The Critical Role of Cloud Access Security Brokers (CASBs) – A Mini-Series [Part 3]
Updated: Sep 18, 2020
The CASB market is rounding the corner into the mainstream. Venture-backed startups are being acquired and big tech firms are positioning, while enterprises are taking a serious look at these solutions. In Information Security Risk Management circles there are some who understand these solutions, but there are still many people who are not clear on where CASBs fit in an overall Information Security strategy. My goal is to provide some background on the topic from a business and technology perspective and to start some interesting conversations about these solutions.
This is the third post in a four-week, non-product-specific educational series on the Critical Role of Cloud Access Security Brokers. The series covers the topics outlined below using short, recorded presentations. This post includes Part 3.
Part 1: What is Cloud Access Security? [link here] – An introduction or refresher on the key Information Security concerns related to public Cloud adoption, and an introduction to the CASB market
Part 2: What is a CASB and how does it work? [link here] – A deeper dive into how CASBs work, the functions they provide, and how those functions are delivered
Part 3: How do CASBs complement other security tools? [THIS POST] – An overview of how CASBs relate to and integrate with other critical components of the Information Security Architecture
Part 4: CASB Use Cases and Deployment Strategy – The different approaches to implementation and business integration with these solutions
For each of these presentations, including this one, a transcript of what I’m saying is provided in the post. If you would like a PDF of the presentation, which may be freely distributed, please let me know. I hope you find this series useful and appreciate any and all feedback. Thank you!
TRANSCRIPT: Hi, my name is Kyle Watson, managing partner of information security at Cedrus and a veteran executive security architect. This is part THREE of FOUR, where I explain the critical role of cloud access security brokers, or CASBs, in your Information Security architecture. Today I’ll provide an overview of how CASBs integrate with other technologies. As an important side note, this material builds upon many of the topics in Part 2. If you haven’t been through the Part 2 presentation, I strongly suggest that you go back and review it now. You can find it on my YouTube channel or as a link in this post.

How do CASBs perform Log-Based Discovery?
- Before an analysis can begin, the logs must be sent to the CASB. Logs may be uploaded manually, or an on-premises log collector can be configured to retrieve logs and send them to the CASB.
- Most common web proxy and next-generation firewall log formats are natively supported.
- Log files may be compressed with common utilities such as zip and gzip prior to upload.

How CASBs Integrate with Cloud App APIs
- API integration is not proxy driven; rather, the CASB interacts directly with the cloud app.
- Polling model: the CASB calls the cloud app through its API to check for changes and to crawl data at rest. This is the most common approach and is supported by most cloud apps. As an example, the Box storage app provides an admin API that gives visibility into an enterprise account for all users. The CASB can poll that API to discover whether any account has changed; if so, the Box events API can then be polled to discover the detailed data changes, and the CASB can apply policy to the data.
- Callback model: the CASB registers with the cloud app via API to be informed of significant events (this must be supported by the cloud app). The Microsoft Office 365 Webhooks API is one example.

How CASBs Integrate with Cloud Apps through Reverse Proxy
- Configuration happens within the cloud app and your Identity solution.
- Commonly, SAML flows are used to force redirects. Let’s step through how this happens:
  1. The user, from a browser client, attempts to connect to the application, say Salesforce.com.
  2. The cloud app responds to the user’s browser and directs the user to log in at an Identity Provider. This is a configuration in the cloud app.
  3. The user authenticates, and a SAML SSO token including another redirect is returned to the user’s browser. The user is directed through the CASB, acting as a proxy, to the application.
  4. The SAML token automatically logs the user into the cloud application and the user is working. Now the CASB is in line, so policy decisions can be made to protect corporate data in real time.
- This configuration can work for any browser, anywhere, but will not help for native apps.

How CASBs Integrate with Cloud Apps through Proxy Chaining
- An existing proxy, such as a secure web gateway, intercepts outbound traffic.
- Based upon the existing web proxy configuration, particular traffic can be forwarded to the CASB as a “chained” proxy.
- The CASB proxies the session to the cloud app, and this is all transparent to the end user. Again, the CASB is in line, so policy decisions can be made to protect corporate data in real time.
- This configuration works for enterprise devices that are configured to route through the corporate web gateway, either on premises or through VPN, or through a CASB-installed agent, as we’ll see on the next page.

How CASBs Integrate with Cloud Apps for Non-Managed Devices
- Endpoint agents can be used to ensure native apps are correctly routed.
- In addition, endpoint agents cover all apps, not just native ones, although, as previously mentioned, web apps can be handled in agentless fashion with a reverse proxy.
- Mobile Device Management (MDM) is used to distribute the agent to devices.
- The agent/profile configuration is set up to push particular app domain ranges to the CASB (with an intermediate proxy if desired).
- This configuration works well for mobile devices that are not on the corporate network at the time they access enterprise cloud apps.

CASBs and Existing On-Premises Data Classification Solutions
- Enterprises (should) have data classification levels to identify their most critical data.
- Many enterprises have implemented solutions to “tag” the data; these tags represent classifications such as “confidential”.
- Some CASBs can read the tags and use the classifications to enforce policies. So when a user tries to save a document containing confidential data, the CASB can make a policy decision to, for example, not allow the document to be saved to particular cloud app storage, or to encrypt it.

CASBs and Identity and Access Management
- CASB depends very heavily on your existing identity and access management infrastructure. Let’s discuss some of the critical areas that either integrate directly with the CASB or are necessary prerequisites.
- Access Provisioning, Enterprise: manage user access for common enterprise apps, including the Identity Provider registry used with CASB configurations. So if my enterprise user registry were Active Directory, an enterprise access provisioning tool such as SailPoint IIQ would read the HR data and generate user access in AD.
- Access Provisioning, Cloud: manage user access and entitlements for cloud apps. This is particularly important as many business apps are being moved to the cloud; bulk and ongoing provisioning to create the access is required.
- A common framework is now available for this, called [System for Cross Domain Identity Management (SCIM 2)].
- Identity Provider: the enterprise registry of user identities used for authentication, and the authentication pages where users log in.
- SAML and OAuth: Single Sign-On (SSO) token types that allow users who authenticate at the Identity Provider to sign on to the cloud app without a second login page. Typically this is all part of the Identity Provider configuration, but I called it out here because it’s a key point.
- Attestation / Governance: providing the correct access to particular users based upon role, and validating that access periodically by asset owner and manager. This is not CASB specific, but it is important for compliance with regulatory mandates such as SOX.

CASBs and Security Information and Event Management (SIEM)
- SIEMs provide an important risk mitigation function: correlating and elevating risks as events occur across separate networks and systems.
- CASBs are policy enforcement points and generate violation activity logging.
- CASBs can integrate with a SIEM via REST API or via logs.
- Correlating cloud activity with enterprise activity (in real time with the API) provides a more holistic view.
- SIEMs and CASBs can work together to handle insider threats effectively.

Well, that’s it for our CASB integration overview. Please look out for Part 4, where we’ll look at CASB common use cases and implementation plans. Thank you.
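Returning to the log-based discovery section of the transcript: the following is an added example, not code from this post or from any CASB product, showing the kind of analysis a CASB runs over an uploaded web proxy log to surface cloud app usage and unsanctioned ("shadow IT") apps. The log line format, the sample log lines, the app catalog and the sanctioned list are all constructed for the example; it also accepts the gzip-compressed upload the transcript mentions.

```python
import gzip
from collections import defaultdict
# Constructed mini catalog; a real CASB ships thousands of apps with risk scores.
APP_CATALOG = {"box.com": "Box", "salesforce.com": "Salesforce",
               "dropbox.com": "Dropbox", "pastebin.com": "Pastebin"}
SANCTIONED = {"Box", "Salesforce"}  # apps the enterprise has approved

def app_for_host(host):
    """Map a destination hostname to a catalog app, walking up parent domains."""
    parts = host.lower().split(".")
    for i in range(len(parts) - 1):
        app = APP_CATALOG.get(".".join(parts[i:]))
        if app:
            return app
    return None

def discover(log_bytes):
    """Aggregate per-app usage from raw or gzip-compressed proxy log bytes.
    Constructed line format: <timestamp> <user> <host> <bytes sent> <bytes recv> <action>"""
    if log_bytes[:2] == b"\x1f\x8b":  # gzip magic: the collector uploaded a .gz
        log_bytes = gzip.decompress(log_bytes)
    usage = defaultdict(lambda: {"users": set(), "sent": 0, "recv": 0, "requests": 0})
    for line in log_bytes.decode().splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # malformed line: skip it rather than abort the analysis
        _ts, user, host, sent, recv, _action = fields
        app = app_for_host(host)
        if app is None:
            continue  # not a catalogued cloud app (e.g. intranet traffic)
        e = usage[app]
        e["users"].add(user)
        e["sent"] += int(sent)
        e["recv"] += int(recv)
        e["requests"] += 1
    return {app: dict(e, users=sorted(e["users"]), sanctioned=app in SANCTIONED)
            for app, e in usage.items()}

def shadow_it(report):
    """Unsanctioned apps, most bytes uploaded first (where data is leaving)."""
    ranked = sorted(report.items(), key=lambda kv: -kv[1]["sent"])
    return [app for app, e in ranked if not e["sanctioned"]]

SAMPLE_LOG = b"""2020-09-18T09:01:02Z alice app.box.com 1200 34000 ALLOW
2020-09-18T09:02:10Z bob login.salesforce.com 800 12000 ALLOW
2020-09-18T09:05:44Z alice www.dropbox.com 5200000 900 ALLOW
2020-09-18T09:06:01Z carol pastebin.com 48000 300 ALLOW
2020-09-18T09:07:15Z bob www.dropbox.com 310000 1200 ALLOW
2020-09-18T09:08:30Z dave intranet.example.com 100 2000 ALLOW
"""  # constructed sample proxy log, not from the post
SAMPLE_LOG_GZ = gzip.compress(SAMPLE_LOG)  # the same log as a gzip upload
```

Running `shadow_it(discover(SAMPLE_LOG))` ranks Dropbox ahead of Pastebin because more bytes left the enterprise towards it, which is the question a discovery report answers first.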
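Tying together the API polling model, the classification-tag policy and the SIEM hand-off discussed above, this is an added example and not code from the post or from any vendor: it polls a constructed events feed with a cursor (the CASB's stream position), decides allow/block/encrypt from the classification tags on each file, and renders the violations as lines in the ArcSight Common Event Format for a SIEM to ingest. The event shape, the policy rules, the severities and the ExampleCASB vendor name are assumptions made for the example.

```python
# Constructed events, shaped like what a cloud storage events API returns when
# polled: event id, actor, object, action, destination and classification tags.
EVENT_FEED = [
    {"id": 101, "user": "alice", "file": "q3-forecast.xlsx", "action": "upload",
     "target": "corp-finance", "tags": ["confidential"]},
    {"id": 102, "user": "bob", "file": "lunch-menu.pdf", "action": "share_link",
     "target": "public", "tags": []},
    {"id": 103, "user": "carol", "file": "term-sheet.docx", "action": "share_link",
     "target": "public", "tags": ["Confidential"]},
    {"id": 104, "user": "dave", "file": "holiday-plan.docx", "action": "upload",
     "target": "personal", "tags": ["internal"]},
]

def poll(feed, cursor):
    """Polling model: fetch events newer than the cursor (the CASB's stream
    position from its last call) and return them with the advanced cursor."""
    new = [e for e in feed if e["id"] > cursor]
    return new, (new[-1]["id"] if new else cursor)

def decide(event):
    """Classification-driven policy for one event: returns (verdict, reason)."""
    tags = {t.lower() for t in event["tags"]}  # tag values come from the on-prem tagger
    external = event["target"] == "public"
    if "confidential" in tags and external:
        return "BLOCK", "confidential data shared outside the enterprise"
    if "confidential" in tags:
        return "ENCRYPT", "confidential data at rest in cloud storage"
    if "internal" in tags and external:
        return "BLOCK", "internal data shared publicly"
    return "ALLOW", "no classification restriction"

SEVERITY = {"BLOCK": 8, "ENCRYPT": 4, "ALLOW": 1}  # CEF severity scale is 0-10

def to_cef(event, verdict, reason):
    """Render a decision as a CEF line for SIEM ingestion (ExampleCASB is a placeholder)."""
    ext = " ".join([f"suser={event['user']}", f"fname={event['file']}",
                    f"act={event['action']}", f"cs1={event['target']}",
                    f"cs2={','.join(event['tags'])}", f"msg={reason}"])
    return f"CEF:0|ExampleCASB|Policy|1.0|{verdict}|{reason}|{SEVERITY[verdict]}|{ext}"

def enforce(feed, cursor=0):
    """One polling cycle: verdict per event id, SIEM lines for violations, new cursor."""
    events, cursor = poll(feed, cursor)
    verdicts, siem = {}, []
    for e in events:
        verdict, reason = decide(e)
        verdicts[e["id"]] = verdict
        if verdict != "ALLOW":  # only policy violations are forwarded to the SIEM
            siem.append(to_cef(e, verdict, reason))
    return verdicts, siem, cursor
```

A second call with the returned cursor yields no events, which is what keeps a polling integration from re-processing (and re-alerting on) data it has already seen.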