This document discusses Cloud Access Security Brokers (CASBs). It defines a CASB as a set of cloud security technologies that sits between an organization's on-premises infrastructure and a cloud provider's infrastructure to extend security policies to third-party software and storage. CASBs help identify and manage cloud apps, enforce policies, provide data security through encryption and activity monitoring, and integrate with other security solutions. The document discusses how CASBs work using proxies or APIs, compares architectural choices, and lists some leading CASB providers like Microsoft, Imperva, Bitglass, and Cisco CloudLock.

1. What is CASB?
THIS PRESENTATION AIMS TO BRING FORWARD A CONCISE KNOWLEDGE FOR THOSE
PEOPLE WHO ARE INTERESTED TO LEARN ABOUT THE LATEST TREND OF CLOUD BROKER
SECURITY.
A CLOUD ACCESS SECURITY BROKER (CASB) IS A SET OF NEW CLOUD SECURITY
TECHNOLOGIES THAT ADDRESSES THE CHALLENGES POSED BY THE USE OF CLOUD APPS
AND SERVICES. THEY WORK AS TOOLS THAT SITS BETWEEN AN ORGANIZATION'S ON-
PREMISES INFRASTRUCTURE AND A CLOUD PROVIDER'S INFRASTRUCTURE.
THEY ALLOW THE ORGANIZATION TO EXTEND THE REACH OF THEIR SECURITY POLICIES
BEYOND THEIR OWN INFRASTRUCTURE TO THIRD-PARTY SOFTWARE AND STORAGE.
17th June 2017

2. Classified as:
 On-premises or
 Cloud-hosted software that act as a control point to support continuous visibility,
compliance, threat protection, and security for cloud services.

3. CASB solutions helps to:
• Identify and evaluate all the cloud apps in use
• Enforce cloud application management policies in web proxies or firewalls
• Provide handling of sensitive information
• Encrypt or tokenize sensitive content to enforce privacy and security
• Detect and block unusual account behaviour indicative of malicious activity
• Integrate cloud visibility and controls with broader security solutions for data
loss prevention, access management, and web security

4. USAGE STATS
 By 2020, 85% of large enterprises will use a cloud access security broker solution
for their cloud services, which is up from fewer than 5% in 2015.
 Through 2020, 95% of cloud security failures will be the customer's fault.
 Source: (https://www.skyhighnetworks.com/cloud-security-university/what-is-
cloud-access-security-broker/)

5. How CASB comes into market?
 To maintain data security and compliance with new data residency laws as their
infrastructure moves to the cloud a Cloud Access Security Broker (CASB) comes
into play.
 CASB provides cloud encryption with the option to have control over their own
encryption keys, so access to data without enterprises knowledge is ruled out.

6. How is CASB presented?
 CASB technology is available as a SaaS application or on-premises via virtual or physical
appliances, or both using a hybrid combination of on-premises and cloud-based policy
enforcement points.
 Observations:
 •The wide adoption of identity and access management into the cloud, delivering cloud single
sign-on, has reduced the friction in adopting cloud services and related security controls like
cloud access security brokers (CASBs).
 •Many enterprise business units are acquiring cloud services directly without IT's involvement.
This form of "shadow IT" is fuelling growth in cloud service adoption as well as security risks.
 •The CASB market has evolved rapidly since its gestation period in 2012 and includes a
number of high-profile acquisitions.
 •Today, CASBs primarily address back-office applications delivered as SaaS.

7. How Does CASB Work? A high level
understanding:
 CASBs works by ensuring that network traffic between on-premises devices and
the cloud provider complies with the organization's security policies.

8. Image Source: Gartner’s blog: security musings

10. Fundamental Capabilities of CASB?
 Cloud App Discovery and Analysis
 Provide Shadow IT discovery and risk analysis including detailed cloud app ratings, usage analytics,
and continuous reporting.
 Data Governance and Protection
 Provide the ability to enforce data-centric security policies to prevent unwanted activity such as
inappropriate sharing of content. Support encryption and tokenization of compliance-related data.
 Threat Protection and Incident Response
 Prevent malicious activity such as data exfiltration due to account takeover, session hijacking, or insider
activity through continuous monitoring of user behavior. Identify and block malware being uploaded
or shared within cloud apps and provide tools for incident response.
 Compliance and Data Privacy
 Assist with data residency and compliance with regulations and standards, as well as identify cloud
usage and risks of specific could services.

11. CASBs most prominent functionalities
• Visibility
CASBs provide both shadow and sanctioned IT discovery, as well as a consolidated view of an organization's cloud service
usage and the users who access data from any device or location.
• Compliance
CASBs assist with data residency and compliance with regulations and standards, as well as identify cloud usage and the
risks of specific cloud services.
• Data Security
CASBs provide the ability to enforce data-centric security policies to prevent unwanted activity based on data classification,
discovery and user activity monitoring of access to sensitive data or privilege escalation.
• Threat Protection
CASBs prevent unwanted devices, users and versions of applications from accessing cloud services by providing adaptive
access controls. Other examples in this category are user and entity behaviour analytics (UEBA) for determining anomalous
behaviour, the use of threat intelligence, and malware identification.

