency laws as their infrastructure moves to the cloud.
This is where a Cloud Access Security Broker (CASB) comes into play. Because data residency requirements mean that sensitive data should never leave the country, a CASB provides cloud encryption with the option for the enterprise to control its own encryption keys, so that access to the data without the enterprise's knowledge is ruled out.
One drawback is reduced application functionality, since SaaS servers cannot process encrypted data; this is managed to a large extent by cyclic ciphers. This is still a developing technology, and better measures will emerge in time.
How is CASB presented?
CASB technology is available as a SaaS application, on-premises via virtual or physical appliances, or both, using a hybrid combination of on-premises and cloud-based policy enforcement points.
Observations:
● The wide adoption of identity and access management into the cloud, delivering cloud single sign-on, has reduced the friction in adopting cloud services and related security controls, like cloud access security brokers (CASBs).
● Many enterprise business units are acquiring cloud services directly without IT's involvement. This form of "shadow IT" is fuelling growth in cloud service adoption as well as security risks.
● The CASB market has evolved rapidly since its gestation period in 2012 and includes a number of high-profile acquisitions.
● Today, CASBs primarily address back-office applications delivered as SaaS.
How Does CASB Work?
A high-level understanding: CASBs work by ensuring that network traffic between on-premises devices and the cloud provider complies with the organization's security policies. (Architecture diagram not reproduced; image source: Gartner's blog, Security Musings.)
Fundamental Capabilities of CASB
● Cloud App Discovery and Analysis
Provide Shadow IT discovery and risk analysis including detailed cloud app ratings, usage analytics, and continuous reporting.
● Data Governance and Protection
Provide the ability to enforce data-centric security policies to prevent unwanted activity such as inappropriate sharing of content. Support encryption and tokenization of compliance-related data.
● Threat Protection and Incident Response
Prevent malicious activity such as data exfiltration due to account takeover, session hijacking, or insider activity through continuous monitoring of user behavior. Identify and block malware being uploaded or shared within cloud apps and provide tools for incident response.
● Compliance and Data Privacy
Assist with data residency and compliance with regulations and standards, as well as identify cloud usage and risks of specific cloud services.
CASB’s Most Prominent Functionalities
● Visibility
CASBs provide both shadow and sanctioned IT discovery, as well as a consolidated view of an organization's cloud service usage and the users who access data from any device or location.
● Compliance
CASBs assist with data residency and compliance with regulations and standards, as well as identify cloud usage and the risks of specific cloud services.
● Data Security
CASBs provide the ability to enforce data-centric security policies to prevent unwanted activity based on data classification, discovery and user activity monitoring of access to sensitive data or privilege escalation.
● Threat Protection
CASBs prevent unwanted devices, users and versions of applications from accessing cloud services by providing adaptive access controls. Other examples in this category are user and entity behaviour analytics (UEBA) for determining anomalous behaviour, the use of threat intelligence, and malware identification.
Comprehensive CASB solutions leverage the following:
● Application Specific Security
The top cloud apps have well-defined APIs that a CASB can leverage to monitor activity, analyse content, and modify settings within accounts on that cloud app.
● Inline Security with Gateways
Sitting between the users and their cloud apps, a CASB gateway can provide valuable insights into cloud activity and provide a vehicle for real-time policy enforcement, such as blocking data exfiltration or protecting information with encryption.
● Shadow IT Analysis
Existing security devices, such as secure web gateways and firewalls, have log data that can be used to help analyse Shadow IT.
● Access Control
Endpoint agents offer another option to manage cloud activity and enforce policies.
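The "Cloud App Discovery" capability and the "Shadow IT Analysis" item above both rest on one idea: existing secure-web-gateway or firewall logs already record which cloud domains users talk to. The following is an added example (not code from the article or from any CASB vendor) that parses constructed SWG log lines, aggregates usage per cloud domain, and reports unsanctioned apps at or above a risk threshold together with the users involved and the bytes they uploaded; the log format, app catalogue and risk ratings are all assumed.

```python
"""Shadow IT discovery from secure-web-gateway logs (added example, not from
the article or any vendor). Log format and app catalogue are constructed."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed catalogue: cloud service domains with a risk rating (1 low .. 5 high)
# and whether the organisation has sanctioned them. Hypothetical values.
APP_CATALOGUE = {
    "sharepoint.example-corp.com": {"app": "Corp SharePoint", "risk": 1, "sanctioned": True},
    "drive.filecloud-example.net": {"app": "FileCloud", "risk": 4, "sanctioned": False},
    "paste.snippets-example.org": {"app": "SnippetPaste", "risk": 5, "sanctioned": False},
}

# Constructed SWG log lines: timestamp user method url status bytes_sent
SAMPLE_LOG = """\
2016-10-03T09:01:12Z alice POST https://sharepoint.example-corp.com/upload 200 524288
2016-10-03T09:02:40Z bob GET https://drive.filecloud-example.net/files 200 1200
2016-10-03T09:03:05Z bob POST https://drive.filecloud-example.net/upload 200 31457280
2016-10-03T09:10:51Z carol POST https://paste.snippets-example.org/new 200 8192
2016-10-03T09:11:02Z carol POST https://paste.snippets-example.org/new 200 16384
2016-10-03T09:12:00Z dave GET https://news.unknown-example.com/ 200 300
"""


def parse_line(line):
    """Split one log line into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, user, method, url, status, sent = parts
    host = urlsplit(url).hostname
    if host is None:
        return None
    return {"ts": ts, "user": user, "method": method, "host": host,
            "status": int(status), "bytes_sent": int(sent)}


def discover_shadow_it(log_text, catalogue=APP_CATALOGUE, min_risk=3):
    """Aggregate per-host usage, then report unsanctioned cloud apps rated at or
    above min_risk, with the distinct users seen and bytes uploaded via POST."""
    usage = defaultdict(lambda: {"users": set(), "uploaded": 0, "requests": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = usage[rec["host"]]
        entry["requests"] += 1
        entry["users"].add(rec["user"])
        if rec["method"] == "POST":
            entry["uploaded"] += rec["bytes_sent"]
    findings = []
    for host, stats in usage.items():
        meta = catalogue.get(host)
        if meta is None:
            continue  # not a catalogued cloud service; unknown hosts belong in a separate review queue
        if meta["sanctioned"] or meta["risk"] < min_risk:
            continue
        findings.append({
            "app": meta["app"], "host": host, "risk": meta["risk"],
            "users": sorted(stats["users"]), "uploaded_bytes": stats["uploaded"],
        })
    # Highest risk first, then largest upload volume: the triage order an analyst wants.
    return sorted(findings, key=lambda f: (-f["risk"], -f["uploaded_bytes"]))


if __name__ == "__main__":
    for f in discover_shadow_it(SAMPLE_LOG):
        print(f"{f['app']:<14} risk={f['risk']} users={','.join(f['users'])} "
              f"uploaded={f['uploaded_bytes']}B")
```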
Architectural Choices (forward/reverse proxy/APIs)
Initially, the market was split between providers that delivered their CASB features via forward- and/or reverse-proxy modes and others that used API modes exclusively.
Increasingly, a growing number of CASBs offer a choice between the proxy modes of operation and also support APIs (multimode CASBs).
● Reverse proxy
This can be deployed as a gateway on-premises or as the more popular method, as SaaS.
This works by changing the authentication flow: the cloud service is configured so that the CASB passes authentication on to the IDaaS provider, but, importantly, the URL the user interacts with belongs to the CASB rather than the cloud service.
IDaaS stands for Identity-as-a-Service.
It is a cloud-based service that provides a set of identity and access management functions to target systems on customers' premises and/or in the cloud.
To learn more about IDaaS, see: https://www.centrify.com/solutions/cloud/identity-as-a-service-idaas/
This is one way to provide the ability to insert the CASB in front of end users accessing the SaaS service (with the exception of mobile native apps using certificate pinning) without having to touch the endpoint's configuration.
It also allows for control over key management and application of cryptography solutions on-premises with no access by a cloud-based CASB or cloud service provider. With hosted reverse proxy, there may be indirect access to the key management system and keys/tokens being used in the cloud by the CASB and/or CSP.
● Forward proxy
This can be deployed in the cloud or on-premises. Some vendors deploy software agents on endpoint devices or push profiles through enterprise mobility management (EMM) to enforce it, or use other methods such as DNS and proxy auto-configuration (PAC) files.
● API mode
This leverages the native features of the SaaS service itself by giving the CASB permission to access the service's API directly.
This mode also allows organizations to perform a number of functions, like log telemetry, policy visibility and control, and data security inspection functions on all data at rest in the cloud application or service.
The CASB may offer on-premises or hosted key management options.
API mode makes it possible to take advantage of both CASB-native data protection and a growing number of data protection features offered by the SaaS service itself. Features offered by the SaaS provider (for example, Salesforce Shield) perform encryption/tokenization functions while the end users still control the keys. However, the SaaS provider still has access to the keys, and data is unencrypted while it is being used by the application.
If the SaaS is hosted by another CSP's infrastructure (for example, Amazon or Microsoft), it is available in the memory of the IaaS provider and may not meet strict data residency or compliance requirements.
The deployment modes above can be summarized in a high-level table of features against functionality (table not reproduced here). Re-created table source:
https://www.skyhighnetworks.com/cloud-security-blog/new-ebook-which-casb-deployment-architecture-is-right-forme/
Some use cases for CASB Implementation:
● Early anomaly detection: Analysing data on the go can be used to detect anomalous behaviours and potential.
● Reporting and auditing: CASB offers enhanced granular visibility with detailed activity logs and other reports useful for compliance auditing and forensic purposes.
● DLP: Content validation by public cloud applications, blocking, watermarking, password protection and encryption prevent data content from being exposed.
● Encryption: CASBs can encrypt objects pre-upload/post-download, giving end-to-end data privacy and regulatory compliance.
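The "Early anomaly detection" use case above and the "Threat Protection and Incident Response" capability (account takeover, data exfiltration, continuous monitoring of user behaviour) describe the same detection logic. The following is an added example (not code from the article or from any CASB product) that runs two UEBA-style rules over constructed cloud-app activity events: a login from a country outside the user's baseline, and a bulk download inside a sliding time window; a bulk download shortly after a new-country login is escalated to an account-takeover alert. The event schema, baselines and thresholds are assumptions.

```python
"""UEBA-style detection of account takeover and bulk download over cloud app
activity events (added example; not from the article or any CASB product).
Events, baselines and thresholds are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed per-user baseline: countries from which each user normally logs in.
BASELINE_COUNTRIES = {"alice": {"GB"}, "bob": {"US", "CA"}}

# Constructed activity events, as a SaaS audit API (API mode) or an inline
# proxy would deliver them. Timestamps are UTC in ISO 8601.
EVENTS = [
    {"ts": "2016-10-03T08:00:00Z", "user": "alice", "action": "login", "country": "GB", "bytes": 0},
    {"ts": "2016-10-03T08:05:00Z", "user": "alice", "action": "download", "country": "GB", "bytes": 2_000_000},
    {"ts": "2016-10-03T08:20:00Z", "user": "alice", "action": "login", "country": "RU", "bytes": 0},
    {"ts": "2016-10-03T08:21:00Z", "user": "alice", "action": "download", "country": "RU", "bytes": 150_000_000},
    {"ts": "2016-10-03T08:23:00Z", "user": "alice", "action": "download", "country": "RU", "bytes": 120_000_000},
    {"ts": "2016-10-03T09:00:00Z", "user": "bob", "action": "login", "country": "CA", "bytes": 0},
    {"ts": "2016-10-03T09:30:00Z", "user": "bob", "action": "download", "country": "CA", "bytes": 50_000_000},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_anomalies(events, baselines, window=timedelta(minutes=10),
                     bulk_bytes=200_000_000, takeover_link=timedelta(hours=1)):
    """Return a list of alerts. Rules (all thresholds are assumptions):
    - new_country: a login from a country absent from the user's baseline
    - bulk_download: more than bulk_bytes downloaded within any `window`
    - account_takeover: a bulk_download within takeover_link of a new_country login
    """
    alerts = []
    recent = defaultdict(deque)   # user -> deque of (ts, bytes) downloads inside the window
    suspicious_login = {}         # user -> ts of the latest login from a non-baseline country
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user = parse_ts(ev["ts"]), ev["user"]
        if ev["action"] == "login":
            if ev["country"] not in baselines.get(user, set()):
                suspicious_login[user] = ts
                alerts.append({"user": user, "rule": "new_country",
                               "ts": ev["ts"], "country": ev["country"]})
            continue
        if ev["action"] != "download":
            continue
        q = recent[user]
        q.append((ts, ev["bytes"]))
        while q and ts - q[0][0] > window:   # drop downloads that fell out of the window
            q.popleft()
        total = sum(b for _, b in q)
        if total > bulk_bytes:
            rule = "bulk_download"
            if user in suspicious_login and ts - suspicious_login[user] <= takeover_link:
                rule = "account_takeover"   # exfiltration right after an anomalous login
            alerts.append({"user": user, "rule": rule, "ts": ev["ts"], "bytes_in_window": total})
            q.clear()   # one burst produces one alert, not one per further download
    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(EVENTS, BASELINE_COUNTRIES):
        print(a)
```

In a real deployment the baseline would be learned from historical logins rather than hard-coded, and the alert would feed the CASB's adaptive access control (for example, forcing re-authentication or blocking the session).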
Leading choices for CASB:
➢ Microsoft (Adallom)
In September 2015, Microsoft completed its acquisition of Adallom, a CASB that had been shipping since early 2013. This brought CASB to Microsoft's Enterprise Mobility + Security (EMS) suite and added new capabilities to Office 365.
➢ Imperva
Founded in November 2002 and has been shipping a CASB product since January 2014, when it acquired Skyfence. Imperva focuses on providing detailed user activity monitoring, cloud DLP, access control and threat protection.
➢ Bitglass
Founded in January 2013 and has been shipping a CASB product since January 2014. Bitglass integrates several mobile data management (MDM) and IAM capabilities into its offering, such as remote wipe, single sign-on (SSO) and a dual Security Assertion Markup Language (SAML) proxy, providing basic MDM and IDaaS capabilities.
➢ Palo Alto Networks
Palo Alto Networks was founded in 2005 and has been shipping a CASB product since September 2015. In May 2015, Palo Alto Networks acquired CirroSecure, an API-only based CASB provider more focused on discovery, SaaS policy and security management for the product now called Aperture.
➢ CensorNet
Founded in February 2007 and has been shipping a CASB product since April 2015. CensorNet is one of the newer entrants into the CASB market, and its CASB offering complements its existing email and web security products. It also recently acquired a two-factor authentication company (SMS Passcode) to complement its product portfolio.
➢ CipherCloud
Founded in October 2010 and has been shipping a CASB product since March 2011. CipherCloud was an early entrant in the CASB market, with an initial focus on the encryption and tokenization of data in popular enterprise cloud services, like Salesforce.
➢ Cisco CloudLock
Founded in January 2011 and has been shipping a CASB product since October 2013; it was acquired by Cisco in June 2016. It uses an API-only approach to the CASB market. It leverages APIs from cloud services (SaaS, PaaS, IaaS).
➢ FireLayers
Founded in November 2013 and has been shipping a CASB product since April 2014. FireLayers is a multimode CASB delivering API, forward and reverse proxy, plus a SAML gateway. It provides cloud application discovery, but not SaaS service security posture assessments. Instead, it focuses on threat protection, behavior analytics, contextual access control and detailed activity monitoring.
➢ Netskope
Netskope was founded in October 2012 and has been shipping a CASB product since October 2013. It focuses on user behavior analytics within managed and unmanaged SaaS applications, including extensive user activity monitoring and DLP/DCAP capabilities.
➢ Palerra
Palerra was founded in July 2013 and has been shipping a CASB product since January 2015. In September 2016, Oracle announced its intention to acquire Palerra. Palerra takes an API-based approach to CASB and covers SaaS, PaaS and IaaS services.
➢ Skyhigh Networks
Skyhigh Networks was founded in December 2011 and has been shipping a CASB product since January 2013. Skyhigh was one of the first CASB providers to emphasize the shadow IT problem with a large cloud service discovery database; and cloud service security posture and risk assessment was an initial and still critical use case for CASB technology.
Further reading and references:
• https://www.bluecoat.com/products-and-solutions/casb-cloud-access-security-broker
• http://security-musings.blogspot.in/2015/04/comparing-cloud-access-security-broker.html
• http://www.bitglass.com/blog/cloud-access-security-brokers-post5
• https://www.ciphercloud.com/blog/casb-101-cloud-access-security-brokers/