Cloud Access Security Broker – safely into the cloud with CASB

Author
Stefan Pfiffner
Published
15. May 2018

Every company will sooner or later have to deal with the arrival of public cloud services and their growing use in the business environment. The main issue is how access, data and authorisations can be controlled, secured and audited across the various cloud platforms. Current on-premises network security solutions offer insufficient protection here. Why? Because access and data flows to public cloud services do not necessarily go through the corporate network, where such security solutions could control them.

 

Definition: what is a CASB anyway?

A Cloud Access Security Broker (CASB) offers a uniform solution for the security of the most diverse cloud services used by an enterprise. According to Gartner, the following four pillars stand in the foreground:

  • Visibility
  • Compliance
  • Data Security
  • Threat Protection

Why does your enterprise need a CASB too?

The increasing number of public cloud services and the constant availability of data on the most diverse devices make it practically impossible to keep all access and data under control. From the point of view of classic network security, data in the cloud are invisible, because the data flow does not necessarily pass through existing on-premises solutions. The simple fact that data and services must be accessible at all times and places, including from mobile devices, makes existing network solutions incapable of assuring that:

  1. each access is legitimate and
  2. data are not inadvertently removed.


To make things more difficult, most enterprises do not use just a single cloud provider; many use several different providers, depending on business requirements. Hand on heart: what does it look like in your own business?

Individual providers do, of course, offer solutions for data and access security. However, each of them must be managed individually by an administrator. The solution is a CASB, which brings all of these controls together in a single point.

The advantages of a CASB at a glance

Is shadow IT a topic for you? I suppose it is, because shadow IT is a reality in almost all enterprises. Usually the business asks for IT solutions much faster than corporate IT departments can provide them. The result is disastrous: corporate data get spread uncontrollably over the most diverse channels. It begins with simple, inconspicuous services like an online PDF generator or a translator. Then it goes further, to the point that a whole infrastructure can be moved to an IaaS platform, e.g. for development and test integrations, sometimes even with production-critical data. And since access to these services usually runs over web protocols, they can stay undetected by existing network security controls for a long time.

Visibility and encryption, the greatest assets

One solution to this issue is offered, for instance, by Skyhigh Networks. A central virtual machine collects log data from existing firewalls and proxies, or directly from an existing SIEM. The data are anonymised or encrypted and sent to Skyhigh for evaluation. This allows for the detection of over 25'000 different cloud services. The data can subsequently be used to increase the security of the existing perimeter. In addition to visibility, a CASB solution can make sure that sensitive data are encrypted independently of the cloud service provider (CSP), secured according to pending DLP policies, and not shared without approval. A really useful solution!
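The discovery step described above, sketched as an added example (not Skyhigh's implementation and not code from the original article): proxy log records are matched against a service catalogue, and user names are replaced by keyed pseudonyms before the result leaves the collector. The log format, the three-entry catalogue, the key and all function names are constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict
PSEUDONYM_KEY = b"constructed-demo-key"  # assumption: kept on-premises
# Constructed catalogue: domain suffix -> (service name, sanctioned?)
CATALOGUE = {
    "sharepoint.com": ("Office 365", True),
    "pdf-convert.example": ("Online PDF converter", False),
    "iaas.example": ("IaaS console", False),
}
# Constructed proxy log: timestamp user method host:port bytes_out
SAMPLE_LOG = """\
2018-05-14T09:12:01Z alice CONNECT contoso.sharepoint.com:443 18200
2018-05-14T09:13:44Z bob CONNECT api.pdf-convert.example:443 5242880
2018-05-14T09:15:02Z bob CONNECT api.pdf-convert.example:443 1048576
2018-05-14T09:20:19Z carol CONNECT eu.iaas.example:443 73400320
2018-05-14T09:21:00Z alice CONNECT intranet.corp.example:443 900
malformed line
"""

def pseudonymise(user):
    """Keyed hash: stable per user, not reversible without the key."""
    return hmac.new(PSEUDONYM_KEY, user.encode(), hashlib.sha256).hexdigest()[:16]

def lookup(host):
    """Match the host or any parent domain against the catalogue."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        entry = CATALOGUE.get(".".join(labels[i:]))
        if entry:
            return entry

def discover(log_text):
    report = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed records instead of failing the batch
        entry = lookup(parts[3].rsplit(":", 1)[0])
        if entry is None:
            continue  # not a catalogued cloud service
        row = report[entry[0]]
        row["sanctioned"] = entry[1]
        row["users"].add(pseudonymise(parts[1]))  # identity never leaves in clear
        row["bytes_out"] += int(parts[4])
    return dict(report)

def shadow_it(report):
    hits = [n for n, r in report.items() if not r["sanctioned"]]
    return sorted(hits, key=lambda n: -report[n]["bytes_out"])  # largest upload first
```

Calling `shadow_it(discover(SAMPLE_LOG))` ranks the unsanctioned services by upload volume, which is the figure to look at first when deciding what to block or bring under contract.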

1, 2 or 3: possible different ways to integrate a CASB solution

There are several different ways in which you can integrate a CASB solution. The first, which is also the least intrusive, is integration through an API. The CASB uses the APIs made available by the different CSPs in order to implement policies, access control and data security. It is also possible to add protection to data which were already stored at a CSP before the CASB was integrated. On the other hand, this method has the disadvantage that it can only work in "near real time", since the API must be queried every time a status or property is needed.

A second possibility is integration via a forward proxy. In this method, the existing perimeter proxy is configured to pass all requests for the CSP to the CASB first, before any access to the CSP is possible. The disadvantage in this case is that connections must go through the enterprise network.

Reverse Proxy ‒ the key to success

The third method, which in the opinion of our experts is the most secure, is integration as a reverse proxy. In this case, the end user initially connects directly to the CSP, is then routed to the appropriate identity provider for authentication and authorisation, and from there goes through the CASB back to the CSP. The great advantage of this variant is obvious: all accesses, even from outside the enterprise network and towards the outside, are always forced to go through the CASB provider. And you can also integrate real-time policies for DLP or encryption.

Summary: secure in the cloud with CASB!

I am convinced that with the acquisition of Skyhigh Networks, McAfee has taken on one of the very first CASB providers, and one that brings a superb addition to McAfee's WebGateway portfolio. As a current partner of McAfee, InfoGuard can take advantage of Skyhigh Networks' portfolio, and so can you. We can offer you a well-proven solution in the field of CASB. Skyhigh Networks offers CASB solutions in the following fields:

  • Shadow IT
  • Sanctioned IT for SaaS and IaaS

 

This results in an ideal solution for all large SaaS and IaaS platforms. Do you want to know more about CASB and the innovative solutions we mentioned? Take advantage of our experts' solid know-how and experience. Call us, we shall be happy to help.

 
