What is a CASB and How Do You Even Say It?

Caleb Mast, Regional Sales Director, Bitglass

These are some of the questions that I asked as I went through the recruiting process with Bitglass. My goal was to understand the product completely before going out and pitching it to prospective clients. So, what exactly is a Cloud Access Security Broker (CASB)? By Gartner’s definition, CASBs are “on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed.

CASBs consolidate multiple types of security policy enforcement, just like a top-rated college football program (such as Penn State) leverages skilled players at all positions to thwart the best efforts of competitors’ offenses (and as they’ll demonstrate against Ohio State on November 23 of this year).

Example CASB security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.”* If you’re like me, even after reading the official definition, you may be slightly confused. My hope is that this article will give you a better understanding of how a CASB may benefit your corporate security strategy.

It’s pronounced caz-bee by the way.

At the broadest level, a CASB provides risk mitigation controls that help organizations protect data as they adopt cloud applications. There are four critical security gaps in cloud applications that CASBs defend against:

Data Protection Beyond the Firewall: Pop quiz – if someone on an unmanaged device connects to Office 365 over Wi-Fi from a coffee shop, which security product in your stack protects this session? If you’re at a loss, you aren’t alone.

In the pre-cloud world, your security stack gave IT staff the visibility, security controls, data loss prevention, and threat protection needed to fully monitor and secure corporate data. However, this assumed that the information traversed at least some part of your corporate network. With the introduction of cloud into our corporate environments, employees now access company data outside the four walls of the office with applications like Office 365, G Suite, Box, Salesforce, and so on. CASBs are architected to ensure security for any application, anywhere.

Bring Your Own Device: Once employees discovered how easy it was to access their company information from the cloud, they began doing so from their own personal devices (laptops, smartphones, tablets, et cetera). While many organizations want to provide flexibility and allow employees to work from any device, they shudder at the idea of sensitive corporate data syncing to a totally unmanaged (and potentially insecure or compromised) personal device. Once the information is on the user’s device, it becomes very difficult to have any control – cue the CASB.

Unmanaged Applications: Also known as shadow IT, these are applications over which IT has no visibility. Though these applications may not be inherently bad, they allow files to be stored and shared in an uncontrolled environment. This is a massive compliance violation at best, and a nightmare for any CISO. How should your organization address this problem? You guessed it.

Malicious Users: Pre-CASB, a malicious user would have to get through the corporate security stack undetected in order to get company information. Now that information resides in cloud applications, all parties, good and bad, can knock at the front door authentication prompt. Additionally, cloud usage balloons quickly – once an organization becomes cloud friendly, their cloud footprint expands rapidly. As such, malicious users (whether they are disgruntled insiders or hackers with compromised credentials), can easily exfiltrate data via cloud apps when proper security is not in place.

Organizations that utilize CASBs find that they are able to store sensitive information in the cloud without compromising on security. CASBs enable malware detection and remediation, geofencing, data encryption, session management, and more. What are you doing to protect corporate data across your cloud footprint? I would love to hear your strategies.

Rocks, Pebbles, Shadow IT

By Rich Campagna, Chief Marketing Officer, Bitglass

Way back in 2013/14, Cloud Access Security Brokers (CASBs) were first deployed to identify Shadow IT, or unsanctioned cloud applications. At the time, the prevailing mindset amongst security professionals was that cloud was bad, and discovering Shadow IT was viewed as the first step towards stopping the spread of cloud in their organization.

Flash forward just a few short years and the vast majority of enterprises have done a complete 180° with regards to cloud, embracing an ever-increasing number of “sanctioned” cloud apps. As a result, the majority of CASB deployments today are focused on real-time data protection for sanctioned applications – typically starting with System of Record applications that handle wide swaths of critical data (think Office 365, Salesforce, etc.). Shadow IT discovery, while still important, is almost never the main driver in the CASB decision-making process.

Regardless, I still occasionally hear of CASB intentions that harken back to the days of yore – “we intend to focus on Shadow IT discovery first before moving on to protect our managed cloud applications.” Organizations that start down this path quickly fall into the trap of building time-consuming processes for triaging and dealing with what quickly grows from hundreds to thousands of applications, all the while delaying building appropriate processes for protecting data in the sanctioned applications where they KNOW sensitive data resides.

This approach is a remnant of marketing positioning by early vendors in the CASB space. For me, it brings to mind Habit #3 from Stephen Covey’s The 7 Habits of Highly Effective People: “Put First Things First.”

Putting first things first is all about focusing on your most important priorities. There’s a video of Stephen famously demonstrating this habit on stage in one of his seminars. In the video, he asks an audience member to fill a bucket with sand, followed by pebbles, and then big rocks. The result is that once the pebbles and sand fill the bucket, there is no more room for the rocks. He then repeats the demonstration by having her add the big rocks first. The result is that all three fit in the bucket, with the pebbles and sand filtering down between the big rocks.

Now, one could argue that after you take care of the big rocks, perhaps you should just forget about the sand, but regardless, this lesson is directly applicable to your CASB deployment strategy:

You have major sanctioned apps in the cloud that contain critical data. These apps require controls around data leakage, unmanaged device access, credential compromise and malicious insiders, malware prevention, and more. Those are your big rocks and the starting point of your CASB rollout strategy. Focus too much on the sand and you’ll never get to the rocks.

Read what Gartner has to say on the topic in 2018 Critical Capabilities for CASBs.