There are several CASB vendors for you to choose from—selecting the right one is the difference between security and risk
For a long time, we heard the question: what is CASB? Now, it’s common knowledge that a cloud access security broker (CASB) (or cloud application security platform) is required to secure sensitive data stored and shared in the cloud. As the world has shifted to cloud computing, a variety of CASB vendors and other solutions have sprung into the marketplace to fill inherent cloud computing security gaps.
In short, a CASB helps IT and InfoSec managers secure, monitor and control activity in cloud applications, such as Google G Suite and Microsoft Office 365. Many believe that they are covered by Google and Microsoft for the data that they store in the cloud. But, while both have extremely robust data security infrastructure in place, they do not protect the cloud environment from seemingly approved activity. This means that if there is a malicious account take over, or a misconfiguration that makes sensitive data public, system administrators often have no idea that data is exposed. Not to mention what data specifically is exposed and how the breach occurred.
Cloud access security brokers provide an additional layer of security and control over cloud applications that are not provided in the application itself (or is provided at a much more expensive Enterprise level). CASB security provides organizations using cloud applications with malware threat protection, data loss prevention, and account monitoring and control capabilities that are specifically built for the cloud.
Types of CASB Vendors
When you research CASB vendors, you will find that there are two different types: proxy-based CASBs and API-based CASBs. These refer to the technology used to build the CASB product.
Proxy-based CASBs use legacy network technology to place a proxy agent between traffic and your cloud applications. This proxy will check all incoming and/or outgoing traffic and limit access to the application. It is basically does the same work as your firewall or gateway, but duplicates it in the cloud.
API-based CASBs use the cloud applications’ native APIs to secure access and activity within the app. This technology provides better, more reliable cloud security that is supported by Google and Microsoft. And it does not slow down your networks or end users’ access to information in the cloud.
What to look for in a CASB Vendor
All CASB vendors provide different functions, services, and more. It’s important to know what you and your information security need as you explore your CASB vendor options. Here is a high-level list of some of the most important features of a CASB solution:
Malware & Phishing Threat Protection
Email phishing is certainly the most well-known (and most common) external threat vector for information systems. But, it’s not the only one. One of the few disadvantages of cloud computing is the inherently porous nature of the public cloud. Criminals have also found ways to use file sharing, browser extensions, applications, and more to introduce malware and other threats to cloud environments.
A good CASB vendor will allow system admins to easily identify risks within your cloud environment from all of these threat vectors. It will also provide the function to quickly quarantine and/or delete those risks—either manually or automatically based on your custom system configurations.
Account Management & Security
User accounts can become compromised through external threats (such as those discussed in the section above), as well as through internal threats. Internal threats can be either accidental or malicious (such as in the case of a disgruntled employee). Typical indications of a compromised account include suspicious login locations and timing, massive sharing or downloading, and sharing or downloading particularly sensitive files.
You will want to find a CASB vendor that can detect this type of activity and alert the proper administrators immediately. Most CASBs will also provide the function to set up rules and policies that will automatically lock down an account that exhibits certain risky activities.
Data security is critical for organizations today. Though big companies with millions of customer records get the most attention from data theft, it is happening more often in smaller companies and in the education market. These data breaches represent hundreds of millions of dollars in annual costs, not to mention the toll of dealing with identity theft, ransom threats, and more.
Organizations are required by law to secure data from leaks and breaches. Your CASB vendor must have a robust data loss prevention engine built in. Data loss prevention in the cloud can be tricky due to the inherent open nature of cloud collaboration and computing. But with the right CASB technology to manage and control data policies, system admins can more easily secure sensitive information from accidental and malicious breaches.
Unsanctioned Cloud App Discovery
Your CASB vendor should provide system admins with visibility into what cloud applications are linked to employees’ Google or Microsoft accounts to prevent what is sometimes referred to as “shadow IT”.
Many SaaS cloud applications are inherently risky, due to security gaps built into them that criminals can leverage to infiltrate customer accounts. Some applications have been built by criminals with this very purpose in mind; once an unsuspecting user downloads the application and creates an account using their G Suite credentials, it opens up all kinds of Google permissions to these criminals.
A CASB vendor that has the ability to flag such risky applications is your best bet, as this type of threat can be particularly damaging. A good CASB platform will determine an applications’ risk profile using several methods: level and number of permissions granted, number of users who have sanctioned/unsanctioned the application, and machine learning through third party vendors that have assessed the app.
Impact on Network Performance
The impact on network performance goes back to the discussion around proxy versus API CASB vendors. A proxy-based CASB is going to slow your network down significantly. This is because proxys place a “man in the middle” of your cloud traffic, checking and scanning each request that goes through it. This type of solution is usually favored by highly regulated industries, such as healthcare and finance.
API CASB vendors provide the same level of security without slowing down your network performance. End users rarely realize that a cloud security solution is in place. This benefit allows employees, clients, etc. to access information stored in the cloud without delays.
Affordability & Ease of Use
It goes without saying that the CASB vendor you select will have to fit in your budget. It is important to keep in mind that there will be ancillary costs beyond the license agreement, for example it’s ease of use. When evaluating your CASB vendor options take into consideration:
- Can your current team manage it or will you have to hire an additional resource?
- How much time will it take to implement?
- How many hours of training will be required for your employee/team to learn how to use it?
- Is it reliable or will your system admin spend a ton of time validating accuracy?
These factors and more impact any new platform’s affordability. Before you select your CASB vendor, reach out to current and past customers (if possible) to understand the tool’s strengths, weaknesses, and potential hidden costs.
FERPA, COPPA, CSPC Certifications
K-12 and higher education institutions, in particular, must be sure to select a CASB vendor that has certified that they comply with federal (and, in some cases, state) student data privacy regulations. The Family Educational Rights and Privacy Act (FERPA) and The Children’s Online Privacy Protection Act (COPPA) are critical pieces of federal regulations that outline how children’s data is required to be handled and protected by all types of organizations.
Choosing a CASB vendor that is independently certified in these areas means that schools can feel confident in partnering with a vendor that takes student privacy seriously. It also means that the vendor’s technology has been thoroughly and rigorously vetted by an independent organization to ensure it meets the highest standards of security and compliance.
Any platform or vendor that you decide to partner with is going to create some questions and challenges. An often overlooked selection criteria is the vendor’s customer support reputation. Some CASB vendors will sell a license at a relatively low price—sometimes simply “throwing in” cloud security as part of a broader package. This type of deal can be tempting, but how good is a platform that nobody on your team understands how to use? Is your data really secure if your CASB isn’t set up properly or if there is a bug that doesn’t get fixed because you can’t get someone in customer support on the line?
Customer support often comes as an afterthought, this can prove to be a mortal mistake when it comes to selecting CASB vendors. Remember, when it comes to securing your sensitive regulated information in the cloud, it’s not just about checking a box and saying you tried to do it. It’s about securing the well-being and financial futures of your organization, employees, students, and customers.