Businesses use many different types of security software. While they all provide necessary security features, they don’t always integrate well, and of course the more tools you use, the more costs and management issues you’ll encounter. It’s understandable, then, to be hesitant about introducing yet another type of security software to the business. However, as the cloud becomes the predominant way of delivering access to systems and data, and as employees working off-premises become the norm, adding a cloud access security broker (CASB) can be a critical step to keeping business data secure.
Cloud Access Security Broker Functionality
CASBs provide a set of features to help control access to data and systems in the cloud. They help ensure that only authorized users access authorized files and perform authorized functions on them, and they block the use of unauthorized cloud services and shadow IT.
With a CASB, you can control whether cloud data can be accessed based on the user’s physical location, the device they’re using, and the application they’re using. Data loss prevention features allow you to limit data sharing and prevent it from being copied or sent to other users.
CASBs can also detect and warn of security risks such as malware in the cloud and compromised user accounts.
There are three ways in which CASBs deliver their services.
1. API integration.
With APIs, a CASB is able to connect to enterprise applications such as Office 365. This allows the CASB to access the application and monitor data for policy violations. Violations may be detected through notifications or through periodic polling. This approach is effective in covering all user activity and all user devices, but it is limited to certain applications and can only report violations rather than prevent them.
2. Forward proxy.
Forward proxies require agents on endpoints or VPN clients. These proxies intercept the user’s connection to the cloud before the cloud service is reached. As a result, a forward proxy can block unapproved services and prevent other policy violations, but it only works where the agent is installed.
3. Reverse proxy.
Reverse proxies make the CASB look as if it’s an identity provider used by the cloud service. As with the API integration method, it can only work with specific, known cloud services. Unlike the API method, a reverse proxy operates in real-time and can prevent prohibited activities, not just report them.
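The coverage trade-offs of the three delivery methods above, as an added example (not part of the original article or any vendor's code): a small Python model that replays constructed access events against each method and lists the policy violations that no deployed method can block. The application names, the integration sets and the events are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:                 # one constructed cloud access attempt
    user: str
    app: str
    agent_installed: bool    # endpoint runs the forward-proxy agent or VPN client
    violates_policy: bool

# Assumption: apps this hypothetical deployment has integrations for.
API_APPS = {"office365"}
REVERSE_PROXY_APPS = {"office365", "crm"}

def verdict(visible, can_block, e):
    if not visible:
        return "unseen"
    if not e.violates_policy:
        return "allowed"
    return "blocked" if can_block else "reported"

MODES = {
    # API: all users and devices, integrated apps only, reports after the fact.
    "api": lambda e: verdict(e.app in API_APPS, False, e),
    # Forward proxy: intercepts before the service is reached, needs the agent.
    "forward_proxy": lambda e: verdict(e.agent_installed, True, e),
    # Reverse proxy: real-time prevention, specific known services only.
    "reverse_proxy": lambda e: verdict(e.app in REVERSE_PROXY_APPS, True, e),
}

def gaps(events, deployed):
    """Violations that no deployed mode blocks, with the best outcome achieved."""
    found = []
    for e in events:
        seen = {MODES[m](e) for m in deployed}
        if e.violates_policy and "blocked" not in seen:
            found.append((e.user, e.app, "reported" if "reported" in seen else "unseen"))
    return found

EVENTS = [  # constructed sample events; "filedrop" stands for an unapproved service
    Event("alice", "office365", True, True),
    Event("bob", "office365", False, True),
    Event("carol", "filedrop", True, True),
    Event("dave", "filedrop", False, True),
    Event("erin", "crm", False, False),
]

if __name__ == "__main__":
    for deployed in (["api"], ["api", "forward_proxy"], list(MODES)):
        print(deployed, "->", gaps(EVENTS, deployed))
```

Even with all three methods deployed, the model leaves one case uncovered: an unapproved service reached from a device without the agent.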
Choosing a CASB
While all CASBs provide similar functionality, their implementation method can be a distinguishing criterion. In particular, they differ in how agents are deployed and managed, which can have operational impacts on your IT team.
If the CASB offers only API or reverse proxy implementations, make sure they handle the applications you’re concerned with. If a CASB offers more than one implementation method, the features available may depend on which method is used. It’s important to understand exactly what coverage will be available with the implementation method you prefer.
Another consideration in choosing a CASB is how it works with all those other security tools already deployed in your business. Consider how the CASB will interact with firewalls, gateways, and other important technologies. In particular, assess whether the CASB will work with your data loss prevention policy rules.
In addition to these considerations, network performance is also a factor in selecting a CASB. Because proxy-based CASBs examine all cloud traffic, they can create a performance impact visible to end users.