13. Comprehensive CASB solutions leverage the
following:
 Application Specific Security
 The top cloud apps have well-defined APIs that a CASB can leverage to monitor activity, analyse
content, and modify settings within accounts on that cloud app.
 Inline Security with Gateways
 Sitting between the users and their cloud apps, a CASB gateway can provide valuable insights into
cloud activity and provide a vehicle for real-time policy enforcement, such as blocking data
exfiltration or protecting information with encryption.
 Shadow IT Analysis
 Existing security devices, such as secure web gateways and firewalls, have log data that can be used
to help analyse Shadow IT.
 Access Control
 Endpoint agents offer another option to manage cloud activity and enforce policies.

14. Architectural Choices (forward / reverse
proxy/APIs)
Initially, the market was segregated between providers that delivered their CASB
features via forward- and/or reverse-proxy modes and others that used API modes
exclusively.
Increasingly, a growing number of CASBs offer a choice between the proxy modes
of operation and also support APIs (multimode CASBs)

15. Reverse proxy
 This can be deployed as a gateway on-premises or as the more popular
method, as SaaS.
 This is performed by changing the way authentication works by telling the cloud
service that the CASB passes the authentication onto the IDaaS provider, but,
importantly, leaves the URL as belonging to the CASB and not the cloud service.
 IDaas is defined as identity-as-Service ("IDaaS").
 For people interested to learn more about IDaas
(https://www.centrify.com/solutions/cloud/identity-as-a-service-idaas/)

16.  This is one way to provide the ability to insert the CASB in front of end users
accessing the SaaS service (with the exception of mobile native apps using
certificate pinning) without having to touch the endpoint's configuration.
 It also allows for control over key management and application of cryptography
solutions on-premises with no access by a cloud-based CASB or cloud service
provider. With hosted reverse proxy, there may be indirect access to the key
management system and keys/tokens being used in the cloud by the CASB and/or
CSP.

17. Forward proxy
 This can be deployed as a cloud or on-premises, and some vendors may deploy
software agents on endpoint devices or pass profiles for enterprise mobile
management (EMM) to enforce or use other methods like DNS and proxy auto-
configuration (PAC) files.

18. API mode
 This leverages the native features of the SaaS service itself by giving the CASB
permission to access the service's API directly.
 This mode also allows organizations to perform a number of functions like log
telemetry, policy visibility and control, and data security inspection functions on all
data at rest in the cloud application or service.
 The CASB may offer on-premises or hosted key management options.
 API mode makes it possible to take advantage of both CASB-native, and a
growing number of SaaS service data protection, features offered by the SaaS
provider itself (for example, Salesforce Shield), whereby it performs
encryption/tokenization functions, but the end users still control the keys.
However, the SaaS provider still has access to the keys, and data is unencrypted
while used by the application.

19.  If the SaaS is hosted by another CSP's infrastructure (for example, Amazon,
Microsoft), it is available in the memory of the IaaS provider and may not meet
strict data residency or compliance requirements

20. Some use cases for CASB Implementation:
• Early anomaly detection: Leveraging data on the go can be used to detect
anomalous behaviours and potential
• Reporting and auditing: CASB offers enhanced granular visibility with detailed
activity logs and other reports useful for compliance auditing and forensic purposes.
• DLP: Content validation by public cloud applications, blocking, watermarking,
password protecting and encryption will prevent data content from being exposed.
• Encryption: CASBs can encrypt objects pre-upload/ post-download giving end-to-
end data privacy and regulatory compliance.

21. Leading choices for CASB:
 Microsoft (Adallom)
 In September 2015, Microsoft completed its acquisition of Adallom, a CASB that had been shipping since early 2013.
This brought CASB to Microsoft's Enterprise Mobility + Security (EMS) suite and added new capabilities to Office 365.
 Imperva
 Founded in November 2002 and has been shipping a CASB product since January 2014, when it acquired Skyfence.
Imperva focuses on providing detailed user activity monitoring, cloud DLP, access control and threat protection.
 Bitglass
 Founded in January 2013 and has been shipping a CASB product since January 2014.
 Bitglass integrates several mobile data management (MDM) and IAM capabilities into its offering, such as remote
wipe, single sign-on (SSO) and dual Security Assertion Markup Language (SAML) proxy, providing basic MDM and
IDaaS capabilities.

22.  Cisco CloudLock
 Founded in January 2011 and has been shipping a CASB product since October 2013; it was
acquired by Cisco in June 2016. It uses an API-only approach to the CASB market. It leverages
APIs from cloud services (SaaS, PaaS, IaaS).
 FireLayers
 Founded in November 2013 and has been shipping a CASB product since April 2014. FireLayers
a multimode CASB delivering API, forward and reverse proxy, plus a SAML gateway. It provides
cloud application discovery, but not SaaS service security posture assessments. Instead, it
on threat protection, behavior analytics, contextual access control and detailed activity
monitoring.

24. Further reading and references:
https://www.bluecoat.com/products-and-solutions/casb-
cloud-access-security-broker
http://security-musings.blogspot.in/2015/04/comparing-
cloud-access-security-broker.html
http://www.bitglass.com/blog/cloud-access-security-brokers-
post5
https://www.ciphercloud.com/blog/casb-101-cloud-access-
security-brokers/

25. THANKS
Samrat is a security researcher currently working for Secure Layer 7 India as a Security Consultant. His research
interests involve: Penetration Testing, Secure Coding, and Reverse Engineering & Malware Analysis. He can be
reached on twitter: @Samrat_Das93 or LinkedIn: https://in.linkedin.com/in/samrat18