SlideShare a Scribd company logo

Cloud Access Security Brokers - CASB

Download as PPTX, PDF
S
Samrat Das

Garage4Hackers Meet 17th June, CASB Presentation-> by Samrat Das

Technology
1 of 25
What is CASB? THIS PRESENTATION AIMS TO BRING FORWARD A CONCISE KNOWLEDGE FOR THOSE PEOPLE WHO ARE INTERESTED TO LEARN ABOUT THE LATEST TREND OF CLOUD BROKER SECURITY. A CLOUD ACCESS SECURITY BROKER (CASB) IS A SET OF NEW CLOUD SECURITY TECHNOLOGIES THAT ADDRESSES THE CHALLENGES POSED BY THE USE OF CLOUD APPS AND SERVICES. THEY WORK AS TOOLS THAT SITS BETWEEN AN ORGANIZATION'S ON- PREMISES INFRASTRUCTURE AND A CLOUD PROVIDER'S INFRASTRUCTURE. THEY ALLOW THE ORGANIZATION TO EXTEND THE REACH OF THEIR SECURITY POLICIES BEYOND THEIR OWN INFRASTRUCTURE TO THIRD-PARTY SOFTWARE AND STORAGE. 17th June 2017
Classified as:  On-premises or  Cloud-hosted software that act as a control point to support continuous visibility, compliance, threat protection, and security for cloud services.
CASB solutions helps to: • Identify and evaluate all the cloud apps in use • Enforce cloud application management policies in web proxies or firewalls • Provide handling of sensitive information • Encrypt or tokenize sensitive content to enforce privacy and security • Detect and block unusual account behaviour indicative of malicious activity • Integrate cloud visibility and controls with broader security solutions for data loss prevention, access management, and web security
USAGE STATS  By 2020, 85% of large enterprises will use a cloud access security broker solution for their cloud services, which is up from fewer than 5% in 2015.  Through 2020, 95% of cloud security failures will be the customer's fault.  Source: (https://www.skyhighnetworks.com/cloud-security-university/what-is- cloud-access-security-broker/)
How CASB comes into market?  To maintain data security and compliance with new data residency laws as their infrastructure moves to the cloud a Cloud Access Security Broker (CASB) comes into play.  CASB provides cloud encryption with the option to have control over their own encryption keys, so access to data without enterprises knowledge is ruled out.
How is CASB presented?  CASB technology is available as a SaaS application or on-premises via virtual or physical appliances, or both using a hybrid combination of on-premises and cloud-based policy enforcement points.  Observations:  •The wide adoption of identity and access management into the cloud, delivering cloud single sign-on, has reduced the friction in adopting cloud services and related security controls like cloud access security brokers (CASBs).  •Many enterprise business units are acquiring cloud services directly without IT's involvement. This form of "shadow IT" is fuelling growth in cloud service adoption as well as security risks.  •The CASB market has evolved rapidly since its gestation period in 2012 and includes a number of high-profile acquisitions.  •Today, CASBs primarily address back-office applications delivered as SaaS.
How Does CASB Work? A high level understanding:  CASBs works by ensuring that network traffic between on-premises devices and the cloud provider complies with the organization's security policies.
Image Source: Gartner’s blog: security musings
Fundamental Capabilities of CASB?  Cloud App Discovery and Analysis  Provide Shadow IT discovery and risk analysis including detailed cloud app ratings, usage analytics, and continuous reporting.  Data Governance and Protection  Provide the ability to enforce data-centric security policies to prevent unwanted activity such as inappropriate sharing of content. Support encryption and tokenization of compliance-related data.  Threat Protection and Incident Response  Prevent malicious activity such as data exfiltration due to account takeover, session hijacking, or insider activity through continuous monitoring of user behavior. Identify and block malware being uploaded or shared within cloud apps and provide tools for incident response.  Compliance and Data Privacy  Assist with data residency and compliance with regulations and standards, as well as identify cloud usage and risks of specific could services.
CASBs most prominent functionalities • Visibility CASBs provide both shadow and sanctioned IT discovery, as well as a consolidated view of an organization's cloud service usage and the users who access data from any device or location. • Compliance CASBs assist with data residency and compliance with regulations and standards, as well as identify cloud usage and the risks of specific cloud services. • Data Security CASBs provide the ability to enforce data-centric security policies to prevent unwanted activity based on data classification, discovery and user activity monitoring of access to sensitive data or privilege escalation. • Threat Protection CASBs prevent unwanted devices, users and versions of applications from accessing cloud services by providing adaptive access controls. Other examples in this category are user and entity behaviour analytics (UEBA) for determining anomalous behaviour, the use of threat intelligence, and malware identification.
Comprehensive CASB solutions leverage the following:  Application Specific Security  The top cloud apps have well-defined APIs that a CASB can leverage to monitor activity, analyse content, and modify settings within accounts on that cloud app.  Inline Security with Gateways  Sitting between the users and their cloud apps, a CASB gateway can provide valuable insights into cloud activity and provide a vehicle for real-time policy enforcement, such as blocking data exfiltration or protecting information with encryption.  Shadow IT Analysis  Existing security devices, such as secure web gateways and firewalls, have log data that can be used to help analyse Shadow IT.  Access Control  Endpoint agents offer another option to manage cloud activity and enforce policies.
