Cloud access security is a term that may not be familiar to everyone. Securing cloud access deals with access control and threat detection in cloud applications such as Google Workspace and Microsoft 365. School technology managers secure cloud access in two basic cases:
Cloud access security covers issues such as risk assessment, policy violations, shadow cloud applications, and account misuse. Unlike a firewall, cloud access security concerns itself with application-specific policies and the actions of apparently legitimate users to protect your data (not just your network perimeter). It is a critical part of building a zero-trust cybersecurity strategy.
This difference is important. When your district moved to the cloud for services like email, file sharing, meeting, learning management, and financial databases, those cloud services need to be secured within the app itself, not just on entry and exit.
Further, weaknesses in security are not limited to malware, phishing, and other types of external malicious threats. Incidents also include risky use of accounts, improper data sharing permissions, malicious mobile apps, and more. These types of activities will not be caught with traditional firewalls alone.
An appliance or software service that manages cloud access security is commonly called a cloud access security broker or CASB. This term covers a variety of approaches.
A traditional CASB uses a proxy or agent that stands between the users and the services. In most cases, it’s a forward proxy, residing on the edge of the local network. All requests that originate locally will pass through the proxy, it can then catch access to unauthorized services (shadow cloud IT), but not access to services from outside the local network.
Deployed as a reverse proxy, a CASB sits in front of one or more cloud services. All access to cloud accounts and resources which use the proxy go through the CASB.
Cloud application security is a newer approach to the analyst-coined term CASB that has many advantages. Cloud application security uses the API of SaaS applications, rather than an agent or proxy. This approach offers several benefits:
CASB terminology is unsettled, it is often used for all these methods. Here, we’ll use CASB for proxy-based technology, as distinguished from API-based cloud access (or application) security. The API-based approach doesn’t sit between the user and the application, but rather is integrated into the application. So, it isn’t really a “broker.”
Using a cloud access security solution provides a number of benefits:
Whether you decide to use a proxy-based CASB or an API-based cloud security solution to secure cloud access for your school district largely depends on your technical requirements. The most important takeaway here is that, if your district is using cloud applications (like Google Workspace or Microsoft 365) and you’re not securing them with a cloud access security solution, your information is vulnerable.