What is a Cloud Access Security Broker?
Cloud Access Security Brokers (in short CASB) are local or cloud-based applications, which are placed between cloud service users and cloud service providers to check and implement cloud security guidelines for a company during access to cloud-based resources. Access to cloud applications is tightly controlled by the CASB.
The Task of Cloud Access Security Brokers
Cloud Access Security Brokers consolidate several types of implementations of security guidelines. Examples for security guidelines are:
- Single Sign-On
- Authorisation assignment
- Device profiling
- Malware and ransomware recognition / prevention
An important application for a CASB is recognition, monitoring and protection of a shadow IT. Apps for notes, file sharing or project management are readily downloaded by members of staff and used directly on several end devices, without the IT department being informed and allowing administrators to guarantee safeguarding the data. Here, CASBs can provide a solution by monitoring and controlling user activities, when users access cloud services via a mobile app, a desk top app or another client. They can also regulate access to public cloud services according to device ownership classes, monitor privileged accounts and block non-authorised activities in the cloud.
Consequently, a CASB ensures that the IT department of an organisation gains insight into all cloud programmes, apps, files, data and users. A CASB offers a range of security features which are platform and cloud enabled, but which are all managed from a single access point. A Cloud Access Security Broker acts as a supervisory body, which ensures that the data traffic between cloud provider and users takes places exclusively as per the rules defined by the company. On demand, Cloud Access Security Brokers enables an insight into the use of cloud applications across several cloud platforms. Unauthorised access and use is therefore quickly recognised.
Implementation Options of a Cloud Access Security Broker
Basically, there are two options how Cloud Access Security Brokers can be implemented: Either as an API-based CASB or a central gateway / proxy-based approach.
Implementation of a Cloud Access Security Broker as a central Gateway
The proxy-based CASB approach, which examines web-based data traffic to cloud services and forwards additional network traffic, offers a single gateway or inline mechanism, which enables users to access cloud resources. However, this approach is only scalable in a limited way and due to the additional network latency can compromise users‘ performance who access public cloud resources. Devices, which are not routed via the Inline CASB, can bypass security facilities and guidelines. Despite quick response of a gateway / proxy-based CASB, the lack of security of non-supported data traffic and the loss of performance experienced by end users are big disadvantages in relation to security and scalability.
Implementation of the Cloud Access Security Broker as an API Application
API-based CASBs are the latest approach for the instantiation of a Cloud Access Security Broker. Most of today’s software and public cloud resources by the big providers are geared up towards automation, which enables a programmatic interaction of infrastructure systems with code-based mechanisms. Using a modern API approach for the interaction with public cloud resources, the API-based Cloud Access Security Broker can be seamlessly integrated into the open APIs of the public cloud provider, which are made available for the consumption. This enables the API-based CASB native to enforce the security specifications and guidelines assigned by organisations.
API-based CASBs become a part of the public cloud resources, as opposed to an independent single gateway or “add-on”, which has to be passed before guidelines are applied. It enables dynamic “learning“, analysing data retrospectively and taking measures based on this analysis. In addition, these guidelines and security protocols are applied irrespective of the network path, which an end user is using to reach public cloud sources of the company. No proxy has to be configured on the end user device. There is no impact on performance for users as the Cloud Access Security Broker is natively integrated into the public cloud. It cannot be bypassed through VPNs or other network tools. The API-based CASB solution is simple to integrate and better to scale than a firewall / proxy-based CASB solution.
Conclusion of CASB
Due to the constantly increasing number of cloud applications and internet connections, conventional solutions regarding data loss prevention are now outdated. Cloud Access Security Broker develop themselves to a must for security solutions in organisations, which work with or would like to introduce cloud-based applications. Using a Cloud Access Security Broker, sensitive data is treated flexibly and according to its classification. Through the Cloud Access Security Broker, administrators receive in real-time a detailed overview of all applications in use and information about which data has been accessed. Cloud Access Security Broker also enable individual control of cloud access and are an effective tool to prevent the creation of a shadow IT. However, comprehensive cloud security is only guaranteed by using a combination of different solutions.
- Image 1: © ambercoin | pixabay.com
- Image 2: © Tumisu | pixabay.com
- Image 3: © TheDigitalArtist | pixabay.com