Organizations need a CASB to discover and control shadow IT, enforce cloud data policies, and protect SaaS apps against advanced threats. This requires granular visibility and the ability to detect threats on managed and unmanaged mobile, IoT, and desktop devices.
When evaluating a CASB solution, consider whether it provides the following features:
Threat Detection
For organizations that use the cloud for storage, CASBs protect the data moving into and out of the environment by monitoring access logs and detecting suspicious behavior. These tools can also help identify shadow IT services or unauthorized devices that might be used to access company data. In this way, a CASB helps prevent threats that IT teams might not see and mitigates breaches when they occur.
Many CASBs offer security functions, including DLP, adaptive access control (AAC), and encryption or tokenization, to ensure compliance with regulatory requirements. However, these capabilities are not always integrated, or not integrated in a way that makes them easy to deploy and manage. As a result, they may be less effective for an organization that wants to secure the full range of its cloud-based applications.
CASBs often use user entity and behavior analysis to identify regular activity patterns, create a baseline, and flag any deviation from that norm. In this way, a CASB can detect suspicious behaviors, such as a hacker using stolen credentials or an insider trying to exfiltrate data.
A CASB can also alert administrators when risky infrastructure configurations are detected, even when those configurations were not explicitly defined as a breach point. This enables organizations to address risks that might otherwise go undetected, such as misconfigured databases or lost laptops.
Malware Detection
CASBs detect malware within cloud applications or as it is uploaded. When content is flagged as suspicious, they block, remove, quarantine, or encrypt it (using information rights management and tokenization). They also identify external threats by monitoring user behavior, identifying abnormalities, and alerting administrators to activities that require attention.
Organizations use a CASB primarily to gain visibility into sanctioned and unsanctioned cloud services. This enables IT teams to reduce the risk of shadow IT, which refers to applications and infrastructure used outside IT’s line of sight. For example, developers may spin up workloads in their own accounts in a DevOps environment to speed up development. This could result in sensitive files being uploaded to unauthorized locations.
With today’s threat landscape containing multiple exploits, obfuscation technologies, and dynamic malware, CASBs must offer advanced capabilities that make detecting malicious activity easier. This includes detecting and blocking malicious activity from compromised users, whether they are employees or third parties. To do this, CASBs must be able to recognize anomalous behavior based on continuous analysis of traffic patterns and machine learning. They must then compare these behaviors against benchmarks and other threat intelligence sources to detect malware. This information is then passed to the rest of an organization’s security infrastructure through out-of-the-box integrations and workflows.
Data Loss Prevention
As services once offered on-premises continue to migrate to the cloud, organizations are increasing their formal adoption of IaaS, PaaS, and SaaS resources. This erodes existing centralized control and exposes data to risk as employees move it between managed and unmanaged apps. CASBs can help identify these high-risk cloud usage patterns and provide control without impeding employee productivity, by giving visibility into sensitive information and protecting it from access by unauthorized locations and devices.
CASBs can discover and detect shadow IT and other gaps in security, and they can also help identify the sensitivity of shared files in order to prioritize protection actions such as encryption. Encryption prevents eavesdropping on sensitive data that might be intercepted across public networks, and it also protects data from theft after an employee leaves the company with their personal laptop or smartphone. CASBs can also monitor and analyze file content to find hidden malicious activity that might threaten productivity.
CASBs can combine with sophisticated DLP to safeguard and control sensitive content as it moves within the organization, from the enterprise to the cloud, and from the cloud to the enterprise. This ensures that sensitive information is not accidentally exposed to unauthorized locations and can help meet compliance requirements such as HIPAA, ISO 27001, and PCI DSS.
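The content inspection step that such a DLP policy relies on, as an added example that is not code from the original article or from any CASB vendor: each constructed file is classified on upload, a Luhn check separates real card numbers (PCI scope) from lookalike digit runs, and the most restrictive matching label decides between block, encrypt and allow. The file names, sample text, regexes and the block/encrypt policy mapping are all assumptions made for the example.

```python
import re

# Constructed sample documents (not real data) as a CASB DLP engine might see
# them on upload to a sanctioned SaaS app.
SAMPLES = {
    "notes.txt": "Meeting moved to Thursday, agenda attached.",
    "orders.csv": "id,card\n1,4111 1111 1111 1111\n2,5500-0000-0000-0004",
    "patient.txt": "Patient record, SSN 123-45-6789, diagnosis pending.",
    "fake.txt": "Serial 1234 5678 9012 3456 is not a card number.",
}

PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits):
    """Luhn checksum; filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def classify(text):
    """Return the set of sensitivity labels found in the text."""
    labels = set()
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            labels.add("PCI")
    if SSN_RE.search(text):
        labels.add("PII")
    return labels

POLICY = {"PCI": "block", "PII": "encrypt"}  # assumed policy; most restrictive wins

def decide(labels):
    """Map labels to an action: block > encrypt > allow."""
    actions = {POLICY[label] for label in labels}
    for action in ("block", "encrypt"):
        if action in actions:
            return action
    return "allow"

def scan(files):
    """Evaluate each file as it is uploaded; returns {name: action}."""
    return {name: decide(classify(text)) for name, text in files.items()}
```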
Identity and Access Management
With the proliferation of bring-your-own-device policies and unsanctioned software-as-a-service usage (shadow IT), organizations must monitor and manage how employees use productivity-enhancing cloud services. A CASB’s auto-discovery capabilities and monitoring of third-party cloud apps provide visibility into how employees use these tools, ensuring they access only the data they need without opening the door to malware and other threats.
CASB solutions also help prevent data exfiltration by malicious actors with stolen credentials or by accidental user mistakes. By combining static and dynamic analysis with UEBA, CASBs create a profile of typical user behavior. Any deviation from this profile triggers an alert so that a breach can be detected and mitigated immediately.
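The baseline-and-deviation logic described here and under Threat Detection above, as an added example that is not code from the original article or from any CASB product: a per-user profile (countries seen, active hours, a mean-plus-three-sigma download limit) is learned from a training window of constructed access events, and later events are scored against it, so a night-time bulk download from a new country with valid credentials stands out while ordinary activity does not. The event fields, the training cutoff and the three-sigma threshold are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Constructed sample of CASB-style access events (not real data):
# (ISO timestamp, user, source country, MB downloaded). ISO strings sort lexically.
EVENTS = [
    ("2024-03-04T09:12:00", "alice", "DE", 12),
    ("2024-03-04T10:40:00", "alice", "DE", 8),
    ("2024-03-05T09:05:00", "alice", "DE", 15),
    ("2024-03-05T14:30:00", "alice", "DE", 10),
    ("2024-03-06T11:00:00", "alice", "DE", 9),
    ("2024-03-07T09:30:00", "alice", "DE", 11),   # normal activity
    ("2024-03-07T02:47:00", "alice", "BR", 900),  # new country, night, bulk pull
]

def build_baseline(events):
    """Per-user profile: countries seen, active hours, download volume limit."""
    rows = defaultdict(list)
    for ts, user, country, mb in events:
        rows[user].append((datetime.fromisoformat(ts).hour, country, mb))
    baseline = {}
    for user, items in rows.items():
        volumes = [mb for _, _, mb in items]
        baseline[user] = {
            "countries": {c for _, c, _ in items},
            "hours": {h for h, _, _ in items},
            "limit_mb": mean(volumes) + 3 * pstdev(volumes),  # assumed 3-sigma limit
        }
    return baseline

def score_event(event, baseline):
    """Return the reasons an event deviates from its user's baseline (empty if none)."""
    ts, user, country, mb = event
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user"]
    hour = datetime.fromisoformat(ts).hour
    reasons = []
    if country not in profile["countries"]:
        reasons.append(f"new source country {country}")
    if not any(abs(hour - h) <= 1 for h in profile["hours"]):  # allow +/- 1 hour drift
        reasons.append(f"unusual hour {hour:02d}:00")
    if mb > profile["limit_mb"]:
        reasons.append(f"{mb} MB exceeds baseline limit {profile['limit_mb']:.0f} MB")
    return reasons

def detect(events, training_end):
    # Learn from events before the cutoff; alert on later events that deviate.
    baseline = build_baseline([e for e in events if e[0] < training_end])
    scored = [(e[1], e[0], score_event(e, baseline)) for e in events if e[0] >= training_end]
    return [alert for alert in scored if alert[2]]
```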
In addition, CASBs can encrypt or tokenize sensitive data destined for the cloud to protect it further and reduce exposure in the event of a breach. However, this requires significant subject matter expertise outside the CASB’s core functionality. Moreover, most CASBs that offer these features require significant infrastructure, configuration complexity, and a high level of ongoing management. As a result, these features have mostly been restricted to a small set of the most popular cloud apps.