Gartner coined the term Cloud Access Security Brokers (or CASB) a few years ago and placed it at the top of its
security technology trends of 2014.
As defined by Gartner, CASB solutions are on-premises
or cloud-based security policy enforcement points, placed between consumers and cloud service providers, that offer monitoring and control across multiple cloud services.
Most Cloud Access Security Brokers focus on specific cloud and SaaS applications for their data
protection solutions and include standard security policies such as authentication, single sign-on and encryption.
Cloud Access Security Brokers should be application agnostic, being able to
integrate with any cloud or SaaS application, and offer an array of additional and more advanced layers of security such as device profiling, user behavioral analysis,
system logging and monitoring, alerting and the deployment of defensive countermeasures.
CASB Checklist
Below is a quick checklist for you to consider when evaluating CASB vendors. Work through this list and tick off the boxes to ensure your CASB is
providing you with the best possible security for your sensitive data.
Authentication
Visibility
Security
Detection
Protection
Compliance
Single Solution
1. Authentication
Your CASB should interact directly with users, performing identity checks such as device fingerprinting, geo-locking and behavioral analysis to ensure that users who have
the correct credentials are who they say they are.
A good CASB will follow an interoperable approach and integrate seamlessly with common enterprise systems, including SAML, Single Sign-On (SSO), Active Directory, policy
enforcement (Groups/Users), Okta, Ping etc.
2. Visibility
Utilizing cloud applications can sometimes create SIEM blind spots. Having a Cloud Access Security Broker that provides cloud app monitoring functions can help remove these
blind spots. Look for features such as the provision of real-time access logs, data consumption, usage patterns, device profiles, time, location, etc. Viewing all of this
information through a unified monitoring interface will give you complete visibility across all of your cloud applications.
3. Security
Selectively encrypting your data before it is sent to the cloud ensures that the end cloud application never stores your sensitive information as plain text. This matters
not only if the cloud app vendor ever incurs a data breach, but also for data residency and privacy regulations (see below): your data is encrypted before it gets to the
cloud and is unreadable should it be accessed by an unauthorized party. Having a CASB that supports policy-based decryption will prevent inappropriate sharing or leaking of data.
4. Detection
Second generation CASBs continually compile and build security profiles on each user passing through their cloud gateways. Each time a user enters the gateway, their behavior is
benchmarked against their historical patterns as well as those of their colleagues. This behavioral analysis is crucial in detecting security anomalies, significant changes in behavior or
outliers that could be the result of user credential theft or an insider threat.
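The benchmarking described above, sketched as an added example that is not part of the original article and is not any vendor's code: one session metric is scored against the user's own history and against their colleagues. The metric (MB downloaded per session), the user names, the threshold and the severity mapping are all assumptions made for illustration.

```python
import statistics

# Constructed sample data: MB downloaded per session (not from any real CASB log).
HISTORY = {
    "alice": [40, 55, 48, 52, 45, 50, 47],
    "bob":   [60, 58, 65, 62, 59, 61, 63],
    "carol": [35, 42, 38, 40, 37, 41, 39],
}

def zscore(value, baseline, min_sd=1.0):
    """Standard deviations between value and the baseline mean.
    min_sd floors the spread so a very flat baseline cannot make a
    tiny change look extreme (or cause a division by zero)."""
    mean = statistics.fmean(baseline)
    sd = max(statistics.pstdev(baseline), min_sd)
    return (value - mean) / sd

def score_session(user, value, history, threshold=3.0):
    """Benchmark one session against the user's own history and against peers."""
    own = history.get(user, [])
    peers = [v for u, vals in history.items() if u != user for v in vals]
    # A new user has no personal baseline, so only the peer comparison applies.
    self_z = zscore(value, own) if len(own) >= 3 else None
    peer_z = zscore(value, peers) if len(peers) >= 3 else None
    flags = [name for name, z in (("self", self_z), ("peer", peer_z))
             if z is not None and abs(z) >= threshold]
    # Hypothetical severity mapping: both baselines exceeded -> high, one -> medium.
    severity = {0: "none", 1: "medium", 2: "high"}[len(flags)]
    return {"user": user, "self_z": self_z, "peer_z": peer_z,
            "flags": flags, "severity": severity}

if __name__ == "__main__":
    for user, mb in [("alice", 50), ("carol", 62), ("alice", 900), ("dave", 55)]:
        print(score_session(user, mb, HISTORY))
```

The `carol` case shows why both baselines matter: 62 MB is ordinary for her colleagues but far outside her own history, so only the self comparison flags it.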
5. Protection
A CASB's ability to detect a threat is not enough to prevent a data breach. CASBs should have the capability to deploy automated countermeasures to ensure that threats are not only
detected, but thwarted. A flexible countermeasure engine can respond depending on the severity of the threat, and has a wide range of rules that can be configured to meet your
defined data protection policies, including specific platform or geolocation locks, behavioral analysis, or automatically deleting inactive user accounts.
6. Compliance
Meeting strict privacy, residency and data security requirements whilst using cloud applications can be difficult. However, a good Cloud Access Security Broker can be used to
meet access control, monitoring, encryption and other compliance requirements outlined in legislation such as HIPAA. Be sure to check vendor claims carefully to ensure full
compliance with industry specific regulations.
7. Single Cloud Security Solution
Having multiple security solutions for multiple cloud applications is a nightmare - some only offer a limited number of features and others only work with specific apps.
Try to find a Cloud Access Security Broker that offers a complete solution that not only ticks all of the boxes above, but also integrates with all your cloud and SaaS
applications. One that is truly cloud and SaaS application agnostic is ideal as it allows you to add additional apps in the future, without compatibility issues.
By analyzing CASB vendors against the seven criteria detailed, organizations have a good chance of selecting an appropriate vendor that will scale with their cloud
deployment strategy.