Before going into what a CASB (cloud application security broker) is and explaining the value it can bring to companies – let’s take a step back and look at how IT evolved from companies having “data-silos” to a distributed data collection that stretches as far as the internet.
Computers became popular because enterprises saw the benefits of having a reliable and efficient way to process data. Physical security was the only real concern back then. Mainly, because the data was processed locally, and company data was not publicly reachable. Security was an afterthought in many cases and later, protocols and standards had to be redesigned to make them secure(r). The regulations and laws that we have today around data and cybercrimes were not defined from the get-go either.
With the internet and as technologies evolved, so did the way we access company data. Businesses started to adopt having remote access to their servers, not only for employees but also to connect servers together to be able to share data between remote company branches for example.
At this point, having a strong receptionist who knows kung-fu wasn’t enough anymore to protect company data. Network security technologies like VPN and firewalls were adopted to secure company data from unwanted access.
The next big security perimeter change came with cloud technologies. Enterprises realized the benefits of working with cloud environments, such as:
- Flexibility in scaling up or down infrastructure and services
- Simplicity of the internal IT (maintenance and patching are done by the cloud provider)
IaaS, PaaS and SaaS (Infrastructure/Platform/Software as a Service) rapidly became popular and every modern organization uses a combination of them by now.
For an average employee, the above picture changed to something like this:
This is nothing new but during a pandemic where everyone is working from home regardless of task or role it becomes crucial that the security teams have these federated authentications and the decentralized company data secured and under control.
CASB – Cloud application security broker
Now, where do companies have the biggest risks when it comes to data security? It all starts with visibility. If you do not know what to protect, you can’t possibly protect it the right way. An average company has traffic going to over 1000 different cloud services per year. That’s not an easy task to manually analyze or understand. Because of this, CASB (cloud application security broker) solutions are becoming the standard security tool to achieve this visibility and more. A CASB will analyze the traffic between a user and a cloud application and enforce policies to either alarm or block unwanted actions. The policies define the acceptable use of cloud applications and prevent, for example, downloading malware or exfiltration of company data by having DLP (data loss prevention) mechanisms in place.
CASB solutions differentiate company owned devices from devices that are external or privately owned and cloud accounts that are company owned compared to cloud accounts that are privately used by users. For this CASB vendors came up with their own terminology:
Managed Device
The traditional work device that companies give to their employees to work on. These devices usually come with anti-malware and a client-side firewall activated while limiting privileges of users to prevent configuration modification.
Unmanaged Device
Compared to a managed device, an unmanaged device is usually owned by the employee and used privately. But it can also be a work device of a contractor or temporary employee. There is a need to identify unmanaged devices on your company cloud account and block actions if needed.
Sanctioned Cloud Application
Sanctioned cloud applications are cloud accounts that are company owned and therefore can be fully steered to a CASB solution for traffic analysis.
Unsanctioned Cloud Application
Any other “unmanaged” cloud account that employees use.
Shadow IT
Any kind of cloud usage of employees and IT processes that the internal security team is either unaware of or has no control into activities.
Commonly, CASB is known to provide three functionalities, each covering specific use cases – focused on accessing, using and securing cloud applications.
Forward proxy:
A CASB forward proxy steers the traffic from a user through a secure proxy applying inline policies.
Example use cases:
- Blocking insecure cloud applications
- Web filtering
- Preventing data from being leaked (real time)
- Preventing users from downloading malicious looking data
- Giving insight of what your managed devices are using and how (shadow IT)
Best suited for: Managed devices
Reverse proxy:
The other inline deployment of CASB is a reverse proxy. When attempting to access a cloud application that is owned by the enterprise, the user gets redirected to the reverse proxy which will authorize the user against the cloud application on the user’s behalf and then brokers the traffic between user and cloud application.
Example use cases:
- Preventing data from being leaked (real time)
- Preventing users from uploading malicious looking data
- Preventing unwanted cloud usage from unmanaged devices
Best suited for: Unmanaged devices
API scanner:
An API scanner is usually the third CASB deployment option. A CASB API scanner is not inline or between user and cloud application – this is also known as “out of band”.The API scanner will periodically perform tasks to verify and check the cloud application security posture, configuration or compliance.
Example use cases:
- Deleting or quarantining sensitive information and malware from cloud applications
- Giving visibility to internet exposed data (configuration checks)
- Blocking uploads of malicious content (near real time)
Best suited for: Scanning data that is already on cloud applications.
Conclusion:
At the Swisscom Outpost, we are currently validating CASB products together with Swisscom.
Compared to how IT started with basically no security in mind, we will nowadays continue to see more security features being embedded in solutions. Building future technologies will in some way or form always include security.
In the last two years of security scouting on behalf of Swisscom, the Swisscom Outpost engaged with and evaluated various modern security solutions like asset database tools that suddenly became network scanners and vulnerability analyzers. Another example are SDN controllers (software defined network) that added intrusion detection system features next to having a centralized firewall (VMware released IDS functionalities with NSX-T 3.0). Or a remote access solution that granularly checks the permissions of a user and so eliminates lateral movement and block unwanted actions in real time (Odo.io).
In the end, one of the Outpost’s goals is to help Swisscom expand their security portfolio by scouting and validating security solutions like CASB.
Please do not hesitate to reach out if you have any questions.
Beni Eugster, Cloud Operation Engineer @ Swisscom Outpost, Palo Alto, California, US, beni.eugster@swisscom.com
November 11, 2020