What is a CASB and How Do You Even Say It?

Caleb Mast, Regional Sales Director, Bitglass

These are some of the questions that I asked as I went through the recruiting process with Bitglass. My goal was to understand the product completely before going out and pitching it to prospective clients. So, what exactly is a Cloud Access Security Broker (CASB)? By Gartner’s definition, CASBs (Cloud Access Security Brokers) are “on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed.

CASBs consolidate multiple types of security policy enforcement, just like a top rated college football program (such as Penn State) leverages skilled players at all positions to thwart the best efforts of competitors’ offenses (and as they’ll demonstrate against Ohio State on November 23 of this year).

Example CASB security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.”* If you’re like me, even after reading the official definition, you may be slightly confused. My hope is that this article will give you a better understanding of how a CASB may benefit your corporate security strategy.

It’s pronounced caz-bee by the way.

At the broadest level, a CASB provides risk mitigation controls that help organizations protect data as they adopt cloud applications. There are four critical security gaps in cloud applications that CASBs defend against:

Data Protection Beyond the Firewall: Pop quiz – if someone on an unmanaged device connects to Office 365 via wifi from a coffee shop, which security product in your stack protects this session? If you’re at a loss, you aren’t alone.

In the pre-cloud world, your security stack offered insight, security controls, data loss prevention, and threat protection to the IT staff in order to fully monitor and secure corporate data. However, this is under the assumption that the information traversed through at least some part of your corporate network. With the introduction of cloud into our corporate environments, employees now access company data outside of the four walls of the office with applications like Office 365, GSuite, Box, Salesforce, and so on and so forth. CASBs are architected to ensure security for any application, anywhere.

Bring Your Own Device: Once employees discovered how easy it was to access their company information from the cloud, they began doing so from their own personal devices (laptops, smartphones, tablets, et cetera). While many organizations want to provide flexibility and allow employees to work from any device, they shudder at the idea of sensitive corporate data syncing to a totally unmanaged (and potentially insecure or compromised), personal device. Once the information is on the user’s device, it becomes very difficult to have any control – cue the CASB.

Unmanaged Applications: Also known as shadow IT, these are applications over which IT has no visibility. Though these applications may not be inherently bad, they allow files to be stored and shared in an uncontrolled environment. This is a massive compliance violation at best, and a nightmare to any CISO. How should your organization address this problem? You guessed it.

Malicious Users: Pre-CASB, a malicious user would have to get through the corporate security stack undetected in order to get company information. Now that information resides in cloud applications, all parties, good and bad, can knock at the front-door authentication prompt. Additionally, cloud usage balloons quickly – once an organization becomes cloud friendly, its cloud footprint expands rapidly. As such, malicious users (whether they are disgruntled insiders or hackers with compromised credentials) can easily exfiltrate data via cloud apps when proper security is not in place.

Organizations that utilize CASBs find that they are able to store sensitive information in the cloud without compromising on security. CASBs enable malware detection and remediation, geofencing, data encryption, session management, and more. What are you doing to protect corporate data across your cloud footprint? I would love to hear your strategies.

Keeping Your Boat Afloat with a Cloud Access Security Broker

By Prasidh Srikanth, Senior Product Manager, Bitglass

If you were on a sinking ship that was full of holes of various sizes, which ones would you patch first? Probably the big ones. Now, consider this: As an enterprise, you’ve been successfully sailing and securing your corporate data on premises for some time. However, now you’re migrating to the cloud, looking for increased productivity, collaboration, and cost savings. In this new ocean, organizations must decide how to prioritize security concerns so that they can prevent data leakage.

There are two schools of thought on how organizations should accomplish the above. The first entails beginning by securing your most-used SaaS apps (Office 365, Box, G Suite, Slack, et cetera). This is ideally done through a multimode cloud access security broker (CASB) that secures data access in real time via proxy, and secures data at rest in the cloud through API integrations. As these major apps are the primary locations to which your data is flowing, they are your first responsibility to address.

From there, a shadow IT discovery tool can be used to identify the other, less frequently used SaaS apps that employees are accessing. When these uncommon, less widely known apps are discovered, you may then choose to perform policy-based remediations; for example, coaching users to sanctioned alternatives, making shadow IT apps read only, or blocking access altogether. In this way, the larger security gaps are addressed before the smaller ones, meaning that your boat is successfully patched and gets to sail onward.
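The discovery-then-remediate step described above, as an added illustration that is not Bitglass code or any product's actual logic: a small Python pass over constructed web-proxy log lines that classifies destinations against an app catalogue, ranks the unsanctioned ("shadow") apps by how many users touch them, and applies the three remediations the post names (coach to a sanctioned alternative, read-only, or block) at enforcement time. The log format, hostnames, catalogue entries and policy table are all assumptions made up for the example.

```python
"""Shadow IT discovery and policy-based remediation over proxy logs.

Added illustration, not Bitglass code. The log format, hostnames, app
catalogue and policy table below are assumptions constructed for the example.
"""

# Constructed sample proxy log: "<timestamp> <user> <method> <host> <path>".
SAMPLE_LOG = """\
2019-11-01T09:01:02Z alice GET outlook.office365.com /mail
2019-11-01T09:03:10Z bob POST api.box.com /2.0/files/content
2019-11-01T09:05:44Z carol PUT files.sharedrop.example /api/transfers
2019-11-01T09:06:01Z dave GET pastebox.example /raw/abc123
2019-11-01T09:07:30Z alice POST pastebox.example /api/post
2019-11-01T09:08:12Z erin GET slack.com /api/conversations.list
2019-11-01T09:09:55Z frank POST files.sharedrop.example /api/transfers/finalize
2019-11-01T09:10:20Z bob GET notes.quicknotes.example /n/42
2019-11-01T09:11:05Z bob PUT notes.quicknotes.example /n/42
"""

# Assumed catalogue: host suffix -> (app name, category, sanctioned?).
# The .example hosts are fictional shadow IT apps.
APP_CATALOG = {
    "office365.com":     ("Office 365", "suite", True),
    "box.com":           ("Box", "file-sharing", True),
    "slack.com":         ("Slack", "messaging", True),
    "sharedrop.example": ("ShareDrop", "file-sharing", False),
    "pastebox.example":  ("PasteBox", "paste", False),
}
UNKNOWN = ("Unclassified SaaS", "unknown", False)

# Assumed remediation policy for unsanctioned categories: coach users to the
# sanctioned alternative, block outright, or (default) allow reads only.
SHADOW_POLICY = {"file-sharing": "coach", "paste": "block"}
DEFAULT_SHADOW_ACTION = "read-only"
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}


def parse_log(text):
    """Split each non-empty log line into a dict of its five fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, method, host, path = line.split()
        events.append({"ts": ts, "user": user, "method": method,
                       "host": host.lower(), "path": path})
    return events


def classify_host(host):
    """Match a destination host against the catalogue by domain suffix."""
    for suffix, record in APP_CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return record
    return UNKNOWN


def remediation(category, sanctioned):
    """Policy decision for an app: allow, coach, block or read-only."""
    if sanctioned:
        return "allow"
    return SHADOW_POLICY.get(category, DEFAULT_SHADOW_ACTION)


def enforce(event):
    """Inline (proxy-style) verdict for one request under the policy."""
    name, category, sanctioned = classify_host(event["host"])
    action = remediation(category, sanctioned)
    if action == "allow":
        return "allow"
    if action == "block":
        return "deny: %s is blocked" % name
    if action == "coach":
        return "deny: %s is unsanctioned, use Box instead" % name
    # read-only: reads pass, uploads are denied
    if event["method"] in UPLOAD_METHODS:
        return "deny: %s is read-only" % name
    return "allow"


def discover(events):
    """Aggregate per-app usage: distinct users, request and upload counts."""
    stats = {}
    for ev in events:
        name, category, sanctioned = classify_host(ev["host"])
        s = stats.setdefault(name, {"category": category, "sanctioned": sanctioned,
                                    "users": set(), "requests": 0, "uploads": 0})
        s["users"].add(ev["user"])
        s["requests"] += 1
        if ev["method"] in UPLOAD_METHODS:
            s["uploads"] += 1
    return stats


def shadow_it_report(events):
    """Unsanctioned apps ranked by user count (biggest hole first) with the
    action the policy would apply to each."""
    stats = discover(events)
    rows = [(name, len(s["users"]), s["uploads"],
             remediation(s["category"], s["sanctioned"]))
            for name, s in stats.items() if not s["sanctioned"]]
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for row in shadow_it_report(evs):
        print("%-18s users=%d uploads=%d action=%s" % row)
    for ev in evs:
        print(ev["user"], ev["method"], ev["host"], "->", enforce(ev))
```

Ranking by distinct users is what turns discovery into prioritisation: the apps with the widest footprint are patched first, and the long tail of single-user apps falls back to a read-only default rather than being ignored.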

The other approach to cloud security says that organizations should perform shadow IT discovery before they begin to secure major SaaS applications and enforce data protection policies. In other words, you have to identify everything before you can begin securing anything. With this approach, you start by hunting down every minuscule security gap before beginning to address the apps that represent the largest data leakage threats, meaning that your boat is allowed to take on water.

Gaining insight into SaaS app usage is helpful for the enterprise; however, there’s a handful of apps that act as the gateway to your cloud journey. Addressing these commonly used applications first is the right way to secure your cloud migration. Once you have your bases covered in this way, you can further strengthen your security posture by performing shadow IT discovery and securing the other apps that represent the metaphorical small holes in your boat. With this measured and methodical security approach, you can confidently continue to transform your business and sail into the cloud.

How to Do the Impossible and Secure BYOD

By Will Houcheime, Product Marketing Manager, Bitglass

The use of cloud tools in the enterprise is becoming increasingly common, enabling employees to collaborate and work incredibly efficiently. On top of this, when employees are allowed to work from their personal devices (known as bring your own device or BYOD), it makes it even easier for them to share information and complete tasks. However, BYOD also makes it more difficult for businesses to oversee and protect the flow of corporate data. In light of this, Bitglass surveyed IT experts to learn about what organizations are doing to secure BYOD.

According to the report, 85 percent of organizations enable BYOD, making those that do not grant personal device access the minority. Additionally, BYOD is no longer limited to employees’ personal devices – data is also being accessed by contractors, partners, customers, and suppliers on their own private endpoints. As such, adopting a security solution built for BYOD (like an agentless cloud access security broker) is imperative for any organization seeking comprehensive data and threat protection. While companies are quick to enable BYOD because of its numerous benefits, failing to do so securely will inevitably leave the enterprise exposed to a variety of threats.

Despite the fact that there are many reasons to adopt BYOD, a handful of companies still refuse to do so. Our survey shows that the primary reason for this is an uncertainty over the ability to protect data flowing to personal devices. Employees typically reject the agent-based security tools (MDM, MAM, etc.) that organizations try to install on their personal devices when they want to secure BYOD. This is because agents can invade their privacy and harm their user experience. Our advice: Look for an agentless CASB that gives organizations comprehensive visibility and control over their data – even when it is being accessed by personal devices.

In Mission Impossible: Securing BYOD, learn why companies are adopting BYOD, how they are securing it, and much more.