What is a Cloud Access Security Broker (CASB)?

A cloud access security broker (CASB) is a security service that acts as an intermediary between an organization's cloud users and its cloud providers. CASBs monitor data flowing to and from cloud platforms and enforce the organization's information security policies and regulatory requirements on that traffic. Much as a firewall enables businesses to enforce security policies for incoming and outgoing network traffic, a CASB enables them to enforce infrastructure and information security policies for cloud use.

Before the advent of cloud computing, IT infrastructure was hosted in on-premises or colocated data centers. IT and security professionals could enforce security policies because they controlled the hardware and software stack. Businesses have less direct control over hardware and software in the cloud era, but a CASB allows them to extend their existing security policies from on-premises environments to cloud environments.

What Does a Cloud Access Security Broker Do?

A CASB is a security service hosted either on-premises or in the cloud. Depending on its deployment mode, it either sits inline as a forward or reverse proxy between employee devices and cloud services, inspecting traffic as it passes, or connects out-of-band to the cloud provider's APIs to inspect data and activity already in the cloud service; many products support both modes. The primary purpose of a CASB is to reduce the risk of sensitive data being insecurely stored, accessed, and processed on cloud platforms.

CASBs are sophisticated platforms that can enforce a broad range of security controls. CASB capabilities include:

  • Authentication and identity management with SSO and IAM integration
  • Risk assessment and data governance in line with regulatory frameworks
  • App discovery to ensure the business is aware of cloud applications accessed by employees
  • User activity monitoring
  • Behavioral analytics to identify and mitigate threats
  • Cloud configuration auditing
  • Malware detection
  • Encryption
  • Key management
  • Monitoring and alerting
  • Device profiling

CASBs are designed to solve a specific set of problems, so a given product may not include every feature in this list. When selecting a CASB, businesses first assess their needs and then choose a solution that addresses their use case. Platform compatibility is one of the most critical factors: a CASB operating in API mode integrates with each cloud provider through that provider's APIs, which differ between platforms, so a cloud service the CASB does not integrate with is a blind spot. For example, a business that uses AWS will choose a CASB that supports Amazon's cloud platform, such as Bitglass.

Why Do Cloud Users Need a CASB?

Cloud platforms, whether SaaS, PaaS, or IaaS, attract businesses and employees because they reduce complexity, offer a versatile range of services, and are often less expensive than self-managed infrastructure. However, companies quickly discover that the loss of "walled garden" control over their own data center makes securing cloud environments more complex.

Employees often use unsanctioned cloud services to circumvent security restrictions and limitations in approved software. This is the well-known shadow IT problem. In 2019, a McAfee study showed that businesses use hundreds more cloud services than they know about. These services are not subject to security policies, compliance oversight, or internal governance processes. 

CASBs were initially developed to address the shadow IT problem by helping businesses to gain visibility into the cloud applications employees use. Over time, they have been enhanced with numerous other features that empower businesses to take back control of infrastructure security and cloud compliance.

What Are the Four Pillars of CASB?

Gartner, the IT research and advisory firm that coined the term, describes CASB solutions as having four main pillars of functionality:

  • Compliance. Cloud platforms provide IT services, but businesses are responsible for using them in compliance with relevant regulatory frameworks. CASB solutions help businesses identify potential compliance risks for regulations such as HIPAA and PCI DSS.
  • Visibility. CASBs monitor cloud services and applications for use that contravenes data security policies. They provide risk analyses and allow businesses to control, limit, or prevent access depending on the application, the user’s access levels, and other factors.
  • Data security. CASBs offer data security features to observe and protect data as it moves between on-premises infrastructure and cloud environments.
  • Threat protection. Because CASBs have visibility into data and app usage patterns, the software can identify and mitigate potential threats such as unauthorized access, data exfiltration attempts, and malware infections.
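The visibility pillar is the one most easily shown in code: a CASB's app-discovery feature ingests proxy or firewall logs, maps each destination to a catalog of known cloud services, compares that against the list of apps the business has sanctioned, and applies a per-request policy. The following Python script is an added illustration written for this article; it is not code from the page or from any CASB vendor. The log format, the app catalog, the risk scores, and the sanctioned list are all constructed for the example.

```python
"""Toy illustration of the CASB visibility pillar: discover cloud apps in a
proxy log, classify them against a catalog and a sanctioned-app list, and
decide a policy action per request. All data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical app catalog of the kind a CASB vendor maintains:
# registrable domain -> (app name, category, risk score 1..10).
# Names are real services, but the scores are illustrative only.
APP_CATALOG = {
    "sharepoint.com": ("Microsoft 365", "collaboration", 2),
    "dropbox.com": ("Dropbox", "file-sharing", 5),
    "wetransfer.com": ("WeTransfer", "file-sharing", 7),
    "pastebin.com": ("Pastebin", "text-sharing", 8),
}
SANCTIONED_APPS = {"Microsoft 365"}   # what the business has approved
BLOCK_RISK_THRESHOLD = 7              # unsanctioned apps at/above this are blocked

# Constructed proxy log, one request per line:
# "<iso-time> <user> <method> <url> <bytes-uploaded>". Not a real product's format.
SAMPLE_LOG = """\
2024-03-04T09:01:12Z alice GET https://contoso.sharepoint.com/sites/hr 0
2024-03-04T09:02:40Z bob POST https://www.dropbox.com/upload 5242880
2024-03-04T09:03:05Z carol POST https://wetransfer.com/api/v4/transfers 734003200
2024-03-04T09:04:22Z bob POST https://pastebin.com/api/api_post.php 2048
2024-03-04T09:05:50Z dave POST https://notdropbox.com/upload 1024
2024-03-04T09:06:01Z alice GET https://www.wetransfer.com/downloads/abc 0
"""


def lookup_app(host):
    """Map a hostname to a catalog entry by matching whole DNS labels, so
    'www.dropbox.com' matches 'dropbox.com' but 'notdropbox.com' does not
    (a plain endswith() check would get that wrong)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        entry = APP_CATALOG.get(".".join(labels[i:]))
        if entry:
            return entry
    return None


def decide(app_entry):
    """Policy action for one request. Unknown destinations are logged for
    review rather than blocked: that is the discovery posture for shadow IT."""
    if app_entry is None:
        return "log-unknown"
    name, _category, risk = app_entry
    if name in SANCTIONED_APPS:
        return "allow"
    if risk >= BLOCK_RISK_THRESHOLD:
        return "block"
    return "coach"  # permit, but warn the user and record the use


@dataclass
class AppUsage:
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_uploaded: int = 0


def discover(log_text):
    """Parse the log, decide each request, and aggregate usage per app.
    Returns (per-request decisions, per-app usage)."""
    decisions = []
    usage = defaultdict(AppUsage)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, method, url, sent = line.split()
        host = urlsplit(url).hostname or ""
        entry = lookup_app(host)
        app_name = entry[0] if entry else f"unknown:{host}"
        decisions.append((ts, user, app_name, decide(entry)))
        u = usage[app_name]
        u.users.add(user)
        u.requests += 1
        if method == "POST":          # only uploads count toward exfil volume
            u.bytes_uploaded += int(sent)
    return decisions, dict(usage)


def shadow_it_report(usage):
    """Unsanctioned apps seen in the log, largest upload volume first."""
    rows = [(app, len(u.users), u.requests, u.bytes_uploaded)
            for app, u in usage.items() if app not in SANCTIONED_APPS]
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    decisions, usage = discover(SAMPLE_LOG)
    for d in decisions:
        print("%s %-6s %-24s %s" % d)
    print("\nShadow IT (unsanctioned) apps:")
    for app, users, reqs, up in shadow_it_report(usage):
        print(f"  {app:<24} users={users} requests={reqs} uploaded={up}")
```

Two design points carry over to real deployments. Matching on whole DNS labels rather than a substring avoids look-alike domains slipping into a trusted category, and treating unknown destinations as "log for review" rather than "block" is what lets discovery surface the long tail of services nobody knew about; the block list is tightened only once the catalog and the sanctioned list reflect what was found.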

How Does a CASB Promote Compliance in the Cloud?

Cloud access security brokers facilitate secure and compliant cloud use. Because CASBs provide visibility into and control over data use in the cloud, businesses can more effectively enforce cloud security controls that support regulatory compliance goals. 

However, CASBs are only part of a comprehensive cloud security program. They are one component of a layered approach to cloud security that also includes security awareness training and cloud security audits conducted by qualified information security auditors. 

To learn more about cloud security and cloud compliance audits, visit KirkpatrickPrice’s cloud security resources, including dozens of educational videos and our free AWS security scanner.

Ask the Expert: Penetration Testing

Penetration Testing for HIPAA Compliance

Penetration testing is a critical line of defense when protecting your organization’s sensitive assets – especially Electronic Protected Health Information (ePHI). Penetration testing is the process of performing authorized security testing of an environment to identify and exploit weaknesses associated with the targeted systems, networks, and applications before those weaknesses can be exploited by a real attacker. When performed in support of HIPAA compliance, the goal is to identify issues that could result in unauthorized access to ePHI.

In this webinar, KirkpatrickPrice’s Lead Penetration Tester answers your questions about penetration testing, including:

  • What is the difference between penetration testing and vulnerability scanning?
  • Should penetration testing include a human element or can it be done using tools alone?
  • Do I have to hire a third party to perform penetration testing?
  • How often should I have penetration testing done when preparing for a HIPAA assessment?
  • Should I retest after remediation? Should the firm I work with include retesting in the engagement?
  • How do I know which level of penetration testing is right for me? What are the options?
  • How do you choose targets in large IP address spaces?
  • What is the difference between web application penetration testing and network penetration testing?
  • Does penetration testing include API testing?
  • How do you balance applying automated tools to the target vs something manual to the target, like someone at a laptop?
  • As the IT landscape continuously grows, how do you ensure that you get the correct skills on a penetration test, since no one knows everything?
  • How does KirkpatrickPrice price penetration testing engagements?

More Penetration Testing for HIPAA Compliance Resources

HHS.gov HIPAA Security Rule for Professionals

164.308(a)(8) Standard: Evaluation

NIST SP 800-66 (HIPAA Security Rule implementation guidance)

NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment)

Open Source Security Testing Methodology Manual (OSSTMM)

Open Web Application Security Project (OWASP)

Penetration Testing Execution Standard (PTES)

Penetration Testing Framework

Internal vs. Third-Party Audits: Why You Need to be Leveraging Both

Internal Audits vs. External Audits

Is an internal audit enough? Should you utilize both internal and external audits? This is an ongoing conversation in our arena. But at KirkpatrickPrice, we know that there is power in having both perspectives, especially when it comes to conquering your compliance goals. If you want to prove to your stakeholders that you’re willing to do everything you can to take control of the cyber risks your organization is faced with, listen as KirkpatrickPrice’s Founder and President, Joseph Kirkpatrick, discusses the real differences between internal and external audits and how the difference could impact your organization’s compliance efforts.

According to the Institute of Internal Auditors, "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes." Internal audits are useful because they are closely aligned with your organization's objectives and are conducted by people who know your unique business rules and applications and are familiar with your organization's personalities, relationships, and histories. They shouldn't be relied upon alone, however. Internal audit functions are often weakened because staff develop tunnel vision; it is difficult to keep up with current trends and issues; limited staff and resources hold back adoption of new techniques; and, over time, the internal audit voice can lose influence.

On the other hand, external audits can strengthen your internal audit processes, as they offer independence and objectivity, subject matter experts, enhanced credibility with partners and stakeholders, and a wide array of resources to address your unique challenges.

Investing in external audits can be challenging depending on your size, personnel, experience, time, and financial resources, but at the end of the day, they can enhance your internal audit program and give you the third-party assurance you need to validate the accuracy of your internal audit findings.

Watch the full webinar on-demand now to learn more about the differences between internal audits and external audits, find out tools internal auditors should be equipped with, and more.

Top Mistakes C-Level Execs Make When It Comes to Security and Compliance

How Can C-Levels Overcome Compliance Challenges?

The growth and maturity of the security function will only rise as far as its leader's capacity. Cyber and compliance threats are advancing, putting organizations' financial and human resources at risk. Because of this, business leaders must learn to recognize and overcome the mistakes they commonly make when overseeing information security and compliance. What are those mistakes? In this webinar, Joseph Kirkpatrick will teach executives how to conquer challenges like implementing a culture of security throughout the organization, overcoming the language barrier between cybersecurity and the business, correcting common misconceptions around security and privacy, and developing the talent of their personnel.

The First Mistakes Executives Need to Overcome

When first establishing your business culture, what did you want it to focus on? Integrity? A team-oriented atmosphere? Maybe even fun? While these are all notable components of a business culture, if security is of any interest to you at all, you'll also build it into the culture you establish. Why? Because whatever you base your culture on, whether it's teamwork or security, is what you'll train on regularly and discuss often, and your personnel will be more likely to participate in it actively. How can you do this? By creating a cybersecurity culture management plan. This plan should define your organization's security objectives, establish education and training requirements, and place personal responsibility on employees for maintaining security. After all, everyone, regardless of position in the company, plays a role in security.

Culture Training is a Necessity

If you aren't conducting some type of culture training, you should be. As millennials become a bigger portion of the workforce, businesses are experiencing more security incidents. While it was once assumed that older generations, those with less technology experience, were more likely to fall victim to social engineering, the webinar argues that millennials pose the greater threat to your business because they are more likely to share information with and connect to strangers online. Because of this, you must adjust your training. Ask yourself: Are you providing the necessary and the right training to the newest members of your workforce? Do your millennial-aged personnel know not to share sensitive information online? What happens if they do?

Is your security culture non-existent? Need more information on culture training? It’s never too late to address the culture of security at your organization. Learn more about conquering this challenge and how to overcome four other mistakes by watching the full webinar now.

Fact or Fiction: Everything You Need to Know about Leading Compliance Initiatives

Why is Compliance a Top 3 Initiative?

It's no secret that the cyber threat landscape is evolving at an alarming rate. Now more than ever, businesses must implement compliance initiatives to counter the growing threat of cyberattacks in the new decade. As a leader of your organization, it's your responsibility to see this through. In this webinar, KirkpatrickPrice President Joseph Kirkpatrick covers everything you need to know about leading compliance initiatives.

According to a 2019 survey conducted by The Conference Board, “U.S. CEOs rank cybersecurity as their #1 concern.” Now, why is that? Take a look at just a few statistics that IBM’s 2019 Cost of a Data Breach report included:

  • The global average total cost of a data breach is $3.92 million
  • The global average size of a data breach is 25,575 records
  • The global average time to identify and contain a breach is 279 days
  • Inadvertent data breaches from human error and system glitches are still the root cause for nearly half (49%) of the data breaches studied in the report
  • If a third party caused the data breach, the cost increased by more than $370,000

As security incidents and data breaches are on the rise, C-suite executives must carry more of the responsibility to ensure that their organizations are prepared for the advancing threats of malicious individuals and groups.

6 Steps for Leading a Successful Compliance Initiative

While this list isn’t exhaustive and should be formatted to meet your business and industry needs, the following six steps can guide executives toward leading a successful compliance initiative, help prepare organizations against cyber threats, and ensure compliance.

  1. Connect the goal to your business’ purpose
  2. Accept responsibility
  3. Define priorities
  4. Choose the team
  5. Determine S.M.A.R.T. goals
  6. Enforce accountability

Want to dive deeper into these insights? Watch the full webinar on-demand now!