Cloud access security brokers (CASBs) are cloud-based security policy enforcement points placed between cloud service consumers and cloud service providers; they monitor all activity and enforce enterprise security policies. CASBs combine different types of security policy enforcement, including authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention, and so on.
CASB Life cycle
The CASB life cycle involves a complete solution that protects corporate data.
In the Cloud
Using a CASB for cloud encryption allows the enterprise to keep control over its encryption keys. Nobody can gain access to corporate data without the enterprise's knowledge.
The limitations of using a CASB for cloud encryption are that the SaaS application servers cannot process encrypted data, and the encrypted data cannot be searched.
CASB products rely on hand-coded logic for SaaS applications that use client-side AJAX for most of their UI, and the challenge is that the application usually breaks when it is updated.
At Access
A CASB works as a proxy between cloud apps and users, and it can view all traffic to those cloud apps to inspect and secure data. CASBs at access provide visibility, identity, access control, and data protection.
On the Device
CASBs need to protect data stored in the cloud, access to the cloud, as well as cloud data at consumption, which includes:
On the Network
If you have a secure web gateway or an up-to-date firewall, you already have a source for this data. CASB vendors offer free and paid commercial services as an ancillary service for identifying cloud apps via log analysis.
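The log-analysis discovery described above, sketched as an added example (not from the original article or any CASB product). The log format, the app catalog and the `.example` hostnames are constructed assumptions; real gateway and firewall exports differ.

```python
from collections import defaultdict
# Hypothetical app catalog: domain suffix -> (app name, sanctioned by IT?)
CATALOG = {"crm.example": ("ExampleCRM", True),
           "drive.example": ("ExampleDrive", True),
           "sharebox.example": ("ShareBox", False)}

# Constructed gateway log lines, assumed format: timestamp user dest_host bytes_out
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice app.crm.example 1200
2024-05-01T09:00:07Z bob upload.sharebox.example 52428800
2024-05-01T09:01:12Z alice upload.sharebox.example 1048576
2024-05-01T09:02:30Z carol paste.example 20480
2024-05-01T09:03:00Z bob notsharebox.example 999
malformed line without enough fields
2024-05-01T09:04:45Z carol eu.drive.example 4096
""".splitlines()

def classify(host, catalog):
    """Match a host to a catalog suffix on DNS label boundaries only."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if (entry := catalog.get(".".join(labels[i:]))):
            return entry
    return ".".join(labels), None  # not in catalog: unknown, needs review

def discover_apps(lines, catalog=CATALOG):
    """Aggregate users, requests and uploaded bytes per cloud app."""
    apps = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    skipped = 0
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdecimal():
            skipped += 1  # count unparsable lines instead of dropping them silently
            continue
        name, sanctioned = classify(parts[2], catalog)
        app = apps[name]
        app["sanctioned"] = sanctioned
        app["users"].add(parts[1])
        app["requests"] += 1
        app["bytes_out"] += int(parts[3])
    return dict(apps), skipped

def review_queue(apps):
    """Unsanctioned (False) and unknown (None) apps, largest upload volume first."""
    flagged = [(n, a) for n, a in apps.items() if a["sanctioned"] is not True]
    return sorted(flagged, key=lambda kv: kv[1]["bytes_out"], reverse=True)

if __name__ == "__main__":
    print(review_queue(discover_apps(SAMPLE_LOG)[0]))
```

Matching on label boundaries keeps `notsharebox.example` from being counted as ShareBox, and the skipped-line count shows how much of the log the parser could not account for.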
Proxy vs API based solution
Cloud access security brokers can be implemented in two ways: a proxy- or firewall-based approach, and an API-based approach. The two methods differ in their approach and limitations. The API-based approach is the most effective method for CASB implementation.
An inline proxy solution checks and filters known users and devices through a single gateway; because all traffic flows through the same checkpoint, it can take security action in real time.
This real-time security action is only effective if users cross the proxy to access cloud resources. If users are not configured correctly to access the public cloud through the proxy-based CASB, or have outdated or unsupported devices that cannot take advantage of it, then traffic that could be out of compliance goes unseen or unfiltered by the CASB.
The lack of visibility into unsupported traffic affects end-user performance despite the quick response. This is a major drawback in security and scale.
It also slows network performance, and only secures known users. Further, proxy-based solutions only secure SaaS cloud services, leaving IaaS and PaaS clouds vulnerable.
API Based Solution
An API-based CASB is an Out-of-Band solution that does not follow the same network path as data. Since the solution integrates directly with cloud services, API-Based solutions have no performance degradation, and they secure both managed and unmanaged traffic across SaaS, IaaS, and PaaS cloud services.
An API-based CASB platform is the most powerful and modern approach to instantiating a CASB. It can integrate flawlessly with the open APIs that public cloud vendors make available for consumption, allowing it to enforce the security and policy baselines assigned by organizations naturally.
It becomes part of the public cloud resources, as opposed to being a single standalone gateway or “add-on” that must be passed before security and policy are applied. Data can be analyzed retroactively, and actions can be taken based on the analysis.
Policies and security protocols are enforced regardless of which network path an end user takes to reach the company's public cloud resources.
No proxy configuration is needed on the end-user device, and end-user performance is not affected, since the CASB integrates naturally with the public cloud vendor. It prevents VPNs or other network means from bypassing it. The API-based CASB solution integrates and scales much better than a proxy-based CASB.
Some industry experts recommend a multimode approach, which is a CASB architecture that supports both API and proxy approaches. Both API and proxy approaches achieve multimode functionality, though they do it differently.
As enterprises move more business-critical functions to the cloud, implementing a CASB has become a mandatory control. Before choosing a CASB, it is important to know the facts on the alternatives so you can make the choice that is best for you.