Organizations that have migrated to Microsoft 365 may already be using a Microsoft-developed Cloud Access Security Broker (CASB), either Microsoft Cloud App Security or Office 365 Cloud App Security, and not realize it. The former is a standalone CASB that uses multiple data sources and allows a variety of actions, while the latter is a junior version with fewer features, but is built directly into Microsoft 365 pricing. Both solutions have useful capabilities but, because many businesses are unfamiliar with CASBs and how they work, they are often ignored or mismanaged.
Today’s top enterprises have embraced CASBs to secure cloud applications, but often fail to truly manage the SaaS solutions they own. There are several things that help secure cloud or web application access, from the old standard firewalls, to more specific firewalls such as web application firewalls, proxy servers, DNS gateways, secure web gateways, and more. CASBs are one of many options in a market that can be confusing even for sophisticated cybersecurity teams.
Rock the CASB
The primary functions CASBs perform for businesses are discovery, data protection, threat protection, and (less commonly) identity. Discovery tells businesses what cloud apps people are communicating with in the corporate environment. Data protection prevents employees from sending sensitive data externally. Threat protection guards against malware. Finally, identity validates that the person accessing business apps is, in fact, the employee authorized to do so. That last capability is rare among CASBs, probably because there are identity and access management solutions that specialize in that functionality.
How do CASBs work? Let us assume a business has employees on different devices and they all want to access cloud apps. Ordinarily, there are multiple paths for them to interact with those cloud apps, either directly to lucidchart.com or workday.com, for example, or they might be routed through another device. A CASB manages user sessions with the cloud app and analyzes which device or user is communicating, from where, and at what time to authorize the connection. Most CASBs can also act as proxy servers, whether a reverse proxy or forward proxy. Proxying is similar to going through a VPN, except it is invisible if you are inside the corporate firewall. Your request goes through a proxy server; that proxy server collects the request and communicates with sites and apps on the internet.
Any given organization might have other tools that monitor or control communications, such as a standalone firewall or proxy server. Imagine a scenario where the org has a firewall, a proxy server, and a CASB. If a user goes to something like Salesforce, their traffic would likely be routed through the firewall AND the proxy server AND the CASB to get to the Salesforce app. Note that it doesn't necessarily have to go through the CASB itself in this scenario, but even if it didn't, the other devices might be configured to report what happened to the CASB. So they will share logs with the CASB, and the CASB can include that information in reports and potentially in actions.
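The discovery reporting described above, sketched as an added example that is not from the original article or from any CASB product: it aggregates forwarded proxy/firewall records into a per-app inventory and lists destinations that are not in a sanctioned catalogue. The log layout, the catalogue and the host `files.example-share.test` are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample in a hypothetical "timestamp user device host bytes_out" layout.
SAMPLE_LOGS = """\
2024-05-01T09:02:11Z alice laptop-17 acme.my.salesforce.com 18234
2024-05-01T09:05:40Z bob laptop-22 app.lucidchart.com 90211
2024-05-01T09:07:03Z alice laptop-17 www.workday.com 4410
2024-05-01T09:09:58Z carol phone-03 files.example-share.test 52428800
2024-05-01T09:12:30Z bob laptop-22 files.example-share.test 1048576
truncated record
2024-05-01T09:15:00Z carol phone-03 app.lucidchart.com notanumber
"""

# Assumed app catalogue: domain suffix -> (app name, sanctioned by IT?)
CATALOGUE = {
    "salesforce.com": ("Salesforce", True),
    "workday.com": ("Workday", True),
    "lucidchart.com": ("Lucidchart", True),
}

def classify(host):
    """Map a hostname to a catalogue app, matching only on a label boundary."""
    host = host.lower().rstrip(".")
    for suffix, (name, sanctioned) in CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return name, sanctioned
    return host, False  # unknown destination: reported as unsanctioned

def discover(log_text):
    """Aggregate users and upload volume per app; count records that fail to parse."""
    apps = defaultdict(lambda: {"users": set(), "bytes_out": 0, "sanctioned": False})
    skipped = 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdecimal():
            skipped += 1
            continue
        _, user, _device, host, bytes_out = parts
        name, sanctioned = classify(host)
        apps[name]["users"].add(user)
        apps[name]["bytes_out"] += int(bytes_out)
        apps[name]["sanctioned"] = sanctioned
    return dict(apps), skipped

def unsanctioned_report(apps):
    """Unsanctioned apps sorted by upload volume, largest first."""
    rows = [(n, a["bytes_out"], sorted(a["users"]))
            for n, a in apps.items() if not a["sanctioned"]]
    return sorted(rows, key=lambda r: r[1], reverse=True)
```

The skipped-record count is worth surfacing in any such report, since a device that forwards malformed logs leaves a gap in discovery.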
While CASBs definitely have benefits, it is important to understand CASBs’ limitations, or what they CANNOT do for your business. A few examples of areas where we have seen organizations want to supplement their CASBs include:
- Usage details: CASBs find some information, but are not great at showing IT and security pros usage stats for specific employees. For instance, let’s say there are 20 different Slack instances with 40 different teams. Who owns the Slack subscription? Who are the organizers of those 20 instances? A CASB is unable to answer those questions.
- License information: Similarly, CASBs offer visibility into apps that are plugged into the corporate IT environment but don’t reveal license details. Are your employees limited by using underpowered license levels of business apps that have vulnerabilities? Are employees using all of the apps available under their Microsoft 365 license?
- Financial information: CASBs are oriented toward security so financials are a blind spot. Many organizations want to understand costs so they can accurately calculate and apportion chargebacks and they want to know when subscriptions renew to avoid surprise bills.
- Security: Although CASBs are great security devices, they are not a single solution to avoid all risks. Other solutions are needed to address other vulnerabilities.
- Adoption: CASBs can tell you generally which apps are in use, but don't help at all in getting the RIGHT apps to be used.
Businesses today are proactively searching for ways to secure their data and infrastructure while leveraging licenses and maximizing collaboration by using the right tools. CASBs, particularly the ones built within Microsoft Office 365, help IT and security practitioners tick the first two security boxes. Understanding how these CASBs work and how they fit into the technical environment is an important step in maximizing their value.