The Genesis of CASB Solutions: Block the Cloud
- Blocking services— thus "cloud access",
- With a low a 'security score',
- By rerouting employee traffic through a proxy—thus a "broker",
In short, early CASB's could block Shadow IT, but did not offer any security themselves. They could only block services it deemed insecure.
Eventually, the market changed. Companies began to embrace the cloud and adopt SaaS applications as core to their business infrastructure and the term 'cloud security' now meant more than just blocking unwanted services. CASB vendors added new features like encryption, data leak prevention and malware detection, but they still rely upon the proxy model of deployment.
As employee use of the cloud expanded, CASB visibility and control has become less effective.
First, the proxy model limits a customer's ability to deploy full-stack security. Each vendor only specialized in one or two features but it is not possible to deploy multiple gateways between the user and the cloud. You are locked into the capabilities of one.
Second, the "Shadow IT" threat (users connecting to unwanted SaaS) has been surpassed by "Shadow SaaS"—users connecting approved services directly to unapproved applications via API. Also, today's mobile devices use apps that will bypass a proxy to connect directly the cloud.
Third, CASB systems are blind to partners, collaborators or hackers that never pass through the proxy. They cannot see the confidential messages or malicious files that these users might send.
Some CASB products have tried to regain control by rerouting more traffic through the proxy, forcing all internet traffic through the gateway, even redirecting some partner traffic.
An Example: CASB Cannot Protect SaaS Email
One way to better understand the drawbacks of the CASB Gateway model is to look at the single greatest threat to your cloud: email. Over 90% of all breaches in the last 5 years started with an email, but no CASB vendor discusses their email malware and anti-phishing capabilities for Gmail or Office 365.
This is true of all CASB vendors, but we will look at couple from the top vendors: “Securing Office 365” and "Office 365 Safe Cloud Enablement". Each document describes in detail the protection each company offers for Office 365:
- Identify users that not using Office 365 (Shadow IT),
- Alert you to strange logins and anomolous behavior,
- Identify sensitive data and encrypt files or prevent sharing in One Drive,
- Malware detection for files uploaded or downloaded from One Drive.
Neither mentions email. Neither mentions sharing sensitive information via email or the ability to encrypt attachments. A search for "phishing" or "ransomware" turns up empty.
Email is at the core of Office 365 and GSuite. Email is at the core of business and collaboration. Email is the single most likely target for attackers and the most common way for confidential information to leak out of your organization.
This example is not unique. Most every collaboration tool, from Skype to Slack to Teams can be a vector for data loss, malware and phishing.
The Future of CASB: Where to go from here?
Today, most companies manage the problem of "Shadow IT" using traditional application-aware firewall rules, making redundant the core feature of most CASB vendors.
The malware and data leakage features offered with CASB 2.0 are limited to file sharing apps and have not kept up with the collaboration tools that are the greatest threat to business.
The single greatest threat to the CASB industry, however, is the fact that no single company can be the best at all things.
Threats are changing every day. New attacks, using new vulnerabilities and more aggressive techniques are being devoloped at a rate such that no vendor can possibly keep up.
Because you just cannot deploy more than one CASB proxy, it becomes a challenge to adapt to new threats and impossible to add additional layers of security.
How Avanan is Different
Avanan is more than a CASB. It is a Cloud Security Platform that avoids the drawbacks of the CASB architecture to offer true, full-stack, future-proof security for your cloud.
- Proxy-free deployment, using direct API connections to capture 100% visibility and control
- Full-SaaS control. All of Office 365 and GSuite including file sharing, collaboration and email.
- Full stack security beyond Shadow IT, malware, DLP, phishing, encryption, file sanitization, and more,
- Today's best-of-breed vendors and tomorrow's next-generation technology, whatever it may be.
When people ask the question "Are you a CASB?", my answer is this:
"CASB is just a small part of what we do. We offer Shadow IT, DLP and malware protection, but offer it for all the cloud, not just file sharing. We offer more than a CASB because we have partnered with the industry's best vendors to create a full stack of security for the cloud."
We recently held a webinar that digs more deeply into the ways that Avanan offers complete cloud security that is just not possible using a traditional CASB platform.
I invite you to watch: