As organizations increasingly adopt cloud services and applications, securing access to these services becomes crucial to protect sensitive data and maintain compliance. Cloud Access Security Brokers (CASBs) have emerged as a key component in providing comprehensive visibility and control over cloud services. In this post, we'll explore the different deployment modes of CASBs, the time and effort required to set them up, how their core functionality is distinct from the various add-on functionalities CASB providers offer, and how CASBs fit into a broader security ecosystem.
Deployment modes of CASBs: Forward & reverse proxies
CASBs can be deployed using different modes, with forward and reverse proxies being the two most common approaches. Each mode has its advantages and challenges, depending on an organization's requirements and infrastructure.
How a forward proxy works
In forward-proxy mode, the CASB acts as an intermediary between users and cloud services. All traffic from users to the cloud services is routed through the CASB, which enforces security policies and monitors the traffic for potential risks. Forward proxies are generally deployed on-premises or as a virtual appliance within the organization's network. They require the installation and configuration of client software (agents) on users' devices, which can be a challenge in BYOD (Bring Your Own Device) environments.
How a reverse proxy works
In reverse-proxy mode, the CASB is deployed between the cloud service providers and the organization's users. The CASB intercepts and inspects the traffic before it reaches the users, applying security policies in real time. Reverse proxies don't require agents on users' devices, which makes them more suitable for BYOD environments. However, they may introduce latency because of the additional hop between the cloud service and the users.
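Whichever proxy mode is chosen, the CASB's job on each request is the same: decide whether the destination is a sanctioned app, whether the device state permits the action, and record the result so cloud usage becomes visible. The script below is an added illustration of that per-request policy and usage tally, not code from the original post or from any CASB product. The app catalogue, hostnames, the `managed`/`unmanaged` device flag and the log line format are all constructed for the example; the read-only treatment of unmanaged devices stands in for the reverse-proxy case, where no agent is present.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed catalogue of sanctioned cloud apps (hostnames are placeholders).
# "managed_only" marks apps that may only be used from a device running the
# CASB agent; unmanaged (BYOD) devices are what reverse-proxy mode sees.
SANCTIONED = {
    "mail.example-cloud.test": {"app": "Mail", "managed_only": False},
    "files.example-cloud.test": {"app": "Files", "managed_only": True},
    "crm.example-cloud.test": {"app": "CRM", "managed_only": True},
}

# Constructed proxy log format: timestamp user device-state method host
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dev=(?P<dev>managed|unmanaged) "
    r"method=(?P<method>[A-Z]+) host=(?P<host>\S+)$"
)


@dataclass
class Decision:
    action: str  # "allow", "allow_readonly" or "block"
    reason: str


def evaluate(host, managed_device, method):
    """Policy the proxy applies to one request before forwarding it."""
    entry = SANCTIONED.get(host)
    if entry is None:
        # Destination is not in the catalogue: block it and surface it as shadow IT.
        return Decision("block", f"unsanctioned app {host}")
    if entry["managed_only"] and not managed_device:
        # No agent on the device: allow viewing, refuse anything that writes data.
        if method in ("GET", "HEAD"):
            return Decision("allow_readonly", f"{entry['app']}: unmanaged device")
        return Decision("block", f"{entry['app']}: write from unmanaged device")
    return Decision("allow", entry["app"])


def process_log(lines):
    """Evaluate each logged request and tally cloud usage per user."""
    decisions = []
    usage = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guessing at them
        d = evaluate(m["host"], m["dev"] == "managed", m["method"])
        decisions.append((m["user"], m["host"], d.action, d.reason))
        entry = SANCTIONED.get(m["host"])
        label = entry["app"] if entry else f"unsanctioned:{m['host']}"
        usage[m["user"]][label] += 1
    return decisions, usage


# Constructed sample of proxied traffic, one request per line.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z user=alice dev=managed method=POST host=files.example-cloud.test
2024-05-01T09:12:09Z user=bob dev=unmanaged method=GET host=files.example-cloud.test
2024-05-01T09:13:41Z user=bob dev=unmanaged method=PUT host=files.example-cloud.test
2024-05-01T09:15:00Z user=carol dev=managed method=GET host=mail.example-cloud.test
2024-05-01T09:16:27Z user=carol dev=managed method=POST host=paste.unknown-saas.test
"""

if __name__ == "__main__":
    decisions, usage = process_log(SAMPLE_LOG.splitlines())
    for user, host, action, reason in decisions:
        print(f"{user:6} {action:15} {reason}")
    for user, apps in usage.items():
        print(user, dict(apps))
```

The usage tally is what gives the "visibility into cloud usage" a CASB is bought for: carol's request to an unknown host shows up as shadow IT even though it was blocked, and bob's unmanaged device is allowed to read from the sanctioned file service but not to write to it.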
CASBs' Core Functionality vs. Add-on Features
What exactly are CASBs used for? At their core, CASBs focus on cloud access management, ensuring that security policies are consistently applied across all cloud services. This includes visibility into cloud usage, user and device authentication, access control, and threat detection. However, many CASB vendors also offer additional features to enhance their offerings, such as:
- Data Loss Prevention (DLP): CASBs can integrate with existing DLP solutions or provide their own to monitor and prevent sensitive data from being leaked or accessed by unauthorized users. This is, however, often done at the network layer using a reverse proxy. To monitor data egress between devices and cloud applications, the CASB must act as a man-in-the-middle of sorts, decrypting all outgoing traffic in order to inspect it. This adds risk and, in some cases, breaks application functionality for end users.
- Endpoint Security: Some CASBs offer endpoint security features, such as device management, encryption, and remote wipe capabilities, to protect data on users' devices.
- Identity and Access Management (IAM): CASBs may include IAM features, such as Single Sign-On (SSO) and Multi-Factor Authentication (MFA), to enhance security and simplify user access management across multiple cloud services.
While these add-on features can provide additional value, it's important to remember that the primary purpose of a CASB is cloud access management. Organizations should carefully evaluate their needs and requirements before opting for additional features, as these can add complexity and cost to the overall solution.
What are the challenges of using CASBs?
Setting up a CASB solution can be complex and time-consuming, depending on the chosen deployment mode and the organization's cloud environment. Here are some examples of the effort involved in setting up CASBs:
- Forward Proxy: The installation and configuration of agents on users' devices can be time-consuming, especially in large organizations with a diverse range of devices and operating systems. Maintaining and updating these agents can also be challenging.
- Reverse Proxy: Configuring the CASB to work with multiple cloud service providers can be complex, as it may require setting up SSL certificates, custom domain mapping, and API integrations.
Misconfigurations can occur during the setup process, which may lead to security gaps or reduced functionality. Examples of misconfigurations include incorrect policy settings, insufficient access controls, or failure to update and maintain agents.
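The misconfigurations listed above are the kind a deployment team can check for mechanically. The linter below is an added example, not part of the original post or any vendor's tooling; the policy export format (a default action, first-match rules with `apps`, `actions`, `device` and `effect` fields, and an agent inventory) is an assumption made for the example. It flags a non-blocking default, an over-broad allow rule, a block rule that an earlier allow rule shadows, and agents that are out of date or have stopped checking in.

```python
from datetime import date

# Constructed export of a CASB policy; field names are an assumption for this
# example, not any vendor's schema. Rules are evaluated first-match.
POLICY = {
    "default_action": "allow",
    "required_agent_version": "4.2.0",
    "rules": [
        {"name": "allow-everything", "apps": ["*"], "actions": ["*"],
         "device": "any", "effect": "allow"},
        {"name": "block-unmanaged-uploads", "apps": ["Files"], "actions": ["upload"],
         "device": "unmanaged", "effect": "block"},
    ],
    "agents": [
        {"host": "laptop-01", "version": "4.2.1", "last_seen": "2024-04-29"},
        {"host": "laptop-02", "version": "3.9.0", "last_seen": "2024-02-10"},
    ],
}


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def covers(broad, narrow):
    """True when every request matched by `narrow` is also matched by `broad`."""
    apps_ok = "*" in broad["apps"] or set(narrow["apps"]) <= set(broad["apps"])
    acts_ok = "*" in broad["actions"] or set(narrow["actions"]) <= set(broad["actions"])
    dev_ok = broad["device"] == "any" or broad["device"] == narrow["device"]
    return apps_ok and acts_ok and dev_ok


def lint_policy(policy, today, stale_days=30):
    """Return (severity, message) findings for common CASB misconfigurations."""
    findings = []
    as_of = date.fromisoformat(today)

    # 1. Anything not matched by a rule should be denied, not quietly allowed.
    if policy.get("default_action") != "block":
        findings.append(("high", "default_action is not 'block': unmatched traffic is allowed"))

    rules = policy.get("rules", [])
    for i, rule in enumerate(rules):
        # 2. An allow rule with no app, action or device restriction is a blanket bypass.
        if rule["effect"] == "allow" and "*" in rule["apps"] \
                and "*" in rule["actions"] and rule["device"] == "any":
            findings.append(("high", f"rule '{rule['name']}' allows any action on any app from any device"))
        # 3. First-match evaluation: a broad allow placed before a block makes the block dead.
        if rule["effect"] == "allow":
            for later in rules[i + 1:]:
                if later["effect"] == "block" and covers(rule, later):
                    findings.append(("high", f"block rule '{later['name']}' is shadowed by '{rule['name']}'"))

    # 4. Agents that are outdated or silent leave devices without the controls the rules assume.
    required = version_tuple(policy["required_agent_version"])
    for agent in policy.get("agents", []):
        if version_tuple(agent["version"]) < required:
            findings.append(("medium", f"agent on {agent['host']} runs {agent['version']}, "
                                       f"below required {policy['required_agent_version']}"))
        silent_for = (as_of - date.fromisoformat(agent["last_seen"])).days
        if silent_for > stale_days:
            findings.append(("medium", f"agent on {agent['host']} last seen {silent_for} days ago"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_policy(POLICY, today="2024-05-01"):
        print(f"[{severity}] {message}")
```

Run against the constructed policy it reports five findings; the shadowing check is the one most often missed in manual review, because each rule looks reasonable on its own and the problem is only their order.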
When should I use a CASB vs Cloud DLP?
CASBs are useful for managing user access to resources across networks, or protecting data in transit between devices and cloud environments. However, CASBs are poorly optimized for endpoint and cloud security unless the service provider extensively builds out add-on functionality that addresses these limitations.
For example, because CASBs conduct content inspection via a forward or reverse proxy, they can't leverage machine learning to provide greater accuracy and context regarding sensitive data going into cloud environments. A solution like Nightfall, which uses APIs to connect with cloud services at the application layer, can very quickly apply machine learning to increase the efficacy and accuracy of alerts.
CASBs tend to get around this by adding their own API-based integrations at the cloud layer, but still tend to lack the features that cloud-first DLP solutions offer. Similarly, some CASBs also deploy endpoint agents to cover endpoint DLP, but run into similar limitations, as they were not built from the ground up for this use case.
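The practical difference between inspecting a decrypted byte stream at a proxy and inspecting content through the cloud service's own API is the context that comes with each finding. The script below is an added example, not Nightfall's code or the code of any CASB; it uses a plain regex plus a Luhn check rather than machine learning, and the file-storage API response it scans (id, name, owner, sharing scope, content) is constructed for the example. What it shows is the application-layer view: each alert carries who owns the file and whether it is already shared outside the organization, which a proxy looking at a single upload cannot know.

```python
import re

# Constructed response from a cloud file-storage API; the shape is an
# assumption for this example, not a real vendor API.
API_FILES = [
    {"id": "f1", "name": "q2-notes.txt", "owner": "alice@example.test",
     "shared": "internal",
     "content": "Revenue grew 12% quarter over quarter; ticket 48213 is closed."},
    {"id": "f2", "name": "refunds.csv", "owner": "bob@example.test",
     "shared": "anyone_with_link",
     "content": "customer,card\nJ. Doe,4111 1111 1111 1111\nA. Roe,1234 5678 9012 3456\n"},
]

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum: rejects most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text):
    """Return Luhn-valid card numbers found in text, as digit-only strings."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def scan_files(files):
    """Inspect each file and attach the sharing context that only the API layer exposes."""
    alerts = []
    for f in files:
        cards = find_cards(f["content"])
        if not cards:
            continue
        # Public sharing raises severity: the data is already reachable from outside.
        severity = "high" if f["shared"] == "anyone_with_link" else "medium"
        alerts.append({
            "file": f["id"], "name": f["name"], "owner": f["owner"],
            "shared": f["shared"], "severity": severity,
            "cards": len(cards),
            "last4": [c[-4:] for c in cards],  # never write the full number to an alert
        })
    return alerts


if __name__ == "__main__":
    for alert in scan_files(API_FILES):
        print(alert)
```

Only one of the two card-shaped values in refunds.csv passes the Luhn check, so the alert reports one match; the file's owner and its "anyone with link" sharing state come straight from the API record and are what let the alert be triaged without first reconstructing who uploaded what from proxy logs.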
Ultimately, CASBs play an essential role in securing access to cloud services and applications, providing organizations with much-needed visibility and control. By understanding the different deployment modes, the time and effort involved in setting up a CASB, and the distinction between core functionality and add-on features, organizations can make informed decisions when selecting and implementing a CASB solution.
However, it's crucial to recognize that CASBs are not a one-size-fits-all solution for all security needs. They must work alongside other security tools and technologies, such as Cloud Data Loss Prevention, Endpoint Security, and Identity and Access Management, to provide comprehensive coverage and protection. By integrating CASBs into a broader security ecosystem, organizations can better protect their sensitive data, maintain compliance, and reduce the risk of security breaches in the ever-evolving cloud landscape.