Demystifying CASB - The Frontline Defense for Organizations against Data Leakage

An IIM Tiruchirapalli alumnus, Karthik is a highly skilled technology professional with over 13 years of experience across diverse enterprise security functions, especially in cloud computing.

With most organisational assets now on the cloud, firms want to focus on their core product without compromising security or regulatory obligations, and are turning to commercial off-the-shelf security products such as the Cloud Access Security Broker (CASB). The shift to remote and hybrid working after COVID has also increased enterprise risk through shadow IT adoption and rapid growth in BYOD. Adding fuel to this is the growing difficulty of insider threat detection, which has become steadily harder to contain. CASB has therefore become an unavoidable and integral part of enterprise security.

Cloud Access Security Broker

CASB is a hybrid software control, deployed on-premise, that monitors cloud usage between an organisation's users and cloud applications through centralised policy enforcement based on the organisation's business context. It significantly enhances cloud safety by tracking and protecting the movement of sensitive information. It helps organisations abide by regulatory frameworks, shields them from attacks and prevents employees from introducing further risk to the organisation. To do so, CASB first performs auto-discovery: it detects all third-party cloud services in use in the organisation and identifies which employees are using them. It then determines the risk severity of each application based on factors such as its functionality, the data being stored in it and how that data is transmitted. Monitoring results and the associated risks are raised as alerts by integrating with SIEM, SOAR or other notification tools through use-case automation. The security team can then analyse the alerts and remediate them by taking appropriate and timely action.

CASB can be deployed in three ways: reverse proxy, forward proxy and API control. A forward proxy, used to gain insight into outbound web traffic, sits between the user and the internet and so introduces an additional layer of defence. Similarly, a reverse proxy filters incoming traffic and routes it to the appropriate servers. An API-based CASB, on the other hand, offers ready-to-fit plug-in integration with SaaS and cloud service providers and helps monitor and control data usage in the cloud. In an enhanced model, two of these modes can be combined in a multi-mode deployment. The industry is seeing a major spike in the adoption of SaaS-based multi-mode CASB deployments.
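The two steps described above, auto-discovery of cloud applications from traffic and the allow/monitor/block decision a forward proxy makes on each request, as an added example written for this article (not the author's code or any vendor's product). The proxy log lines, the application catalogue, the risk scores and the upload limit are all constructed assumptions:

```python
"""Added example: shadow-IT discovery from proxy logs and the inline allow /
monitor / block decision a forward-proxy CASB makes. Illustrative code, not
the article's or any vendor's product. The log lines, the application
catalogue, the risk scores and the upload limit are constructed assumptions."""
from collections import defaultdict

# Constructed proxy log: timestamp user method host bytes_out
PROXY_LOG = """\
2024-03-01T09:12:04Z alice POST files.corp-sanctioned.example 482113
2024-03-01T09:13:40Z bob   POST upload.freeshare.example 20971520
2024-03-01T09:15:02Z alice GET  news.example 0
2024-03-01T09:20:11Z carol POST api.pdf2word.example 3145728
2024-03-01T09:21:09Z bob   POST upload.freeshare.example 5242880
2024-03-01T09:30:33Z dave  GET  unknown-tool.example 0
"""

# Constructed application catalogue: host -> (app name, sanctioned?, risk score 1..10)
APP_CATALOGUE = {
    "files.corp-sanctioned.example": ("CorpFiles", True, 2),
    "upload.freeshare.example": ("FreeShare", False, 8),
    "api.pdf2word.example": ("PDF2Word", False, 7),
    "news.example": ("NewsSite", False, 1),
}
UNKNOWN_APP = ("Unknown", False, 5)   # uncategorised destinations get a middle risk score
UPLOAD_LIMIT_BYTES = 1024 * 1024      # assumed limit for uploads to unsanctioned apps


def parse_line(line):
    """One proxy log line -> dict."""
    ts, user, method, host, bytes_out = line.split()
    return {"ts": ts, "user": user, "method": method, "host": host, "bytes_out": int(bytes_out)}


def discover(log_text):
    """Auto-discovery: which cloud apps are in use, by whom, and how much data went out."""
    usage = defaultdict(lambda: {"users": set(), "bytes_out": 0, "sanctioned": False, "risk": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        app, sanctioned, risk = APP_CATALOGUE.get(event["host"], UNKNOWN_APP)
        entry = usage[app]
        entry["users"].add(event["user"])
        entry["bytes_out"] += event["bytes_out"]
        entry["sanctioned"], entry["risk"] = sanctioned, risk
    return dict(usage)


def shadow_it(usage, min_risk=5):
    """Unsanctioned apps at or above min_risk, highest data volume first."""
    rows = [(app, u) for app, u in usage.items() if not u["sanctioned"] and u["risk"] >= min_risk]
    return sorted(rows, key=lambda r: r[1]["bytes_out"], reverse=True)


def inline_decision(event):
    """Forward-proxy policy for one request: sanctioned apps pass, uploads to
    risky or oversized unsanctioned apps are blocked, everything else is logged."""
    app, sanctioned, risk = APP_CATALOGUE.get(event["host"], UNKNOWN_APP)
    if sanctioned:
        return "allow"
    is_upload = event["method"] in ("POST", "PUT") and event["bytes_out"] > 0
    if is_upload and (risk >= 7 or event["bytes_out"] >= UPLOAD_LIMIT_BYTES):
        return "block"
    return "monitor"


if __name__ == "__main__":
    found = discover(PROXY_LOG)
    for app, u in shadow_it(found):
        print(f"{app:10s} risk={u['risk']} users={sorted(u['users'])} bytes_out={u['bytes_out']}")
    for line in PROXY_LOG.splitlines():
        print(inline_decision(parse_line(line)), line)
```

The discovery report is what an out-of-band CASB produces from existing proxy logs; the per-request decision is what the same catalogue enables once the forward proxy is inline. Keeping both on one catalogue is the point of the multi-mode deployments mentioned above.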


CASB Use Cases for Organizations

Out-of-band CASB scans for sensitive data across the organisation's repositories and internal pages. Inline CASB prevents users from sharing, uploading or posting the company's internal sensitive and confidential information to social media websites from company-provided managed assets where CASB agents are deployed. Classic scenarios CASB can prevent include employees using shadow IT to convert sensitive documents to Word and vice versa, downloading material from unverified websites, and installing freeware that could land the organisation in licensing issues or fines. CASB also stops end users browsing uncategorised or risky websites from organisation-provided assets, and restricts them from sending data from unmanaged devices under BYOD, where organisations allow employees to access company repositories and resources. Furthermore, CASB helps identify compromised accounts through built-in and custom anomaly detection, alerting administrators to unusual behavioural patterns. When these alerts are configured in CASB, administrators can act immediately and quarantine specific user accounts to prevent harm to the organisation.

CASB enhances cloud safety by tracking the movement of sensitive information, helps organisations abide by regulatory frameworks, shields them from attacks, and prevents employees from introducing more risk to the organisation.

CASB Integration with SIEM & SOAR

CASB tools can be integrated with SIEM (Security Information and Event Management) tools to forward all DLP (Data Leakage Prevention) logs. These logs can be correlated with other log sources to detect, analyse and assess potential risks to the organisation and prevent serious data breaches and internal or external attack attempts. Similarly, integrating CASB with SOAR (Security Orchestration, Automation and Response) platforms supports DLP-related threat and vulnerability management and incident response: tickets can be raised automatically in the ticketing system and, for standard use cases, closed automatically by following pre-defined steps based on the organisation's guidelines.
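What the SIEM correlation and the SOAR hand-off look like in practice, as an added example written for this article (not the author's code or any product's rule language). The normalised event records, the 15-minute window, the three-event threshold and the playbook actions are constructed assumptions:

```python
"""Added example: a SIEM-style correlation rule over CASB DLP events and
identity events, followed by the SOAR playbook decision. Illustrative code,
not the article's or any vendor's; the event schema, thresholds and
playbook actions are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events, already normalised to one schema as a SIEM does on ingest.
EVENTS = [
    {"ts": "2024-03-01T10:00:00Z", "src": "casb", "type": "dlp_violation", "user": "bob",
     "app": "FreeShare", "policy": "PII-SSN", "action": "blocked"},
    {"ts": "2024-03-01T10:04:00Z", "src": "casb", "type": "dlp_violation", "user": "bob",
     "app": "FreeShare", "policy": "PII-SSN", "action": "blocked"},
    {"ts": "2024-03-01T10:07:00Z", "src": "casb", "type": "dlp_violation", "user": "bob",
     "app": "PersonalMail", "policy": "PII-SSN", "action": "blocked"},
    {"ts": "2024-03-01T09:55:00Z", "src": "idp", "type": "login", "user": "bob",
     "country": "XX", "new_location": True},
    {"ts": "2024-03-01T11:30:00Z", "src": "casb", "type": "dlp_violation", "user": "alice",
     "app": "CorpFiles", "policy": "Confidential", "action": "coached"},
]


def ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, window=timedelta(minutes=15), threshold=3):
    """Rule: `threshold` or more DLP violations by one user inside `window` raise
    an incident; a login from a new location in or just before that burst
    escalates it, since that pattern suggests a compromised account."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)
    incidents = []
    for user, evs in by_user.items():
        dlp = sorted((e for e in evs if e["type"] == "dlp_violation"), key=ts)
        logins = [e for e in evs if e["type"] == "login" and e.get("new_location")]
        for i in range(len(dlp)):
            burst = [e for e in dlp[i:] if ts(e) - ts(dlp[i]) <= window]
            if len(burst) >= threshold:
                start, end = ts(burst[0]), ts(burst[-1])
                suspicious_login = any(start - window <= ts(l) <= end for l in logins)
                incidents.append({
                    "user": user,
                    "count": len(burst),
                    "apps": sorted({e["app"] for e in burst}),
                    "severity": "high" if suspicious_login else "medium",
                })
                break   # one incident per user per burst
    return incidents


def playbook(incident):
    """SOAR-style handling: ticket fields plus whether the standard-use-case
    runbook may close the ticket without an analyst."""
    ticket = {"title": f"DLP burst: {incident['user']} ({incident['count']} events)",
              "severity": incident["severity"], "actions": []}
    if incident["severity"] == "high":
        ticket["actions"] += ["quarantine_account", "notify_soc"]
        ticket["auto_close"] = False   # possible account compromise: analyst must confirm
    else:
        ticket["actions"] += ["notify_manager", "user_awareness_nudge"]
        ticket["auto_close"] = True    # standard use case with a pre-approved runbook
    return ticket


if __name__ == "__main__":
    for incident in correlate(EVENTS):
        print(incident)
        print(playbook(incident))
```

The value of the correlation is visible in the sample: three blocked uploads on their own are a coaching matter, but the same three minutes after a login from an unfamiliar location become an account-quarantine incident, which is the compromised-account use case described earlier.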

CASB solutions can detect, alert on and prevent data leakage from endpoints and mobile devices by embedding Endpoint DLP and MDM (Mobile Device Management) capabilities into their existing features. CASB can also detect, alert on and prevent the copying of a specific cell, row or column from structured sources such as relational databases through a feature named EDM (Exact Data Match). Leakage from unstructured sources such as file storage or non-relational databases, which store data as key-value pairs, can be prevented using a feature called IDM (Index Data Match), in which content being posted, shared, copied or pasted is compared against the fingerprinted non-relational databases and file storage on a percentage basis. Any internal user or external attacker attempting to copy data from a fingerprinted relational database, non-relational database or file storage triggers a DLP alert to the security administrator.
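Simplified versions of the two matching techniques named above, EDM over structured cells and IDM over fingerprinted unstructured content, as an added example written for this article (not the author's code or any vendor's implementation). The customer rows, the document, the digit-run token pattern and the 40% threshold are constructed assumptions; the hashing of cells and word shingles stands in for the vendors' proprietary fingerprinting:

```python
"""Added example: simplified Exact Data Match (EDM) for structured records and
Index Data Match (IDM) for unstructured content. Illustrative code, not the
article's or any vendor's implementation; the rows, document, token pattern
and thresholds are constructed assumptions."""
import hashlib
import re


def _norm_cell(s):
    """EDM cells: drop spaces and dashes so '123-45-6789' and '123 45 6789' agree."""
    return re.sub(r"[\s\-]", "", s).lower()


def _norm_text(s):
    """IDM text: lowercase, strip punctuation, collapse whitespace."""
    return re.sub(r"\s+", " ", re.sub(r"[^\w\s]", " ", s.lower())).strip()


def _h(s):
    return hashlib.sha256(s.encode()).hexdigest()


# --- EDM: fingerprint the sensitive columns of structured rows --------------
# Constructed customer table. In a real deployment only the hashes leave the
# database export; the CASB never holds the plaintext values.
CUSTOMERS = [
    {"name": "Ann Lee", "ssn": "123-45-6789", "card": "4111111111111111"},
    {"name": "Raj Kumar", "ssn": "987-65-4321", "card": "5500000000000004"},
]
SENSITIVE_COLUMNS = ("ssn", "card")
TOKEN_RE = re.compile(r"[0-9][0-9\- ]{7,}[0-9]")   # digit runs that could be an SSN or card number


def build_edm_index(rows, columns=SENSITIVE_COLUMNS):
    """hash(cell) -> (column, row index) for the sensitive columns only."""
    return {_h(_norm_cell(row[col])): (col, i) for i, row in enumerate(rows) for col in columns}


def edm_scan(text, index):
    """Hash each candidate token in outbound text and look it up in the index."""
    hits = []
    for m in TOKEN_RE.finditer(text):
        key = _h(_norm_cell(m.group()))
        if key in index:
            col, row = index[key]
            hits.append({"column": col, "row": row, "offset": m.start()})
    return hits


# --- IDM: fingerprint a document as a set of hashed word shingles -----------
def shingles(text, k=5):
    words = _norm_text(text).split()
    return {_h(" ".join(words[i:i + k])) for i in range(max(len(words) - k + 1, 0))}


def build_idm_index(documents, k=5):
    return {doc_id: shingles(body, k) for doc_id, body in documents.items()}


def idm_scan(text, index, k=5, threshold=0.4):
    """Share of each fingerprinted document's shingles that appear in `text`;
    a hit when that share reaches `threshold` (the 'percentage basis')."""
    probe = shingles(text, k)
    hits = []
    for doc_id, fingerprint in index.items():
        if not fingerprint:
            continue
        overlap = len(probe & fingerprint) / len(fingerprint)
        if overlap >= threshold:
            hits.append({"doc": doc_id, "overlap": overlap})
    return hits


# Constructed unstructured source (a file-share document) to fingerprint.
DOCUMENTS = {
    "roadmap.txt": ("Project Falcon launches in Q3 with the new billing engine and "
                    "migrates all enterprise tenants before the fiscal year close."),
}

if __name__ == "__main__":
    edm = build_edm_index(CUSTOMERS)
    print(edm_scan("please find ssn 987-65-4321 attached", edm))
    idm = build_idm_index(DOCUMENTS)
    print(idm_scan("FYI: Project Falcon launches in Q3 with the new billing engine "
                   "and migrates all enterprise tenants, thanks", idm))
```

Two properties worth noting: EDM only fires on a value that is actually in the fingerprinted column, so a random order number does not trigger it, and IDM still fires when a paragraph is pasted with a new prefix and suffix because the shingle overlap, not an exact file match, is what is measured. Tuning the threshold trades missed partial leaks against false alerts on boilerplate text shared by many documents.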

Most of the time, organisations focus on protecting information assets from external threats and overlook data leakage from insider threats such as disgruntled employees. Some prominent attacks have happened because of insiders, through misconfiguration, negligence and a lack of security awareness among employees. To prevent all of the above, organisations can embed CASB solutions in their security strategy and prevent data leakage from all possible sources.
