Most organizations have CASB, as a consequence of Covid, migrated their entire application base from on-prem to cloud. They are also simultaneously migrating critical internal applications such as their CRM-based or HR modules to the cloud. Nowadays, many organizations are running the vast majority of their application operations through the cloud. As a result, it’s essential that IT and administrative teams remain vigilant when it comes to their organization’s application security posture.
Despite the growing popularity of the cloud for application deployment, there are still very few easily accessible security solutions for larger organizations that also require audits, and compliances like PCI/DSS, HIPAA, FedRAMP and ISO. All of the above procedures necessitate excessively large amounts of information, which should be provided by the participating organization. Unfortunately, this transfer of information is simply not occurring in a secure fashion on the cloud.
Enter Cloud Access Security Brokers or CASBs.
Who or what is a CASB?
Gartner defines Cloud access security brokers (CASBs) as “on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Examples of security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.”
Currently, enterprises are opting for CASB solutions thanks to the unparalleled protections and subsequent peace of mind afforded by their respective policies. By providing greater insights and increased visibility, CASB enables admin teams and stakeholders to remain in control of all aspects of security as it pertains to cloud resources and applications.
Companies such as McAfee and Trend Micro, known for their end-point detection solutions, have also begun to break into the space with offerings such as McAfee’s MVISION Cloud.
Why do enterprises need CASB?
Major organizations follow a multi-level or hybrid approach, using multiple CSPs (Cloud Solution Providers). In most cases, they’ll have a few of their applications, resources, or workloads running on one CSP while other applications are deployed to a different region under a separate CSP. At present, there are no solutions on the market that are able to streamline this process while providing solutions to the following critical security questions:
· How are we authenticating?
· Where are our organization’s resources being utilized and who is consuming said resources?
· What sort of data is being retrieved from applications?
· What is the most suitable security implementation based on application type and region?
CASB solutions sit in the sweet spot between oversight and optimal performance, thanks to their improved visibility and ease of information. With the scale of data accessibility, these solutions will also have machine learning and artificial intelligence-based engines built within. By providing the right set of details to these solutions and by training them on existing data, they will eventually detect anomalies, unusual patterns and events while providing insights to admin teams. Alerts would be generated and provided as feedback to the IT teams for them to act upon existing threats.
This is akin to the activity of a Security Operations Center. In a SOC, there are teams specifically monitoring any anomalies or unusual patterns 24/7, identifying and subsequently preventing them. They also write new prevention mechanisms and policies configured for specific cases to counter those attacks, particularly, designed at preventing future attacks.
As organizations grow, applications and their environments acquire greater complexity. They work in multi-mode, multi-regional environments, making it hard to monitor security at a granular level. Implementing such solutions within their cloud environments could provide more details, and teams can rely on this information and act accordingly. They could define new policies based on growing requirements or security concerns to counter-attack these scenarios.
Once enterprises understand how CASB solutions work, the modes of deployment, how they can gather insights, etc. the benefits received could be manifold.
How does CASB work?
CASB solutions can be configured in three deployment modes – reverse proxy, forward proxy and API mode. You will need to understand your requirement to select which mode works best. Each mode has its pros and cons. For instance, if I go with the API-based mode, it doesn’t offer real-time detection.
In forward proxy mode, CASB sits between cloud-based applications and the end user. All traffic is routed through CASB to the apps. As an example, Entersoft’s Vulnerability Management System (VMS) is a private application. Only specific users are allowed to access the details.
In the API mode, it is direct API integration from cloud applications to the provider. When it comes to the reverse proxy mode, the user attempts to establish communication directly with the cloud application in the first place before being routed through CASB. CASB authenticates the user and then establishes communication to cloud apps.
In all three modes, CASB monitors every activity pertaining to the whereabouts of the user trying to access cloud apps from – browser type, IP address, a laptop used, if these are regular login patterns for a particular application, etc. All of this data will be recorded – CASBs maintain these logs and also rely on cloud trails. The CASB acts as a man-in-the-middle. Since it is configured with your CSP’s environment, it can access all the above mentioned critical information while also analyzing patterns. It monitors every request and response, going back and forth between cloud apps and end users.
Rules for all security-related activities such as authentication, authorization, logs, etc. are all defined on CASB. Nowadays, with ‘work from anywhere’ becoming the norm, it is hard for network teams to define strict policies. CASB is a solution they could rely on to write any level of policies. For instance, the IT admin could set a rule that whenever Mr. A is trying to connect through an insecure hotspot, he will not be allowed to access the organization’s cloud resource.
Data security with CASBs
There are many use cases with CASB – right up to application-level authentications.
Data is another critical focus CASBs. Most organizations, predominantly, rely on CASBs for tokenization and data security as there are a lot of sensitive details for different applications. For particular data elements that they wish to protect, most organizations now rely upon DLP or data loss prevention solutions. They define specific rules, for example, stating that when a certain person is trying to exchange some email communication with an external entity, only files tagged as ‘non-sensitive’ are allowed to be shared.
