What Is a Cloud Access Security Broker? Definition, Pillars, Architecture, and Uses


A cloud access security broker (CASB) is defined as a hardware or software solution that mediates the connection between two layers: the enterprise core, which comprises on-premise data centers, servers, endpoints, users, etc., and the surrounding cloud environment. This article explains how a cloud access security broker works, its types, key pillars, architectural components, and use cases. 

What Is a Cloud Access Security Broker?

A cloud access security broker (CASB) is a hardware or software solution that sits between the enterprise core (on-premise data centers, servers, endpoints, users, etc.) and the surrounding cloud environment (platform, software, and infrastructure “as a service” components) to mediate the connection between these two layers. 


Using cloud access security brokers, organizations can define network, data transmission, and security rules that will govern the interactions between the enterprise core and external cloud components. Its primary purpose is to enforce security policies for the cloud, which the enterprise core can control. 

Gartner first coined the term cloud access security broker in 2011, and it has become a crucial security tool since then. Enterprises rely on cloud access security brokers to gain visibility into their cloud environment, manage data on the cloud, enforce security protocols, and ensure that components outside the enterprise perimeter are managed just as effectively as those within it.

According to Gartner’s 2018 Magic Quadrant for Cloud Access Security Brokers, more than half of all large businesses will use CASB, up from less than 20% in 2018. Adoption could take the form of hardware appliances, dedicated software, or cloud access security broker components within cloud security solution suites.

There are multiple ways cloud access security brokers can establish connectivity and governance between on-premise (core) and cloud (external) environments. This gives rise to three types of cloud access security broker solutions: 

  • Application programming interface (API) based: The two layers are connected through simple API connections in this type of cloud access security broker. Users can perform simple actions using API-only cloud access security brokers, such as transferring cloud data. 
  • Rules-based, first-gen cloud access security broker: The first generation of cloud access security brokers relied on simple business rules pre-configured by the enterprise core. Based on these rules, the cloud access security broker instructs cloud components to behave in a specific manner; the approach is neither flexible nor adaptive.
    For example, there could be a set of traffic signatures pre-configured at the core. The cloud access security broker assesses cloud traffic accordingly, without looking at its behavior or any other potentially dangerous indicators.
  • Adaptive, next-gen cloud access security broker: The next-gen cloud access security brokers available in the market provide organizations with intuitive and adaptive functionality. Here, the decision-making happens within the cloud access security broker itself, and users don’t need to pre-configure the rules at the enterprise core. Such cloud access security broker solutions may be part of cloud security suite products. 

Cloud access security brokers can also be classified based on where they are hosted: 

  • On-premise cloud access security brokers: While cloud access security brokers are intermediaries between the enterprise and the cloud, they also need a physical hosting environment. On-premise cloud access security brokers are hosted closer to the enterprise core, using physical servers or private clouds.
    This type of cloud access security broker is typically rules-based, as users can control fixed business rules more easily if the solution is hosted on-premise.
  • Cloud-based cloud access security brokers: Cloud access security brokers can also be hosted in a cloud environment, distinct from the external cloud components that connect to the core.

Typically, next-gen cloud access security broker providers offer cloud-based hosting environments, from where the CASB can operate and connect the user’s enterprise core to their cloud. Cloud-hosted cloud access security brokers are more flexible, can be remotely managed, and are deployed on a software as a service (SaaS) model. 


Pillars of Cloud Access Security Broker

Cloud access security brokers have five foundational pillars. 


1. Visibility enablement 

A cloud access security broker allows organizations to conduct a thorough inventory of their cloud environment and reveal previously unmapped components. As an organization evolves and its digital landscape grows, shadow IT and IT sprawl become rising threats. 

Shadow IT refers to scenarios where employees and users install cloud software “under the radar” without informing or getting approval from IT departments. Sprawl refers to the IT department’s deliberate but unplanned environment expansion without the requisite documentation or testing. 

Cloud access security brokers enable visibility into the end-to-end cloud landscape, including its various SaaS, platform as a service (PaaS), and infrastructure as a service (IaaS) components. It also enables visibility into the precise operations of these components, any correlations, and their data usage patterns. 

2. Compliance enforcement 

The cloud is inherently flexible, making it difficult to enforce compliance and standardization. For example, a hardware storage device will naturally limit the amount of data you can store, forcing users to revisit data storage and retention policies regularly. In contrast, you could store virtually infinite volumes of data on the cloud, adding to cloud storage builds and causing data exposure risks. 

A cloud access security broker makes it possible to enforce a standardized set of compliance rules across all your cloud components. These rules can be customized as per the region where the component is hosted. For instance, cloud data storage hosted in a U.S. data center may be subject to data management rules as per the California Consumer Privacy Act of 2018 (CCPA).

3. Security reinforcement 

Security is a critical pillar for cloud access security broker implementation. It brings the cloud environment within the ambit of core enterprise operations so that security risks are not overlooked. A cloud access security broker reinforces enterprise security in the following ways:

  • Map usage: Know exactly how cloud services are used to identify any anomalies and signs of cloud-related security vulnerabilities. 
  • Prevent shadow IT: Receive alerts whenever a user installs or attempts to install an unauthorized cloud app that connects with the enterprise network. 
  • Limit data exposure: Restrict unauthorized access to sensitive data hosted on the cloud.
  • Manage user privilege: Control how users from different departments, roles, and designations interact with the cloud environment so that only users with the appropriate degree of privileges can make configuration and data changes. 

In these four ways, a cloud access security broker allows you to take a proactive stance on security and minimize the risk of cyber threats creeping in. 

4. Threat detection

In addition to supporting a proactive stance, a cloud access security broker also aids in defensive security. Just as an endpoint detection and response (EDR) system installs local agents on connected devices to monitor their operations for signs of threats, a cloud access security broker performs the same function for cloud components. 

It constantly monitors the cloud components connected to an enterprise and maintains detailed incoming and outgoing data logs, user access, policy changes, etc. Next-gen cloud access security brokers include threat detection rules to identify any instance when the data logs deviate from the acceptable baseline of operations. Cloud access security brokers can also leverage advanced behavioral analytics for this purpose. 
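The baseline-deviation check described above, as an added example that is not code from the article or from any CASB vendor: it learns each user's normal daily download volume from a history window in the activity log and flags later days whose volume is far above that baseline. The log lines, user names and thresholds are constructed for illustration.

```python
"""Baseline-deviation detection over CASB activity logs (added example).

Not code from the article: it learns each user's normal daily download
volume from the first history_days of activity and flags later days whose
volume is far above that baseline. The log lines below are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: date,user,action,bytes,service
SAMPLE_LOG = """\
2022-03-01,alice,download,120000,sharepoint
2022-03-02,alice,download,95000,sharepoint
2022-03-03,alice,download,110000,sharepoint
2022-03-04,alice,download,105000,sharepoint
2022-03-05,alice,download,4800000,sharepoint
2022-03-01,bob,download,30000,dropbox
2022-03-02,bob,download,25000,dropbox
2022-03-03,bob,download,35000,dropbox
2022-03-04,bob,download,28000,dropbox
2022-03-05,bob,upload,9000000,dropbox
2022-03-05,bob,download,31000,dropbox
"""


def parse_log(text):
    """Aggregate download bytes per user per day; other actions are ignored."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in text.strip().splitlines():
        date, user, action, nbytes, _service = line.split(",")
        if action == "download":
            totals[user][date] += int(nbytes)
    return totals


def build_baseline(daily, history_days):
    """Mean and population standard deviation of the first history_days days."""
    values = [daily[day] for day in sorted(daily)[:history_days]]
    return mean(values), pstdev(values)


def detect_deviations(text, history_days=4, sigma=3.0, min_ratio=2.0):
    """Flag days after the history window whose download volume exceeds
    mean + sigma*sd AND is at least min_ratio times the mean. The ratio
    guard stops a near-zero standard deviation from alerting on noise."""
    alerts = []
    for user, daily in parse_log(text).items():
        days = sorted(daily)
        if len(days) <= history_days:
            continue  # not enough history to judge this user
        base_mean, base_sd = build_baseline(daily, history_days)
        for day in days[history_days:]:
            volume = daily[day]
            ratio = volume / base_mean if base_mean else float("inf")
            if volume > base_mean + sigma * base_sd and ratio >= min_ratio:
                alerts.append({"user": user, "date": day, "bytes": volume,
                               "ratio": round(ratio, 1)})
    return alerts


if __name__ == "__main__":
    for alert in detect_deviations(SAMPLE_LOG):
        print(alert)
```

With the constructed log, only alice's 2022-03-05 download (about 45 times her baseline) is flagged; bob's steady volumes stay under both thresholds. The two-part condition matters in practice: a user whose history is almost constant has a tiny standard deviation, and without the ratio guard a trivial increase would raise an alert.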

Cloud access security brokers are often a central component in extended detection and response (XDR) systems due to their threat detection capabilities. XDR includes EDR capabilities to protect endpoints and utilizes the cloud access security broker component to protect the cloud. 

5. Enterprise connectivity 

The fifth pillar of a cloud access security broker enables enterprise integration by connecting the various core and on-premise elements with surrounding cloud components. Traffic can pass to and from the cloud, as the cloud access security broker enables bidirectional integration with the core. The same data retention policies, user access rules, threat detection baselines, etc., can apply across every environment and location, thanks to the cloud access security broker. 

It allows organizations to evolve and scale with confidence, as new PaaS, SaaS, and IaaS components will be connected to the same unified fabric via the cloud access security broker. For instance, if an organization using Microsoft Azure IaaS wants to diversify into Amazon Web Services (AWS) while using Oracle Cloud PaaS to develop applications, the cloud access security broker simplifies the process. It allows organizations to formulate and pursue a cohesive digital transformation journey. 


Architecture of Cloud Access Security Broker

Cloud access security broker implementation relies on 10 architectural components. These architectural components together make up a cloud access security broker implementation, as illustrated below.  

[Figure: Cloud Access Security Broker Architecture. Source: ManagedMethods]

1. Immediate enterprise core 

The immediate enterprise core comprises all the IT infrastructure components on the primary organizational campus. This includes both office environments and data center environments owned and operated by the organization. Within the core, you can have elements like network hardware, on-premise employees, workstations, servers, office equipment like mounted displays, control hubs, etc. 

2. Secondary enterprise core 

The secondary core refers to those components technically owned by the organization but operating from a remote location. In a typical organizational environment, the secondary core can be large and sprawling, spread across every remote employee, mobile device, internet of things (IoT), wireless network, etc. Keep in mind that private cloud storage is not part of the enterprise core, and connectivity to the private cloud should be mediated by a cloud access security broker. 

The above two components form the “organization” layer of a cloud access security broker implementation. 

3. Platform as a service (PaaS) 

PaaS is a cloud component that allows organizations to develop and run applications without interacting with the enterprise premise. On a monthly subscription model, all the computing power needed to build and provision apps is available via PaaS. Some of the world’s leading PaaS providers include IBM Bluemix, Force.com by Salesforce, and Oracle Cloud PaaS. Large managed service providers also offer PaaS solutions of their own. 

4. Infrastructure as a Service (IaaS) 

IaaS refers to cloud components that replicate on-premise equipment such as storage devices and network appliances on the cloud. Unlike PaaS, IaaS is almost always provided by a public cloud vendor like AWS or Microsoft Azure. Organizations rely on IaaS for day-to-day business operations and support their PaaS applications. For instance, IaaS helps run the data analysis required for applications executed on PaaS. Since it houses large volumes of sensitive data, it is critical to protect IaaS through a cloud access security broker. 

5. Software as a service (SaaS)

SaaS is the fastest-growing architectural component in a cloud access security broker implementation plan. It refers to all the cloud-based applications deployed by enterprise users, which could be housed across many cloud environments. For instance, the Office Productivity Suite uses Azure as its foundational environment, while a popular business app like Monday.com is hosted on AWS and Google Cloud Platform.

Depending on the number of SaaS tools in use, the cloud access security broker might have to connect to various cloud environments. For this reason, a new solution category called cloud application security platform (CASP) is gradually gaining popularity. 

The above three components form the “external cloud” layer to which a cloud access security broker must connect. 

6. The connectivity gateway 

The connectivity gateway allows users to establish connections between the enterprise core and different cloud components. Typically, a cloud access security broker includes an auto-discovery capability, which means that it will automatically detect any cloud service interacting with the enterprise.

Even if your cloud environment is not fully mapped, the cloud access security broker will highlight all the components and drive visibility. The connectivity gateway also makes it easier to add new components and cloud services so that you can govern the entire landscape seamlessly. 

7. Security and compliance rules 

There are two types of business rules supported by cloud access security brokers – pre-configured rules and dynamic ones. You can have pre-configured rules like a set of blacklisted and whitelisted users who are allowed to access a particular cloud service. Dynamic rules refer to business rules that use contextual data to allow or deny access. For instance, the cloud access security broker may monitor the behavior of a specific user in the cloud environment and automatically block access if it detects any anomaly. 

Compliance rules are typically pre-configured and fixed based on the regulations and laws relevant to a specific cloud region. Security rules are dynamic and often leverage machine learning (ML) to become more effective over time. These rules are stored on the cloud access security broker and implemented across the core organization and cloud environments. 
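The two rule tiers described above, as an added example that is not the article's code or any vendor's: pre-configured rules (per-service deny and allow lists, plus compliance rules keyed on the region where the cloud component is hosted) are evaluated first, then dynamic rules that use context supplied with the request (device posture, an anomaly score from the broker's analytics). The users, services, regions and the `Request`/`Policy` classes are constructed placeholders.

```python
"""Pre-configured and dynamic CASB rules evaluated in one pass (added example).

Not the article's code. Pre-configured rules: per-service deny and allow
lists and compliance rules keyed on the hosting region of the component.
Dynamic rules: request context supplied at evaluation time (device posture,
anomaly score from analytics). Users, services and regions are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    user: str
    service: str
    action: str           # e.g. "read", "download", "share_external", "config_change"
    region: str           # hosting region of the service instance, e.g. "eu-west"
    managed_device: bool  # device posture reported by the endpoint agent
    anomaly_score: float  # 0.0 normal .. 1.0 highly anomalous, from analytics


@dataclass
class Policy:
    # service -> set of users, or the string "*" for everyone
    allowed_users: dict = field(default_factory=dict)
    denied_users: dict = field(default_factory=dict)
    # region -> actions forbidden there by compliance rules
    region_rules: dict = field(default_factory=dict)
    anomaly_block_threshold: float = 0.8
    unmanaged_device_blocked_actions: frozenset = frozenset({"download", "config_change"})


def evaluate(req: Request, policy: Policy):
    """Return (decision, reason). Order: deny list, allow list, regional
    compliance, then dynamic context. A service with no allow list is denied
    for everyone (default deny), which also covers unknown services."""
    if req.user in policy.denied_users.get(req.service, set()):
        return "deny", "user is on the deny list for this service"
    allowed = policy.allowed_users.get(req.service, set())
    if allowed != "*" and req.user not in allowed:
        return "deny", "user is not on the allow list for this service"
    if req.action in policy.region_rules.get(req.region, set()):
        return "deny", f"action '{req.action}' forbidden by compliance rule for {req.region}"
    if req.anomaly_score >= policy.anomaly_block_threshold:
        return "deny", "dynamic rule: anomalous behaviour for this user"
    if not req.managed_device and req.action in policy.unmanaged_device_blocked_actions:
        return "deny", "dynamic rule: action not permitted from an unmanaged device"
    return "allow", "no rule matched"


# Constructed policy for demonstration
EXAMPLE_POLICY = Policy(
    allowed_users={"crm.example.com": {"alice", "bob"}, "wiki.example.com": "*"},
    denied_users={"wiki.example.com": {"mallory"}},
    region_rules={"eu-west": {"share_external"}},
)

if __name__ == "__main__":
    for req in (
        Request("alice", "crm.example.com", "read", "us-east", True, 0.1),
        Request("carol", "crm.example.com", "read", "us-east", True, 0.1),
        Request("alice", "wiki.example.com", "share_external", "eu-west", True, 0.1),
        Request("alice", "crm.example.com", "download", "us-east", False, 0.1),
        Request("bob", "crm.example.com", "download", "us-east", True, 0.95),
    ):
        print(req.user, req.service, req.action, "->", evaluate(req, EXAMPLE_POLICY))
```

The static checks come first because they are cheap and deterministic; the dynamic checks can then be tuned (threshold, blocked actions) without touching the compliance rules, which is what keeps region-bound compliance "fixed" while security rules evolve.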

8. Bidirectional integration 

A cloud access security broker enables secure bidirectional data flow between the organization and the cloud. Without a cloud access security broker, data and processes can flow to and from the cloud without any restrictions, causing significant security vulnerabilities. 

However, the cloud access security broker sits between the two layers, so end-users, devices, and administrator traffic move first into the cloud access security broker solution. Here, the rules and policies are applied before they can pass on to the next layer. If there are any anomalies or threats, the cloud access security broker will highlight them through an administrator interface. 

9. Traffic 

Traffic is the architectural component that the cloud access security broker aims to mediate. Information, processes, and workflows will continuously move to and from the cloud in a modern enterprise environment. For example, an employee in your accounts payable team may maintain an Access database on their local device and periodically synchronize it with cloud-based database software. The data transfer and workflows that cut across different environments comprise “traffic,” which is inspected by a cloud access security broker. 

10. Cloud usage analytics 

Analytics insights are available through the cloud access security broker admin interface, and they keep IT administrators informed about the state of the cloud landscape. A cloud access security broker tracks every user access event and policy change via detailed logs, and key trends from these logs are conveyed via analytics insights. Users can recognize shadow IT elements, know which cloud components are most heavily used (and which ones are sitting idle), estimate cloud costs, and predict security risks. 


Top 7 Uses of Cloud Access Security Broker

The primary purpose of cloud access security broker implementation is to drive integration and strengthen cloud security. However, cloud access security brokers can fulfill several other use cases in an enterprise. 


1. Discover undocumented cloud services 

Remote work and bring your own device (BYOD) make it easier for employees to install cloud apps and services without IT approval. According to Netskope’s Cloud and Threat Report – July 2021 Edition, as much as 97% of cloud apps deployed in an enterprise may comprise shadow IT. A cloud access security broker uses auto-discovery and log collection to conduct an end-to-end inventory of the enterprise landscape.

It captures cloud services within and outside of the corporate network, including those unmanaged by IT. It will also provide you with a list of users, IP addresses, and machines using undocumented services. 

2. Assess and manage risk 

Cloud access security brokers can be pre-configured with risk and compliance rules relevant to your organization, industry, and region. For instance, Microsoft CASB (part of the Microsoft Defender suite) supports over 70 risk factors. All cloud applications and services are checked against the relevant risk factors, and the cloud access security broker assigns a risk score to them. IT managers can weigh a service’s risk level against its usage and importance to make informed decisions for risk management. 
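Use cases 1 and 2 together, as an added example that is not code from the article or from any CASB product: the first step builds an inventory of cloud services seen in gateway logs and, for every service outside the sanctioned list, records the users, source IPs and machines using it; the second step scores each unsanctioned service against a catalogue of risk factors and ranks it by risk weighed against usage. The log lines, hostnames, sanctioned list, risk factors and their weights are all constructed for illustration (a real CASB ships its own catalogue).

```python
"""Shadow IT discovery from gateway logs and risk scoring of what is found
(added example, not the article's code).

Step 1 inventories cloud services seen in proxy/firewall logs and, for
services outside the sanctioned list, records the users, source IPs and
machines using them. Step 2 scores each unsanctioned service against a
catalogue of risk factors and ranks by risk weighed against usage. Log
lines, hostnames, the sanctioned list and the catalogue are constructed.
"""
from collections import defaultdict

SANCTIONED = {"sharepoint.example.com", "slack.com"}

# Constructed gateway log: timestamp,user,src_ip,machine,dest_host,bytes
GATEWAY_LOG = """\
2022-03-07T09:01:00Z,alice,10.0.1.12,LT-ALICE,sharepoint.example.com,20480
2022-03-07T09:05:00Z,bob,10.0.1.33,LT-BOB,notepaste.example.org,1024
2022-03-07T09:07:00Z,carol,10.0.2.8,LT-CAROL,quickshare.example.net,52428800
2022-03-07T09:09:00Z,bob,10.0.1.33,LT-BOB,quickshare.example.net,10485760
2022-03-07T09:12:00Z,dave,10.0.2.19,LT-DAVE,slack.com,4096
"""

# Constructed risk catalogue: penalty points when a control is absent.
# Weights sum to 10, so a score of 10 means every control is missing.
RISK_WEIGHTS = {
    "encryption_at_rest": 3,
    "audit_logs": 2,
    "sso_support": 2,
    "data_residency_choice": 2,
    "breach_history_clean": 1,
}

# Constructed attribute profiles for the hypothetical services above.
SERVICE_PROFILES = {
    "notepaste.example.org": {"encryption_at_rest": False, "audit_logs": False,
                              "sso_support": False, "data_residency_choice": False,
                              "breach_history_clean": True},
    "quickshare.example.net": {"encryption_at_rest": True, "audit_logs": False,
                               "sso_support": False, "data_residency_choice": False,
                               "breach_history_clean": True},
}


def discover(log_text, sanctioned):
    """Return {service: {users, ips, machines, bytes, events}} for every
    destination that is not in the sanctioned list."""
    inventory = defaultdict(lambda: {"users": set(), "ips": set(),
                                     "machines": set(), "bytes": 0, "events": 0})
    for line in log_text.strip().splitlines():
        _ts, user, ip, machine, host, nbytes = line.split(",")
        if host in sanctioned:
            continue
        entry = inventory[host]
        entry["users"].add(user)
        entry["ips"].add(ip)
        entry["machines"].add(machine)
        entry["bytes"] += int(nbytes)
        entry["events"] += 1
    return dict(inventory)


def risk_score(profile, weights=RISK_WEIGHTS):
    """Sum the penalty for each control the service lacks (0 = all present).
    A control missing from the profile counts as absent, so an unknown
    service with an empty profile scores the maximum."""
    return sum(w for control, w in weights.items() if not profile.get(control, False))


def rank_unsanctioned(log_text, sanctioned=SANCTIONED, profiles=SERVICE_PROFILES):
    """Rank unsanctioned services by risk score times distinct users, so a
    moderately risky app used by many outranks a very risky one used by one."""
    ranked = []
    for host, entry in discover(log_text, sanctioned).items():
        score = risk_score(profiles.get(host, {}))
        ranked.append({"service": host, "risk": score,
                       "users": sorted(entry["users"]), "ips": sorted(entry["ips"]),
                       "machines": sorted(entry["machines"]),
                       "priority": score * len(entry["users"])})
    return sorted(ranked, key=lambda r: r["priority"], reverse=True)


if __name__ == "__main__":
    for row in rank_unsanctioned(GATEWAY_LOG):
        print(row)
```

On the constructed log, notepaste.example.org scores 9 out of 10 but is used by one person, while quickshare.example.net scores 6 and is used by two, so the ranking puts quickshare first: that is the "weigh risk against usage" step from the text, made explicit as a multiplication.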

3. Reduce service duplication 

There can be two reasons why there are duplicate cloud services for the same task. Different employees and teams could install multiple SaaS apps without informing the IT department, causing an overlap. Natural organizational expansion and IT resource changes can also lead to inadvertent duplication. The cloud access security broker will highlight instances where there is more than one app for a task, consuming duplicate resources and adding to security risks. IT can then consolidate these apps or deploy one single service to reduce duplication. 

4. Protect corporate data 

This is one of the principal uses of cloud access security brokers. They provide complete visibility into corporate data stored in the cloud, detailing where it is located, access privileges, compliance jurisdiction, and vulnerabilities (if any). Users can also implement policies that trigger alerts whenever an unsanctioned app or service tries to access corporate data. This prevents data exfiltration and ensures that only authorized users can access sensitive information. 

5. Standardize compliance and security 

With IT infrastructures spread across SaaS, PaaS, and IaaS, there is a risk of fragmentation in compliance and security. Different teams and locations may deploy disparate policies, and it becomes difficult for the central IT team to oversee the entire environment. You can configure the cloud access security broker with specific compliance policies and data loss prevention rules that apply to the end-to-end IT environment. A cloud access security broker also allows users to update and provision new policies from a centralized console. 

6. Ensure secure collaboration 

Today, large volumes of corporate data are shared over cloud-based collaboration tools like Slack, Dropbox, or Office 365. Using cloud access security brokers, you can extend data protection and compliance rules to these apps. It will automatically scan files when they are uploaded to cloud apps and can block the downloading of sensitive data to local devices. Further, cloud access security brokers can help implement user access controls that restrict employees from performing high-risk collaboration tasks. 
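The upload scanning and download blocking described above, as an added example that is not the article's code or any collaboration tool's: `classify()` labels a document's text by pattern (payment-card numbers that pass a Luhn check, US-style SSNs, an internal CONFIDENTIAL marker) and `decide()` applies a constructed policy that stops card data being uploaded, stops classified content being shared externally, and stops classified content being downloaded to an unmanaged device. The sample documents and the policy are constructed; 4111 1111 1111 1111 is a widely used test card number, not a real account.

```python
"""Content inspection for collaboration-tool uploads and downloads (added
example, not the article's code).

classify() labels text by pattern: payment-card numbers passing a Luhn check
(PCI), US-style SSNs (PII) and an internal CONFIDENTIAL marker. decide()
applies a constructed policy. Sample documents are constructed.
"""
import re

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MARKER_RE = re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Return the set of labels found in the text."""
    labels = set()
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            labels.add("PCI")
            break
    if SSN_RE.search(text):
        labels.add("PII")
    if MARKER_RE.search(text):
        labels.add("CONFIDENTIAL")
    return labels


def decide(labels, action, managed_device):
    """action is one of: upload, download, share_external."""
    if action == "upload" and "PCI" in labels:
        return "block", "card data may not be stored in collaboration tools"
    if action == "share_external" and labels:
        return "block", "classified content may not be shared externally"
    if action == "download" and labels and not managed_device:
        return "block", "classified content may not be downloaded to an unmanaged device"
    return "allow", "no DLP rule matched"


def inspect(text, action, managed_device=True):
    """Scan one document for one action and return the labels and verdict."""
    labels = classify(text)
    decision, reason = decide(labels, action, managed_device)
    return {"labels": sorted(labels), "decision": decision, "reason": reason}


if __name__ == "__main__":
    print(inspect("Card 4111 1111 1111 1111 expires 12/24", "upload"))
    print(inspect("CONFIDENTIAL: Q3 roadmap", "download", managed_device=False))
    print(inspect("Meeting notes, nothing special", "share_external"))
```

The Luhn check is the part worth copying: a bare 13-to-16-digit regex fires on order numbers and timestamps, and a DLP rule that blocks on those generates the kind of false positives that get policies switched off.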

7. Detect and block threats 

Some cloud access security broker solutions act as powerful cloud security tools with threat detection and prevention capabilities. They can analyze cloud logs for signs of compromise and shut down a service if they detect a threat. Cloud access security brokers can protect cloud systems against malware, ransomware, zero-day threats, and advanced persistent threats that enter via APIs. 


Key takeaways 

Originally coined in 2011, cloud access security broker is now a vital technology for cybersecurity and IT infrastructure management. It serves the dual purpose of standardizing the integration between the cloud and the core enterprise and ensuring that the connection remains secure. As organizations plan for cloud access security broker adoption or enhancement in 2022, here are the key takeaways to remember: 

  • Cloud access security brokers can be of three types. Next-gen, cloud-based cloud access security brokers are the most flexible and adaptive. 
  • The functioning of a cloud access security broker relies on five pillars – visibility, compliance, security, threat detection, and enterprise connectivity. 
  • The cloud access security broker architecture has ten major components, with the broker sitting between the organizational and external cloud layers. 
  • A cloud access security broker serves seven major use cases, including integration and security. 

According to the Forecast: Information Security and Risk Management, Worldwide, 2019-2025, 1Q21 Update by Gartner, the cloud access security broker is among the fastest-growing security and risk management sectors, despite being a mature market. Organizations must leverage cloud access security brokers as a central cog in their digital transformation roadmap to drive standardized, stable, and secure cloud adoption. 

Can cloud access security brokers protect enterprises from future security challenges? Share your thoughts with us on LinkedIn, Twitter, or Facebook!
