In previous posts, we covered how DNS Filtering and SWGs are just two of the basic building blocks for a Secure Access Service Edge (“SASE”) portfolio. The SASE market continues to evolve as customers demand more comprehensive threat protection for anyone working on anything from anywhere ̶ especially when it comes to the need for malicious detection tools to protect against threats lurking in the cloud. According to a 2021 workplace trend report, 30% of cloud apps adopted during the pandemic are collaboration and consumer apps. And 97% of the cloud apps in use in the average enterprise are cloud “Shadow IT”. From Shadow IT, to BYOD, to the growth of SaaS application traffic and the increased volume of enterprise data stored in the cloud, the need for extending threat protection beyond the reach of DNS Filtering and SWGs gave rise to Cloud Access Security Brokers (CASBs).
What is a Cloud Access Security Broker?
Cloud Access Security Brokers (CASBs) are designed to act as an intermediary between end users and cloud-based applications to close the security gaps and increase threat protection in cloud environments. Per Gartner, CASBs are security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement which may include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention, etc.
CASBs and SWGs are similar in that they function as a centralized security point through which traffic flows, but the use cases are very different. SWGs are used to protect a corporate network and deployed either on-premise or as a cloud-based extension of the network. The SWG also requires that traffic pass through it in order to secure it. This becomes problematic when users connect to cloud-based apps that bypass the corporate network which creates a significant visibility gap. Put simply, SWGs are designed to monitor and secure web traffic on managed devices, while CASBs are designed to monitor and secure SaaS traffic in the cloud on either managed or unmanaged devices. And since enterprise HTTP traffic is a combination of both SaaS application traffic and web traffic, CASBs add the next complementary layer of security in the SASE framework that enables even deeper visibility to apply more nuanced policies and more granular policy controls that go beyond just allowing or blocking applications or traffic.
The Four Pillars of CASB
Visibility. CASB solutions deliver comprehensive visibility that extends beyond the perimeter by monitoring SaaS traffic and cloud app usage on either managed or unmanaged devices. The deep visibility enables administrators to see who is using different cloud services and the ways in which those services are being used to provide Shadow IT discovery and sanctioned application control. CASBs provide an overall assessment of risky traffic – including not only Shadow IT, but malware, anonymizers, and several other categories of traffic indicative of data exfiltration.
Compliance. CASBs assist with data residency and compliance with regulations and standards, as well as identify cloud usage and the risks of specific cloud services. CASBs fill in the visibility gaps offered by most SaaS vendors by inspecting the data in cloud-based applications to help organizations maintain compliance with regulatory requirements like GDPR, HIPAA, ISO 27001, PCI DSS, and more.
Data Security. CASBs monitor sensitive data that travels to or from the cloud, within the cloud, and cloud to cloud. CASBs extend an organization’s ability to minimize data leaks through robust security features like data loss prevention, collaboration control, access control, information rights management, encryption, and tokenization.
Threat Protection. Cloud-delivered malware has eclipsed web-delivered malware. One recent report indicates that malware downloads originating from cloud apps increased to 66% of all malware downloads when compared to traditional websites, up from 46% at the beginning of 2020. To protect against the rise in threats coming from cloud services, CASBs can use capabilities such as adaptive access control, static and dynamic malware analysis, prioritized analysis, and threat intelligence to block malware.
Powering CASBs — The Importance of Quality Data for Threat Protection
As we continue to reiterate throughout this blog series, the potential of a CASB to deliver maximum threat protection hinges upon the quality of threat intelligence data used to power the solution. And similar to how the accuracy of threat detection and content categorization of full-path URLs is crucial for SWGs to protect against web-based threats on shared user content sites, shared hosting sites or compromised hosts, it is just as crucial for CASBs to have fast and highly accurate threat detection and blockable content categorization for full-path URLs.
We’ll repeat the example of google docs used in our previous post. When legitimate sites are compromised, full-path URL level filtering is required to stop the attack. Attackers frequently target docs.google.com or sites.google.com, with the compromised URLs that may look similar to what is shown in the examples below.
While the SWG can protect users that are attempting to access these URLs from within the network perimeter or from a managed device, a CASB is required to extend that same level of threat protection to users that may attempt to access those URLs from outside the perimeter or via the web applications on unmanaged/BYOD devices because those connections bypass the SWG.
Vendors who choose to pursue a maximum protection model are advised to evaluate the same key areas we have recommended previously and included again below with a key focus on focus on threat detections, a highly granular taxonomy for content classifications, and having the very critical capability to block and filter full-path URLs.
- Threat Detection Speed. How quickly are new and emerging threats detected — hours, days, longer? While the average time to detect can be tricky to pinpoint, it can be evaluated by measuring one threat feed provider against another. It goes without saying, the fastest time to detect is crucial to threat protection.
- Accuracy. While the fastest time to detect may be a leading priority, it should not be considered independently of accuracy. A lack of accuracy, or high false positive rate can ultimately work against you.
- Coverage. Your visibility into the threat landscape, and ability to protect users and endpoints, depends on having extensive coverage of the ActiveWeb and global clickstream traffic.
- Curation vs Aggregation. Data curation itself is another fuzzy definition. There are threat feed providers claiming to curate threat feeds, but what they are really doing is aggregating a selection of feeds, as opposed to actually curating the data that comes from those feeds to have maximum coverage with the lowest possible amount of false positives.
- Content Classification. A premium domain database will also have excellent coverage for all forms of objectionable and other content, providing the vendor with the opportunity to offer content-based filtering to supplement the phishing and malicious threat protection.
- Real-Time Detection/Update Capability. What constitutes ‘real-time’ in terms of technology applications can vary from minutes to hours. It’s important to understand how each threat feed provider defines real-time detections, as well as real-time updates (the time between which a threat is detected and the time that threat propagates to deployments).
- URL Level for Blocking. It’s important to have the ability to filter and block URLs at various levels depending on the implementation — domains, subdomains, IPs and full-path. In some cases, blocking at the domain and subdomain is perfectly fine. Other times, full-path URL blocking is necessary to protect against threats more deeply embedded in commonly whitelisted sites like google docs, Dropbox, etc.
Where zvelo Fits with Cloud Access Security Brokers in the SASE Framework
zvelo is the #1 provider of premium cyber threat intelligence data, URL database, and web classification services to SASE vendors. zveloDB is the market’s premier Domain Database with the broadest coverage of phishing, malicious and objectionable content detections, lowest FP rate, fastest time to update, and best lookup performance speed. Additionally, the zveloCTI threat data offers both phishing and malicious detection threat feeds to support the need for full-path threat protection you need to power your CASB, making zvelo a data powerhouse for your DNS Filtering, Secure Web Gateway, CASB and other SASE functions, all available through a single integration.
Up Next in the SASE Blog Series: Firewall-as-a-Service: Next-Gen Firewall for the SASE Framework