Cloud Access Security Broker
CASB (pronounced /kas-bee/) is the acronym for Cloud Access Security Broker. CASB is an emerging security technology that complements existing security solutions such as NextGen Firewalls (NG-FW), DLP, DPI and others. CASB addresses the issues that arise when companies start using cloud-based applications and data is no longer contained inside company boundaries.
Consider the following example: Your organisation has just decided to start using Box.com to share files and support global collaboration. Compliancy rules such as GDPR prohibit you to share personal data in your organisation outside of certain regions. Also, it is very easy - mistakenly or maliciously -to share a file with Box users outside of your organisation or with anyone on the Internet. Your NG-FW will not prevent specific data from being uploaded to Box.com as access to Box.com has been marked as a sanctioned business application. DLP functionality is limited in that it will drop or allow the transmission based on a rule set, not taking into account who is allowed access to the content from Box.com.
Figure 1: Control what is sent where
Access to certain data on the internal network from the outside can easily be blocked with a Firewall, but what if that data is no longer on the internal network? Issues like this limit the adaptation of cloud technologies and could force companies to continually have to support a limited amount of IT infrastructure and applications in-house. How much will vary per region, per business segment and with changing legislation.
Using a CASB solution can help overcome these concerns and enable a cloud-based IT approach without limiting its extent. Infradata’s networking, cloud and SD-WAN expertise help you choose and design the best solution for your organisation, either as a managed service or as a solution that you operate yourself.
Talk with an Expert
Speak with a solutions expert or architect. Give us a call or leave a message. Our team is ready for your business.
How is CASB implemented?
A CASB solution, like a Firewall, must sit between the origin and the destination of the data that needs protecting. Similar to a Firewall this can be an appliance between the trusted and untrusted parts of the network, on the end point (like Windows Firewall) or in the Cloud (as a service).
Each method has its drawbacks and advantages in terms of what it can achieve, how scalable it is and how complex it is to manage.
What can CASB do for my organisation?
CASB can give insights into what data is leaving your perimeter and where it is sent to. Reports include information about who (user) sent what (content type, format, keywords) where. When expanded with policies, it can also prevent data from leaving the perimeter or only allow it to be sent to specific destinations and formats (encrypted, tokenised).
Consider the Box.com example again. The CASB device or software will sit between the client and the Box cloud. As the connection to Box is using a secure TLS connection, it will need to intercept the data before it is encrypted or act as a man-in-the-middle and intercept the TLS connection with a company trusted certificate. Data sent to Box is then monitored. When a file that is marked as confidential or containing social security numbers (or other sensitive information) is detected it will interrupt the connection and log the event. A CASB solution can also be set up to encrypt the data that leaves the perimeter. This is different from data transport encryption such as SSL. The data is encrypted on the CASB and forwarded (via TLS) to the cloud where it is stored in its encrypted format. Only when the data is retrieved via the CASB will it be decrypted again before being delivered to the user. Stolen credentials or direct access from the Internet only gives access to the encrypted data.
Because of its ability to encrypt data stored in the cloud, CASB can also help achieve GDPR compliance. Encrypted data for which the keys are not stored outside the EU does not fall under GDPR regulations, so you don’t need to worry about the compliancy of your Cloud provider and how they manage or access your data. Some CASB solutions have additional specific SaaS applications. Similar to being able to check the sharing settings for Box.com, some CASBs allow you to set rules for applications like SalesForce.com to always encrypt fields containing credit card, DoB and social security numbers. When accessing the data from outside the organisation, only non-sensitive information fields can be read.
How can Infradata help?
Infradata has 13 years’ experience of deploying and managing security solutions. We can help you asses your current level of security and how the use of cloud applications exposes your organisation to new threats. We can advise if and how a CASB solution can limit these threats. Infradata can help you to select the best CASB solution for you. This can be a Proxy-, Cloud- or Agent based solution. We can also assist you in the implementation to ensure that the policies on the CASB are aligned with the compliancy rules that your organisation must adhere to.