A cloud access security broker (CASB) is a software security service that acts as an intermediary between business cloud users and cloud providers. CASBs monitor data flow to and from cloud platforms, ensuring that cloud use comply with information security policies and regulations. Much as a firewall enables businesses to enforce security policies for incoming and outgoing network traffic, a CASB enables them to enforce infrastructure and information security policies for cloud use.
Before the advent of cloud computing, IT infrastructure was hosted in on-premise or colocated data centers. IT and security professionals could enforce security policies because they controlled the hardware and software stack. Businesses have less control over hardware and software in the cloud era, but a CASB allows them to extend security policies from on-premise environments to cloud environments.
What Does a Cloud Access Security Broker Do?
A CASB is a security service hosted either on-premise or in the cloud. It mediates connections between devices used by employees and cloud services. The primary purpose of CASB security systems is to reduce the risk of sensitive data being insecurely stored, accessed, and processed on cloud platforms.
CASBs are sophisticated platforms that can enforce a broad range of security controls. CASB capabilities include:
- Authentication and identity management with SSO and IAM integration
- Risk assessment and data governance in line with regulatory frameworks
- App discovery to ensure the business is aware of cloud applications accessed by employees
- User activity monitoring
- Behavioral analytics to identify and mitigate threats
- Cloud configuration auditing
- Malware detection
- Key management
- Monitoring and alerting
- Device profiling
CASBs are designed to solve a specific set of problems, so they may not include all of the features in this list. When selecting a CASB, businesses first assess their needs and then choose a CASB security solution that addresses their use case. Platform compatibility is one of the most critical factors. CASBs interact with cloud providers via APIs, which differ between platforms. For example, a business that uses AWS will choose a CASB that supports Amazon’s cloud platform, such as Bitglass.
Why Do Cloud Users Need a CASB?
Cloud platforms—whether SaaS, PaaS, or IaaS—attract businesses and employees because they reduce complexity, offer a versatile range of services, and are less expensive than self-managed infrastructure. However, companies quickly discover that a lack of “walled garden” control makes securing cloud environments more complex.
Employees often use unsanctioned cloud services to circumvent security restrictions and limitations in approved software. This is the well-known shadow IT problem. In 2019, a McAfee study showed that businesses use hundreds more cloud services than they know about. These services are not subject to security policies, compliance oversight, or internal governance processes.
CASBs were initially developed to address the shadow IT problem by helping businesses to gain visibility into the cloud applications employees use. Over time, they have been enhanced with numerous other features that empower businesses to take back control of infrastructure security and cloud compliance.
What Are the Four Pillars of CASB?
The Gartner IT research consultancy describes CASB solutions as having four main pillars of functionality:
- Compliance. Cloud platforms provide IT services, but businesses are responsible for using them in compliance with relevant regulatory frameworks. CASB solutions help businesses identify potential compliance risks for regulations such as HIPAA and PCI DSS.
- Visibility. CASBs monitor cloud services and applications for use that contravenes data security policies. They provide risk analyses and allow businesses to control, limit, or prevent access depending on the application, the user’s access levels, and other factors.
- Data security. CASBs offer data security features to observe and protect data as it moves between on-premises infrastructure and cloud environments.
- Threat protection. Because CASBs have visibility into data and app usage patterns, the software can identify and mitigate potential threats such as unauthorized access, data exfiltration attempts, and malware infections.
How Does a CASB Promote Compliance in the Cloud?
Cloud access security brokers facilitate secure and compliant cloud use. Because CASBs provide visibility into and control over data use in the cloud, businesses can more effectively enforce cloud security controls that support regulatory compliance goals.
However, CASBs are only part of a comprehensive cloud security program. They are one component of a layered approach to cloud security that also includes security awareness training and cloud security audits conducted by qualified information security auditors.