What is a CASB?
I am attending the Gartner Security and Risk Management Conference this week and both analysts and customers are seeing a change in the cloud security marketplace. It is no longer about monitoring web traffic and blocking unwanted SaaS, but true data security and data loss prevention, threat protection and compliance enforcement.
When Gartner first defined the term Cloud Access Security Broker (CASB) in 2011, most IT applications were hosted in the data center, few companies trusted the cloud and online services were primarily aimed at the consumer. CASB products were designed to limit employee access to cloud services and prevent corporate data from leaving the network.
Today, organizations have embraced the cloud, replacing many of their datacenter applications with Software as a Service (SaaS) or moving much of their IT to Infrastructure as a Service (IaaS) providers like Amazon or Azure. Instead of limiting access, CASBs have evolved to protect cloud-hosted data and provide enterprise-class security controls so that organizations can incorporate SaaS and IaaS into their existing security architecture.
CASBs provide four basic security services:
- Visibility: a CASB identifies all the cloud services (both sanctioned and unsanctioned) used by an organization's employees. Originally, this only included the services they would use directly from their computer or mobile device, often called "Shadow IT". Today, it is possible for an employee to connect an unsanctioned SaaS directly to an approved SaaS via API. This "Shadow SaaS" requires more advanced visibility tools.
- Data Security: a CASB enforces data-centric security policies by offering granular access controls or encryption. It incorporates role-based policy tools, data classification and loss prevention technologies to monitor user activity and audit, block or limit access. Once, these were stand-alone systems. Today it is vital that they are integrated into the organization's data policy architecture.
- Threat Protection: a CASB protects cloud services from unwanted users or applications. This might include real time malware detection, file sandboxing or behavior analytics and anomaly detection. New threats require new protections, so the list should include anti-phishing, account-takeover detection and predictive (A.I.) malware technologies.
- Compliance: Regulated organizations require auditing and reporting tools to demonstrate data compliance and a CASB should provide all the necessary auditing and reporting tools. More advanced solutions offer policy controls and remediation workflows that enforce regulatory compliance in real time.
The future of cloud security is no longer about limiting SaaS access, but protecting your data within the cloud infrastructure.
The Avanan CASB Platform
The Avanan platform is a complete CASB solution, providing the full feature set that you would expect from any cloud access security broker. In addition, we have partnered with the industry's best security vendors to provide more advanced data security and threat protection than any single company could provide.
Avanan provides both Shadow IT and Shadow SaaS monitoring to identify unapproved cloud applications without the need to reroute traffic through a proxy or install an additional appliance.
- Shadow IT Monitoring: Avanan connects to any existing enterprise firewall to monitor all outbound traffic for unapproved SaaS applications. It can capture data from your DNS or DNS management systems or connect to advanced perimeter gateways via API to capture real-time web activity. Avanan's email filtering solutions also monitor your users' inboxes for rogue SaaS communication, providing additional admin and user information.
- Shadow SaaS Monitoring: The Avanan platform connects to your approved SaaS and IaaS provider to monitor all third party SaaS applications that users might connect to your service. It identifies both the service as well as the level of access the user has provided.
The Avanan platform, by itself, is a complete data security solution that provides a full suite of policy enforcement tools to protect confidential information. By partnering with leading security vendors, it offers additional capabilities that make it the most advanced cloud data security solution available today.
- Data Classification: Avanan's SmartSearch tools identify personally identifiable information (PII) and other confidential text within every file, email or message. If you have already deployed a Data Security/Data Leak Prevention tool in your own network, Avanan has partnered with every major vendor so you can apply the same policies across all your cloud services.
- Data-Centric Access Management: Avanan can manage granular file permissions based upon the user's role and the type of data the file contains using cloud-aware enforcement options that work within the context of the cloud service. Remediation workflows ensure that securing data does not affect business, offering real time enforcement that does not require IT intervention.
