What is a CASB or Cloud Access Security Broker?

Man tapping a cloud icon
(Image credit: Shutterstock)

In the old days, companies commonly stored and safeguarded all of their software and data in a single on-site data center. This made security challenges more straightforward to overcome. The companies had complete visibility over their devices and those who had access to their applications and sensitive data, meaning they had virtually complete control over everything and everyone entering and exiting their data centers. 

Now, decades after the rise of cloud computing, it’s a completely different story. As companies moved their apps, data access, and data storage to the cloud, new security gaps started to emerge.

How to overcome the lack of visibility with cloud apps? How to compensate for incomplete control over who can access the data? What’s the best way of dealing with denial-of-service (DoS) attacks? How to stop the hijacking of user accounts? What about human error and insider misuse? And the list of cloud security vulnerabilities goes on and on.

These newly created security gaps had to be filled with some sort of cloud-based and cloud-delivered security solution which is specially designed with software-as-a-service (SaaS) apps in mind. This solution should add a new layer of security to make sure all activities across public and custom clouds are kept under a watchful eye and in complete control. One solution that can serve this purpose is Cloud Access Security Broker (CASB) and we need to talk about it. 

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey
TechRadar needs yo...

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Perimeter 81 is one of TechRadar's choices for the best SWG providers

Perimeter 81 is one of TechRadar's choices for the best SWG providers

Protect your employees and network from web-based attacks with a Secure Web Gateway. Filter out malicious threats. Monitor all employee activity. Streamline compliance. Secure your entire workforce, whether on-prem or remote with Perimeter 81, TechRadar's top-rated business VPN. Deploy in minutes. Start now.

What is a CASB? 

A CASB is a cloud-based or on-premises platform that monitors traffic between cloud service providers and cloud service consumers with a mission to enforce the companies’ security, compliance, and access policies linked to cloud-based resources. In simplest terms, it’s a checkpoint between cloud-based apps and their end-users.

Before CASBs came into existence, there was no visibility into the ways in which all company’s data was protected. With the increasing popularity of smartphone use and more companies allowing personal phones and other devices into their networks, the cyber risks started to rise as well. When cloud computing took off, the need for a solid security solution that could provide consistent security across multiple clouds while protecting its users was at its peak.

For every problem, there is a solution, however, and the one that is supposed to solve the major cloud security challenges would be a CASB. It usually comes with services such as cloud auditing, discovering shadow IT apps, malware detection, encrypting data, preventing data leaks or data loss, monitoring user activity, and alerting administrators of potential cybersecurity threats.

The four pillars of CASB 

The security features ingrained in a CASB solution can be categorized into four main areas (also known as the four pillars of CASB) and they include visibility, compliance, data security, and threat protection.

1. Visibility

By offering comprehensive visibility of cloud apps usage (both sanctioned and unsanctioned), CASB assists companies in safeguarding sensitive data, intellectual property, and their users.

In addition to this, CASB also conducts a cloud discovery analysis by going through the traffic and ranking the apps according to various risk factors to secure ongoing visibility into cloud use, control over shadow IT, and risks it could pose for your company. 

For instance, if a user tries to access an app from two different geographical locations at the same time, a CASB would flag this as a potential risk and notify the cloud security staff to take further action.

2. Compliance

With new and stricter privacy laws coming into force across different countries, regions, and industries, ensuring compliance has become all the more challenging. This is particularly true now when the companies are starting to transfer their systems and data to the cloud. With the support of CASB, companies can maintain compliance in the cloud by performing comprehensive monitoring, access control, and data loss prevention (DLP). Also, CASB will help in identifying potential compliance risks, thus ensuring regulatory compliance across all levels.

3. Data security

Although a CASB isn’t a complete data security system, it can complement a company's DLP solutions by extending its reach to cloud security services. It doesn’t come into direct contact with data but rather scrutinizes the data that “travels” through CASB software. So, by intercepting sensitive data that’s in transit, CASB can deny access to websites it classed as a potential security risk, which has its upsides and downsides.

4. Threat detection

A CASB is also created to protect a company from all sorts of cloud risks such as malware and other cyber threats that can enter into a company's systems via apps and access. One way CASB strengthens security is by making sure that unwelcome users, apps, and devices aren’t allowed access to cloud services.

Based on this, CASB takes care of URL filtering, account takeover protection, malware detection, and removal, and blocks phishing attacks.

Who should use CASB? 

If you’re part of a company that uses the cloud, utilizing a CASB could be crucial for its success. Unfortunately, too many companies suppose that their cloud services provider will take care of all security for them, but this is seldom the case. Actually, although all respectable cloud services providers will take complete responsibility for the security of your cloud, you’ll be the one in charge of the safety of your content on it.

Another bad news is that enterprise security information and event management (SIEM) doesn’t ordinarily include CASB or other cloud security solutions. However, since CASB can be integrated into your current SIEM, all hope is not lost.

In short, if your company’s current security staff can’t guarantee the four pillars of CASB we’ve talked about above (visibility, compliance, data security, and threat detection) then it’s high time to upgrade your security with a solution that can get the job done.

What to consider when choosing a CASB? 

With CASBs there is no one-size-fits-all sort of solution, which means you’ll have to choose what’s right for your company’s current and projected requirements. You should also keep in mind that there are two types of CASB providers: proxy-based CASBs, which utilize legacy network technology to secure access and data) and API-based CASBs. The latter use each cloud application's native APIs to do the same thing in a more secure and superior way.

So, before choosing one CASB solution over the other you should set your priorities straight and search for the best-suited solution available on the market.

The first thing you want to check out is whether CASB providers qualify in terms of their support for the four pillars of CASB. Then compare sets of features that offer those that do. Also, it’s always advisable to research the provider’s track record, user reviews, and see if they provide a free trial or any form of refund policy.

All in all, CASB solutions can improve visibility, compliance, data security, and threat protection necessary to protect your company from cloud-based threats and secure cloud compliance. As such, they are an indispensable piece of a modern-day security puzzle you can hardly afford to ignore.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.