If I had to guess which topic Enterprise Architecture Research Group (EARG) discusses most often with clients, regardless of organization size, it would have to be network visibility. But it isn’t just our clients that want to know more on this topic, enterprises throughout the US lack visibility into what’s happening on their networks.
The adoption of cloud services has added to the lack of network visibility enterprises are experiencing, and we aren’t just talking about software as a service (SaaS). According to our NSS Labs 2017 Cloud Security Study, 62.9% of US enterprises consume SaaS, 48.3% utilize platform as a service (PaaS), and 41.0% have an infrastructure as a service (IaaS) footprint in the cloud. Each of these cloud service models presents unique visibility challenges that range from the unauthorized use of cloud-based applications to misconfigured permissions on a cloud storage bucket.
The cloud access security broker, or CASB, was created to combat this lack of visibility in the cloud.
What is a CASB?
CASBs are designed to act as security policy enforcement points (PEPs) between cloud consumers and cloud service providers. A CASB should reduce the threat of cloud-based malware propagating by inspecting, and, where necessary, quarantining an enterprise’s critical data stored in the cloud. It should also minimize the impact of data leakage by enabling encryption across all data at rest. Additionally, CASBs should enable compliance with regulatory or organizational standards through the governance of cloud-based applications. Above all, CASBs must enable continuous visibility into employee use of any cloud-based applications.
Interoperability is the name of the game when it comes to CASB deployments. These products often require full integration with existing security technologies to reach their maximum potential in real-world use. However, the effort required to achieve these integrations widely varies. Firewalls, next generation firewalls, secure web gateways, data loss prevention, anti-malware, identity and access management, enterprise digital rights management (EDRM), mobile device management (MDM), security information and event management (SIEM), key management systems (KMS), etc. are often CASBs closest allies.
If CASBs do what they promise, they should be considered the centerpiece of enterprise cloud security deployments. In fact, if an enterprise utilizes cloud services and doesn’t deploy a CASB (or another product that provides visibility into the usage of cloud-based applications), that organization is placing itself at risk from myriad attack vectors.
CASB Form Factors and Deployment Modes
Enterprises have several options when deploying a CASB. Most vendors offer several form factors, including on-premises appliances (both physical and virtual), SaaS applications, or combination of the two.
Four deployment modes exist for a CASB: log collection and API are both out of band, whereas forward proxy and reverse proxy are inline deployments. To maximize their value from a CASB, many organizations deploy two or more modes, commonly referred to as a multi-mode deployment.
These deployment modes, along with integrations with other security technologies, will dictate the use cases that the CASB can solve for.
CASBs target a broad array of use cases of varying complexity, including:
- Continuous visibility into sanctioned and unsanctioned cloud-based application usage
- Content inspection and protection of sanctioned cloud-based applications for sensitive information and malware
- Policy enforcement based on user, device, location, etc. for sanctioned cloud-based applications
- Encryption at rest and tokenization across all sanctioned cloud-based applications
- Identification of security gaps for IaaS and PaaS deployments (e.g., audit user permissions, activity, security configurations, and compare against regulatory requirements, etc.)
Which Organizations Deploy CASBs?
60.7% of the US enterprises that participated in the NSS Labs 2017 Cloud Security Study indicated they deploy a CASB. Additionally, 10.2% indicated they planned to purchase a CASB within the next 12 months.
Breaking down the deployment statistics by horizontal, we found that 58.7% of small and medium-sized enterprises (SMEs) deploy a CASB, compared to 61.5% of large enterprises (LE) and 59.6% of very large enterprises (VLE). 13.0% of SMEs, 7.7% of LEs, and 13.5% of VLEs indicate that their organization will purchase a CASB product in the next 12 months.
A Hot Topic
CASB technology was a hot topic last year and the buzz isn’t going away any time soon. Within the last six months, the CASB has become one of our most requested research topics. Enterprises want to know which features other enterprises are utilizing in their CASB deployments; which form factors and deployment modes provide the best protection for their own use cases; and ultimately, which CASB vendor is considered the best by their peers, in terms of interoperability, management, ease of use, technical support, and overall value.
Stay tuned as we explore these topics and more in the upcoming NSS Labs 2018 CASB Study. Meanwhile, dig into the results of the NSS Labs 2017 Cloud Security Study by reviewing The Shared Responsibility of Securing the Cloud or our recently published Cloud Security Intelligence Brief.
If you would like to contribute to our CASB study, email the EARG at firstname.lastname@example.org.
NSS Labs has released a series of Intelligence Briefs that focus on security controls in the US enterprise, one of which is focused on cloud security. The series will report on security product usage as reported by information security professionals representing US industries. This paper will be available to subscribers to our research library.
Follow us on Twitter (@NSSLabs) to keep informed as new research is released.