What is a CASB and How Do You Even Say It?

Caleb Mast, Regional Sales Director, Bitglass

These are some of the questions that I asked as I went through the recruiting process with Bitglass. My goal was to understand the product completely before going out and pitching it to prospective clients. So, what exactly is a Cloud Access Security Broker (CASB)? By Gartner’s definition, CASBs (Cloud Access Security Brokers) are “on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed.

CASBs consolidate multiple types of security policy enforcement, just like a top rated college football program (such as Penn State) leverages skilled players at all positions to thwart the best efforts of competitors’ offenses (and as they’ll demonstrate against Ohio State on November 23 of this year).

Example CASB security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.”* If you’re like me, even after reading the official definition, you may be slightly confused. My hope is that this article will give you a better understanding of how a CASB may benefit your corporate security strategy.

It’s pronounced caz-bee by the way.

At the broadest level, a CASB provides risk mitigation controls that help organizations protect data as they adopt cloud applications. There are four critical security gaps in cloud applications that CASBs defend against:

Data Protection Beyond the Firewall: Pop quiz – if someone on an unmanaged device connects to Office 365 via wifi from a coffee shop, which security product in your stack protects this session? If you're at a loss, you aren't alone.

In the pre-cloud world, your security stack offered insight, security controls, data loss prevention, and threat protection to the IT staff in order to fully monitor and secure corporate data. However, this is under the assumption that the information traversed through at least some part of your corporate network. With the introduction of cloud into our corporate environments, employees now access company data outside of the four walls of the office with applications like Office 365, GSuite, Box, Salesforce, and so on and so forth. CASBs are architected to ensure security for any application, anywhere.

Bring Your Own Device: Once employees discovered how easy it was to access their company information from the cloud, they began doing so from their own personal devices (laptops, smartphones, tablets, et cetera). While many organizations want to provide flexibility and allow employees to work from any device, they shudder at the idea of sensitive corporate data syncing to a totally unmanaged (and potentially insecure or compromised), personal device. Once the information is on the user’s device, it becomes very difficult to have any control – cue the CASB.

Unmanaged Applications: Also known as shadow IT, these are applications over which IT has no visibility. Though these applications may not be inherently bad, they allow files to be stored and shared in an uncontrolled environment. This is a massive compliance violation at best, and a nightmare to any CISO. How should your organization address this problem? You guessed it.

Malicious Users: Pre-CASB, a malicious user would have to get through the corporate security stack undetected in order to get company information. Now that information resides in cloud applications, all parties, good and bad, can knock at the front door authentication prompt. Additionally, cloud usage balloons quickly – once an organization becomes cloud friendly, their cloud footprint expands rapidly. As such, malicious users (whether they are disgruntled insiders or hackers with compromised credentials), can easily exfiltrate data via cloud apps when proper security is not in place.

Organizations that utilize CASBs find that they are able to store sensitive information in the cloud without compromising on security. CASBs enable malware detection and remediation, geofencing, data encryption, session management, and more. What are you doing to protect corporate data across your cloud footprint? I would love to hear your strategies.