“What are you trying to achieve?” This is the most important question we ask our clients when scoping their projects. Responses can vary enormously, ranging from education on product features to redesigning IT security architectures. When we understand what motivates a project, we can figure out client success criteria and make recommendations on resources and scope.
The question is especially important for cloud security projects because of the breadth of product offerings and the variables surrounding effectiveness. When client responses indicate a need for cloud service visibility and control, our conversation invariably turns to cloud access security brokers (CASB).
NSS Labs does not currently test CASB products, but we have researched the category extensively in an effort to understand scope, impact, and applicability. At a high level, enterprises use CASB products for centralized visibility into sanctioned cloud services in use within their IT security architectures. CASB products provide three primary capabilities: increase visibility into cloud service utilization; enable identity-based policy enforcement; and reduce risk unique to cloud services. Together, these provide cloud service governance.
Governance is a great boardroom buzzword, but the architects in the room need to know how a CASB makes this happen. How is it deployed? Does it have dependencies? The answers to these questions will help you understand what your CASB can do and how it will impact your IT security architecture.
CASBs have various form factors, deployment modes, and IT security architecture dependencies:
- Form factor – The big three: on-premises, cloud-based, cloud-delivered
- Deployment mode – The four most common are log collection (tap), API, forward proxy, and reverse proxy (enterprises can also utilize several deployment modes, which is known as multimode deployment)
- IT security architecture dependencies – Numerous. In addition to integration with the cloud service, enterprises often must integrate their CASB with existing security technologies to take full advantage of its capabilities.
What isn’t a CASB? A CASB is not a web application firewall (WAF), stateful firewall, next generation firewall (NGFW), or secure web gateway (SWG). Deep packet inspection-based products such as an NGFW or SWG provide visibility into sanctioned and unsanctioned cloud service traffic on a specific network segment and can tell us what cloud services are being accessed at specific egress points. However, without a hook into the destination (i.e., the cloud service being accessed—typically a SaaS), these enforcement points cannot tell us how the data is being used, which is critical in risk discussions.
Many of our clients have expressed concerns over CASB deployments, particularly with regard to security efficacy and operational impact. Additionally, a comprehensive CASB product rollout requires a significant integration effort—we have witnessed well-staffed clients working on CASB deployments for more than 18 months. Also, some traffic flows may not be visible to a CASB, depending on deployment mode and IT security architecture. Hidden costs are a big factor in CASB deployments—many unknowns attend integration with potentially hundreds of applications in use by enterprises today. Enterprises can also be subject to increases in monthly charges from SaaS vendors because of increases in their data needs.
Cost must be weighed against value. Can a CASB add value for an enterprise? Yes, absolutely. These products can help enterprises requiring governance for their cloud services. However, while most offer similar core functionality, ancillary functionality can differ considerably. If your organization is evaluating a CASB, ask yourself: “What are we trying to achieve?”. Once you know this, evaluate the product’s core functionality to determine how it will contribute to your success.
The NSS Labs 2019 Enterprise Intelligence Brief on CASB offers visibility into current enterprise requirements for the technology. You can also read Part 1 of our CASB Product Selection Guide. Both papers are available in our Library.
While NSS does not (currently) test CASB products, they are part of a larger set of cloud-specific security controls that we are exploring for test methodology development, the first of which is Cloud Workload Protection (CWP).