Cloud applications have changed the way organizations do business, and have introduced new security risks in the process. These applications are easy to set up and use for collaboration, and as a result the volume and sensitivity of data being transferred, stored and shared in cloud environments continue to increase. At the same time, users constantly move between physical locations and use multiple devices, operating systems and application versions to reach the data they need.
These are significant shifts in work habits and technology, and traditional security tools have not kept pace. The push to close these gaps has produced new technologies and new ways to describe them, including the cloud access security broker (CASB) category.
According to Gartner, “CASBs are on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement.”
CASBs provide organizations with three key SaaS security functions, and have seen rapid evolution and adoption as a result: (1) visibility into SaaS usage; (2) granular control over SaaS access; and (3) compliance and security for cloud-based data. A CASB can deliver these functions through different deployment modes, principally inline and API. We explore both in more detail below and then describe a simpler, more effective approach: an NGFW as the inline CASB.
Addressing the CASB Need
When the term was coined, the word "broker" implied that a CASB sat in the path of your cloud traffic. CASB technology has since evolved and now comes in two deployment modes: inline and API. Let us look at each briefly.
Inline CASB can be further broken down into two modes: forward proxy and reverse proxy. In forward-proxy mode, cloud-bound traffic is steered (by an agent, a PAC file or the network itself) to an appliance or service that identifies the application and enforces policy. Forward-proxy functionality is not limited to dedicated proxies: an NGFW appliance or service can enforce the same application-level controls, and because many customers already run an NGFW as the internet gateway for on-premises and remote users, that is often the simplest option. A dedicated proxy (offered by most CASB vendors) adds another management plane and another hop to route traffic through. Customers should check whether their existing NGFW already meets their inline CASB needs at no additional cost. In either case, inspecting SaaS content inline requires decrypting TLS at the enforcement point, so the certificate, privacy and performance implications of decryption apply. In reverse-proxy mode, the CASB vendor uses SSO (or sometimes DNS) to redirect users to the CASB service, which then proxies the session to the application so that policy is enforced; coverage is therefore limited to applications federated through the identity provider and to clients that follow the redirect.
The API-based approach lets the CASB vendor access the customer's data within the cloud application without sitting in the traffic path. It is an out-of-band approach that performs several functions, including granular data security inspection of all data at rest in the cloud application or service, as well as ongoing monitoring of user activity and administrative configuration. The cloud application user experience is preserved because the API integration is non-intrusive and does not touch the data path. Beyond applying policy to future violations, an API-based CASB is the only way to crawl data already stored in the cloud and remediate existing DLP violations and threats. This matters because enterprises often end up "sanctioning" an app before they have worked out how to secure it, and there is almost always existing content that needs to be investigated. We will cover API-based CASB in much more detail in an upcoming blog post.
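To make the API-mode crawl concrete, here is an added example (not code from the original post or from any vendor's product) of the core loop such a scan performs: enumerate files already at rest in a tenant, classify their contents against DLP patterns, and restrict sharing on anything sensitive that is exposed externally. The file records are constructed in-memory stand-ins for what a SaaS provider's API would return, the DLP rules (Luhn-validated card numbers and US SSN format) are deliberately minimal, and "remediation" is simulated by changing the sharing state rather than calling a real API; all names and values are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of what an API-mode crawl of a SaaS tenant might return.
# Owners, sharing states and contents are made up; 4111111111111111 is a
# well-known test card number, and 1234567812345678 fails the Luhn check.
def sample_files():
    return [
        {"id": "f1", "name": "q3-customers.csv", "owner": "alice@example.com",
         "shared": "anyone_with_link", "content": "name,card\nA. Jones,4111111111111111\n"},
        {"id": "f2", "name": "notes.txt", "owner": "bob@example.com",
         "shared": "internal", "content": "lunch at noon, call 555-0100"},
        {"id": "f3", "name": "payroll.txt", "owner": "carol@example.com",
         "shared": "anyone_with_link", "content": "SSN 123-45-6789 for onboarding"},
        {"id": "f4", "name": "draft.txt", "owner": "dan@example.com",
         "shared": "internal", "content": "order id 1234567812345678 is not a card"},
    ]


@dataclass
class Finding:
    file_id: str
    name: str
    owner: str
    rule: str
    shared_before: str   # sharing state when the crawl found the file
    remediated: bool     # True if external sharing was revoked


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: keeps 16-digit order numbers from being flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


CARD_RE = re.compile(r"\b\d{13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def classify(content: str) -> list:
    """Return the DLP rule names that match the content (empty if clean)."""
    rules = []
    if any(luhn_ok(m) for m in CARD_RE.findall(content)):
        rules.append("credit-card")
    if SSN_RE.search(content):
        rules.append("us-ssn")
    return rules


# Sharing states that expose content outside the tenant (assumed vocabulary).
EXTERNAL = {"anyone_with_link", "public"}


def crawl_and_remediate(files, restrict=True):
    """Scan data at rest; revoke external sharing on sensitive files.

    `files` is mutated in place to simulate the API call that changes the
    sharing setting. Returns one Finding per (file, rule) hit.
    """
    findings = []
    for f in files:
        for rule in classify(f["content"]):
            before = f["shared"]
            remediated = False
            if before in EXTERNAL and restrict:
                f["shared"] = "internal"   # stand-in for a real sharing-update API call
                remediated = True
            findings.append(Finding(f["id"], f["name"], f["owner"], rule, before, remediated))
    return findings


if __name__ == "__main__":
    store = sample_files()
    for hit in crawl_and_remediate(store):
        print(f"{hit.file_id} {hit.name} owner={hit.owner} rule={hit.rule} "
              f"was={hit.shared_before} remediated={hit.remediated}")
```

Two of the four files are flagged and restricted; the order number in f4 matches the digit-length pattern but fails Luhn, which is the kind of false positive a plain regex scan would raise on a large tenant. A real integration would page through the provider's file-listing API, scan content streams rather than strings, and record the previous sharing state so the change can be reversed if a finding is overturned.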
We Have a Simpler Approach: NGFW for Inline CASB
A next-generation firewall combines user, content and application inspection in a single enforcement point, and that combination is what delivers CASB functions: the firewall maps users to the applications they use and applies granular control over cloud application usage, regardless of location or device. Relevant NGFW features include granular app control (SaaS and on-premises apps alike), app-specific function control (for example, allowing download from an app while blocking upload or sharing), URL and content filtering, policies based on application risk, DLP, user-based policies, and prevention of known and unknown malware.
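The paragraph above lists the NGFW features that matter for inline CASB but does not show how they compose into a decision. The following is an added example (not code from the original post or from any vendor's firewall) of a first-match, default-deny policy evaluator that combines a user-to-group mapping, an application catalogue with risk scores and sanctioned flags, and per-function control. The directory, the app catalogue, the risk scale and the rule names are all constructed assumptions for illustration; an application the catalogue cannot identify is treated as highest risk and unsanctioned.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed user-to-group mapping, standing in for what an NGFW learns from
# the directory. "eve" is an unmapped user with no group membership.
USER_GROUPS = {
    "alice": frozenset({"finance"}),
    "bob": frozenset({"engineering"}),
    "eve": frozenset(),
}

# Constructed app catalogue: risk 1 (low) to 5 (high) and whether the app is
# sanctioned. Values are illustrative only.
APPS = {
    "box": {"risk": 2, "sanctioned": True},
    "dropbox": {"risk": 3, "sanctioned": False},
    "unknown-filesharing": {"risk": 5, "sanctioned": False},
}
# Anything the catalogue cannot identify is treated as worst case.
UNKNOWN_APP = {"risk": 5, "sanctioned": False}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "allow" or "deny"
    groups: Optional[frozenset] = None        # None = any user
    apps: Optional[frozenset] = None          # None = any app
    functions: Optional[frozenset] = None     # None = any function
    sanctioned: Optional[bool] = None         # None = sanctioned or not
    risk_at_least: Optional[int] = None       # None = any risk

    def matches(self, groups, app, app_info, function) -> bool:
        if self.groups is not None and not (groups & self.groups):
            return False
        if self.apps is not None and app not in self.apps:
            return False
        if self.functions is not None and function not in self.functions:
            return False
        if self.sanctioned is not None and app_info["sanctioned"] != self.sanctioned:
            return False
        if self.risk_at_least is not None and app_info["risk"] < self.risk_at_least:
            return False
        return True


# Ordered rulebase: first match wins, and anything unmatched is denied below.
RULES = [
    Rule("deny-high-risk", "deny", risk_at_least=4),
    Rule("finance-box-any", "allow", groups=frozenset({"finance"}), apps=frozenset({"box"})),
    Rule("deny-upload-unsanctioned", "deny",
         functions=frozenset({"upload", "share"}), sanctioned=False),
    Rule("allow-read-known-apps", "allow", functions=frozenset({"view", "download"})),
]


def evaluate(user: str, app: str, function: str) -> Tuple[str, str]:
    """Return (action, rule_name) for one user/app/function request."""
    groups = USER_GROUPS.get(user, frozenset())
    app_info = APPS.get(app, UNKNOWN_APP)
    for rule in RULES:
        if rule.matches(groups, app, app_info, function):
            return rule.action, rule.name
    return "deny", "default-deny"


if __name__ == "__main__":
    for req in [("alice", "box", "upload"), ("bob", "box", "upload"),
                ("bob", "dropbox", "upload"), ("bob", "dropbox", "view"),
                ("eve", "never-seen-app", "view")]:
        print(req, "->", evaluate(*req))
```

The rulebase reads the way a practitioner would write it on a firewall: risky or unidentified apps are blocked outright, a trusted group gets full use of the sanctioned app, exfiltration paths (upload, share) into unsanctioned apps are closed while read-only use remains permitted, and an engineering user who has no explicit upload rule falls through to the default deny. Ordering matters; moving the read-only allow above the unsanctioned-upload deny would not change these results, but moving it above the high-risk deny would silently permit viewing on unidentified apps.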
Customers who choose an NGFW-based approach should have deployment flexibility, using one or a combination of the following scenarios:
- NGFW as an appliance: Beyond physical appliances that may already be in place, virtual firewalls can act as gateways in the cloud to provide global coverage for remote users without deploying additional hardware. Most customers already have this component in place for on-premises users.
- NGFW as a cloud service: In this scenario, the multi-tenant, cloud-based security infrastructure is managed and maintained by the security vendor. For example, the Palo Alto Networks GlobalProtect cloud service lets customers use the preventive capabilities of the Palo Alto Networks Next-Generation Security Platform to secure remote networks and mobile users. The service can be a simple extension of an existing NGFW deployment to prevent the exfiltration of sensitive data across all apps, SaaS-based or not. Customers reduce the complexity and cost of managing global deployments and gain consistent protection across cloud environments.
What's more, when an inline NGFW is used as part of an integrated, prevention-first, next-generation security platform (an NGFW, a threat intelligence cloud, an API-based SaaS security service and advanced endpoint protection), customers can stop data leaks from their cloud apps and reduce threat exposure by controlling sanctioned and unsanctioned application usage. They can also prevent known and unknown threats within allowed traffic and keep their cloud application adoption compliant.
A next-generation security platform, in fact, provides complete cloud protection at a lower total cost of ownership than typical CASBs.
To learn more, check out the following resources:
[Palo Alto Networks Research Center]