Benefits of CASB
There are numerous security and management benefits to deploying a CASB product or service for your organization:
- A central location for consistent policy and governance across multiple cloud services for both users and devices (including BYOD).
- Granular visibility into, and control over, user activities, applications, sensitive data, and SaaS activity.
- Enables secure workforce mobility.
- Monitors and governs use of cloud applications such as Office 365.
- Enables businesses to take a granular approach to sensitive data protection, compliance, and policy enforcement, making it possible to safely utilize time-saving, productivity-enhancing, and cost-effective cloud services.
- Protects all device access to SaaS applications as the industry moves away from traditional devices and device management practices to accommodate BYOD.
- Inspects and provides analytics on data, application, and user behavior in cloud services, including the presence of unsanctioned employee cloud use and shadow IT.
- Integrates with an enterprise’s existing identity provider, security information and event management (SIEM) tool, and unified endpoint management (UEM) product.
- Encrypts or tokenizes sensitive content to enforce privacy.
- Detects and blocks unusual behavior indicative of malicious activity.
- Integrates cloud visibility and controls with existing security solutions.
- Operates in a multi-tenant cloud environment.
- Distinguishes between corporate and personal instances of cloud services and provides the ability to limit or block the exchange of data between them.
How to Deploy CASB
CASBs can be on-premises, colocated, or public cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to inject enterprise security policies as the cloud-based data or applications are accessed. CASB architecture is designed for flexibility, meaning a CASB can optionally operate as a virtual or physical appliance.
Deploying the right CASB architecture for your organization’s needs is critical to enable the use of all the features and use cases that you envision. Some features are available only in specific deployment models. When evaluating a cloud access security broker, confirm that the vendor and the solution support the deployment models you need. Enterprises often combine multiple deployment models to achieve complete coverage of their needs.
There are two primary CASB solutions:
Out-of-Band
The CASB does not sit in the traffic path between user and cloud, or cloud-to-cloud. The CASB monitors and logs activity, and may inject policy actions (such as allow, deny, delete, challenge permission) via API access.
While out-of-band CASB solutions can monitor and report on events and activity, they have no visibility into the content of the interactions.
Inline
These CASB solutions use a proxy mode that terminates/re-originates the traffic between the user and the cloud, or cloud-to-cloud. The CASB can be deployed as either a Reverse Proxy (close to the cloud), or a Forward Proxy (close to the user).
Inline CASB solutions can monitor and report, as well as make all policy decisions, and also have full visibility into (and the capability to decrypt and/or intercept) the content of the interactions.
Multimode CASB providers are those that offer a combination of an API mode and an inline mode of operation. While some of the most prominent cloud application and service providers publish public APIs, most SaaS applications do not, necessitating a CASB solution with at least one inline capability.
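To make the difference between the two modes concrete, the following added example (not from the original page or from any CASB product) runs the same policy over the same activity twice: once with the content an inline proxy would see, and once with only the metadata that the out-of-band mode receives as described above. The app names, tenant names, sensitive-data pattern, and the choice to answer "challenge" when content is unavailable are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed policy inputs (assumptions for illustration, not from any product).
CORPORATE_TENANTS = {("storage-app", "example-corp")}
SANCTIONED_APPS = {"storage-app"}
SENSITIVE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # SSN-shaped strings

@dataclass
class Activity:
    user: str
    app: str
    tenant: str                    # which instance of the service is addressed
    action: str                    # e.g. "upload", "download"
    content: Optional[str] = None  # present only when a proxy sits in the path

def decide(act: Activity) -> str:
    """Return one of the policy actions the page lists: allow, deny, challenge."""
    if act.app not in SANCTIONED_APPS:
        return "deny"                       # shadow IT: metadata is enough
    corporate = (act.app, act.tenant) in CORPORATE_TENANTS
    if act.action == "upload" and not corporate:
        if act.content is None:
            return "challenge"              # cannot inspect: ask the user instead
        return "deny" if SENSITIVE.search(act.content) else "allow"
    return "allow"

def out_of_band_view(act: Activity) -> Activity:
    """API/log feed as the page describes it: same event, no content."""
    return Activity(act.user, act.app, act.tenant, act.action, None)

def compare(acts):
    """Decision per activity in each mode: [(inline, out_of_band), ...]."""
    return [(decide(a), decide(out_of_band_view(a))) for a in acts]

# Constructed sample traffic.
SAMPLE = [
    Activity("alice", "storage-app", "example-corp", "upload", "Q3 plan"),
    Activity("alice", "storage-app", "personal", "upload", "SSN 123-45-6789"),
    Activity("alice", "storage-app", "personal", "upload", "holiday photos"),
    Activity("bob", "paste-site", "n/a", "upload", "build log"),
]

if __name__ == "__main__":
    for act, (inl, oob) in zip(SAMPLE, compare(SAMPLE)):
        print(f"{act.user:6} {act.app:12} {act.tenant:13} inline={inl:9} out-of-band={oob}")
```

Rules that depend only on metadata (unsanctioned app, corporate versus personal instance) give the same answer in both modes; the content rule is the only one that differs, which is why the two uploads to the personal instance are told apart inline but not out-of-band.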