Cloud Access Security Brokers - CASB
What is CASB?
THIS PRESENTATION AIMS TO GIVE A CONCISE OVERVIEW FOR THOSE INTERESTED IN
LEARNING ABOUT THE LATEST TREND OF CLOUD BROKER SECURITY.
A CLOUD ACCESS SECURITY BROKER (CASB) IS A SET OF NEW CLOUD SECURITY
TECHNOLOGIES THAT ADDRESS THE CHALLENGES POSED BY THE USE OF CLOUD APPS
AND SERVICES. THEY WORK AS TOOLS THAT SIT BETWEEN AN ORGANIZATION'S
ON-PREMISES INFRASTRUCTURE AND A CLOUD PROVIDER'S INFRASTRUCTURE.
THEY ALLOW THE ORGANIZATION TO EXTEND THE REACH OF ITS SECURITY POLICIES
BEYOND ITS OWN INFRASTRUCTURE TO THIRD-PARTY SOFTWARE AND STORAGE.
17th June 2017
Classified as:
• On-premises or
• Cloud-hosted software that acts as a control point to support continuous visibility,
compliance, threat protection, and security for cloud services.
CASB solutions help to:
• Identify and evaluate all the cloud apps in use
• Enforce cloud application management policies in web proxies or firewalls
• Provide handling of sensitive information
• Encrypt or tokenize sensitive content to enforce privacy and security
• Detect and block unusual account behaviour indicative of malicious activity
• Integrate cloud visibility and controls with broader security solutions for data
loss prevention, access management, and web security
USAGE STATS
• By 2020, 85% of large enterprises will use a cloud access security broker solution
for their cloud services, which is up from fewer than 5% in 2015.
• Through 2020, 95% of cloud security failures will be the customer's fault.
• Source: https://www.skyhighnetworks.com/cloud-security-university/what-is-cloud-access-security-broker/
How did CASB come to market?
• A Cloud Access Security Broker (CASB) comes into play when enterprises need to
maintain data security and compliance with new data residency laws as their
infrastructure moves to the cloud.
• CASB provides cloud encryption with the option for enterprises to control their own
encryption keys, so access to data without the enterprise's knowledge is ruled out.
How is CASB presented?
• CASB technology is available as a SaaS application or on-premises via virtual or physical
appliances, or both using a hybrid combination of on-premises and cloud-based policy
enforcement points.
• Observations:
  • The wide adoption of identity and access management into the cloud, delivering cloud single
  sign-on, has reduced the friction in adopting cloud services and related security controls like
  cloud access security brokers (CASBs).
  • Many enterprise business units are acquiring cloud services directly without IT's involvement.
  This form of "shadow IT" is fuelling growth in cloud service adoption as well as security risks.
  • The CASB market has evolved rapidly since its gestation period in 2012 and includes a
  number of high-profile acquisitions.
  • Today, CASBs primarily address back-office applications delivered as SaaS.
How Does CASB Work? A high-level understanding:
• CASBs work by ensuring that network traffic between on-premises devices and
the cloud provider complies with the organization's security policies.
Image Source: Gartner’s blog: security musings
Fundamental Capabilities of CASB
• Cloud App Discovery and Analysis
Provide Shadow IT discovery and risk analysis including detailed cloud app ratings, usage analytics,
and continuous reporting.
• Data Governance and Protection
Provide the ability to enforce data-centric security policies to prevent unwanted activity such as
inappropriate sharing of content. Support encryption and tokenization of compliance-related data.
• Threat Protection and Incident Response
Prevent malicious activity such as data exfiltration due to account takeover, session hijacking, or insider
activity through continuous monitoring of user behavior. Identify and block malware being uploaded
or shared within cloud apps and provide tools for incident response.
• Compliance and Data Privacy
Assist with data residency and compliance with regulations and standards, as well as identify cloud
usage and risks of specific cloud services.
CASBs' most prominent functionalities
• Visibility
CASBs provide both shadow and sanctioned IT discovery, as well as a consolidated view of an organization's cloud service
usage and the users who access data from any device or location.
• Compliance
CASBs assist with data residency and compliance with regulations and standards, as well as identify cloud usage and the
risks of specific cloud services.
• Data Security
CASBs provide the ability to enforce data-centric security policies to prevent unwanted activity based on data classification,
discovery and user activity monitoring of access to sensitive data or privilege escalation.
• Threat Protection
CASBs prevent unwanted devices, users and versions of applications from accessing cloud services by providing adaptive
access controls. Other examples in this category are user and entity behaviour analytics (UEBA) for determining anomalous
behaviour, the use of threat intelligence, and malware identification.
Comprehensive CASB solutions leverage the following:
• Application Specific Security
The top cloud apps have well-defined APIs that a CASB can leverage to monitor activity, analyse
content, and modify settings within accounts on that cloud app.
• Inline Security with Gateways
Sitting between the users and their cloud apps, a CASB gateway can provide valuable insights into
cloud activity and provide a vehicle for real-time policy enforcement, such as blocking data
exfiltration or protecting information with encryption.
• Shadow IT Analysis
Existing security devices, such as secure web gateways and firewalls, have log data that can be used
to help analyse Shadow IT.
• Access Control
Endpoint agents offer another option to manage cloud activity and enforce policies.
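The Shadow IT Analysis point above, as an added example (not part of the original slides and not any vendor's code): it parses secure web gateway log lines, drops traffic to sanctioned and internal apps, and ranks what remains by bytes uploaded. The log format, the `.example` domains and the catalogue sets are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed app catalogue (hypothetical domains under the reserved .example TLD).
SANCTIONED = {"sanctioned-crm.example", "sanctioned-suite.example"}
INTERNAL = {"corp.example"}

# Constructed sample log in an assumed space-separated gateway format:
# timestamp user method url status bytes_sent
SAMPLE_LOG = """\
2017-06-01T09:00:01Z alice CONNECT https://sanctioned-crm.example/login 200 512
2017-06-01T09:02:10Z alice POST https://files.unsanctioned-share.example/upload 200 7340032
2017-06-01T09:05:44Z bob GET https://mail.sanctioned-suite.example/inbox 200 300
2017-06-01T09:07:12Z bob POST https://api.unsanctioned-notes.example/sync 200 20480
2017-06-01T09:09:30Z carol POST https://files.unsanctioned-share.example/upload 200 1048576
2017-06-01T09:11:00Z carol GET https://intranet.corp.example/wiki 200 128
this line is malformed and must be skipped
2017-06-01T09:15:00Z alice POST https://files.unsanctioned-share.example/upload 403 0
"""


def parse_line(line):
    """Return a record dict, or None when the line does not fit the format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, user, method, url, status, sent = parts
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    if not host or not status.isdigit() or not sent.isdigit():
        return None
    return {"ts": ts, "user": user, "method": method, "host": host,
            "status": int(status), "bytes_out": int(sent)}


def in_catalogue(host, domains):
    """True when host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def app_key(host):
    """Group hosts by their last two labels.

    Simplification for this example: production code should use the
    Public Suffix List so that names like example.co.uk group correctly.
    """
    return ".".join(host.split(".")[-2:])


def discover(log_text):
    """Aggregate traffic to apps that are neither sanctioned nor internal."""
    report = defaultdict(
        lambda: {"users": set(), "requests": 0, "bytes_out": 0, "blocked": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than abort the run
        if in_catalogue(rec["host"], SANCTIONED | INTERNAL):
            continue
        entry = report[app_key(rec["host"])]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        entry["bytes_out"] += rec["bytes_out"]
        if rec["status"] == 403:
            entry["blocked"] += 1  # the gateway already denied this request
    return dict(report)


def rank(report):
    """App names ordered by uploaded volume, largest first."""
    return sorted(report, key=lambda app: (-report[app]["bytes_out"], app))


if __name__ == "__main__":
    found = discover(SAMPLE_LOG)
    for app in rank(found):
        e = found[app]
        print(f"{app}: users={sorted(e['users'])} requests={e['requests']} "
              f"bytes_out={e['bytes_out']} blocked={e['blocked']}")
```
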
Architectural Choices (forward / reverse proxy / APIs)
Initially, the market was segregated between providers that delivered their CASB
features via forward- and/or reverse-proxy modes and others that used API modes
exclusively.
Increasingly, a growing number of CASBs offer a choice between the proxy modes
of operation and also support APIs (multimode CASBs).
Reverse proxy
• This can be deployed as a gateway on-premises or, as the more popular
method, as SaaS.
• This is done by changing the way authentication works: the cloud service is told
that the CASB passes authentication on to the IDaaS provider but, importantly,
the URL is left as belonging to the CASB and not the cloud service.
• IDaaS stands for Identity-as-a-Service.
• To learn more about IDaaS:
https://www.centrify.com/solutions/cloud/identity-as-a-service-idaas/
• This is one way to provide the ability to insert the CASB in front of end users
accessing the SaaS service (with the exception of mobile native apps using
certificate pinning) without having to touch the endpoint's configuration.
• It also allows for control over key management and application of cryptography
solutions on-premises with no access by a cloud-based CASB or cloud service
provider. With hosted reverse proxy, there may be indirect access to the key
management system and keys/tokens being used in the cloud by the CASB and/or
CSP.
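The on-premises key management point above, as an added example (not part of the original slides and not any CASB product's code): a gateway tokenizes sensitive values before a record leaves for the SaaS service, while the key and the token map stay in an on-premises vault. `TokenVault`, `gateway_outbound`, `gateway_inbound`, the field names and the sample record are hypothetical.

```python
import hashlib
import hmac
import re
import secrets

SENSITIVE_FIELDS = {"ssn", "card_number"}   # assumed field-level policy
CARD_RE = re.compile(r"\b\d{13,16}\b")      # card-like digit runs in free text
TOKEN_RE = re.compile(r"tok_[0-9a-f]{24}")


def luhn_ok(number):
    """Luhn checksum, used to avoid tokenizing order ids and similar digits."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Held on-premises: the key and token map never reach the cloud service."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)
        self._store = {}

    def tokenize(self, value):
        # Keyed and deterministic: equal inputs give equal tokens, so the SaaS
        # side can still match on the field. The trade-off is that equality of
        # values is visible to anyone who can read the tokens.
        digest = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:24]
        if self._store.setdefault(token, value) != value:
            raise ValueError("token collision")
        return token

    def detokenize(self, token):
        return self._store[token]   # KeyError for a token this vault never issued


def gateway_outbound(record, vault):
    """Apply policy to a record on its way to the cloud service."""
    out = {}
    for field, value in record.items():
        if not isinstance(value, str):
            out[field] = value
        elif field in SENSITIVE_FIELDS:
            out[field] = vault.tokenize(value)
        else:
            out[field] = CARD_RE.sub(
                lambda m: vault.tokenize(m.group(0)) if luhn_ok(m.group(0))
                else m.group(0), value)
    return out


def gateway_inbound(record, vault):
    """Restore plaintext for an authorised on-premises reader."""
    return {
        field: TOKEN_RE.sub(lambda m: vault.detokenize(m.group(0)), value)
        if isinstance(value, str) else value
        for field, value in record.items()
    }


# Constructed sample record; 4111111111111111 is a widely used test number.
SAMPLE_RECORD = {
    "name": "Jane Roe",
    "ssn": "000-12-3456",
    "notes": "Card 4111111111111111 on file, order 1234567890123",
    "visits": 3,
}

if __name__ == "__main__":
    vault = TokenVault()
    stored = gateway_outbound(SAMPLE_RECORD, vault)
    print("sent to SaaS:", stored)
    print("read back   :", gateway_inbound(stored, vault))
```
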
Forward proxy
• This can be deployed in the cloud or on-premises, and some vendors may deploy
software agents on endpoint devices or pass profiles for enterprise mobile
management (EMM) to enforce or use other methods like DNS and proxy
auto-configuration (PAC) files.
API mode
• This leverages the native features of the SaaS service itself by giving the CASB
permission to access the service's API directly.
• This mode also allows organizations to perform a number of functions like log
telemetry, policy visibility and control, and data security inspection functions on all
data at rest in the cloud application or service.
• The CASB may offer on-premises or hosted key management options.
• API mode makes it possible to take advantage of both CASB-native data protection
features and a growing number of data protection features offered by the SaaS
provider itself (for example, Salesforce Shield), whereby it performs
encryption/tokenization functions, but the end users still control the keys.
However, the SaaS provider still has access to the keys, and data is unencrypted
while used by the application.
• If the SaaS is hosted on another CSP's infrastructure (for example, Amazon,
Microsoft), the data is available in the memory of the IaaS provider and may not meet
strict data residency or compliance requirements.
Some use cases for CASB Implementation:
• Early anomaly detection: Leveraging data on the go can be used to detect
anomalous behaviours and potential
• Reporting and auditing: CASB offers enhanced granular visibility with detailed
activity logs and other reports useful for compliance auditing and forensic purposes.
• DLP: Content validation by public cloud applications, blocking, watermarking,
password protecting and encryption will prevent data content from being exposed.
• Encryption: CASBs can encrypt objects pre-upload/post-download, giving
end-to-end data privacy and regulatory compliance.
Leading choices for CASB:
• Microsoft (Adallom)
In September 2015, Microsoft completed its acquisition of Adallom, a CASB that had been shipping since early 2013.
This brought CASB to Microsoft's Enterprise Mobility + Security (EMS) suite and added new capabilities to Office 365.
• Imperva
Founded in November 2002 and has been shipping a CASB product since January 2014, when it acquired Skyfence.
Imperva focuses on providing detailed user activity monitoring, cloud DLP, access control and threat protection.
• Bitglass
Founded in January 2013 and has been shipping a CASB product since January 2014.
Bitglass integrates several mobile data management (MDM) and IAM capabilities into its offering, such as remote
wipe, single sign-on (SSO) and dual Security Assertion Markup Language (SAML) proxy, providing basic MDM and
IDaaS capabilities.
• Cisco CloudLock
Founded in January 2011 and has been shipping a CASB product since October 2013; it was
acquired by Cisco in June 2016. It uses an API-only approach to the CASB market. It leverages
APIs from cloud services (SaaS, PaaS, IaaS).
• FireLayers
Founded in November 2013 and has been shipping a CASB product since April 2014. FireLayers
is a multimode CASB delivering API, forward and reverse proxy, plus a SAML gateway. It provides
cloud application discovery, but not SaaS service security posture assessments. Instead, it
focuses on threat protection, behavior analytics, contextual access control and detailed activity
monitoring.
Further reading and references:
https://www.bluecoat.com/products-and-solutions/casb-cloud-access-security-broker
http://security-musings.blogspot.in/2015/04/comparing-cloud-access-security-broker.html
http://www.bitglass.com/blog/cloud-access-security-brokers-post5
https://www.ciphercloud.com/blog/casb-101-cloud-access-security-brokers/
THANKS
Samrat is a security researcher currently working for Secure Layer 7 India as a Security Consultant. His research
interests involve: Penetration Testing, Secure Coding, and Reverse Engineering & Malware Analysis. He can be
reached on twitter: @Samrat_Das93 or LinkedIn: https://in.linkedin.com/in/samrat18

More Related Content

What's hot

Technology Overview - Symantec Endpoint Protection (SEP)
Technology Overview - Symantec Endpoint Protection (SEP)Technology Overview - Symantec Endpoint Protection (SEP)
Technology Overview - Symantec Endpoint Protection (SEP)Iftikhar Ali Iqbal
 
Zero trust in a hybrid architecture
Zero trust in a hybrid architectureZero trust in a hybrid architecture
Zero trust in a hybrid architectureHybrid IT Europe
 
Microsoft Office 365 Advanced Threat Protection
Microsoft Office 365 Advanced Threat ProtectionMicrosoft Office 365 Advanced Threat Protection
Microsoft Office 365 Advanced Threat ProtectionDavid J Rosenthal
 
Journey to the Center of Security Operations
Journey to the Center of Security OperationsJourney to the Center of Security Operations
Journey to the Center of Security Operations♟Sergej Epp
 
Technology Overview - Symantec Data Loss Prevention (DLP)
Technology Overview - Symantec Data Loss Prevention (DLP)Technology Overview - Symantec Data Loss Prevention (DLP)
Technology Overview - Symantec Data Loss Prevention (DLP)Iftikhar Ali Iqbal
 
Email_Security Gateway.pptx
Email_Security Gateway.pptxEmail_Security Gateway.pptx
Email_Security Gateway.pptxssuser651fd4
 
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC Report
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC ReportMcAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC Report
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC ReportIftikhar Ali Iqbal
 
Introduction - Trend Micro Deep Security
Introduction - Trend Micro Deep SecurityIntroduction - Trend Micro Deep Security
Introduction - Trend Micro Deep SecurityAndrew Wong
 
What is Zero Trust
What is Zero TrustWhat is Zero Trust
What is Zero TrustOkta-Inc
 
F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introductionJimmy Saigon
 
Splunk workshop-Threat Hunting
Splunk workshop-Threat HuntingSplunk workshop-Threat Hunting
Splunk workshop-Threat HuntingSplunk
 
Cybersecurity Skills Audit
Cybersecurity Skills AuditCybersecurity Skills Audit
Cybersecurity Skills AuditVilius Benetis
 
5 Steps to a Zero Trust Network - From Theory to Practice
5 Steps to a Zero Trust Network - From Theory to Practice5 Steps to a Zero Trust Network - From Theory to Practice
5 Steps to a Zero Trust Network - From Theory to PracticeAlgoSec
 
Data Loss Prevention
Data Loss PreventionData Loss Prevention
Data Loss PreventionReza Kopaee
 
CASB: Securing your cloud applications
CASB: Securing your cloud applicationsCASB: Securing your cloud applications
CASB: Securing your cloud applicationsForcepoint LLC
 

What's hot (20)

Technology Overview - Symantec Endpoint Protection (SEP)
Technology Overview - Symantec Endpoint Protection (SEP)Technology Overview - Symantec Endpoint Protection (SEP)
Technology Overview - Symantec Endpoint Protection (SEP)
 
Zero trust in a hybrid architecture
Zero trust in a hybrid architectureZero trust in a hybrid architecture
Zero trust in a hybrid architecture
 
Splunk-Presentation
Splunk-Presentation Splunk-Presentation
Splunk-Presentation
 
Microsoft Office 365 Advanced Threat Protection
Microsoft Office 365 Advanced Threat ProtectionMicrosoft Office 365 Advanced Threat Protection
Microsoft Office 365 Advanced Threat Protection
 
SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:
 
Journey to the Center of Security Operations
Journey to the Center of Security OperationsJourney to the Center of Security Operations
Journey to the Center of Security Operations
 
Technology Overview - Symantec Data Loss Prevention (DLP)
Technology Overview - Symantec Data Loss Prevention (DLP)Technology Overview - Symantec Data Loss Prevention (DLP)
Technology Overview - Symantec Data Loss Prevention (DLP)
 
Email_Security Gateway.pptx
Email_Security Gateway.pptxEmail_Security Gateway.pptx
Email_Security Gateway.pptx
 
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC Report
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC ReportMcAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC Report
McAfee - MVISION Cloud (MVC) - Cloud Access Security Broker (CASB) - POC Report
 
Microsoft Zero Trust
Microsoft Zero TrustMicrosoft Zero Trust
Microsoft Zero Trust
 
Introduction - Trend Micro Deep Security
Introduction - Trend Micro Deep SecurityIntroduction - Trend Micro Deep Security
Introduction - Trend Micro Deep Security
 
What is Zero Trust
What is Zero TrustWhat is Zero Trust
What is Zero Trust
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introduction
 
Zero trust deck 2020
Zero trust deck 2020Zero trust deck 2020
Zero trust deck 2020
 
Splunk workshop-Threat Hunting
Splunk workshop-Threat HuntingSplunk workshop-Threat Hunting
Splunk workshop-Threat Hunting
 
Cybersecurity Skills Audit
Cybersecurity Skills AuditCybersecurity Skills Audit
Cybersecurity Skills Audit
 
5 Steps to a Zero Trust Network - From Theory to Practice
5 Steps to a Zero Trust Network - From Theory to Practice5 Steps to a Zero Trust Network - From Theory to Practice
5 Steps to a Zero Trust Network - From Theory to Practice
 
Data Loss Prevention
Data Loss PreventionData Loss Prevention
Data Loss Prevention
 
CASB: Securing your cloud applications
CASB: Securing your cloud applicationsCASB: Securing your cloud applications
CASB: Securing your cloud applications
 

Similar to Cloud Access Security Brokers - CASB

Comprehensive Information on CASB
Comprehensive Information on CASBComprehensive Information on CASB
Comprehensive Information on CASBHTS Hosting
 
8 major facts you must know before you buying a casb
8 major facts you must know before you buying a casb8 major facts you must know before you buying a casb
8 major facts you must know before you buying a casbciphercloud1
 
Cloud Security, Standards and Applications
Cloud Security, Standards and ApplicationsCloud Security, Standards and Applications
Cloud Security, Standards and ApplicationsDr. Sunil Kr. Pandey
 
SaaS Security.pptx
SaaS Security.pptxSaaS Security.pptx
SaaS Security.pptxchelsi33
 
saassecurity-230424030940-08314322.pdf
saassecurity-230424030940-08314322.pdfsaassecurity-230424030940-08314322.pdf
saassecurity-230424030940-08314322.pdfSahilSingh316535
 
Cloud Application Security --Symantec
 Cloud Application Security --Symantec Cloud Application Security --Symantec
Cloud Application Security --SymantecAbhishek Sood
 
SaaS Platform Securing
SaaS Platform SecuringSaaS Platform Securing
SaaS Platform SecuringLeo TechnoSoft
 
Module 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUDModule 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUDSweta Kumari Barnwal
 
Cloud Security (CASB) for Slack
Cloud Security (CASB) for SlackCloud Security (CASB) for Slack
Cloud Security (CASB) for SlackSachin Yadav
 
SecSecuring Software as a Service Model of Cloud Computing: Issues and Solutions
SecSecuring Software as a Service Model of Cloud Computing: Issues and SolutionsSecSecuring Software as a Service Model of Cloud Computing: Issues and Solutions
SecSecuring Software as a Service Model of Cloud Computing: Issues and Solutionsijccsa
 
ITU-T requirement for cloud and cloud deployment model
ITU-T requirement for cloud and cloud deployment modelITU-T requirement for cloud and cloud deployment model
ITU-T requirement for cloud and cloud deployment modelHitesh Mohapatra
 
Cloud migration services
Cloud migration services Cloud migration services
Cloud migration services harrissmith5
 
A Survey on Different Techniques Used in Decentralized Cloud Computing
A Survey on Different Techniques Used in Decentralized Cloud ComputingA Survey on Different Techniques Used in Decentralized Cloud Computing
A Survey on Different Techniques Used in Decentralized Cloud ComputingEditor IJCATR
 

Similar to Cloud Access Security Brokers - CASB (20)

casb_by_.pptx
casb_by_.pptxcasb_by_.pptx
casb_by_.pptx
 
Comprehensive Information on CASB
Comprehensive Information on CASBComprehensive Information on CASB
Comprehensive Information on CASB
 
8 major facts you must know before you buying a casb
8 major facts you must know before you buying a casb8 major facts you must know before you buying a casb
8 major facts you must know before you buying a casb
 
Cloud Security, Standards and Applications
Cloud Security, Standards and ApplicationsCloud Security, Standards and Applications
Cloud Security, Standards and Applications
 
SaaS Security.pptx
SaaS Security.pptxSaaS Security.pptx
SaaS Security.pptx
 
saassecurity-230424030940-08314322.pdf
saassecurity-230424030940-08314322.pdfsaassecurity-230424030940-08314322.pdf
saassecurity-230424030940-08314322.pdf
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
Cloud Application Security --Symantec
 Cloud Application Security --Symantec Cloud Application Security --Symantec
Cloud Application Security --Symantec
 
SECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKESSECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKES
 
SaaS Platform Securing
SaaS Platform SecuringSaaS Platform Securing
SaaS Platform Securing
 
Cloud Security Alliance's GRC Stack Overview
Cloud Security Alliance's GRC Stack OverviewCloud Security Alliance's GRC Stack Overview
Cloud Security Alliance's GRC Stack Overview
 
Cloud monitoring overview
Cloud monitoring overviewCloud monitoring overview
Cloud monitoring overview
 
Module 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUDModule 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUD
 
Cloud Security (CASB) for Slack
Cloud Security (CASB) for SlackCloud Security (CASB) for Slack
Cloud Security (CASB) for Slack
 
SecSecuring Software as a Service Model of Cloud Computing: Issues and Solutions
SecSecuring Software as a Service Model of Cloud Computing: Issues and SolutionsSecSecuring Software as a Service Model of Cloud Computing: Issues and Solutions
SecSecuring Software as a Service Model of Cloud Computing: Issues and Solutions
 
ITU-T requirement for cloud and cloud deployment model
ITU-T requirement for cloud and cloud deployment modelITU-T requirement for cloud and cloud deployment model
ITU-T requirement for cloud and cloud deployment model
 
Cloud migration services
Cloud migration services Cloud migration services
Cloud migration services
 
A Survey on Different Techniques Used in Decentralized Cloud Computing
A Survey on Different Techniques Used in Decentralized Cloud ComputingA Survey on Different Techniques Used in Decentralized Cloud Computing
A Survey on Different Techniques Used in Decentralized Cloud Computing
 
Cloud services and it security
Cloud services and it securityCloud services and it security
Cloud services and it security
 
UNIT III - ppt.pptx
UNIT III - ppt.pptxUNIT III - ppt.pptx
UNIT III - ppt.pptx
 

Recently uploaded

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 

Recently uploaded (20)

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...

Cloud Access Security Brokers - CASB

  • 1. What is CASB? THIS PRESENTATION AIMS TO PROVIDE A CONCISE INTRODUCTION FOR PEOPLE WHO ARE INTERESTED IN LEARNING ABOUT THE LATEST TREND IN CLOUD BROKER SECURITY. A CLOUD ACCESS SECURITY BROKER (CASB) IS A SET OF NEW CLOUD SECURITY TECHNOLOGIES THAT ADDRESSES THE CHALLENGES POSED BY THE USE OF CLOUD APPS AND SERVICES. THEY WORK AS TOOLS THAT SIT BETWEEN AN ORGANIZATION'S ON-PREMISES INFRASTRUCTURE AND A CLOUD PROVIDER'S INFRASTRUCTURE. THEY ALLOW THE ORGANIZATION TO EXTEND THE REACH OF ITS SECURITY POLICIES BEYOND ITS OWN INFRASTRUCTURE TO THIRD-PARTY SOFTWARE AND STORAGE. 17th June 2017
  • 2. Classified as:
      • On-premises or
      • Cloud-hosted software that acts as a control point to support continuous visibility, compliance, threat protection, and security for cloud services.
  • 3. CASB solutions help to:
      • Identify and evaluate all the cloud apps in use
      • Enforce cloud application management policies in web proxies or firewalls
      • Provide handling of sensitive information
      • Encrypt or tokenize sensitive content to enforce privacy and security
      • Detect and block unusual account behaviour indicative of malicious activity
      • Integrate cloud visibility and controls with broader security solutions for data loss prevention, access management, and web security
  • 4. USAGE STATS
      • By 2020, 85% of large enterprises will use a cloud access security broker solution for their cloud services, which is up from fewer than 5% in 2015.
      • Through 2020, 95% of cloud security failures will be the customer's fault.
      • Source: https://www.skyhighnetworks.com/cloud-security-university/what-is-cloud-access-security-broker/
  • 5. How did CASB come to market?
      • To maintain data security and compliance with new data residency laws as enterprises move their infrastructure to the cloud, a Cloud Access Security Broker (CASB) comes into play.
      • CASB provides cloud encryption with the option for enterprises to control their own encryption keys, so access to data without the enterprise's knowledge is ruled out.
  • 6. How is CASB presented?
      • CASB technology is available as a SaaS application, on-premises via virtual or physical appliances, or as a hybrid combination of on-premises and cloud-based policy enforcement points.
    Observations:
      • The wide adoption of identity and access management in the cloud, delivering cloud single sign-on, has reduced the friction in adopting cloud services and related security controls like cloud access security brokers (CASBs).
      • Many enterprise business units are acquiring cloud services directly without IT's involvement. This form of "shadow IT" is fuelling growth in cloud service adoption as well as security risks.
      • The CASB market has evolved rapidly since its gestation period in 2012 and includes a number of high-profile acquisitions.
      • Today, CASBs primarily address back-office applications delivered as SaaS.
  • 7. How Does CASB Work? A high-level understanding:
      • CASBs work by ensuring that network traffic between on-premises devices and the cloud provider complies with the organization's security policies.
  • 8. Image Source: Gartner’s blog: security musings
  • 9.
  • 10. Fundamental Capabilities of CASB?
      • Cloud App Discovery and Analysis: Provide Shadow IT discovery and risk analysis, including detailed cloud app ratings, usage analytics, and continuous reporting.
      • Data Governance and Protection: Provide the ability to enforce data-centric security policies to prevent unwanted activity such as inappropriate sharing of content. Support encryption and tokenization of compliance-related data.
      • Threat Protection and Incident Response: Prevent malicious activity such as data exfiltration due to account takeover, session hijacking, or insider activity through continuous monitoring of user behavior. Identify and block malware being uploaded or shared within cloud apps and provide tools for incident response.
      • Compliance and Data Privacy: Assist with data residency and compliance with regulations and standards, as well as identify cloud usage and the risks of specific cloud services.
  • 11. CASBs' most prominent functionalities
      • Visibility: CASBs provide both shadow and sanctioned IT discovery, as well as a consolidated view of an organization's cloud service usage and the users who access data from any device or location.
      • Compliance: CASBs assist with data residency and compliance with regulations and standards, as well as identify cloud usage and the risks of specific cloud services.
      • Data Security: CASBs provide the ability to enforce data-centric security policies to prevent unwanted activity based on data classification, discovery and user activity monitoring of access to sensitive data or privilege escalation.
      • Threat Protection: CASBs prevent unwanted devices, users and versions of applications from accessing cloud services by providing adaptive access controls. Other examples in this category are user and entity behaviour analytics (UEBA) for determining anomalous behaviour, the use of threat intelligence, and malware identification.
  • 12.
  • 13. Comprehensive CASB solutions leverage the following:
      • Application Specific Security: The top cloud apps have well-defined APIs that a CASB can leverage to monitor activity, analyse content, and modify settings within accounts on that cloud app.
      • Inline Security with Gateways: Sitting between the users and their cloud apps, a CASB gateway can provide valuable insights into cloud activity and provide a vehicle for real-time policy enforcement, such as blocking data exfiltration or protecting information with encryption.
      • Shadow IT Analysis: Existing security devices, such as secure web gateways and firewalls, have log data that can be used to help analyse Shadow IT.
      • Access Control: Endpoint agents offer another option to manage cloud activity and enforce policies.
  • 14. Architectural Choices (forward proxy / reverse proxy / APIs) Initially, the market was segregated between providers that delivered their CASB features via forward- and/or reverse-proxy modes and others that used API modes exclusively. A growing number of CASBs now offer a choice between the proxy modes of operation and also support APIs (multimode CASBs).
  • 15. Reverse proxy
      • This can be deployed as a gateway on-premises or, as the more popular method, as SaaS.
      • It works by changing the authentication flow: the cloud service is told that the CASB passes the authentication on to the IDaaS provider while, importantly, the URL is left as belonging to the CASB and not the cloud service.
      • IDaaS stands for Identity-as-a-Service.
      • For people interested in learning more about IDaaS: https://www.centrify.com/solutions/cloud/identity-as-a-service-idaas/
  • 16.
      • This is one way to provide the ability to insert the CASB in front of end users accessing the SaaS service (with the exception of mobile native apps using certificate pinning) without having to touch the endpoint's configuration.
      • It also allows for control over key management and application of cryptography solutions on-premises with no access by a cloud-based CASB or cloud service provider. With hosted reverse proxy, there may be indirect access to the key management system and keys/tokens being used in the cloud by the CASB and/or CSP.
  • 17. Forward proxy
      • This can be deployed in the cloud or on-premises. Some vendors may deploy software agents on endpoint devices, push profiles through enterprise mobile management (EMM) for enforcement, or use other methods like DNS and proxy auto-configuration (PAC) files.
  • 18. API mode
      • This leverages the native features of the SaaS service itself by giving the CASB permission to access the service's API directly.
      • This mode also allows organizations to perform a number of functions like log telemetry, policy visibility and control, and data security inspection functions on all data at rest in the cloud application or service.
      • The CASB may offer on-premises or hosted key management options.
      • API mode makes it possible to take advantage of both CASB-native features and a growing number of data protection features offered by the SaaS provider itself (for example, Salesforce Shield), whereby it performs encryption/tokenization functions, but the end users still control the keys. However, the SaaS provider still has access to the keys, and data is unencrypted while used by the application.
  • 19.
      • If the SaaS is hosted by another CSP's infrastructure (for example, Amazon, Microsoft), it is available in the memory of the IaaS provider and may not meet strict data residency or compliance requirements.
  • 20. Some use cases for CASB Implementation:
      • Early anomaly detection: Leveraging data on the go can be used to detect anomalous behaviours and potential
      • Reporting and auditing: CASB offers enhanced granular visibility with detailed activity logs and other reports useful for compliance auditing and forensic purposes.
      • DLP: Content validation by public cloud applications, blocking, watermarking, password protecting and encryption will prevent data content from being exposed.
      • Encryption: CASBs can encrypt objects pre-upload/post-download, giving end-to-end data privacy and regulatory compliance.
  • 21. Leading choices for CASB:
      • Microsoft (Adallom): In September 2015, Microsoft completed its acquisition of Adallom, a CASB that had been shipping since early 2013. This brought CASB to Microsoft's Enterprise Mobility + Security (EMS) suite and added new capabilities to Office 365.
      • Imperva: Founded in November 2002 and has been shipping a CASB product since January 2014, when it acquired Skyfence. Imperva focuses on providing detailed user activity monitoring, cloud DLP, access control and threat protection.
      • Bitglass: Founded in January 2013 and has been shipping a CASB product since January 2014. Bitglass integrates several mobile data management (MDM) and IAM capabilities into its offering, such as remote wipe, single sign-on (SSO) and dual Security Assertion Markup Language (SAML) proxy, providing basic MDM and IDaaS capabilities.
  • 22.
      • Cisco CloudLock: Founded in January 2011 and has been shipping a CASB product since October 2013; it was acquired by Cisco in June 2016. It uses an API-only approach to the CASB market. It leverages APIs from cloud services (SaaS, PaaS, IaaS).
      • FireLayers: Founded in November 2013 and has been shipping a CASB product since April 2014. FireLayers is a multimode CASB delivering API, forward and reverse proxy, plus a SAML gateway. It provides cloud application discovery, but not SaaS service security posture assessments. Instead, it focuses on threat protection, behavior analytics, contextual access control and detailed activity monitoring.
  • 23.
  • 24. Further reading and references:
      • https://www.bluecoat.com/products-and-solutions/casb-cloud-access-security-broker
      • http://security-musings.blogspot.in/2015/04/comparing-cloud-access-security-broker.html
      • http://www.bitglass.com/blog/cloud-access-security-brokers-post5
      • https://www.ciphercloud.com/blog/casb-101-cloud-access-security-brokers/
  • 25. THANKS Samrat is a security researcher currently working for Secure Layer 7 India as a Security Consultant. His research interests involve: Penetration Testing, Secure Coding, and Reverse Engineering & Malware Analysis. He can be reached on twitter: @Samrat_Das93 or LinkedIn: https://in.linkedin.com/in/samrat18
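Slide 13 notes that log data from secure web gateways and firewalls can be used to analyse Shadow IT, and slide 10 lists app ratings and usage analytics as the output. The sketch below is an added example, not part of the presentation: the log layout, the app catalogue, its risk ratings and the upload threshold are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed gateway log: timestamp, user, destination host, bytes up, bytes down.
SAMPLE_LOG = """\
2017-06-12T09:01:11Z,alice,login.salesforce.com,1200,54000
2017-06-12T09:03:40Z,bob,files.example-share.test,48000000,900
2017-06-12T09:04:02Z,carol,files.example-share.test,2000,150000
2017-06-12T09:07:15Z,bob,app.example-notes.test,3500,8000
2017-06-12T09:09:30Z,dave,notsalesforce.com,500,700
"""

# Hypothetical app catalogue: domain -> (app name, sanctioned by IT, risk rating 1-10).
APP_CATALOGUE = {
    "salesforce.com": ("Salesforce", True, 2),
    "example-share.test": ("ExampleShare", False, 8),
    "example-notes.test": ("ExampleNotes", False, 5),
}

def classify(host):
    """Match on whole DNS labels so 'notsalesforce.com' is not taken for Salesforce."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        entry = APP_CATALOGUE.get(".".join(labels[i:]))
        if entry:
            return entry
    return None

def shadow_it_report(log_text, upload_threshold=10_000_000):
    """Return (unsanctioned-app usage sorted by risk, hosts missing from the catalogue)."""
    usage = defaultdict(lambda: {"users": set(), "uploaded": 0})
    unknown = set()
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        _ts, user, host, up, _down = row
        entry = classify(host)
        if entry is None:
            unknown.add(host)  # unrated destination: queue for review
        elif not entry[1]:
            usage[entry]["users"].add(user)
            usage[entry]["uploaded"] += int(up)
    report = [{"app": name, "risk": risk, "users": sorted(r["users"]),
               "uploaded": r["uploaded"], "large_upload": r["uploaded"] >= upload_threshold}
              for (name, _sanctioned, risk), r in usage.items()]
    report.sort(key=lambda r: (-r["risk"], -r["uploaded"]))
    return report, sorted(unknown)
```

Hosts that match no catalogue entry are returned separately, because an unrated destination is a discovery finding in its own right.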
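Slides 3, 5 and 16 describe a CASB gateway that tokenizes sensitive content while the keys stay under the enterprise's control on-premises. The following added example (not from the presentation) shows one way such an upload and download path can work; the token format, the HMAC-SHA-256 construction and the card-number pattern are assumptions of this sketch, not any product's behaviour.

```python
import hashlib
import hmac
import re

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # candidate card numbers
TOKEN_RE = re.compile(r"tok_[0-9a-f]{24}")

def luhn_ok(digits):
    """Luhn checksum: filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Stays on-premises: holds the key and the token-to-value map."""
    def __init__(self, key):
        self._key = key
        self._values = {}

    def tokenize(self, value):
        # Keyed and deterministic: equal values give equal tokens, so the
        # cloud app can still match records without seeing the value.
        mac = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + mac[:24]
        self._values[token] = value
        return token

    def detokenize(self, token):
        return self._values.get(token, token)  # unknown tokens pass through

def protect_outbound(text, vault):
    """Gateway upload path: tokenize Luhn-valid card numbers only."""
    def swap(match):
        digits = re.sub(r"[ -]", "", match.group())
        return vault.tokenize(digits) if luhn_ok(digits) else match.group()
    return CARD_RE.sub(swap, text)

def restore_inbound(text, vault):
    """Gateway download path: put original values back for the user."""
    return TOKEN_RE.sub(lambda m: vault.detokenize(m.group()), text)
```

A vault built with a different key, or one that never saw the value, leaves the token in place, which is what the cloud provider or a hosted component without vault access would see.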