Demystifying CASB - The Frontline Defense for Organizations against Data Leakage

An IIM Tiruchirapalli alumnus, Karthik is a highly skilled technology professional with over 13 years of experience across diverse enterprise security functions, especially cloud security.

With most organizational assets now on the cloud, firms want to focus on their core product without compromising on security or regulatory obligations, and are looking to commercial off-the-shelf security products such as the Cloud Access Security Broker (CASB). The emergence of remote and hybrid working after COVID has also increased enterprise risk, in the form of shadow IT adoption and geometric growth in BYOD. Adding further fuel to this is insider threat detection, which has become increasingly murky and whose containment is untenable. CASB is therefore now inevitable and an integral part of enterprise security.

Cloud Access Security Broker

CASB is hybrid software, deployed on-premise, that monitors cloud usage between network users and cloud applications through centralized policy enforcement based on the organization's business context. It significantly enhances cloud safety by tracking and protecting the movement of sensitive information; it helps organizations abide by regulatory frameworks, shields firms from attacks, and prevents employees from introducing further risk to the organization. To do so, CASB first performs auto-discovery, building the list of all third-party cloud services in use across the organization along with the employees using them. It then rates the risk severity of each application based on factors such as the application's functionality, the data being stored, and how that data is transmitted. Alerts about these cloud applications and their associated risk are raised by integrating with SIEM, SOAR or other notification tools through use-case automation, so that security teams can analyze them and remediate with appropriate and timely action.

CASB can be deployed in three different ways: reverse proxy, forward proxy and API control. A forward proxy, used to gain insight into outbound web traffic, sits between the user and the internet and thereby introduces an additional layer of defense. Similar to a forward proxy, a reverse proxy filters incoming traffic and routes it to the appropriate servers. An API-based CASB, on the other hand, provides ready-to-fit plug-in integration with SaaS applications or cloud service providers and helps monitor and control data usage in the cloud. In an enhanced model, two of the above modes can be combined and deployed in multi-mode, and the industry is seeing a major spike in the adoption of SaaS-based multi-mode CASB deployments.

CASB Use Cases for Organizations

Out-of-band CASB scans for sensitive data across all repositories and internal pages. Inline CASB prevents users from sharing, uploading or posting the company's internal sensitive and confidential information on social media websites from company-provided managed assets where CASB agents are deployed. Other classic scenarios CASB can prevent include employees using shadow IT to convert sensitive documents to Word format and vice versa, downloading content from random, unverified websites, and installing freeware that could land the organization in licensing issues or fines. CASB also prevents end users from browsing uncategorized or risky websites from organization-provided assets, and restricts them from sending data from unmanaged devices where a BYOD policy lets employees access company repositories and resources. Furthermore, CASB helps identify compromised accounts through built-in and custom anomaly detection, alerting administrators to unusual behavioral patterns. When these alerts are configured in CASB, administrators can take immediate action to quarantine specific user accounts and prevent potential harm to the organization.

CASB enhances cloud safety by tracking the movement of sensitive information, helps organizations abide by regulatory frameworks, shields them from attacks, and prevents employees from introducing more risk to the organization.

CASB Integration with SIEM & SOAR

CASB tools can be integrated with SIEM (Security Information and Event Management) tools to forward all DLP (Data Leakage Prevention) logs. These logs can be correlated with other log sources to detect, analyze and assess potential risk to the organization, and to prevent serious data breaches and internal or external attack attempts. Similarly, integrating CASB with SOAR (Security Orchestration, Automation and Response) platforms facilitates DLP-related threat and vulnerability management and incident response: tickets are raised automatically in the ticketing system, and for standard use cases they are auto-closed by following automated steps based on the organization's pre-developed guidelines.
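As an added example (not from the original article), the SIEM correlation and SOAR handling described here, together with the account quarantine mentioned under the use cases above, in Python over a few constructed JSON events; the field names, the 15-minute window and the three-block threshold are assumptions:

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: CASB DLP logs forwarded to the SIEM and sign-in logs
# from the identity provider that the SIEM correlates them with (JSON, one per line).
CASB_DLP_LOGS = """
{"ts": "2024-03-01T09:00:10Z", "user": "alice", "action": "block", "policy": "EDM-cards", "app": "personal-webmail", "device": "managed"}
{"ts": "2024-03-01T09:03:45Z", "user": "alice", "action": "block", "policy": "EDM-cards", "app": "personal-webmail", "device": "managed"}
{"ts": "2024-03-01T09:07:02Z", "user": "alice", "action": "block", "policy": "IDM-memos", "app": "file-share", "device": "unmanaged"}
{"ts": "2024-03-01T11:30:00Z", "user": "bob", "action": "block", "policy": "IDM-memos", "app": "social-media", "device": "managed"}
""".strip().splitlines()
SIGNIN_LOGS = """
{"ts": "2024-03-01T08:58:00Z", "user": "alice", "country": "DE", "device": "unmanaged"}
{"ts": "2024-03-01T11:20:00Z", "user": "bob", "country": "IN", "device": "managed"}
""".strip().splitlines()

def load(lines):
    events = [json.loads(line) for line in lines]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return events

def correlate(dlp, signins, window=timedelta(minutes=15), repeat_threshold=3):
    """Raise one incident per user: 'standard' for an isolated block, 'escalate' when
    blocks repeat within the window or coincide with an unmanaged-device sign-in."""
    by_user = defaultdict(list)
    for e in sorted(dlp, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    incidents = []
    for user, events in by_user.items():
        first, last = events[0]["ts"], events[-1]["ts"]
        burst = len(events) >= repeat_threshold and last - first <= window
        unmanaged = any(s["user"] == user and s["device"] == "unmanaged"
                        and first - window <= s["ts"] <= last for s in signins)
        severity = "escalate" if burst or unmanaged else "standard"
        incidents.append({"user": user, "blocks": len(events), "severity": severity,
                          "policies": sorted({e["policy"] for e in events})})
    return incidents

def soar_playbook(incident):
    """Actions a SOAR runbook would take: standard cases are ticketed and auto-closed
    with a user notice; escalations stay open and quarantine the account."""
    actions = [f"ticket:create user={incident['user']} policies={','.join(incident['policies'])}"]
    if incident["severity"] == "standard":
        actions += ["notify:user-awareness-reminder", "ticket:auto-close"]
    else:
        actions += ["account:quarantine", "notify:security-admin"]
    return actions
```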

CASB solutions can detect, alert on and prevent data leakage from endpoints and mobile devices by embedding Endpoint DLP and MDM (Mobile Device Management) capabilities into their existing features. CASB also detects, alerts on and prevents copying of a specific cell, row or column from structured data sources such as relational databases, via a feature named EDM (Exact Data Match). Unstructured data sources such as file storage or non-relational databases that store data as key-value pairs can likewise be protected by a feature called IDM (Index Data Match), in which content being posted, shared, copied or pasted is compared against fingerprints of the non-relational databases and file storage on a percentage-match basis. Any internal user or external attacker attempting to copy data from fingerprinted relational databases, non-relational databases or file storage will trigger DLP alerts to the security administrator.
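The EDM and IDM matching described above, as an added Python example rather than any vendor's implementation; the salted-hash fingerprinting, the 5-word shingles and the 40% threshold are assumptions, and the customer rows and memo are constructed sample data:

```python
import hashlib
import re

SALT = b"constructed-salt"  # assumption: a per-tenant secret, so only salted hashes are stored
# Constructed sample data: a structured source (customer table) and an unstructured
# source (internal memo). A real CASB fingerprints these inside the data owner's
# environment and only the hashes leave it.
CUSTOMER_ROWS = [
    {"name": "Alice Example", "email": "alice@example.com", "card": "4111111111111111"},
    {"name": "Bob Sample", "email": "bob@example.net", "card": "5500000000000004"},
]
INTERNAL_MEMO = ("Project Falcon pricing will be cut by twenty percent next quarter "
                 "to undercut the competitor launch and the board approved this plan")

def fp(value):
    """Salted hash of a canonicalized value (case, spacing and edge punctuation removed)."""
    canon = re.sub(r"\s+", " ", value.strip().strip(".,;:'\"").lower())
    return hashlib.sha256(SALT + canon.encode()).hexdigest()

def edm_index(rows):
    """Exact Data Match: one hash per cell value, mapped back to its column name."""
    return {fp(value): column for row in rows for column, value in row.items()}

def edm_scan(text, index):
    """Return the fingerprinted columns whose exact cell values appear in text."""
    tokens = re.findall(r"[\w.@-]+", text)
    candidates = tokens + [f"{a} {b}" for a, b in zip(tokens, tokens[1:])]  # two-word cells
    return {index[fp(c)] for c in candidates if fp(c) in index}

def shingles(text, k=5):
    """Hashes of every run of k consecutive words: the unit of comparison for IDM."""
    words = re.findall(r"\w+", text.lower())
    return [fp(" ".join(words[i:i + k])) for i in range(len(words) - k + 1)]

def idm_index(document, k=5):
    """Index Data Match: fingerprint a document as the set of its k-word shingles."""
    return set(shingles(document, k))

def idm_match_percent(text, index, k=5):
    """Percentage of the text's shingles found in the fingerprinted document."""
    sh = shingles(text, k)
    return 100.0 * sum(s in index for s in sh) / len(sh) if sh else 0.0

def dlp_verdict(text, edm, idm, idm_threshold=40.0):
    """Combine EDM and IDM into the decision a CASB would take on an outbound message."""
    columns, pct = edm_scan(text, edm), idm_match_percent(text, idm)
    if columns or pct >= idm_threshold:
        return "BLOCK", f"EDM columns {sorted(columns)}, IDM match {pct:.0f}%"
    return "ALLOW", f"no EDM hit, IDM match {pct:.0f}% below threshold"
```

Only hashes of the source data are held by the scanner, which is why the comparison can run outside the database without exposing the fingerprinted values themselves.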

Most of the time, organizations focus on protecting information assets from external threats and overlook the possibility of data leakage from insider threats such as disgruntled employees. Some of the most prominent attacks so far have been caused by insiders, through misconfiguration, negligence and lack of security awareness among employees. To prevent all of the above, organizations can look at embedding CASB solutions in their security strategy and prevent data leakage from every possible source.