AcademyWhat is a Cloud Access Security Broker (CASB)?

What is a Cloud Access Security Broker (CASB)?

CASBs play a critical role in providing visibility into how businesses use the cloud. They enforce security and governance rules to mitigate the risk that cloud services or SaaS apps could become weak links in an organization’s security posture. Without a CASB, you may not know which applications, services, and data your business has exposed in cloud environments. How would you know if those resources are secure if you don’t know they exist?

Wiz Experts Team

What is a CASB?

A Cloud Access Security Broker is a service that operates as an intermediary between a business and cloud-based applications.

With a CASB, employees who want to use cloud services must first gain clearance through the CASB, which typically requires complying with preconfigured CASB security policy rules, enforcing requirements such as authentication, authorization, and encryption.

Why are CASBs important?

To understand why CASBs matter, you must first understand that while the cloud makes applications and data easy for anyone to access, it also makes it easy for users to make mistakes that lead to security risks.

CASBs help to mitigate these risks by providing visibility into which cloud services are being used, as well as determining whether they are being used in ways that meet security and compliance requirements.

CASB example

As an example of how a CASB could prevent critical security mistakes, imagine that your business’s accounting department chooses to use a cloud-based SaaS application to keep track of sales records that include personally identifiable information (PII) related to customers.

Since SaaS services are hosted in the cloud and require no special technical skills to operate, they can usually be launched in minutes by anyone. This means that the accounting department can start using a SaaS app without notifying the IT or cybersecurity team. As a result, people with expertise in cloud security may not even be aware that the application is being used, let alone whether it’s being used securely.

Meanwhile, because SaaS applications will happily store and manage any data that users upload into them, and your accountants may not be experts in compliance or cybersecurity, there is little to protect your accountants from using the SaaS solution to process PII in a way that violates your organization’s security rules. The SaaS app itself also has no knowledge of what those rules are or which types of security practices your organization requires.

Without a CASB solution in place, an seemingly benign activity like this could lead to a major security risk or compliance violation in the event that the PII is managed in an insecure way.
With a CASB, the accounting department’s attempt to use the SaaS application will be detected. The CASB will then notify the IT or cybersecurity department about the application, so that they can intervene and make sure it’s used in a secure way. The CASB could also potentially validate the specific ways that the accountants interact with the SaaS app and determine automatically whether they are insecure. For example, it could determine whether or not they are attempting to upload PII to the app.

How do CASBs work?

Most CASBs rely on multiple approaches to detecting unauthorized use of cloud services. They might inspect incoming and outgoing network traffic to determine which endpoints employees inside your business are connecting to, then validate whether those endpoints are associated with authorized cloud applications or services. A CASB could also encrypt traffic before it leaves the local network, providing another layer of security.

Advanced CASBs analyze data from a variety of sources in order to profile user behavior and detect deviations from the norm. For example, if a CASB notices that a user account that has previously never moved large volumes of data over the network is suddenly trying to upload hundreds of gigabytes to an external endpoint, it could flag the activity as a possible data exfiltration risk‍.

CASB as one step toward cloud security

While CASBs provide one layer of security to protect cloud environments, they are hardly sufficient on their own to address all types of cloud security threats.

The main purpose of CASB is to defend against the risk of rogue IT, unauthorized or non-compliant use of third-party cloud resources. Most CASBs are not designed to detect other types of cloud security risks, such as vulnerabilities within applications that businesses deploy using a cloud IaaS service or misconfigurations within cloud IAM rules. The latter types of risks are addressed by Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) solutions. 

So, while any business that uses SaaS applications or other third-party cloud resources can and should deploy a CASB solution as one pillar of its security strategy, it’s important to think holistically about cloud security and the other services needed to keep your organization safe.