What is CASB? All About Cloud Access Security Brokers

Cloud Access Security Brokers (CASBs) are a great cybersecurity tool. Read on to learn how CASBs work, the solutions they offer, and how to choose one.
Michael Buckbee
Last updated June 2, 2023

A Cloud Access Security Broker (CASB) is a security application that helps organizations manage and protect the data stored in the cloud. Gartner advises organizations to find a “Goldilocks” CASB solution: one that provides just-right capabilities for SaaS applications and Cloud infrastructure.

In this article, we will talk about what those capabilities are, and how to best utilize CASB as part of your cybersecurity profile.


How Does a CASB Work?


CASB systems are part filter, part proxy, and part firewall between users and Cloud systems. They have capabilities to detect unsanctioned cloud applications, or “shadow IT,” as well as sensitive data in transit. CASB can also encrypt traffic to Cloud providers, and do much more, as we’ll discuss later.

Organizations use CASB to address specific use cases with their Cloud providers. They might buy more than one CASB solution, depending on the functionality available in each solution. For example, if an organization uses Salesforce, they will need a CASB solution that supports Salesforce APIs or has functionality designed to protect Salesforce traffic — not all CASBs can do this!

In short: there are too many SaaS applications for there to be a ‘one-size-fits-all’ CASB solution. We hope this article will help you make a better decision about the feature set you’ll need in a CASB.

Pillars of CASB


When you start investigating CASB, you’ll come across its four pillars. Let’s learn about them.

Visibility

CASB solutions provide a window into the traffic between organizations and their Cloud providers. With CASB, you can see which sanctioned and unsanctioned cloud systems users access. The classic example of how a CASB can help CIOs is by informing them of the number of GBs of company data that users upload into the cloud to unmonitored repositories.

CASB solutions also help executives learn what systems users actually access, so they can guide employees to sanctioned alternatives in order to better control and manage critical data.
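The visibility report described above can be sketched over proxy logs. This is an added example, not code from the original article or from any CASB product; the log format, the host names, and the sanctioned-domain list are constructed assumptions.

```python
from collections import defaultdict

# Constructed allowlist of sanctioned cloud services (assumption, not from the article).
SANCTIONED = {"salesforce.com", "sharepoint.com"}

# Constructed proxy log lines: timestamp user method host bytes_sent
SAMPLE_LOG = """\
2023-06-01T09:00:01Z alice POST acme.my.salesforce.com 52428800
2023-06-01T09:02:10Z bob PUT files.example-share.test 2147483648
2023-06-01T09:05:43Z alice POST files.example-share.test 1073741824
2023-06-01T09:07:00Z carol GET acme.sharepoint.com 1200
2023-06-01T09:09:30Z bob POST paste.example-notes.test 5242880
malformed-record
"""

def is_sanctioned(host, sanctioned=SANCTIONED):
    """True when host equals, or is a subdomain of, a sanctioned domain.

    Matching on a dot boundary keeps look-alikes such as
    'notsalesforce.com' from passing as sanctioned.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in sanctioned)

def unsanctioned_uploads(log_text):
    """Return {host: {"bytes": int, "users": set}} for uploads to unsanctioned hosts."""
    report = defaultdict(lambda: {"bytes": 0, "users": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed records instead of crashing
        _, user, method, host, sent = parts
        if method not in {"POST", "PUT"} or is_sanctioned(host):
            continue  # only uploads to destinations outside the allowlist
        report[host]["bytes"] += int(sent)
        report[host]["users"].add(user)
    return dict(report)

def to_gb(n_bytes):
    """Convert a byte count to GB (2**30 bytes), rounded for reporting."""
    return round(n_bytes / 2**30, 2)

if __name__ == "__main__":
    rows = sorted(unsanctioned_uploads(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["bytes"])
    for host, row in rows:
        print(f"{host}: {to_gb(row['bytes'])} GB from {sorted(row['users'])}")
```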

Compliance

With the EU’s GDPR, and new US state privacy and security laws making news, we can expect more data laws and regulations going forward. CASB solutions have some functionality to classify data that passes through the CASB, which can help support compliance programs that govern data.

Data Security

Many CASB solutions have capabilities to detect sensitive data, encrypt or tokenize data, and control access to data.

CASB solutions are not complete data security systems. They are one piece of the puzzle designed to complement other data security solutions in your portfolio. CASB solutions don’t actually touch the data at rest; rather, they inspect data in flight as it travels through the CASB software. CASB can intercept sensitive data in transit, or prevent access to certain websites. This does help data security, but it has some drawbacks. For example, you could have data encrypted by the CASB on its way to a database. If you expect the database to have a readable name field and that field now holds encrypted data... well, that’s a problem.

CASB solutions are missing key parts of a data security system, like permissions management, data remediation, and stale data discovery. And as we said, CASB classifies data in flight, so it might not catch all of the sensitive data.
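The readable-field drawback described above can be shown with a toy model. This is an added example, not code from the original article or from any CASB product; the class names, the key, and the sample rows are constructed, and an HMAC-based deterministic token stands in for whatever encryption or tokenization scheme a real CASB applies.

```python
import hashlib
import hmac

# Constructed key held by the CASB, never by the cloud provider (assumption).
CASB_KEY = b"constructed-demo-key-not-a-real-secret"

def tokenize(value, key=CASB_KEY):
    """Deterministic token: the same plaintext always maps to the same token."""
    digest = hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()
    return "tok_" + digest[:24]

class CloudTable:
    """Stand-in for the SaaS database: it only ever sees what the CASB forwards."""
    def __init__(self):
        self.rows = []
    def insert(self, row):
        self.rows.append(row)
    def find_exact(self, field, value):
        return [r for r in self.rows if r[field] == value]
    def find_prefix(self, field, prefix):
        return [r for r in self.rows if r[field].startswith(prefix)]

class TokenizingCasb:
    """Rewrites protected fields in flight and keeps a vault to reverse tokens."""
    def __init__(self, table, protected=("name",)):
        self.table, self.protected, self.vault = table, protected, {}
    def insert(self, row):
        out = dict(row)
        for f in self.protected:
            out[f] = tokenize(row[f])
            self.vault[out[f]] = row[f]
        self.table.insert(out)
    def find_exact(self, field, value):
        # Exact match still works because the token is deterministic.
        needle = tokenize(value) if field in self.protected else value
        hits = self.table.find_exact(field, needle)
        return [{**r, **{f: self.vault[r[f]] for f in self.protected}} for r in hits]

def demo():
    table = CloudTable()
    casb = TokenizingCasb(table)
    for name, region in [("Alice Ng", "EU"), ("Alan Ruiz", "US")]:
        casb.insert({"name": name, "region": region})
    return {
        "stored_names": [r["name"] for r in table.rows],
        # The provider's own "name starts with Al" search sees only tokens.
        "provider_prefix_search": table.find_prefix("name", "Al"),
        "casb_exact_lookup": casb.find_exact("name", "alice ng"),
    }
```

The provider-side prefix search returns nothing even though both stored names begin with "Al", while an exact lookup routed through the CASB still resolves.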

Threat Detection

CASBs have User and Entity Behavior Analytics (UEBA) capabilities to detect insider threats and compromised accounts. CASBs scan network data that passes through them to identify potential threats or attempts to exfiltrate data from your Cloud solutions.

Why Do I Need a CASB Solution?


If you use Cloud services, SaaS or storage especially, consider adding a CASB solution to your cybersecurity strategy. With the right CASB, you can add specific security controls and protect your data as it moves between your network and your cloud-based service providers. However, their use cases are limited and the expense might not outweigh the benefits. Also, compare the CASB benefits to the security controls that the Cloud services provide. They might overlap enough that you could cover the rest with, for example, Varonis for Office 365.

Q: Are cloud access security broker solutions vital to security?

A: CASB solutions are an important value-add to existing security systems when you use Cloud services. However, CASB shouldn’t be your first cybersecurity spend. If you have solutions for data security, endpoint, perimeter security, network security, and threat detection and response already in place, then augment what you have with a CASB.

Q: What are CASBs used for in security?

A: CASB solutions have several different capabilities to help protect your cloud data. Here are several from Gartner’s paper “How to Secure Cloud Applications Using Cloud Access Security Brokers.”

  1. Cloud application discovery and risk rating
  2. Adaptive access control
  3. Data loss prevention
  4. User and entity behavior analytics
  5. Threat protection
  6. Client-facing encryption (including integration with digital rights management)
  7. Pre-cloud encryption and tokenization
  8. Bring your own key (BYOK) encryption key management
  9. Monitoring and log management
  10. Cloud security posture management

Q: How do security teams benefit from CASBs?

A: Security teams see several advantages when they use CASB.

CASB allows security teams to:

  • Determine risk of unapproved cloud solutions
  • Increase security of approved cloud applications with APIs that support data loss prevention (DLP), UEBA, and adaptive access control (AAC)
  • Monitor usage and adoption of approved cloud services
  • Manage managed and unmanaged device access to cloud services
  • Gain visibility into compliance risk
  • Add threat detection capabilities to your cloud services

Selecting the Best CASB Solution


Here are some things to think about when you select your CASB:

  • Start your CASB implementation with the most important cloud application in your portfolio. Find a CASB that provides API level support for that cloud application.
  • Decide if you want to integrate your CASB with your existing IAS or SSO systems, and select a CASB that supports those integrations.
  • Determine which CASB modes (Forward Proxy, Reverse Proxy, or both) you need for your cloud applications.
  • And of course, balance the cost of the CASB versus the benefit to your security profile.

Checklist: Questions to Ask Cloud Access Security Brokers

  • How does this CASB discover cloud services?
  • Where are the CASB logs stored?
  • Does this CASB do sensitive data discovery? How?
  • How does this CASB determine risk scores?
  • What cloud services does this CASB monitor out-of-the-box?
  • How does this CASB monitor new cloud services?
  • Does this CASB share analytics with other systems (e.g., SIEM)?

CASB Vendors and Resources

Here are the top CASB vendors from Gartner with a highlight of their strengths.

  • Bitglass CASB – Several deployment options and strong AAC and DLP functionality
  • McAfee MVISION – dynamic peer group profiling to detect user behavior anomalies
  • Microsoft Cloud App Security – native integrations with Azure AD, Azure Information Protection, and Microsoft Intune
  • Netskope CASB – strong multimode deployment with endpoint software to protect roaming users
  • Symantec CloudSOC Cloud Access Security Broker (CASB) – strong DLP software across the Symantec infrastructure

CASB Vendors and Varonis

Varonis and CASB play well together, but there are no specific product tie-ins or integrations. Varonis will protect your unstructured data on-prem and in the cloud by classifying sensitive data, highlighting and fixing permissions issues, and monitoring user activity to alert on abnormal user behavior patterns.

Varonis monitors and protects the data that lives on your cloud systems, including SharePoint Online, OneDrive, and Azure AD. Your CASB works with the data that flows through the CASB system on its way between users and Cloud services. Varonis monitors the data itself, and detects behaviors on those Cloud systems to uncover malicious insiders and cyberattacks.

CASB solutions are good at detecting, preventing, and enforcing access to SaaS websites, but they aren’t as good at data protection, threat detection, and analysis as Varonis.

Want to see how Varonis is different from other security solutions? Check out the Live Cyber Attack Workshop and see it for yourself.
