
What Is a Cloud Access Security Broker (CASB)?

A Cloud Access Security Broker (CASB) is a security solution designed to safeguard an enterprise's Software as a Service (SaaS) applications. It serves as a monitoring and control point between users and cloud service providers, enforcing secure data transmission and access control. A CASB provides full visibility into SaaS applications, enabling enterprises to monitor and manage access to them in order to prevent data leakage and non-compliance, and supports fine-grained control of SaaS applications to counter insider threats, shadow IT, and high-risk data sharing.

Why Do We Need CASBs?

What Is a SaaS Application?

SaaS is a cloud-based software delivery model in which users access software hosted in the cloud by a SaaS provider directly over the Internet, without installing it on their local computers. This model lets users subscribe to specific software services on demand rather than purchasing a complete software package. SaaS applications are accessible and convenient, allowing users to work over the Internet anytime and anywhere. They are widely used across service scenarios, including cloud storage, online conferencing, customer relationship management (CRM), enterprise resource planning (ERP), email marketing, accounting, and human resource management. One key benefit of SaaS is that enterprises can use the latest technologies and tools without investing in expensive hardware and software infrastructure. Additionally, SaaS allows users to access the same application from different devices and operating systems, ensuring the continuity and efficiency of the workflow. In summary, SaaS provides an efficient, scalable, and cost-effective way of using software, which has made it a significant driving force for digital transformation in contemporary businesses.

Threats from SaaS Applications

SaaS applications break through the original physical security boundary of the enterprise and store a large amount of sensitive enterprise information on public servers. Without dedicated security protection, this sensitive information may be disclosed. What's more, SaaS applications may lack strict permission control, allowing some users to access data not required by their role, which may cause information leakage. Additionally, quick switching between an enterprise account and a personal account may blur the boundary between the two kinds of accounts for data access and management, further increasing the risk of information leakage.

Challenges to SaaS Application Security

1. Service cloudification

Service cloudification poses a series of security challenges to SaaS applications, including data protection, access control, identity authentication, and application-level security configuration. The first challenge is data protection. Because data is no longer stored on local servers but in the infrastructure of cloud service providers, it must be encrypted both in transit and at rest. Another key challenge is that access control is becoming increasingly complex now that users can access SaaS applications from anywhere; preventing unauthorized access therefore calls for stronger authentication and authorization mechanisms. In addition, because the cloud environment is ever-changing, security configurations need to be continuously updated accordingly, making management a highly complex task. The final key challenge is misconfiguration, one of the major causes of security incidents. Organizations need to perform automated and continuous scanning to prevent such incidents. Common causes of misconfiguration are a lack of visibility into changes to SaaS security settings and too many departments having permission to access the data.

2. Branch office

SaaS applications in multi-region collaborative office environments also face a series of unique security challenges. The first arises from multi-region collaboration itself, where employees in different regions require varying levels of access permissions, complicating permission management. The second involves complying with data protection laws and regulations in different regions: enterprises must ensure that their SaaS applications comply with the laws and regulations of every related region. Another challenge is insufficient investment. Many organizations prioritize investment in business-critical SaaS applications over SaaS security tools and personnel. As a result, existing security teams take on more monitoring responsibilities without sufficient resources to support their work. Automated monitoring of SaaS security can help alleviate this pressure, but few organizations currently take this approach. Yet misconfiguration of SaaS security is closely tied to data leakage prevention, access control, password management, and multi-factor authentication. To avoid unauthorized access to and disclosure of important company data, it is crucial to give the security team visibility into the security settings of SaaS applications. This visibility enables multiple departments to maintain their access permissions without causing unintended changes, thereby protecting the organization against attacks.

3. Mobile office

In mobile office scenarios, SaaS applications face a number of security challenges, including device loss or theft, data leakage, system fragmentation, application market security risks, mobile phone viruses, and the mixed use of public and private data. The portability of devices makes them easy to lose, which increases the risk of enterprise data leakage. There is also a risk of employees disclosing information unintentionally or maliciously, which may cause data loss to enterprises. In addition, the fragmentation of mobile operating systems makes unified management difficult, and the security risks associated with application markets cannot be ignored. The spread of malware can turn mobile devices into a springboard for attacking enterprise networks, while the mixed use of public and private data raises concerns about personal privacy and enterprise data security.

Against this backdrop, the CASB emerges as a solution. It provides a unified security solution for SaaS applications to help enterprises harness the cloud to manage the permissions, data security, and threat protection of SaaS applications in a unified manner.

How Does a CASB Work?

In a CASB, SaaS applications are classified into two types: approved and unapproved. Approved applications are those that the enterprise has approved based on its service requirements and security evaluation results. Examples include Office 365 and Google Workspace, which provide a complete office platform, as well as SaaS applications that provide specific functions such as office automation (OA), HR management, and network storage. Unapproved applications are those that the enterprise has not approved but that employees use nonetheless; for example, AI applications that have exploded in popularity may be used directly by some employees. A CASB grants different network permissions to the two types of applications.

To effectively manage approved and unapproved applications, CASBs use different working modes: inline CASB and API CASB.

Inline CASB

An inline CASB is embedded in the gateway at the network egress of an enterprise, where it inspects, analyzes, and controls the enterprise's incoming and outgoing traffic. From this traffic, the inline CASB generates SaaS application usage reports for network administrators: it separates approved from unapproved SaaS applications, ranks applications by usage, and presents statistics from multiple dimensions. This helps network administrators understand how SaaS applications are used and identify potential problems, for example that a particular SaaS application is used by a large number of employees. The inline CASB also supports fine-grained control of SaaS applications. Generally, a permit policy is configured for approved SaaS applications so that they can be used normally. But if a SaaS application has complex functions, an enterprise may set more detailed access policies based on those functions; for example, a cloud storage application may be allowed for file downloads but not uploads. Furthermore, access policies can be distinguished by account type; for example, only enterprise accounts, not personal accounts, may log in to and use a SaaS application. The inline CASB also filters the content of transferred files against specified keywords, preventing data carrying enterprise-specific identifiers from being disclosed to external systems.
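The inline checks described above (approved/unapproved split, per-action policies, enterprise-account-only login, keyword filtering of uploads, and usage ranking), as an added Python illustration that is not code from this page or from any CASB product; the application catalogue, domain names, keywords and traffic sample are constructed assumptions.

```python
"""Inline CASB policy evaluation over egress traffic (added illustration).
App catalogue, domain, keywords and sample requests are constructed for this
example; they are not data from any real CASB product."""
from collections import Counter
from dataclasses import dataclass

# Constructed catalogue: application -> approval status and permitted actions.
APP_CATALOGUE = {
    "cloud-storage.example": {"approved": True, "actions": {"view", "download"}},
    "office-suite.example": {"approved": True, "actions": {"view", "edit", "download", "upload"}},
    "ai-chat.example": {"approved": False, "actions": set()},
}
ENTERPRISE_DOMAIN = "corp.example"                      # only enterprise accounts may log in
SENSITIVE_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")   # constructed enterprise identifiers

@dataclass
class Request:
    app: str           # SaaS application, e.g. from the TLS SNI or Host header
    account: str       # account used to log in
    action: str        # view / edit / download / upload
    payload: str = ""  # file content being transferred, if any

def evaluate(req):
    """Return (decision, reason) for one request, applying the inline CASB checks in order."""
    entry = APP_CATALOGUE.get(req.app)
    if entry is None or not entry["approved"]:
        return "deny", "unapproved application"
    if not req.account.endswith("@" + ENTERPRISE_DOMAIN):
        return "deny", "non-enterprise account"
    if req.action not in entry["actions"]:
        return "deny", f"action '{req.action}' not permitted for {req.app}"
    if req.action == "upload" and any(m in req.payload for m in SENSITIVE_MARKERS):
        return "deny", "sensitive content marker in upload"
    return "permit", "policy match"

def usage_report(requests):
    """Rank observed applications by request count, split into approved and unapproved."""
    ranked = Counter(r.app for r in requests).most_common()
    approved = {a for a, e in APP_CATALOGUE.items() if e["approved"]}
    return {"approved": [(a, n) for a, n in ranked if a in approved],
            "unapproved": [(a, n) for a, n in ranked if a not in approved]}

SAMPLE = [  # constructed egress traffic sample
    Request("cloud-storage.example", "alice@corp.example", "download"),
    Request("cloud-storage.example", "alice@corp.example", "upload", "lunch menu"),
    Request("cloud-storage.example", "alice@mail.example", "view"),
    Request("office-suite.example", "bob@corp.example", "upload", "Q3 plan CONFIDENTIAL"),
    Request("ai-chat.example", "bob@corp.example", "view"),
    Request("ai-chat.example", "carol@corp.example", "view"),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.app, r.account, r.action, evaluate(r))
    print(usage_report(SAMPLE))
```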

API CASB

The API CASB does not process traffic directly. Instead, it retrieves information (including configuration information, file content, and access logs) from SaaS applications through the APIs those applications expose to external systems. For approved applications, such as the enterprise email system SendGrid, the API CASB can classify and filter data based on this information and detect and handle violations or high-risk files. In addition, using information such as access logs, the API CASB can run anomaly detection or user and entity behavior analytics (UEBA) algorithms to detect potential risks and generate alarms. For unapproved applications, the API CASB can detect whether the APIs between an enterprise's internal systems and SaaS applications are being invoked, and then prevent employees from using these applications without permission, thereby ensuring data and network security for the enterprise.

What Are the Main Functions of a CASB?

A CASB provides the following main functions:

Four functions of a CASB

1. Visualization and control of SaaS application behavior

A CASB is primarily used to monitor and manage access to SaaS applications. One of its core functions is to visualize SaaS application behavior so that enterprises can better understand how users interact with cloud services. A CASB can also provide reports presenting statistics from different dimensions, such as applications, users, devices, and assets, helping administrators understand the actual usage of SaaS applications in the company. To address the complexity of SaaS applications and the requirements for refined enterprise data access, a CASB can segment and identify sensitive actions within SaaS applications, such as upload, download, and sharing. In addition, a CASB can provide a flexible office environment for employees while protecting sensitive data by considering factors such as access mode, access location, user permission, and device type.

2. Automatic identification of SaaS applications

Managing shadow IT is one of the key features of a CASB. Shadow IT refers to the use of IT resources that are not approved or supervised by the IT department. This is common in enterprises, especially when employees use personal devices or non-work-related applications. Shadow IT may include personal cloud storage applications, communication tools, and other cloud services, all of which may bypass enterprise security measures. A CASB helps mitigate these risks by allowing enterprises to discover and manage shadow IT through visibility into all cloud services in use. It can identify and evaluate unapproved cloud applications, calculate a risk score for each, and create customized policies based on the enterprise's security requirements. For example, a CASB can apply security measures such as encryption, access control policies, and malware detection so that employees can securely connect to any cloud asset. Traditionally, a preset library is used to identify SaaS applications, but this approach cannot keep pace with the rapid growth in the number of SaaS applications. Automatic SaaS application identification addresses this issue by identifying new SaaS applications without manual intervention, so that sensitive enterprise data is no longer at risk of being leaked through unknown SaaS applications. Beyond unapproved SaaS applications, third-party plug-ins in large SaaS applications are another potential point of information leakage, and frequent file sharing between multiple SaaS applications may disclose sensitive files. A CASB also needs to identify and control these risks.

3. Data security in SaaS systems

A CASB's Data Loss Prevention (DLP) feature protects sensitive enterprise data from being accessed or disclosed by unauthorized users. DLP monitors and controls data transmission to keep sensitive information, such as financial data, personally identifiable information, and intellectual property, secure while it is stored, used, and transmitted. The DLP feature can identify and classify enterprise data, encrypt data, and prevent data from being transmitted to unauthorized recipients. In addition, it can monitor and analyze user behavior to identify potential data leakage risks, such as sensitive information being transmitted through insecure applications or devices. By implementing DLP policies, enterprises can better comply with data protection laws and regulations, such as GDPR and HIPAA, and reduce the financial losses and brand reputation damage that data leakage can cause. As a CASB feature, DLP is an integral part of modern enterprise cloud security policy, providing a flexible and effective way to protect enterprise data from internal and external threats.

4. Threat protection for SaaS systems

A CASB's threat protection feature identifies and prevents abnormal behavior and potential threats across a range of cloud applications, such as ransomware, stolen account credentials, and malware. By analyzing user behavior and application usage, a CASB can detect abnormal activity patterns and identify potential security threats before they escalate. In addition, a CASB can assess the risks of unapproved applications and formulate access policies and corrective measures based on the enterprise's security requirements. With threat protection, a CASB can not only detect known security threats but also identify new and complex attack methods through behavior analysis. This adaptive threat protection mechanism, together with DLP and compliance management, provides a comprehensive security solution for enterprises. Through real-time monitoring and analysis, a CASB helps enterprises cope with increasingly complex security challenges and keep workloads secure in multi-cloud environments, ultimately reducing risk, enforcing policy, and maintaining regulatory compliance.
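The access-log analysis described in the API CASB section and in this threat protection function (baselining per-user activity from audit logs and flagging high-risk external sharing), as an added Python illustration rather than code from this page or from any product; the audit-log records, enterprise domain and thresholds are constructed assumptions.

```python
"""API CASB analysis over SaaS audit logs (added illustration).
Records, domain and thresholds are constructed for this example; a real API CASB
would retrieve the records from the SaaS provider's audit-log API."""
from collections import defaultdict
from datetime import datetime
from statistics import median

ENTERPRISE_DOMAIN = "corp.example"

# Constructed audit-log records, already parsed from the provider's API response.
ACCESS_LOG = [
    {"ts": "2025-10-28T09:05:00", "user": "alice@corp.example", "event": "download", "file": "roadmap.docx"},
    {"ts": "2025-10-28T09:20:00", "user": "bob@corp.example", "event": "download", "file": "budget.xlsx"},
    {"ts": "2025-10-28T09:40:00", "user": "bob@corp.example", "event": "share", "file": "budget.xlsx", "target": "partner@corp.example"},
    {"ts": "2025-10-28T09:45:00", "user": "carol@corp.example", "event": "share", "file": "salaries.xlsx", "target": "me@mail.example"},
    {"ts": "2025-10-28T11:10:00", "user": "carol@corp.example", "event": "download", "file": "notes.txt"},
]
# One account pulling 30 files in a single hour (constructed mass-download pattern).
ACCESS_LOG += [
    {"ts": f"2025-10-28T10:{m:02d}:00", "user": "dave@corp.example", "event": "download", "file": f"doc{m}.pdf"}
    for m in range(30)
]

def downloads_per_hour(records):
    """Count download events per (user, hour) bucket."""
    buckets = defaultdict(int)
    for r in records:
        if r["event"] == "download":
            hour = datetime.fromisoformat(r["ts"]).strftime("%Y-%m-%dT%H")
            buckets[(r["user"], hour)] += 1
    return dict(buckets)

def mass_download_alerts(records, factor=10, floor=5):
    """Flag buckets far above the typical hourly volume (median * factor, never below `floor`)."""
    buckets = downloads_per_hour(records)
    if not buckets:
        return []
    threshold = max(floor, factor * median(buckets.values()))
    return sorted((user, hour, n) for (user, hour), n in buckets.items() if n > threshold)

def external_share_alerts(records):
    """Flag share events whose target account is outside the enterprise domain."""
    return [(r["user"], r["file"], r["target"]) for r in records
            if r["event"] == "share" and not r["target"].endswith("@" + ENTERPRISE_DOMAIN)]

if __name__ == "__main__":
    for a in mass_download_alerts(ACCESS_LOG):
        print("mass download:", a)
    for a in external_share_alerts(ACCESS_LOG):
        print("external share:", a)
```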

CASB vs. DLP

DLP is an extensive data security technology that covers various data environments of an enterprise. It is designed to protect enterprise data and prevent data leakage through various channels, such as network transmission and storage devices. A CASB is a security solution dedicated to cloud services. It includes some DLP functions but focuses on SaaS application scenarios. The following figure shows the key differences between the two.

CASB vs. DLP

Functions of the CASB in the SASE Solution

A CASB is an indispensable security function within a Secure Access Service Edge (SASE) solution. It provides access control, policy enforcement, and threat prevention to protect cloud resources from unauthorized access and a range of network threats, and works closely with the other SASE components to deliver more comprehensive security capabilities. Together with the secure web gateway (SWG), the CASB protects web applications accessed by users and prevents malicious operations through browsers. Integrated with zero trust network access (ZTNA), the CASB provides fine-grained access control to ensure that only authenticated users and devices can access specific cloud services. In the SASE solution, the CASB is mainly used to secure cloud applications and to address the visibility, control, data protection, and compliance challenges of cloud access. It works with the other SASE components to build a seamless, efficient, and secure access framework that adapts to modern distributed and cloud-first IT environments.

Huawei Xinghe Intelligent SASE Solution complies with the MEF's SASE standards. It integrates SD-WAN networking, security, and remote access into a unified network-security convergence solution. The solution is logically divided into four layers: management and control, security service edge (SSE), network, and endpoint. Leveraging flexible modular combination, the SSE layer provides users with security services, including traffic-type and non-traffic-type security capabilities such as ZTNA, firewall as a service (FWaaS), SWG, and CASB. For more information on the solution, see Huawei Xinghe Intelligent SASE Solution. For details about solution deployment and maintenance, see Huawei Xinghe Intelligent SASE Solution Documentation.

About This Topic
  • Author: Zhao Yong, Yang Xiaofen
  • Updated on: 2025-10-28