There are several CASB vendors for you to choose from—selecting the right one is the difference between security and risk
For a long time, we heard the question: what is CASB? Now, it’s fairly common knowledge that a cloud access security broker (CASB) (or cloud application security platform) is required to secure sensitive data stored and shared in the cloud. As the world has shifted to cloud computing, a variety of CASB vendors and other solutions have sprung into the marketplace to plug inherent cloud computing security gaps.
In short, a CASB helps IT and InfoSec managers secure, monitor, and control activity in cloud applications, such as Google G Suite and Microsoft Office 365. Many still believe that they are covered by Google and Microsoft in this area. But, while both have extremely robust data security infrastructure in place, they don’t protect the cloud environment from seemingly approved activity. This means that if there is a malicious account take over, or a misconfiguration that makes sensitive data public, system administrators often have no idea that data is exposed. Not to mention what data is exposed and how the breach occurred.
Cloud access security brokers provide an additional layer of security and control over cloud applications that are not provided in the application itself (or is provided at a much more expensive Enterprise level). CASB security provides organizations using cloud applications with malware threat protection, data loss prevention, and account monitoring and control capabilities that are specifically built for the cloud.
Types of CASB Vendors
As you begin to research CASB vendors, you will find that there are basically two different types: proxy-based CASBs and API-based CASBs. These refer to the technology used to build the CASB product.
Proxy-based CASB uses legacy network technology that places a proxy agent between traffic and your cloud applications. This proxy will check all incoming and/or outgoing traffic and limit access to the application. It is basically doing the same work as your firewall or gateway, but duplicating it in the cloud.
API-based CASB uses cloud applications’ native APIs to secure access to and activity within the app. The technology provides better, more reliable cloud security that is supported by Google and Microsoft. And it does not slow down your networks or end users’ access to information in the cloud.
What to look for in a CASB Vendor
Different CASB vendors provide different functions, services, and more. It’s important to know what is important to you and your information security needs as you explore your CASB vendor options. Here is a high-level list of some of the most important features of a CASB solution.
Malware & Phishing Threat Protection
Email phishing is certainly the most well-known (and common) external threat vector for information systems. But, it’s not the only one. One of the few disadvantages of cloud computing is the inherently porous nature of the public cloud. Criminals have also found ways to use file sharing, browser extensions, applications, and more to introduce malware and other threats to cloud environments.
A good CASB vendor will allow system admins to easily identify risks within your cloud environment from all of these threat vectors. It will also provide the functionality to quickly quarantine and/or delete those risks—either manually or automatically based on your custom system configurations.
Account Management & Security
User accounts can become compromised either through external threats (such as those discussed in the section above) as well as internal threats. Internal threats can be either accidental or malicious—such as in the case of a disgruntled employee. Typical indications of a compromised account include suspicious login locations and timing, massive sharing and/or downloading, or sharing and/or downloading particularly sensitive files.
You will want to find a CASB vendor that can detect this type of activity and alert the proper administrators immediately. Most CASBs will also provide the functionality to set up rules and policies that will automatically lock down an account that exhibits certain risky activities.
Data security is critical for organizations today. Though the big companies will millions of customer records get the most media attention, data theft is happening more often in smaller companies and in the education market. These data breaches represent hundreds of millions of dollars in annual costs, not to mention the human toll of having to deal with identity theft, ransom threats, and more.
Organizations are required by law to secure data from leaks and breaches. Your CASB vendor must have a robust data loss prevention engine built in. Data loss prevention in the cloud can be tricky due to the inherent open nature of cloud collaboration and computing. But, with the right CASB technology to manage and control data policies, system admins can more easily secure sensitive information from accidental and malicious breaches.
Unsanctioned Cloud App Discovery
Sometimes referred to as “shadow IT” (which can mean a lot of different things), your CASB vendor should provide system admins with visibility into what cloud applications are linked to employees’ Google or Microsoft accounts.
Many SaaS cloud applications are inherently risky, with security gaps built into them that criminals can leverage to infiltrate customer accounts. Some applications have been built by criminals with this very purpose in mind. Once an unsuspecting user downloads the applications and creates an account using their G Suite credentials, it opens up all kinds of permissions to these criminals.
A CASB vendor that has the ability to flag such risky applications is your best bet, as this type of threat can be particularly damaging. A good CASB platform will determine an applications’ risk profile using several methods: level and number of permissions granted, number of other users who have sanctioned/unsanctioned the application, and using machine learning through 3rd party vendors that have assessed the app.
Impact on Network Performance
This goes back to the discussion around proxy versus API CASB vendors. A proxy-based CASB is going to slow your network down significantly. That is because it places a “man in the middle” of your cloud traffic, checking and scanning each request that goes through it. This type of solution is usually favored by highly regulated industries, such as healthcare and finance.
API CASB vendors provide the same level of security without slowing down your network performance. End users rarely realize that a cloud security solution is in place. This benefit allows employees, clients, etc to access information stored in the cloud without delays.
Affordability & Ease of Use
It goes without saying that the CASB vendor you select will have to fit in your budget. But beyond the license agreement, there are ancillary costs to keep in mind. For example, it’s ease of use. When evaluating your CASB vendor options take into consideration:
- Can your current team manage it, or will you have to hire an additional resource?
- How much time will it take to implement?
- How many hours of training will be required for your employee/team to learn how to use it?
- Is it reliable, or will your system admin spend a ton of time validating accuracy?
These factors and more impact any new platform’s affordability. Before you select your CASB vendor, reach out to current and (if possible) past customers to understand the tool’s strengths, weaknesses, and potential hidden costs.
FERPA, COPPA, CSPC Certifications
K-12 and higher education institutions, in particular, must be sure to select a CASB vendor that has certified that they comply with federal (and, in some cases, state) student data privacy regulations. The Family Educational Rights and Privacy Act (FERPA) and The Children’s Online Privacy Protection Act (COPPA) are critical pieces of federal regulations that outline how children’s data is required to be handled and protected by all types of organizations.
Choosing a CASB vendor that is independently certified in these areas means that schools can feel confident in partnering with a vendor that takes student privacy seriously. It also means that vendor’s technology has been thoroughly and rigorously vetted by an independent organization to ensure it meets the highest standards of security and compliance.
Any platform or vendor that you decide to partner with is going to create some questions and challenges. An often overlooked selection criteria is the vendor’s customer support reputation. Some CASB vendors will sell a license at a relatively low price—sometimes simply “throwing in” cloud security as part of a broader package. This type of deal can be tempting, but how good is a platform that nobody on your team understands how to use? Is your data really secure if your CASB isn’t set up properly, or if there is a bug that doesn’t get fixed because you can’t get someone in customer support on the line?
Customer support often comes as an afterthought. But this can prove to be a mortal mistake when it comes to selecting CASB vendors. Remember, when it comes to securing your sensitive, regulated information in the cloud, it’s not just about checking a box and saying you tried to do it. It’s about securing the well-being and financial futures of your organization, employees, students, and customers.