Understanding the cloud access security broker

Cloud services grew out of a desire for simplicity and predictability. However, complexity creeps back in as organizations adopt dozens or even hundreds of cloud services, creating potential security challenges.

To help address security vulnerabilities brought on by this complexity, organizations should consider engaging a cloud access security broker (CASB). CASBs are a specialized version of an emerging third-party entity — the cloud broker — which helps cloud customers provision and manage multiple services.

Cloud vendors already take significant steps to protect their own environments, from physical data center hardening to advanced measures against electronic intrusion and denial-of-service attacks. A vendor can only speak to the security of its own cloud. The CASB, however, can add protections by enforcing security policies tailored to the user organization’s specific needs, industry and regulatory requirements, and access policies.

Qualities to look for in a CASB

Not all CASBs are alike. Some CASBs are themselves cloud-based solutions and are delivered as a service. Others are physical, smart-proxy gateways that can be installed and managed in your own data centers. Most of the services they provide are not dependent on the delivery model, but costs and maintenance requirements can differ substantially. When evaluating whether a CASB is a good fit for your enterprise security needs, consider all of these factors:

• Security threat communications: CASBs should explain how they will log not only obvious security threats, but also significant anomalies. A single user credential being used to access different cloud services from different geographic locations, for example, can sometimes be an indication of a security event. Coordinating alerts and responses with administrators and IT leadership is a key CASB duty.
• Emerging device leadership: A CASB must establish itself as a security authority for emerging device categories and assist you in assessing mobile and wearable cloud service access.
• Additional access controls: Although not needed by every organization, a CASB can provide access controls otherwise unavailable through native cloud vendors. This can include time-of-day restrictions, as well as blocking users in certain locations or on certain devices from accessing services.
• Security tests, updates and reports: A CASB should be held accountable for rigorously testing and updating its own security protocols and should provide regular, comprehensive reports. They are a common demand from top-tier clients. The CASB’s internal report should disclose overall security incident metrics and details on specific upgrades or enhancements implemented since the last report.

Cloud vendors can and should be held accountable for their significant role in protecting your data and restricting access to your validated users. That is only the beginning of the journey required to truly secure a complex cloud infrastructure. A reliable CASB can help protect your data every time your users, customers, and devices touch the cloud.