A common question that arises as IT teams begin to look at cloud access security broker (CASB) products goes something like, “we already have a web proxy and/or firewall, how is this different?” or “does CASB replace my web proxy / firewall?” These are natural questions because web proxies and firewalls have visibility into all traffic over the corporate network including traffic to and from cloud services. However, there are significant differences between existing network security solutions and a CASB. Let’s first dispel a major misconception: a CASB is not a replacement for existing network security tools, and vice versa.

[CASBs] deliver capabilities that are differentiated and generally unavailable today in security controls such as Web application firewalls (WAFs), secure Web gateways (SWGs) and enterprise firewalls

– Gartner Market Guide for Cloud Access Security Brokers, Craig Lawson, Neil MacDonald, Brian Lowans, 22 October 2015

CASB is a separate, and differentiated market from proxies and firewalls. While CASBs can be deployed in forward or reverse proxy mode to enforce inline controls, the similarities to web proxies stops there. Unlike network security solutions that focus on a wide variety of inbound threats and filtering for millions of potentially illicit websites, a CASB is focused on deep visibility into and granular controls for cloud usage. A CASB can also be deployed in an API mode to scan data at rest in cloud services and enforce policies across this data. Here are some of the high-level functions of a CASB not available in existing network security solutions:

  • Provide a detailed, independent risk assessment for each cloud service (e.g. compliance certifications, recent data breaches, security controls, legal jurisdiction).
  • Enforce risk-based policies (e.g. block access to all high-risk file sharing services and display a real-time coaching message directing users to a company-approved service).
  • Control access to individual user actions based on context (e.g. prevent users from downloading reports to unmanaged devices on remote networks).
  • Enforce data-centric security policies (e.g. encrypting data as it is uploaded to the cloud or applying rights management protection to sensitive data on download).
  • Apply machine learning to detect threats (e.g. an IT user downloading an unusual volume of sensitive data and uploading it to a personal account in another cloud app).
  • Respond to cloud-based threats in real time (e.g. terminating account access in the face of an insider threat or requiring additional authentication factors to continue using a cloud service in the face of a compromised account).
  • Enforce policies for data at rest in the cloud (e.g. revoking sharing permissions on files shared with a business partner or retroactively encrypting sensitive data).

Limited Time Offer: Forrester Wave Report

Download a complimentary copy of the Forrester Wave ranking the top CASB vendors.

Download Now

Cloud-related functions of web proxies / firewalls

Web proxies and firewalls offer broad protection against network threats and, as part of this protection, they do offer some limited visibility into cloud usage, even without integrating to a CASB. For example, although these solutions may have difficulty mapping URLs users access to cloud services, they track cloud access over the corporate network. Some customers use their network security solutions to terminate SSL and inspect content for malware. Proxies and firewalls also bucket cloud services into high-level categories (e.g. Technology/Internet, Business/Economy, Suspicious); however, these categories generally do not reflect the underlying function of the service such as file sharing, CRM, or social media.

One of the primary use cases of network security solutions is categorizing and enforcing access to millions of illicit websites that contain pornography, drugs, gambling, etc. Web proxies can redirect access attempts to specific URLs to an alternate webpage hosting a notification that the URL was blocked. Similarly, firewalls can be configured to block access to specific IP addresses. Both solutions lack detailed and up-to-date cloud registries with cloud service URLs and IP addresses to extend this access control functionality to cloud services. Enterprises often find that while they may have initially blocked a cloud service, cloud providers routinely introduce new URLs and IPs that are not blocked. This results in the widespread phenomenon of “proxy leakage” in which employees regularly access cloud services that IT intends to block.

The focus on IP reputation is also not directly applicable to cloud services. A cloud service may have a high IP reputation, but due to its security controls, or lack thereof, it may also be unsuitable to store corporate data. For example, take a file sharing service with a good IP reputation that allows anonymous use, shares customer data with third parties, is hosted in a privacy-unfriendly country, and experienced a password breach three months ago. Few IT leaders would want sensitive corporate data uploaded to this service. Without a registry of these attributes, network security solutions are unable to enforce risk-based policies. Moreover, since many cloud services do not use standard content disposition headers, network security solutions are unable to enforce data loss prevention (DLP) policies to prevent the upload of sensitive data.

How CASB integrates with web proxies / firewalls

CASB is a complementary technology to web proxies and firewalls. By integrating with these solutions, a CASB can leverage existing network infrastructure to gain visibility into cloud usage. Simultaneously, a CASB enhances the value of these investments by making them cloud-aware. There are three primary methods a CASB uses to integrate with network security solutions: log collection, packet capture, and proxy chaining.

Log Collection

Web proxies and firewalls capture data about cloud usage occurring over the network, but they may not differentiate cloud usage from Internet usage. A CASB can ingest log files from these solutions and reveal which cloud services are in use by which users, data volumes uploaded to and downloaded from the cloud, and the risk and category of each cloud service. In effect, a CASB makes existing infrastructure cloud-aware. CASBs detect enforcement gaps with existing egress infrastructure and can push access policies to them with up-to-date cloud service URLs to close enforcement gaps. For customers that terminate SSL, a CASB can also gather additional detail from these logs on the actions users take within cloud services. Using machine learning, a CASB can detect malware or botnets using the cloud as a vector for data exfiltration.

blog image - log collection 850a

Packet capture

In the packet capture deployment mode, a CASB ingests a feed of traffic from existing network security solutions to gain visibility into the content of data. For example, a CASB can integrate with a web proxy via ICAP. The web proxy is configured to copy and forward cloud traffic to the CASB to evaluate data loss prevention (DLP) policies in a monitor-only configuration. Many cloud services use custom content disposition headers in an effort to improve the performance of their applications. These custom headers have the unintended side effect of preventing network security solutions (and on-premises DLP solutions that integrate to them via ICAP) from inspecting content for DLP. CASBs leverage detailed cloud service signatures to inspect cloud traffic, evaluate DLP policies, and generate alerts for DLP policy violations.

blog image - packet capture 850

Proxy Chaining

A CASB can be deployed as a forward proxy. Many organizations already have a web proxy, and they do not want to deploy another endpoint agent. In proxy chaining mode, the downstream web proxy is configured to route all cloud traffic through the CASB. In this deployment mode, the CASB can enforce real-time governance and security policies. For instance, a CASB can enforce access control policies limiting specific cloud service functionality and displaying educational messages when a user accesses a service outside of policy with options to notify, justify access, and direct users to approved cloud services. Unlike packet capture, this deployment mode enables a CASB to enforce inline DLP policies to prevent policy violations.

blog image - proxy chaining 850

Taken together, CASBs enhance the value of investments enterprises have made in network security solutions. Rather than forcing a rip and replace of existing solutions, CASBs integrate with and extend their capabilities to the cloud. There are clear differences in the functionality of web proxies / firewalls and CASB. Neither is a replacement for the other, but together they deliver better visibility into cloud usage and the ability to enforce compliance and governance policies to protect corporate data as it moves to the cloud. To learn more about the cloud access security broker (CASB) market, download a free copy of the latest Gartner How to Evaluate and Operate a Cloud Access Security Broker, Neil MacDonald, Craig Lawson, 8 December 2015 here.