The level of controls for any data tagged as ‘sensitive’ in the CASB solution can be configured in such a way that it cannot be shared in any scenario unless there are proper approvals. Every data element should be identified and classified as ‘sensitive’ or ‘non-sensitive’. Teams could assign tags and have some attributes associated with that particular data. When this data is being transmitted, CASBs try to identify these attributes. If there is a ‘sensitive’ tag and a policy in place which says that in this scenario sensitive details cannot be shared, it will block the request right away. It will prevent the request from even reaching the entity. These alerts are then raised to the admin teams so that they can look into the request and reach out to the particular team/individual. Based on the requirement and necessary approvals, they’ll allow or reject the request. This level of control is entirely possible when incorporating CASB solutions.
CASB and insights gained by the IT team
IT teams require high-level analytical data regarding their request and response cycles. They are concerned only with suspicious patterns and sensitive scenarios. CASB solutions apply certain rules and don’t unnecessarily waste the team’s time by stowing away all the details that could later be filtered out. They also have ML/AI-based engines designed to analyze these patterns.
However, it’s worth noting that these solutions will not give you results on day 1. The general time period in which they mature depends on how the organization’s team is training and providing data and relevant details required by their respective CASB solution. Once they compute, they will provide all the necessary details of anomaly patterns or events considered high risk for the organization.
CASB solutions are designed to frame the whole scenario and project it to admin teams. As an example – Ms. P is not only connecting from a rogue IP address but also consuming some sensitive details and trying to share them with an entity not involved in your organization.
The cloud throws out a whole lot of details, with some filters. The organization has to filter out data, drill it down and recognize the patterns. However, CSPs won’t do this out of the box. For this process, you must have a separate solution integrated into it. On the contrary, Azure has come up with Microsoft Defender for cloud, however, this does come at a premium. If I subscribe to Microsoft Azure Defender for cloud apps, CASB features are integrated and results are subsequently delivered on the Azure dashboards.
Detecting the use of unauthorized software
Many employees use company laptops for personal purposes – unknowingly installing malicious software, running torrents and using rogue apps not vetted by the security team. This poses a potentially huge threat to any organization’s security posture.
McAfee and Trend Micro offer anti-virus programs installed on laptops or enterprise systems, as end-point protection solutions. These solutions also have features that can be configured in CASB allowing only particular apps to run at any given point. A rogue app must be flagged and not allowed access to any resource. Sometimes, the entire PC could be blocked. It is possible for this level of policy to be written to contain each threat.
Embedding CIS baselines
CASB offers a host of possibilities and features.
Enterprises could also have CIS baselines embedded in the CASB solutions. CIS baselines can run through configuration-level issues – misconfigurations in the OS, in network devices, and in application configuration, etc. CASBs can provide these insights, stating that from a compliance perspective, ‘these’ are the scores and ‘this’ is where the organization stands based on configurations across applications and configurations of employee laptops. IT teams can then review and take action; if for example, the score falls below 75-80%.
CASBs also help to gauge whether Zero Day attacks are possible on their organization’s resources – servers or laptops. They also act to evaluate how the organization is performing in terms of security standards, solving questions such as “are they compliant while adhering to CIS baselines?”
What should companies look for when shortlisting a CASB?
A company should first identify where they stand. If you don’t have that level of sensitivity in terms of business operations and resources, then it’s better to stay away from CASB solutions as they’re likely not for you.
CASB is specifically designed for those companies who maintain a lot of sensitive data, operating in a variety of geographical regions and in a hybrid environment where they have the on-premises infrastructure and many different CSPs. In this case, it is the perfect centralized monitoring solution to gain visibility and insights on a micro level.
CASB solutions could also be helpful for your business if:
– You are having a tough time trying to provide security for your cloud applications.
– You’re experiencing difficulty monitoring all of your organization’s resources, particularly those connecting from untrusted regions.
However, in the above situations, you could have certain products integrated that can adequately circumvent the need for CASB. For instance, if you want to avoid data loss prevention, you could simply opt for a DLP solution if it is for a very specific application and for a small set of users, rather than going in for CASB.
The key is for an organization to understand the context first and get the mapping done for the entire user base consuming these resources.
Industries best suited to CASB
If the organization is working in a highly secure environment and all employees are coming to the office space and connecting to resources only through internal networks, then there is realistically no point in incorporating a CASB, unless your cloud applications are hosted across multiple CSPs. It’s essential that IT teams remain vigilant and make any CASB-related decisions based on their network setup. They need to understand their business first, and they should perform a critical evaluation to get the correct picture before making a call on whether to implement a CASB solution.
While we perform Cloud Configuration Audits at Entersoft, some of our customers have also approached us to enquire about centralized management solutions to achieve cloud security or to implement CASB solutions. We offer premium consultation services through our partner in this space – PSR groups. PSR groups have connections with CASB-specific resources and also organizations such as McAfee and Trend Micro. Once customers come to us with these requirements, we delegate this activity to PSR Groups. They come in with their consultants and help set up the most effective CASB solutions for their customers.