A cloud access security broker (CASB) is a type of software that helps make cloud services secure. The security software is placed between the cloud service provider and the organization using the cloud services. CASBs secure cloud applications by providing the visibility, compliance, and security controls needed to meet government regulations and internal policies.
With the rise of BYOD policies, enterprises are discovering that employees will often download sensitive corporate data to their unmanaged personal devices. This is risky behavior because, for the most part, unmanaged personal devices lack even the most basic security capabilities. For example, if the device is lost or stolen, any sensitive data stored on it is at risk of being exposed or lost because it is not encrypted. A CASB can detect when an unmanaged device attempts to access a cloud application. In such instances, the CASB can either limit the access to a read-only view or simply block the access attempt.
Security measures like encryption are essential to protecting your data. Though most cloud service providers offer some level of data security, CASB services add even more. Enterprises can encrypt data in a cloud application using their own encryption keys. Alternatively, they can tokenize information before it goes to the cloud. Additionally, organizations have control over who accesses what in the cloud and can apply information rights management technology that prevents unauthorized users from viewing sensitive data no matter where the data ends up.
Threats come from both outside and inside your cloud services. Sometimes user accounts get compromised, while other times users are lazy or careless with how they use the cloud service. They may, for example, unknowingly share a file containing regulated information with an unauthorized third-party partner. Other times, a malicious insider may attempt to download highly sensitive data for monetary gain.
Threat detection includes constant monitoring of all cloud activity to create a model of typical user behavior. Whenever something doesn’t fit within this model, CASB services tag it as a potential threat that should be further investigated. CASBs deliver a complete audit trail of user behavior that helps accelerate post-incident forensic investigations.
CASBs can also detect signs of compromised accounts, such as brute-force attacks and the use of stolen credentials.
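The behavior model described above, sketched as an added example (not from the original article or from any CASB product): each user's daily download volume is scored against that same user's own history, and days that deviate sharply are flagged for investigation. The event fields, the median/MAD scoring method, the thresholds, and the sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed audit events: (user, day, action, megabytes). Not real CASB output.
EVENTS = (
    [("alice", d, "download", mb) for d, mb in enumerate([40, 55, 48, 52, 45, 50], 1)]
    + [("alice", 7, "download", 2400),   # sudden bulk download
       ("alice", 7, "upload", 5000)]     # other actions are scored separately
    # bob is a consistently heavy user; a single global limit would misjudge him
    + [("bob", d, "download", mb)
       for d, mb in enumerate([300, 280, 320, 310, 290, 305, 315], 1)]
)

def daily_totals(events, action="download"):
    """Sum megabytes per user per day for one action type."""
    totals = defaultdict(lambda: defaultdict(float))
    for user, day, act, mb in events:
        if act == action:
            totals[user][day] += mb
    return totals

def flag_anomalies(events, min_history=5, threshold=6.0):
    """Return (user, day, mb) for days far above the user's own baseline.

    The baseline is the median of the user's earlier days; spread is the
    median absolute deviation (MAD), which one extreme day cannot distort.
    """
    flagged = []
    for user, per_day in daily_totals(events).items():
        history = []
        for day in sorted(per_day):
            mb = per_day[day]
            if len(history) >= min_history:
                med = median(history)
                # Fall back to 1.0 so a perfectly flat history cannot divide by zero.
                mad = median(abs(x - med) for x in history) or 1.0
                if (mb - med) / mad > threshold:
                    flagged.append((user, day, mb))
                    continue  # keep the outlier out of the baseline
            history.append(mb)
    return flagged

if __name__ == "__main__":
    for user, day, mb in flag_anomalies(EVENTS):
        print(f"investigate: {user} downloaded {mb:.0f} MB on day {day}")
```

Bob's 315 MB day is larger than any of Alice's normal days but is not flagged, because each user is compared only with their own typical behavior.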
When you upload a sensitive or private file to the cloud, CASB software will enforce your DLP (data loss prevention) policies to ensure that data remains in your cloud and only in your cloud. If employees try to download or send the sensitive data outside the cloud, they won’t be able to. Your sensitive data is that much more secure because accidents caused by employee carelessness are preventable.
If any employees of your organization are using unapproved cloud services or software (shadow IT), a CASB will detect that usage and give you visibility. You get to see who is using the shadow IT, what kind of technology it is, and whether it adds security problems to your cloud services. Shadow IT is typically very hard to control; CASB technology is one of the best ways to monitor and take care of it.
Multiple users in a cloud account containing sensitive data will always pose security risks. A cloud access security broker is a smart way to add extra protection against those risks, both internal and external. For anyone worried about sensitive company files or employee behavior regarding business cloud services, CASBs are the simplest way to monitor and control that cloud system.