Cloud Access Security Broker
Cloud access security brokers have become an essential element of any cloud security strategy, helping organizations govern the use of cloud services and protect sensitive data in the cloud.
The cloud access security broker (CASB) market is defined as products and services that provide visibility into general cloud application usage, and data protection and governance for enterprise-sanctioned cloud applications (see "Mind the SaaS Security Gaps"). This technology is the result of the need to secure the significantly increased adoption of cloud services, and access to them from users both within and outside of the traditional enterprise perimeter. CASBs deliver capabilities that are differentiated from, and generally not available in, other security controls such as web application firewalls (WAFs), secure web gateways (SWGs) and enterprise firewalls.
CASBs deliver functionality through four pillars:
Visibility. CASBs provide both shadow and sanctioned IT discovery, as well as a consolidated view of an organization's cloud service usage and the users who access data from any device or location. Leading CASBs take this further with a cloud service security posture assessment database to provide visibility into the trustworthiness of the security capabilities and secure operations of the cloud service provider (CSP; see "Unsanctioned Business Unit IT Cloud Adoption Will Increase Financial Liabilities" ).
Data security. CASBs provide the ability to enforce data-centric security policies to prevent unwanted activity based on data classification, on data discovery, and on user activity monitoring of access to sensitive data or privilege escalation. Policies are applied through controls, such as audit, alert, block, quarantine, delete and view-only. Several CASBs provide the ability to encrypt or tokenize and redact content at the field and file level in cloud services. Encryption key management may be integrated with on-premises products. CASBs can perform data loss prevention (DLP) natively on text-based content in structured data and in files, and some can import policies from on-premises or cloud-based DLP tools through either ICAP or RESTful APIs. Some CASBs now offer data-centric audit and protection (DCAP) features and integration with enterprise digital rights management (EDRM).
Threat protection. CASBs prevent unwanted devices, users and versions of applications from accessing cloud services by providing adaptive access controls. Other examples in this category are user and entity behavior analytics (UEBA) for determining anomalous behavior, the use of threat intelligence, malware identification and remediation, and file sandboxing. In some cases, CASB vendors have their own analyst teams researching cloud-specific and cloud-native attacks.
Compliance. Compliance mandates, whether from government legislation, external agency rules, or internal compliance requirements, do not disappear when moving to the cloud (even though a fair amount of on-premises technical debt does). CASBs help organizations achieve and demonstrate compliance with regulations and standards, as well as identify cloud usage and the risks of specific cloud services.
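The data security and threat protection pillars above describe policy enforcement in the abstract: classify the content an event carries, check the device, user and client version, then apply one of the CASB controls (audit, alert, block, quarantine, view-only). The following is an added example, not code from the original article or from any CASB vendor, that shows how such an inline policy decision can be implemented. The event shape, the application names, the minimum client versions, the detection rules and the sample events are all constructed for illustration; a real CASB would source them from its proxy or API connectors, its sanctioned-app list and its device posture integration.

```python
import re
from dataclasses import dataclass

# Hypothetical event: what an inline (proxy-mode) CASB observes for one user action.
@dataclass
class CloudEvent:
    user: str
    app: str              # cloud service, e.g. "box" (constructed names)
    sanctioned: bool      # taken from the tenant's sanctioned-app list
    device_managed: bool  # device posture from an endpoint agent or client certificate
    app_version: str      # client version reported by the application
    action: str           # "upload", "download" or "share_external"
    content: str          # text payload; native DLP runs on text-based content

def luhn_ok(digits: str) -> bool:
    """Luhn check so a 16-digit string is only labelled as card data when it is a plausible PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")  # 16 digits, optional spaces/dashes
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def classify(content: str) -> set:
    """Simplified data classification: return the sensitivity labels found in text content."""
    labels = set()
    for m in CARD_RE.finditer(content):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            labels.add("PCI")
    if SSN_RE.search(content):
        labels.add("PII")
    if "CONFIDENTIAL" in content.upper():
        labels.add("CONFIDENTIAL")
    return labels

# Hypothetical minimum client versions enforced per application.
MIN_CLIENT_VERSION = {"box": (4, 0), "salesforce": (2, 10)}

def version_tuple(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))

def evaluate(ev: CloudEvent) -> tuple:
    """Return (control, reason) using the CASB control vocabulary."""
    # Threat protection: adaptive access control on app sanctioning and client version.
    if not ev.sanctioned:
        return "block", "unsanctioned cloud service"
    min_version = MIN_CLIENT_VERSION.get(ev.app)
    if min_version and version_tuple(ev.app_version) < min_version:
        return "block", f"client version {ev.app_version} below minimum"
    # Data security: classification-driven policy, combined with device posture.
    labels = classify(ev.content)
    if not labels:
        return "audit", "no sensitive content detected"
    found = ",".join(sorted(labels))
    if ev.action == "share_external":
        return "block", f"external share of {found}"
    if not ev.device_managed:
        return "view-only", f"{found} accessed from unmanaged device"
    if "PCI" in labels and ev.action == "upload":
        return "quarantine", "card data uploaded; file held for review"
    return "alert", f"{found} handled from managed device"

# Constructed sample events covering each branch of the policy.
EVENTS = [
    CloudEvent("alice", "box", True, True, "4.2", "upload", "Quarterly roadmap, nothing sensitive"),
    CloudEvent("bob", "box", True, True, "4.2", "upload", "Customer card 4111 1111 1111 1111"),
    CloudEvent("carol", "box", True, False, "4.2", "download", "Employee SSN 123-45-6789"),
    CloudEvent("dave", "filedrop", False, True, "1.0", "upload", "anything"),
    CloudEvent("eve", "box", True, True, "3.9", "upload", "release notes"),
    CloudEvent("frank", "salesforce", True, True, "2.12", "share_external", "CONFIDENTIAL forecast"),
    CloudEvent("grace", "box", True, True, "4.2", "upload", "Order 1234 5678 9012 3456"),
]

def run_policy(events=EVENTS) -> dict:
    """Map each user to the control the policy selected for their event."""
    return {ev.user: evaluate(ev)[0] for ev in events}

if __name__ == "__main__":
    for ev in EVENTS:
        control, reason = evaluate(ev)
        print(f"{ev.user:6} {ev.app:10} {ev.action:14} -> {control:10} ({reason})")
```

The last event is the reason the Luhn check is there: "1234 5678 9012 3456" matches the 16-digit pattern but fails Luhn, so it is audited rather than quarantined. Ordering matters too: access control decisions (unsanctioned service, outdated client) are made before any content is inspected, which is how inline CASBs avoid decrypting and classifying traffic they are going to block anyway.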