What is CASB?
A cloud access security broker (CASB) is a set of new cloud security technologies that address the challenges posed by the use of cloud apps and services. They work as tools that sit between an organization's on-premises infrastructure and a cloud provider's infrastructure.
They allow the organization to extend the reach of its security policies beyond its own infrastructure to third-party software and storage.
Classified as:
On-premises or cloud-hosted software that acts as a control point to support continuous visibility, compliance, threat protection, and security for cloud services.
CASB solutions help to:
• Identify and evaluate all the cloud apps in use
• Enforce cloud application management policies in web proxies or firewalls
• Provide handling of sensitive information
• Encrypt or tokenize sensitive content to enforce privacy and security
• Detect and block unusual account behaviour indicative of malicious activity
• Integrate cloud visibility and controls with broader security solutions for data loss prevention, access management, and web security
Usage stats
• By 2020, 85% of large enterprises will use a cloud access security broker solution for their cloud services, up from fewer than 5% in 2015.
• Through 2020, 95% of cloud security failures will be the customer's fault.
How did CASB come into the market?
• To maintain data security and compliance with new data residency laws as their infrastructure moves to the cloud, a cloud access security broker (CASB) comes into play.
• CASB provides cloud encryption with the option for enterprises to control their own encryption keys, so access to data without the enterprise's knowledge is ruled out.
How is CASB presented?
• CASB technology is available as a SaaS application or on-premises via virtual or physical appliances, or both, using a hybrid combination of on-premises and cloud-based policy enforcement points.
Observations:
• The wide adoption of identity and access management into the cloud, delivering cloud single sign-on, has reduced the friction in adopting cloud services and related security controls like cloud access security brokers (CASBs).
• Many enterprise business units are acquiring cloud services directly without IT's involvement. This form of "shadow IT" is fuelling growth in cloud service adoption as well as security risks.
• The CASB market has evolved rapidly since its gestation period in 2012 and includes a number of high-profile acquisitions.
• Today, CASBs primarily address back-office applications delivered as SaaS.
CASBs work by ensuring that network traffic between on-premises devices and the cloud provider complies with the organization's security policies.
How does CASB work? A high-level understanding
Image source: Gartner's blog, securitymusings
Fundamental capabilities of CASB
CASBs' most prominent functionalities:
• Visibility
CASBs provide both shadow and sanctioned IT discovery, as well as a consolidated view of an organization's cloud service usage and the users who access data from any device or location.
• Compliance
CASBs assist with data residency and compliance with regulations and standards, as well as identifying cloud usage and the risks of specific cloud services.
• Data Security
CASBs provide the ability to enforce data-centric security policies to prevent unwanted activity based on data classification, discovery and user activity monitoring of access to sensitive data or privilege escalation.
• Threat Protection
CASBs prevent unwanted devices, users and versions of applications from accessing cloud services by providing adaptive access controls. Other examples in this category are user and entity behaviour analytics (UEBA) for determining anomalous behaviour, the use of threat intelligence, and malware identification.
Comprehensive CASB solutions leverage the following:
Application-specific security
The top cloud apps have well-defined APIs that a CASB can leverage to monitor activity, analyse content, and modify settings within accounts on that cloud app.
Inline security with gateways
Sitting between the users and their cloud apps, a CASB gateway can provide valuable insights into cloud activity and provide a vehicle for real-time policy enforcement, such as blocking data exfiltration or protecting information with encryption.
Shadow IT analysis
Existing security devices, such as secure web gateways and firewalls, have log data that can be used to help analyse shadow IT.
Access control
Endpoint agents offer another option to manage cloud activity and enforce policies.
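The shadow IT analysis item above describes mining the logs that secure web gateways and firewalls already produce to find which cloud apps are in use. The Python script below is an added illustration of that analysis and is not code from the original presentation or from any CASB product: it parses a constructed gateway log, maps each destination host to a small constructed cloud app catalogue by longest matching domain suffix, and lists the unsanctioned apps ordered by upload volume, since uploads are the data loss signal. The log format, the catalogue, and the sanctioned list are all assumptions; a real CASB ships a vendor-maintained registry of thousands of apps with a risk score per app.

```python
"""Shadow IT discovery from secure web gateway logs.

Added example, not from the original presentation or any CASB vendor.
The log format, app catalogue and sanctioned list below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Constructed SWG log lines: timestamp  user  destination_host  bytes_out  action
SAMPLE_LOG = """\
2024-03-01T09:02:11Z alice corp-tenant.sharepoint.com 1048576 ALLOW
2024-03-01T09:05:40Z bob   api.dropbox.com 52428800 ALLOW
2024-03-01T09:06:02Z bob   www.dropbox.com 2048 ALLOW
2024-03-01T09:10:15Z carol drive.google.com 734003 ALLOW
2024-03-01T09:12:44Z alice cdn.example-news.com 12000 ALLOW
2024-03-01T09:20:01Z dave  upload.wetransfer.com 209715200 ALLOW
2024-03-01T09:21:30Z carol corp-tenant.sharepoint.com 4096 ALLOW
"""

# Constructed catalogue: domain suffix -> cloud app name (hypothetical, tiny).
APP_CATALOGUE = {
    "sharepoint.com": "Microsoft SharePoint Online",
    "dropbox.com": "Dropbox",
    "drive.google.com": "Google Drive",
    "wetransfer.com": "WeTransfer",
}
# Apps IT has approved; everything else in the catalogue is shadow IT.
SANCTIONED = {"Microsoft SharePoint Online"}


@dataclass
class AppUsage:
    app: str
    sanctioned: bool
    requests: int = 0
    bytes_out: int = 0
    users: Set[str] = field(default_factory=set)


def classify_host(host: str, catalogue=APP_CATALOGUE) -> Optional[str]:
    """Map a destination host to a catalogue app by the longest matching suffix.

    Matching is on label boundaries, so 'dropbox.com.evil.example' does not
    match 'dropbox.com'.
    """
    host = host.lower().rstrip(".")
    best = None
    for suffix, app in catalogue.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, app)
    return best[1] if best else None


def discover_cloud_apps(log_lines: Iterable[str], catalogue=APP_CATALOGUE,
                        sanctioned=SANCTIONED) -> Dict[str, AppUsage]:
    """Aggregate requests, upload bytes and distinct users per cloud app."""
    usage: Dict[str, AppUsage] = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the whole run
        _ts, user, host, bytes_out, _action = parts
        app = classify_host(host, catalogue)
        if app is None:
            continue  # not a catalogued cloud app; ordinary web traffic
        entry = usage.setdefault(app, AppUsage(app, app in sanctioned))
        entry.requests += 1
        entry.bytes_out += int(bytes_out)
        entry.users.add(user)
    return usage


def shadow_it_report(usage: Dict[str, AppUsage], min_bytes_out: int = 0) -> List[AppUsage]:
    """Unsanctioned apps ordered by bytes uploaded, largest first."""
    rows = [u for u in usage.values() if not u.sanctioned and u.bytes_out >= min_bytes_out]
    return sorted(rows, key=lambda u: u.bytes_out, reverse=True)


if __name__ == "__main__":
    found = discover_cloud_apps(SAMPLE_LOG.splitlines())
    for u in shadow_it_report(found):
        print(f"{u.app:<12} users={len(u.users)} requests={u.requests} bytes_out={u.bytes_out}")
```

On the constructed log this reports WeTransfer, Dropbox and Google Drive as unsanctioned, with SharePoint traffic counted but excluded from the report and the news site ignored as non-cloud traffic. In practice the same aggregation is run over weeks of logs, joined with a per-app risk score, and the users column is what drives the conversation with the business unit that adopted the app.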
Architectural choices (forward proxy / reverse proxy / APIs)
Initially, the market was segregated between providers that delivered their CASB features via forward- and/or reverse-proxy modes and others that used API modes exclusively.
Increasingly, a growing number of CASBs offer a choice between the proxy modes of operation and also support APIs (multimode CASBs).
Reverse proxy
This can be deployed as a gateway on-premises or, as the more popular method, as SaaS.
This is performed by changing the way authentication works: the cloud service is told that the CASB passes the authentication on to the IDaaS provider, but, importantly, the URL is left as belonging to the CASB and not the cloud service.
IDaaS stands for identity as a service.
For people interested in learning more about IDaaS: https://www.centrify.com/solutions/cloud/identity-as-a-service-idaas/
This is one way to insert the CASB in front of end users accessing the SaaS service (with the exception of mobile native apps using certificate pinning) without having to touch the endpoint's configuration.
It also allows for control over key management and application of cryptography solutions on-premises with no access by a cloud-based CASB or cloud service provider. With a hosted reverse proxy, there may be indirect access to the key management system and the keys/tokens being used in the cloud by the CASB and/or CSP.
Forward proxy
This can be deployed in the cloud or on-premises, and some vendors may deploy software agents on endpoint devices or push profiles via enterprise mobility management (EMM) to enforce it, or use other methods like DNS and proxy auto-configuration (PAC) files.
API mode
This leverages the native features of the SaaS service itself by giving the CASB permission to access the service's API directly.
This mode also allows organizations to perform a number of functions, such as log telemetry, policy visibility and control, and data security inspection, on all data at rest in the cloud application or service.
The CASB may offer on-premises or hosted key management options.
API mode makes it possible to take advantage of both CASB-native data protection features and a growing number of data protection features offered by the SaaS provider itself (for example, Salesforce Shield), whereby the provider performs the encryption/tokenization functions but the end users still control the keys.
However, the SaaS provider still has access to the keys, and data is unencrypted while in use by the application.
If the SaaS is hosted on another CSP's infrastructure (for example, Amazon, Microsoft), the data is available in the memory of the IaaS provider and may not meet strict data residency or compliance requirements.
Some use cases for CASB implementation:
• Early anomaly detection: leveraging data on the go can be used to detect anomalous behaviours and potential
• Reporting and auditing: CASB offers enhanced granular visibility with detailed activity logs and other reports useful for compliance auditing and forensic purposes.
• DLP: content validation by public cloud applications, blocking, watermarking, password protecting and encryption will prevent data content from being exposed.
• Encryption: CASBs can encrypt objects pre-upload/post-download, giving end-to-end data privacy and regulatory compliance.
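The early anomaly detection use case above, like the earlier point about detecting unusual account behaviour indicative of malicious activity, is the threat protection side of a CASB: activity logs collected in proxy or API mode are evaluated against behavioural rules. The Python script below is an added example of two such rules and is not code from the original presentation or any CASB product. It runs over a constructed stream of cloud activity events and flags impossible travel (two logins by one user whose distance and time gap imply a speed no traveller reaches) and bulk download (more logins than a threshold within a sliding window). The event format, the geolocation coordinates, the speed threshold and the download window are all assumptions; a production UEBA engine would baseline each user's normal volume and location instead of using fixed numbers.

```python
"""Rule-based anomaly detection over cloud activity events.

Added example, not from the original presentation or any CASB product.
The event format, thresholds and sample events are all constructed.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str          # "login" or "download"
    lat: float           # geolocation of the source IP, as a CASB would enrich it
    lon: float
    detail: str = ""


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    ts: datetime
    message: str


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed coordinates for the two sample locations.
LONDON = (51.5074, -0.1278)
NEW_YORK = (40.7128, -74.0060)

# Constructed activity stream: alice logs in from London and New York one hour
# apart, bob does the same nine hours apart (a real flight), carol downloads
# 25 files in eight minutes.
SAMPLE_EVENTS: List[Event] = [
    Event(_t("2024-03-01T08:00:00"), "alice", "login", *LONDON, "browser"),
    Event(_t("2024-03-01T09:00:00"), "alice", "login", *NEW_YORK, "browser"),
    Event(_t("2024-03-01T08:30:00"), "bob", "login", *LONDON, "browser"),
    Event(_t("2024-03-01T17:30:00"), "bob", "login", *NEW_YORK, "browser"),
] + [
    Event(_t("2024-03-01T10:00:00") + timedelta(seconds=20 * i), "carol",
          "download", *LONDON, f"file{i}.docx")
    for i in range(25)
]

MAX_SPEED_KMH = 900.0           # faster than this between two logins is "impossible travel"
MIN_DISTANCE_KM = 50.0          # ignore geolocation jitter within one metro area
BULK_WINDOW = timedelta(minutes=15)
BULK_THRESHOLD = 20             # downloads within BULK_WINDOW that trigger an alert


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def detect_anomalies(events: List[Event]) -> List[Alert]:
    """Evaluate the impossible-travel and bulk-download rules in timestamp order."""
    alerts: List[Alert] = []
    last_login: Dict[str, Event] = {}
    downloads: Dict[str, Deque[datetime]] = {}
    bulk_flagged = set()        # alert once per user, not on every further download
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "login":
            prev = last_login.get(ev.user)
            if prev is not None:
                hours = (ev.ts - prev.ts).total_seconds() / 3600
                km = haversine_km((prev.lat, prev.lon), (ev.lat, ev.lon))
                speed = km / hours if hours > 0 else float("inf")
                if km > MIN_DISTANCE_KM and speed > MAX_SPEED_KMH:
                    alerts.append(Alert("impossible_travel", ev.user, ev.ts,
                                        f"{km:.0f} km in {hours:.1f} h since previous login"))
            last_login[ev.user] = ev
        elif ev.action == "download":
            window = downloads.setdefault(ev.user, deque())
            window.append(ev.ts)
            while window and ev.ts - window[0] > BULK_WINDOW:
                window.popleft()    # drop downloads that fell out of the sliding window
            if len(window) >= BULK_THRESHOLD and ev.user not in bulk_flagged:
                bulk_flagged.add(ev.user)
                alerts.append(Alert("bulk_download", ev.user, ev.ts,
                                    f"{len(window)} downloads within {BULK_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(SAMPLE_EVENTS):
        print(f"{a.ts.isoformat()} {a.rule:<18} {a.user:<6} {a.message}")
```

On the sample stream this yields exactly two alerts: alice's second login (about 5,570 km in one hour) and carol's twentieth download, while bob's nine-hour gap stays under the speed threshold. In a CASB the alert would feed the adaptive access control described under threat protection, for example forcing re-authentication or blocking the session, and the per-user download baseline would replace the fixed threshold.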
Leading choices for CASB:
• Microsoft (Adallom)
In September 2015, Microsoft completed its acquisition of Adallom, a CASB that had been shipping since early 2013. This brought CASB to Microsoft's Enterprise Mobility + Security (EMS) suite and added new capabilities to Office 365.
• Imperva
Founded in November 2002 and has been shipping a CASB product since January 2014, when it acquired Skyfence. Imperva focuses on providing detailed user activity monitoring, cloud DLP, access control and threat protection.
• Bitglass
Founded in January 2013 and has been shipping a CASB product since January 2014.
Bitglass integrates several mobile device management (MDM) and IAM capabilities into its offering, such as remote wipe, single sign-on (SSO) and dual Security Assertion Markup Language (SAML) proxy, providing basic MDM and IDaaS capabilities.
• Cisco CloudLock
Founded in January 2011 and has been shipping a CASB product since October 2013; it was acquired by Cisco in June 2016. It uses an API-only approach to the CASB market. It leverages APIs from cloud services (SaaS, PaaS, IaaS).
• FireLayers
Founded in November 2013 and has been shipping a CASB product since April 2014. FireLayers is a multimode CASB delivering API, forward and reverse proxy, plus a SAML gateway. It provides cloud application discovery, but not SaaS service security posture assessments. Instead, it focuses on threat protection, behavior analytics, contextual access control and detailed activity monitoring.