
CASB Definition

Cloud Access Security Broker (CASB), a term coined by Gartner in 2012, was created to address the growing adoption of SaaS applications. In essence, a CASB provides threat protection for users accessing SaaS applications, prevents users from accessing unauthorized applications, and assigns risk scores to users and applications, giving SOC teams visibility into risky users and applications on their network.

 

Gartner's CASB Definition:

Gartner defines CASBs as “on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement.”

Distinguishing CASB vs SASE

As stated above, the term CASB was coined in 2012, and a few vendors have specialized in selling only CASB functionality. Secure Access Service Edge (SASE) was coined in 2019 by Gartner, with the core emphasis on vendor consolidation to include capabilities such as CASB, Secure Web Gateway (SWG), Firewall-as-a-Service (FWaaS), Zero Trust Network Access (ZTNA) and SD-WAN. Standalone CASBs would not be required, as CASB functionality would be embedded in a SASE offering. The security market has evolved over the last few years, and for any new security problem there has been either a new startup addressing it or a large company building a product to solve it. SASE helps to combine those niche security features into a consolidated platform-based offering.

What Is CASB In Cybersecurity?

CASBs are increasingly being used to protect against cloud security risks, comply with data privacy regulations, and enforce corporate cybersecurity policies. They are increasingly important to organizations as employees use personal, unmanaged devices to access corporate networks from new, disparate locations, which creates even more cloud security risks.

The concept of CASB first emerged as the rise of cloud computing created the need for more consistent security across multiple cloud environments. Using CASBs, organizations were able to gain deeper visibility into what was happening in their cloud and Software-as-a-Service (SaaS) deployments and protect all user and sensitive corporate data in these environments. 

With the threat landscape rapidly evolving with blended threats, multiple exploits, and obfuscation technologies that make detection more difficult, organizations need solutions that make protecting their data and users easier. CASBs are increasingly important to providing cybersecurity protection against malware and phishing attacks, securing access to cloud services, and ensuring cloud application security.

 

What does a CASB do?

CASBs ensure that traffic between user devices and cloud providers complies with organizations’ security policies. They provide insight into cloud application usage across cloud platforms, which is crucial in highly regulated industries with large, disparate workforces accessing multiple on-premises and cloud environments. CASB allows organizations better visibility, compliance, data security and threat protection for all users accessing SaaS. 

How Does A CASB Work?

A CASB employs an auto-discovery process to identify the cloud applications being used, then pinpoints the applications, users, and other factors that pose a risk to the organization. The CASB can then impose various access controls, compliance reporting tools, and other technologies to protect data and users. These include encrypting data from the moment it is created until it sits at rest in the cloud, single sign-on (SSO) to provide one-time access across multiple applications, and user behavior analytics that identify suspicious activity or signs of a potential cyberattack or data breach.

CASBs allow organizations to control and visualize the threats their cloud environments face. They use a three-step process to ensure organizations meet their enterprise security requirements:

 

Step 1—Discovery

A CASB solution uses an auto-discovery feature to list all the third-party cloud services being deployed by an organization, as well as all the employees using those services.

Step 2—Classification

The CASB will determine the level of risk of each cloud application the organization has deployed. It does this by assessing what the cloud application is, the sort of data it contains, and how data is being shared by users.

Step 3—Remediation

After assessing the risk of each application, CASB tools will use that information to create a policy that meets the organization’s security requirements. This will include data and user access policies, and the CASB will automatically act if an event violates those policies.
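The three steps above, run over a handful of proxy log lines, as an added example that is not Fortinet's code or any product's logic. The log format, the app catalog, the risk weights and the `block_at` threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed forward-proxy log (assumed format): user method url bytes dlp_label
SAMPLE_LOG = """\
alice POST https://files.example-share.test/upload 5242880 confidential
alice GET https://crm.example-saas.test/accounts 0 none
bob POST https://crm.example-saas.test/accounts 2048 internal
carol POST https://paste.example-bin.test/new 4096 confidential
carol GET https://paste.example-bin.test/raw/1 0 none
"""

# Hypothetical app catalog: is the app sanctioned, can its data be shared publicly?
CATALOG = {
    "crm.example-saas.test": {"sanctioned": True, "public_sharing": False},
    "files.example-share.test": {"sanctioned": False, "public_sharing": True},
}
UNKNOWN = {"sanctioned": False, "public_sharing": True}  # cautious default for unlisted apps

def parse(log):
    """Turn log text into event dicts, skipping malformed lines rather than guessing."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        user, method, url, size, label = parts
        events.append(dict(user=user, method=method, app=urlsplit(url).hostname,
                           bytes=int(size), label=label))
    return events

def discover(events):
    """Step 1, discovery: every cloud app seen and the users of each."""
    apps = defaultdict(set)
    for e in events:
        apps[e["app"]].add(e["user"])
    return dict(apps)

def classify(events):
    """Step 2, classification: what the app is, what data it holds, how it is shared."""
    scores = {}
    for app in {e["app"] for e in events}:
        info = CATALOG.get(app, UNKNOWN)
        sensitive = any(e["app"] == app and e["label"] == "confidential" for e in events)
        scores[app] = ((0 if info["sanctioned"] else 40)       # unsanctioned app
                       + (30 if info["public_sharing"] else 0)  # data can leave via sharing
                       + (30 if sensitive else 0))              # sensitive data observed
    return scores

def remediate(events, scores, block_at=70):
    """Step 3, remediation: apply the policy and act on each violating event."""
    actions = []
    for e in events:
        if scores[e["app"]] < block_at:
            continue  # app is within policy
        leak = e["method"] == "POST" and e["label"] == "confidential"
        actions.append(("block" if leak else "alert", e["user"], e["app"]))
    return actions
```

Note that the unlisted app is scored with the cautious `UNKNOWN` defaults, so shadow IT that the catalog has never seen is not treated as low risk.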

Two Flavors For CASB

Originally deployed as on-premises hardware, CASBs provide visibility into an organization’s cloud services, including managed and unmanaged locations and devices. However, CASB technology has evolved and now includes inline and API capabilities.

 

 

 

Inline CASB

Inline CASBs act as a gateway, protecting data in motion, sitting between the device accessing information and the cloud storage location or application. An inline CASB can be either:

  • Forward proxy-based: Usually agent-based, this deployment sits closer to the user and uses a tunnel architecture that forwards traffic to the CASB then to the cloud. 
  • Reverse proxy-based: Usually agentless, this deployment sits closer to the cloud and traffic directly flows from the device requesting access to the cloud or application and then to the CASB.

Because some SaaS applications lack a way to redirect traffic to a proxy-based CASB, organizations can face challenges such as incomplete visibility, inability to provide holistic security protection, increased complexity, and management overhead.

Some firewalls can be configured so their zero-trust network access (ZTNA) access proxy can act as an inline CASB by providing access control to software-as-a-service (SaaS) applications using ZTNA access control rules. The CASB sits between users and their cloud service to enforce security policies as they access cloud-based resources. With an inline CASB, organizations gain:

  • Real-time scanning of usage and data flowing to/from the SaaS provider (shadow-IT)
  • Visibility and control over sensitive data (DLP)
  • Protection against known and unknown threats (anti-malware and IPS)

API-based CASB

Cloud-native CASB services protect data at rest within SaaS by using the SaaS applications' APIs to monitor all activity and configurations across SaaS services, which includes providing complete visibility of usage and monitoring for malware and data loss. Because there isn’t a need to reroute traffic, an API-based CASB can enforce security policies across multiple SaaS and IaaS without impacting user connectivity.

Using direct API access, these CASB services provide visibility, compliance, data security and threat protection for cloud-based services. They enable deep inspection and policy management for data stored in SaaS and IaaS applications with advanced tools that provide detailed user analytics and management to ensure policies are enforced. With an API-based CASB, organizations gain:

  • Insights into usage and data within a SaaS application
  • Ability to inspect historical and new/modified data stored in the cloud
  • Detailed information about data, users, permissions, and behaviors within a SaaS application
  • Easy, one-step access without complicated configurations and deployments

CASB Benefits For Businesses

CASBs provide additional functionalities and protection, such as authentication to verify user identities and ensure only the right people get the right level of access to corporate resources, DLP to prevent users from leaking sensitive information outside the organization, and firewalls or web application firewalls (WAFs) to scan for, identify, and prevent malware. 

They are also particularly useful to organizations that have shadow IT operations or allow users to procure and manage their own cloud environments. That is because CASBs can collect data that is useful not just for security but also for monitoring the usage of cloud services for budgeting purposes.

CASB benefits can be split into four pillars (or functions) that keep organizations' cloud services secure: 

 

Visibility

Organizations must have visibility into user activity across their cloud applications, including on sanctioned and unsanctioned applications, known as shadow IT. A particular risk of cloud usage is activity that takes place beyond IT’s line of sight because the organization’s data is no longer covered by its compliance, governance, and risk policies. So, CASBs are crucial to identifying this high-risk behavior that IT teams may not see.

A CASB solution provides comprehensive visibility of cloud application usage, such as device and location information, to help organizations safeguard data, intellectual property, and users. It also provides cloud discovery analysis, which enables organizations to assess the risk of cloud services and decide whether to grant users access to applications. This allows the organization to establish more granular control over its cloud environments by providing different levels of access based on a user’s device, location, and role within the business.

Threat protection

Organizations face an ever-increasing threat from outside hackers through stolen credentials and insider attacks. As such, companies must be able to detect and prevent suspicious behavior, including that of authorized users.

CASBs enable organizations to specifically protect against insider attacks from authorized users by creating a comprehensive regular usage pattern that can be used as a comparison point. Using machine-learning techniques, CASBs can then detect unusual activity as soon as a user gains improper access or attempts to steal data. They also use technologies and techniques like adaptive access control, dynamic and static malware analysis, and threat intelligence to block and prevent malware attacks. 
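The idea of a regular usage pattern as a comparison point, shown as an added example that is not from the original page or any CASB product. A simple robust statistic (median and median absolute deviation) stands in here for the machine-learning techniques mentioned above; the history values, the minimum history length and the threshold are assumptions.

```python
from statistics import median

# Constructed history: MB downloaded from SaaS per user per day (assumed data).
HISTORY = {
    "alice": [120, 135, 110, 128, 140, 125, 131],
    "bob": [900, 1100, 950, 1020, 980, 1050, 1000],
}

def baseline(values):
    """Median and median absolute deviation (MAD); a few odd days barely move either."""
    med = median(values)
    mad = median([abs(v - med) for v in values])
    return med, mad

def deviation(user, today_mb, history=HISTORY, min_days=5):
    """How many MADs today's volume sits from the user's own median, or None."""
    values = history.get(user, [])
    if len(values) < min_days:
        return None  # too little history to form a comparison point
    med, mad = baseline(values)
    return abs(today_mb - med) / max(mad, 1.0)  # floor avoids division by zero

def is_unusual(user, today_mb, threshold=6.0):
    """True when today's activity is far outside this user's regular pattern."""
    score = deviation(user, today_mb)
    return None if score is None else score > threshold
```

The same 900 MB day is flagged for `alice` but not for `bob`, because each user is compared with their own baseline and not with a global limit.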

Compliance

Organizations now have a wide range of cloud supplier options and likely use several different vendors for various solutions. However, organizations remain responsible for ensuring regulatory compliance around the privacy and safety of their data, regardless of whether they outsource services or manage it themselves.

CASBs help organizations ensure compliance with the increasingly stringent, constantly evolving requirements of data and privacy regulations like the California Consumer Privacy Act (CCPA), the European Union’s General Data Protection Regulation (GDPR), and the Health Insurance Portability and Accountability Act (HIPAA). CASBs also play an important role in meeting the security requirements of ISO 27001 and the Payment Card Industry Data Security Standard (PCI DSS).

Using a CASB solution allows organizations to pinpoint the compliance risks they face and understand what they need to do to address those risks. Some compliance capabilities that CASBs provide include:

  • Automated remediation
  • Reporting
  • Policy creation and enforcement

By maintaining controls and documenting activities, CASBs enable organizations to achieve their compliance objectives.

Data security

Organizations must ensure they protect their sensitive data even as cloud usage continues to increase and while implementing data loss prevention (DLP) tools. On-premises DLP solutions are effective in protecting data but cannot extend that protection to cloud services. 

Organizations therefore must combine a CASB application with their DLP tool to gain visibility of sensitive data moving between and across their on-premises and cloud environments. This enables organizations to monitor user access to confidential information, regardless of where it is on their network. Through a combination of features and technologies like access control, collaboration control, DLP, encryption, information rights management, and tokenization, organizations can minimize the loss of corporate information. 

Key reasons why organizations need CASB security

  1. To govern cloud applications: CASBs provide a centralized view of an organization’s cloud environment, which helps them understand which users are accessing which applications, where they access them from, and the device they use to do so. CASBs also rate cloud services’ risk level and trustworthiness, and provide automated access controls and data permissions, which is crucial to governing cloud applications.
  2. To defend against cloud-based threats: CASBs monitor suspicious activity, such as excessive logins, and use anti-malware and sandboxing technology to analyze and block potential threats in the cloud. As the sophistication and volume of cloud-based attacks increase, it is vital for organizations to understand the behavior and characteristics of the cloud threats they face and quickly respond to them.
  3. To secure sensitive data: CASB solutions enable organizations to detect and remove the sharing of sensitive data outside their networks. They can also set policies that ensure only authorized users can access certain types of data.
  4. To ensure cloud compliance: CASBs are a crucial tool in helping organizations meet increasingly stringent data and privacy regulations. They provide automated remediation, reporting capabilities, and policy creation and enforcement required to comply with industry and government-led mandates, rules, and standards.

 

How To Choose A CASB Solution

Choosing a CASB solution depends on finding the right service that meets the organization’s requirements. Organizations must set out their needs and the goals that a CASB will help them to achieve. They then must research their options by compiling insights from cybersecurity analysts, carrying out reference calls with providers, and performing a detailed proof of concept.

Main areas of consideration

  1. An important consideration is whether the CASB will grow with the organization and be able to protect it as its threat landscape increases. The right CASB provider will update and evolve the organization’s cloud compliance and security policies. 
  2. A CASB should also be capable of protecting all of an organization’s environments. For example, the provider must be able to secure SaaS programs but also safeguard Infrastructure-as-a-Service (IaaS) environments through activity monitoring, DLP, and threat protection.
  3. A CASB solution differs from a firewall, but it can complement tools like next-generation firewalls (NGFWs), which filter traffic to protect organizations from threats. NGFWs offer protection from external and internal threats through features like packet filtering and network monitoring that ensure deeper inspection capabilities and help identify attacks. When paired with a CASB, this protection ensures next-level, enhanced visibility of an organization's various networks and cloud environments.

CASB capabilities to evaluate

When selecting a CASB, organizations should look for a dual-mode solution that incorporates both API-based and inline capabilities including:

  • Centralized visibility: a single pane of glass for discovering and managing all cloud services and applications 
  • On-premises and cloud management: the ability to apply separate security policies and routing for in-office and remote connections
  • Simplified compliance: automated policy enforcement with the appropriate reporting to manage legal and contractual requirements
  • User and Entity Behavior Analytics: monitoring for abnormal user access and activity that indicates a potential security incident
  • Access and entitlement management: granular access controls across both network and applications
  • Data Loss Prevention: sensitive data detection to prevent users from sharing it outside the organization
  • Advanced threat protection: the ability to block malware from being uploaded or downloaded from SaaS applications and quarantine suspicious files

 

Fortinet Products and Services

As more organizations undergo digital transformation and incorporate multi-cloud and hybrid cloud environments into their network, it is more important than ever to ensure that IT departments have the capabilities to standardize security policy enforcement on every device and application connected to the network. 

There are five delivery models by which CASB can be obtained from Fortinet, and each has its own unique licensing model: 

  1. FortiGate (Hardware or Virtual Machine) - All FortiGate models provide support for in-line CASB without any additional license needed. This means that in-line CASB is available when you purchase the FortiGate appliance. All FortiGate hardware models, including virtual form factors (public/private cloud), are supported. The inline CASB feature comes as part of FortiOS, which is the core foundation of Fortinet devices.
  2. FortiProxy delivers next-generation secure web gateway capabilities that protect employees from Internet-borne threats. FortiProxy is available in two forms, FortiProxy-Hardware and FortiProxy-VM. The SWG protection bundle is required to enable inline CASB with FortiProxy (HW or VM).
  3. Fortinet Universal ZTNA or the FortiClient (ZTNA agent) is an integral part of the ZTNA solution, which can be provisioned on a per-user or per-endpoint basis and managed from a cloud-based console (SaaS) or on-premises, depending on corporate requirements. Customers purchasing ZTNA are entitled to use FortiCASB with the same seat count. Furthermore, these customers are entitled to the equivalent of 1GB of Data at Rest protection for their SaaS applications per user per year.
  4. FortiCASB is a Fortinet-developed cloud-native Cloud Access Security Broker (CASB) solution designed to provide visibility, compliance, data security, and threat protection for cloud-based services employed by an organization. FortiCASB licensing is based upon user-range. These user SKUs include data security scanning (data amount varies) per year.
  5. FortiSASE is Fortinet’s cloud-based firewall and secure web gateway, delivered as a hosted service, that provides security driven by FortiGuard Labs for remote users, regardless of location, when accessing the internet, SaaS, or private applications. FortiSASE licensing is based upon user-range (same as ZTNA) and includes Inline CASB and FortiCASB as part of the product. No additional licenses are required to enable CASB when you deploy FortiSASE.

 

Frequently Asked Questions About CASB

What does CASB mean in cybersecurity?

 

CASBs are increasingly important to providing protection against malware and phishing attacks and securing access to SaaS applications.

What does a CASB do?

A cloud access security broker (CASB) is software or hardware that sits between users and their cloud service to enforce security policies as they access SaaS applications.

How is CASB different from SWG?

CASB protects traffic going to SaaS, whereas SWG protects traffic going out to the Internet with features such as URL filtering.

How do you choose a CASB?

One of the major decision criteria for a CASB is feature depth: coverage for both API and inline modes. Additionally, consider whether it includes support for your SaaS application, and whether SASE would be a better choice than a standalone CASB offering.

Is cloud-delivered CASB better than on-premise?

This depends on where most of your applications reside. If users are remote and accessing SaaS applications, the cloud CASB path is ideal. If applications are still in the data center and only a subset (5-10%) is SaaS-based, traffic would be steered to the on-premises CASB and then on to the SaaS applications.

Is CASB only for SaaS?

CASB was invented to solve the security challenges caused by the explosion of SaaS applications. So, yes; CASB applies to SaaS only.

Which CASB product would provide holistic feature coverage from Fortinet?

FortiSASE user-based licensing includes both in-line CASB and API-based CASB, leveraging FortiCASB. FortiSASE would be the most comprehensive offering, as it includes all CASB features.
