June 10, 2023

Understanding the Role of a CASB in Cloud Security Management


Security gaps opened as users' cloud applications and data access bypassed the traditional, perimeter-based security controls that used to inspect that traffic. A CASB fills these gaps with deep visibility and control. Ensure the CASB you select provides significant visibility into both sanctioned and unsanctioned (shadow) cloud apps. It should also offer threat protection based on user and entity behavior analytics (UEBA), including logging and alerting on suspicious behavior, and protect sensitive data using encryption, tokenization, or other mechanisms.

Visibility
Visibility is a core capability that ensures a cloud access security broker can see the data your organization uses in cloud applications. It enables your teams to detect shadow IT — unapproved services — and rogue or compromised accounts. It is essential for detecting and limiting access to sensitive information in the cloud, including PCI, PHI, and PII data.

Security gaps appeared as enterprises accelerated the formal adoption of IaaS, PaaS, SaaS, and FaaS resources. To close them, CASBs have evolved cloud-focused services and products that provide visibility of multi-cloud traffic. Traditionally, these tools used proxy mode to terminate and re-originate traffic from the network firewall, which created significant architectural and operational complexity and disjointed management.

A newer generation of CASBs offers an alternative that combines traffic interception with threat protection to improve security performance. This model removes the need for proxy agents and reduces the attack surface through deep threat inspection. It also enables IT to identify and prioritize critical threats based on contextual intelligence instead of relying on hundreds of alerts from separate tools, which improves the efficiency of security teams and lets them respond quickly to business risks. In addition, many CASB solutions use machine learning to automate threat alerts and responses — and deliver a more accurate prioritization that addresses the growing problem of alert fatigue.

Compliance
With the growth of bring-your-own-device programs and unsanctioned employee app usage (shadow IT), CASBs offer critical visibility into both the cloud applications deployed by the organization's IT team (sanctioned apps) and those that are not (unsanctioned apps). With this information, IT teams can enforce policy to ensure compliance with industry security standards, corporate policies, and regulatory requirements such as HIPAA and GDPR, and prevent data leaks.

To do this, CASBs perform auto-discovery to compile and continuously update a list of all cloud apps used by the organization, their affiliated employees and students, and the sensitive data they contain or share. CASBs then classify each application, determining its risk factor using a combination of heuristics, community trust ratings, and other criteria. They also provide insight into the users of a particular application to identify risks hidden by an otherwise benign use case.

Many CASBs are also designed to operate in a hybrid mode, combining proxying with API control. This lets them leverage the capabilities of the cloud service provider and offers faster deployment, more comprehensive coverage, and support for unmanaged devices. It also allows for more robust protection features such as malware detection, sandboxing, device profiling, and network segmentation. In addition, it enables granular access controls to stop downloads of malicious files on managed devices and to apply protection labels to unmanaged devices.
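The auto-discovery and risk-classification step described above, as an added example that is not code from the original post or from any CASB vendor: it parses a constructed set of web-proxy log lines, builds a per-app inventory (users, request count, bytes uploaded), marks each app sanctioned or unsanctioned against a hypothetical IT inventory, and scores risk from a hypothetical community trust rating plus a simple upload-volume heuristic. The sanctioned list, trust ratings, log format and thresholds are all assumptions for the example.

```python
"""Shadow IT discovery over constructed proxy log lines (added example, not vendor code)."""
import re
from dataclasses import dataclass, field

# Constructed sample proxy log: timestamp user method host bytes_sent
PROXY_LOG = """\
2023-06-10T09:01:12Z alice CONNECT login.microsoftonline.com 1840
2023-06-10T09:02:40Z alice PUT     sharepoint.com 5242880
2023-06-10T09:05:03Z bob   POST    wetransfer.com 78643200
2023-06-10T09:06:11Z carol GET     dropbox.com 2048
2023-06-10T09:07:55Z bob   POST    wetransfer.com 104857600
2023-06-10T09:09:30Z dave  POST    pastebin.com 12288
2023-06-10T09:10:02Z erin  GET     sharepoint.com 40960
"""

# Hypothetical sanctioned-app inventory maintained by the IT team.
SANCTIONED = {"login.microsoftonline.com", "sharepoint.com"}

# Hypothetical community trust ratings (0-100, higher is more trusted), standing in
# for the CASB's app catalogue. Apps missing here get no trust credit at all.
TRUST_RATING = {"dropbox.com": 85, "wetransfer.com": 60, "pastebin.com": 20}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")
UPLOAD_METHODS = {"PUT", "POST"}
LARGE_UPLOAD_BYTES = 50 * 1024 * 1024  # assumed threshold: 50 MiB sent to one app


@dataclass
class AppUsage:
    host: str
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_uploaded: int = 0


def discover_apps(log_text: str) -> dict:
    """Compile the per-app usage inventory from raw proxy lines (auto-discovery)."""
    apps = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        _ts, user, method, host, nbytes = m.groups()
        usage = apps.setdefault(host, AppUsage(host))
        usage.users.add(user)
        usage.requests += 1
        if method.upper() in UPLOAD_METHODS:
            usage.bytes_uploaded += int(nbytes)
    return apps


def risk_score(usage: AppUsage) -> int:
    """Heuristic risk: sanctioned apps score 0; otherwise low trust and large uploads raise it."""
    if usage.host in SANCTIONED:
        return 0
    score = 100 - TRUST_RATING.get(usage.host, 0)
    if usage.bytes_uploaded >= LARGE_UPLOAD_BYTES:
        score += 25  # large outbound volume to an unsanctioned app is a data-leak signal
    return min(score, 100)


def classify(log_text: str) -> list:
    """Return one row per discovered app, highest risk first."""
    rows = []
    for usage in discover_apps(log_text).values():
        rows.append({
            "host": usage.host,
            "sanctioned": usage.host in SANCTIONED,
            "risk": risk_score(usage),
            "users": sorted(usage.users),
            "mib_uploaded": round(usage.bytes_uploaded / 2**20, 1),
        })
    rows.sort(key=lambda r: (-r["risk"], r["host"]))
    return rows


if __name__ == "__main__":
    for row in classify(PROXY_LOG):
        print(row)
```

The output ranks pastebin.com (low trust) and wetransfer.com (moderate trust, 175 MiB uploaded by one user) above dropbox.com, while the two sanctioned apps score 0; the user list on each row is what lets an analyst tell a single rogue account from broad, benign adoption.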

Threat Prevention
Organizations must protect the application layer against cyber threats as they move their sensitive data to the cloud. For this, CASBs need solid threat prevention capabilities that recognize the data patterns of known malware and other hazards and detect them quickly. In addition to detecting known threats, CASBs need to identify new, emerging, and sophisticated attacks. This requires them to perform detailed logging, establish consistent operating patterns for each user, and use user behavior analytics to find anomalies against those patterns. Furthermore, they need the ability to protect against attacks involving sensitive data, such as payment card industry (PCI) data, personally identifiable information (PII), or protected health information (PHI). CASBs can use encryption, pseudonymization, and tokenization to replace such data with non-sensitive substitutes. Many CASBs offer this functionality, but enterprises often need more robust protection than it alone provides.

Moreover, CASBs on their own are limited in preventing threats from entering the enterprise over public cloud connections. To overcome this limitation, CASBs can integrate with other security and network technologies to provide comprehensive web and cloud security. For example, they can be paired with secure web gateways or next-generation firewall-integrated cloud solutions to offer a complete set of features for mitigating the latest cloud threats.
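The "establish consistent operating patterns, then use behavior analytics to find anomalies" step above, as an added example that is neither the post's nor any vendor's code: it builds a per-user baseline (mean and standard deviation of daily download volume, plus the set of source countries seen) from constructed history records, then scores a day of new activity against it. Users with too little history are reported separately instead of being silently scored, which is the edge case a real deployment hits on every new joiner. The record format, the five-day minimum history, the 3-sigma threshold and the sample values are all assumptions for the example.

```python
"""UEBA-style baseline and anomaly scoring over constructed activity records (added example)."""
import statistics
from collections import defaultdict

MB = 1_000_000
MIN_HISTORY_DAYS = 5  # assumed: days of history needed before a user gets a baseline
Z_THRESHOLD = 3.0     # assumed: flag volume this many standard deviations above the mean

# Constructed daily activity records: (day, user, source country, bytes downloaded)
HISTORY = [
    *[(f"2023-06-0{d}", "alice", "DE", v * MB)
      for d, v in zip(range(1, 8), (10, 12, 11, 13, 12, 14, 11))],
    *[(f"2023-06-0{d}", "bob", "US", v * MB)
      for d, v in zip(range(1, 8), (50, 55, 60, 65, 70, 58, 62))],
    ("2023-06-06", "carol", "FR", 8 * MB),
    ("2023-06-07", "carol", "FR", 9 * MB),
]

# Constructed records for the day being evaluated.
TODAY = [
    ("2023-06-08", "alice", "DE", 900 * MB),  # far above alice's usual volume
    ("2023-06-08", "bob", "BR", 60 * MB),     # usual volume, never-seen country
    ("2023-06-08", "carol", "FR", 500 * MB),  # large, but carol has only two days of history
    ("2023-06-08", "dave", "US", 5 * MB),     # user with no history at all
]


def build_baselines(history: list) -> dict:
    """Per-user operating pattern: mean/stdev of daily bytes and the countries seen."""
    per_user = defaultdict(lambda: {"volumes": [], "countries": set()})
    for _day, user, country, nbytes in history:
        per_user[user]["volumes"].append(nbytes)
        per_user[user]["countries"].add(country)
    baselines = {}
    for user, obs in per_user.items():
        vols = obs["volumes"]
        if len(vols) < MIN_HISTORY_DAYS:
            continue  # too little history to call anything "consistent"
        baselines[user] = {
            "mean": statistics.fmean(vols),
            # floor the spread at 1 MB so a perfectly flat history cannot divide by zero
            "stdev": max(statistics.stdev(vols), 1 * MB),
            "countries": set(obs["countries"]),
        }
    return baselines


def score_event(baselines: dict, event: tuple):
    """Return None when the user has no baseline, else the list of anomaly reasons."""
    _day, user, country, nbytes = event
    base = baselines.get(user)
    if base is None:
        return None
    reasons = []
    z = (nbytes - base["mean"]) / base["stdev"]
    if z > Z_THRESHOLD:
        reasons.append(f"download_volume z={z:.1f}")
    if country not in base["countries"]:
        reasons.append(f"new_country {country}")
    return reasons


def detect(history: list, events: list) -> dict:
    """Split a day's events into alerts (user -> reasons) and users lacking a baseline."""
    baselines = build_baselines(history)
    result = {"alerts": {}, "no_baseline": []}
    for event in events:
        reasons = score_event(baselines, event)
        user = event[1]
        if reasons is None:
            result["no_baseline"].append(user)
        elif reasons:
            result["alerts"][user] = reasons
    return result


if __name__ == "__main__":
    print(detect(HISTORY, TODAY))
```

Alice is flagged on volume and Bob on a new country, while Carol's large download goes to the "no baseline" list rather than disappearing: that list is what an analyst reviews by hand (or routes to a stricter default policy) until enough history accumulates.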

Security Analytics
Organizations deploying various cloud-based applications to support the business must address the risk associated with unsanctioned apps (shadow IT). The CASB can help by providing visibility into both managed and unmanaged apps. This includes determining what data these applications access and identifying potential breaches. Depending on the application, it may be necessary to disconnect from the service to reduce risk.

A CASB should provide strong threat protection capabilities to prevent data loss and minimize the impact of a breach. This typically involves detecting sensitive data as it is uploaded to a cloud service – whether sanctioned or shadow – and then blocking, deleting, placing on legal hold, or quarantining content flagged for a policy violation. It also requires the ability to detect malware introduced through cloud sync services or through use of a compromised account or password. The best CASB solutions provide the functionality described above so companies can safely support various cloud applications and business practices while meeting the organization's security requirements.
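The upload-time inspection described in this section and the tokenization described under Threat Prevention, combined in one added example that is not code from the original post or from any CASB product: content is scanned for payment card numbers (validated with the Luhn check, so a random 16-digit reference number is not a false positive) and for US SSN-shaped PII, then a policy table decides, per data class and per destination, whether to allow, tokenize, quarantine or block the upload, with the most restrictive action winning. Tokens are computed with an HMAC under a demo key so that the same card always maps to the same token without the card number leaving the broker. The sanctioned list, the policy table, the key and the sample content are all assumptions for the example.

```python
"""Upload-time DLP scan with tokenize / quarantine / block actions (added example, not vendor code)."""
import hashlib
import hmac
import re

# Hypothetical tokenization key; a real CASB would keep this in a vault or HSM.
TOKEN_KEY = b"constructed-demo-key-do-not-reuse"

# Hypothetical sanctioned-app inventory.
SANCTIONED = {"sharepoint.com"}

# 13-19 digits with optional space/dash separators (card numbers), and US SSN shape.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Hypothetical policy: action per data class and destination type.
POLICY = {
    "PCI": {"sanctioned": "tokenize", "unsanctioned": "block"},
    "PII": {"sanctioned": "allow", "unsanctioned": "quarantine"},
}
SEVERITY = ("block", "quarantine", "tokenize", "allow")  # most restrictive first

# Constructed upload body containing a Luhn-valid test card, an SSN, and a Luhn-invalid number.
UPLOAD_SAMPLE = ("Customer card 4111 1111 1111 1111 exp 12/25, SSN 123-45-6789, "
                 "order ref 1234 5678 9012 3456")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return (class, matched text) pairs for Luhn-valid PANs and SSN-shaped strings."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("PCI", m.group()))
    for m in SSN_RE.finditer(text):
        hits.append(("PII", m.group()))
    return hits


def tokenize(value: str) -> str:
    """Deterministic, keyed token that keeps only the last four digits for reconciliation."""
    digits = re.sub(r"[ -]", "", value)
    mac = hmac.new(TOKEN_KEY, digits.encode(), hashlib.sha256).hexdigest()[:12]
    return f"tok_{mac}_{digits[-4:]}"


def evaluate_upload(content: str, app: str, sanctioned: set):
    """Apply POLICY to one upload; returns (action, findings, content to forward or None)."""
    findings = find_sensitive(content)
    dest = "sanctioned" if app in sanctioned else "unsanctioned"
    wanted = {POLICY[kind][dest] for kind, _ in findings}
    action = next((a for a in SEVERITY if a in wanted), "allow")
    if action in ("block", "quarantine"):
        return action, findings, None  # nothing reaches the cloud service
    forwarded = content
    if action == "tokenize":
        for kind, value in findings:
            if POLICY[kind][dest] == "tokenize":
                forwarded = forwarded.replace(value, tokenize(value))
    return action, findings, forwarded


if __name__ == "__main__":
    for app in ("sharepoint.com", "wetransfer.com"):
        action, findings, body = evaluate_upload(UPLOAD_SAMPLE, app, SANCTIONED)
        print(app, action, [k for k, _ in findings], body)
```

The same document is forwarded to the sanctioned app with the card number replaced by a token (the SSN passes under this policy), and is blocked outright to the unsanctioned one; the Luhn-invalid "order ref" never appears in the findings. In practice the policy table, not the detector, is where most tuning happens.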