- Policy-based Encryption: Avanan makes it simple to deploy your choice of encryption across all your cloud services using role-based, context-aware policies that eliminate the need to encrypt everything but still ensure data security, even after files leave the cloud.
Avanan is the most complete threat protection solution for the cloud, with multiple security layers from the top vendors in the industry. It is as advanced as the security stack that a company might deploy in their own datacenter.
- Anti-phishing Protection: Phishing attacks were the #1 source of data breaches last year, but only Avanan offers phishing protection for cloud-based email. Machine learning algorithms combine with role-based, contextual analysis of previous conversations to identify the threats that Gmail and Office 365/Outlook miss.
- URL Analysis: Web-based threats are blocked before the malicious URL reaches the user's inbox.
- Real Time Malware Detection: Every email and file is instantly scanned for active code and malicious content using multiple analysis engines.
- Advanced Threat Sandboxing: Emulation analysis is the industry standard for identifying zero-day threats and Avanan has partnered with the leading vendors to provide fast and accurate protection.
- Active Content Analysis: Next generation malware detection offers zero-day protection with real-time results.
Avanan scans every file, message or other cloud-based asset with all categories of threat protection technology in parallel and uses machine learning algorithms to interpret the results and decide upon a response. This increases the odds of catching the next zero-day threat while decreasing the noise of false positives.
Avanan makes it possible to extend an organization's existing audit, policy and compliance enforcement architecture to the cloud. Because it captures every user, file permission and configuration change in realtime and can access a complete history from each SaaS account, it is possible to measure historical compliance, enforce realtime policy
- SIEM Integration: Avanan gathers and correlates event information from every SaaS and from every security vendor on the platform and can stream it to an existing logging server or SIEM.
- Audit: Both historical and realtime event information can be compared to policy in order to create historical compliance reports and, more importantly, provide a realtime measure of regulatory compliance.
- Enforcement: Avanan can enforce compliance in realtime because of its tight integration with each SaaS to control access permissions, move, quarantine and encrypt files, block and edit email and communicate with both users and administrators.
- Remediation Workflow: Beyond enforcement, Avanan's policy engine offers remediation workflows that make it possible for the user to return to compliance without IT intervention or business interruption.
How Avanan Delivers the CASB Solution
While there are many CASB vendors, each specializes in just one or two of the four pillars of cloud security. Some specialize in Shadow IT. Others offer data leak prevention, but only for users that connect via their proxy. Very few offer Avanan's complete threat protection security stack and none protect against the #1 threat to the cloud: email phishing.
Best of Breed Security
Avanan leverages best of breed security to help meet CASB requirements. Put simply, if you are using Symantec DLP within your network, you can easily extend it to scan and control the sharing of sensitive data via the cloud with Avanan. Using FireEye in your datacenter? Avanan lets you leverage the same technology to scan your files in OneDrive, SharePoint, Dropbox, Box, etc.
Avanan is 100% API-based, meaning there is no hardware or software to install, no rerouting of traffic and no agent to deploy. With today's mobile workforce, forcing all your users' traffic through a proxy gateway, even if it is in the cloud, does not scale. Avanan's connection to each SaaS's infrastructure provides 100% visibility into every user, file, permission and configuration change, both in real time and historically. More importantly, it offers much greater and more granular control to enforce policy and remediate within the context of the cloud's own infrastructure. A proxy offers a very narrow view of the cloud and is limited in its ability to enforce policy, except to block at the bottleneck.
At the end of the day, our customers validate our approach in solving the CASB requirements. Because CASB is only a subset of the Avanan platform, it offers a much more complete cloud security solution. As a CISO in a F100 financial told us “Avanan not only meets our CASB based requirements, but also solves the number one challenge we are having with Office 365—email based phishing and malware attacks.”
This is our mission. To provide the security that organizations need to protect their users and their data in the cloud no matter the industry 'category'. No one company can be the best at all things. We will continue to seek out new technology to solve tomorrow's security concerns in order to stay ahead of the security threat.