Architectural Choices (forward / reverse proxy/APIs) Initially, the market was segregated between providers that delivered their CASB features via forward- and/or reverse-proxy modes and others that used API modes exclusively. Increasingly, a growing number of CASBs offer a choice between the proxy modes of operation and also support APIs (multimode CASBs)
Reverse proxy  This can be deployed as a gateway on-premises or as the more popular method, as SaaS.  This is performed by changing the way authentication works by telling the cloud service that the CASB passes the authentication onto the IDaaS provider, but, importantly, leaves the URL as belonging to the CASB and not the cloud service.  IDaas is defined as identity-as-Service ("IDaaS").  For people interested to learn more about IDaas (https://www.centrify.com/solutions/cloud/identity-as-a-service-idaas/)
 This is one way to provide the ability to insert the CASB in front of end users accessing the SaaS service (with the exception of mobile native apps using certificate pinning) without having to touch the endpoint's configuration.  It also allows for control over key management and application of cryptography solutions on-premises with no access by a cloud-based CASB or cloud service provider. With hosted reverse proxy, there may be indirect access to the key management system and keys/tokens being used in the cloud by the CASB and/or CSP.
Forward proxy  This can be deployed as a cloud or on-premises, and some vendors may deploy software agents on endpoint devices or pass profiles for enterprise mobile management (EMM) to enforce or use other methods like DNS and proxy auto- configuration (PAC) files.
API mode  This leverages the native features of the SaaS service itself by giving the CASB permission to access the service's API directly.  This mode also allows organizations to perform a number of functions like log telemetry, policy visibility and control, and data security inspection functions on all data at rest in the cloud application or service.  The CASB may offer on-premises or hosted key management options.  API mode makes it possible to take advantage of both CASB-native, and a growing number of SaaS service data protection, features offered by the SaaS provider itself (for example, Salesforce Shield), whereby it performs encryption/tokenization functions, but the end users still control the keys. However, the SaaS provider still has access to the keys, and data is unencrypted while used by the application.
 If the SaaS is hosted by another CSP's infrastructure (for example, Amazon, Microsoft), it is available in the memory of the IaaS provider and may not meet strict data residency or compliance requirements
Some use cases for CASB Implementation: • Early anomaly detection: Leveraging data on the go can be used to detect anomalous behaviours and potential • Reporting and auditing: CASB offers enhanced granular visibility with detailed activity logs and other reports useful for compliance auditing and forensic purposes. • DLP: Content validation by public cloud applications, blocking, watermarking, password protecting and encryption will prevent data content from being exposed. • Encryption: CASBs can encrypt objects pre-upload/ post-download giving end-to- end data privacy and regulatory compliance.
Leading choices for CASB:  Microsoft (Adallom)  In September 2015, Microsoft completed its acquisition of Adallom, a CASB that had been shipping since early 2013. This brought CASB to Microsoft's Enterprise Mobility + Security (EMS) suite and added new capabilities to Office 365.  Imperva  Founded in November 2002 and has been shipping a CASB product since January 2014, when it acquired Skyfence. Imperva focuses on providing detailed user activity monitoring, cloud DLP, access control and threat protection.  Bitglass  Founded in January 2013 and has been shipping a CASB product since January 2014.  Bitglass integrates several mobile data management (MDM) and IAM capabilities into its offering, such as remote wipe, single sign-on (SSO) and dual Security Assertion Markup Language (SAML) proxy, providing basic MDM and IDaaS capabilities.
 Cisco CloudLock  Founded in January 2011 and has been shipping a CASB product since October 2013; it was acquired by Cisco in June 2016. It uses an API-only approach to the CASB market. It leverages APIs from cloud services (SaaS, PaaS, IaaS).  FireLayers  Founded in November 2013 and has been shipping a CASB product since April 2014. FireLayers a multimode CASB delivering API, forward and reverse proxy, plus a SAML gateway. It provides cloud application discovery, but not SaaS service security posture assessments. Instead, it on threat protection, behavior analytics, contextual access control and detailed activity monitoring.
Further reading and references: https://www.bluecoat.com/products-and-solutions/casb- cloud-access-security-broker http://security-musings.blogspot.in/2015/04/comparing- cloud-access-security-broker.html http://www.bitglass.com/blog/cloud-access-security-brokers- post5 https://www.ciphercloud.com/blog/casb-101-cloud-access- security-brokers/
THANKS Samrat is a security researcher currently working for Secure Layer 7 India as a Security Consultant. His research interests involve: Penetration Testing, Secure Coding, and Reverse Engineering & Malware Analysis. He can be reached on twitter: @Samrat_Das93 or LinkedIn: https://in.linkedin.com/in/samrat18

Recommended

Data Loss Prevention from Symantec
Data Loss Prevention from SymantecData Loss Prevention from Symantec
Data Loss Prevention from SymantecArrow ECS UK
 
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - ErykData Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - ErykEryk Budi Pratama
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityThe Open Group SA
 
Symantec Data Loss Prevention 11
Symantec Data Loss Prevention 11Symantec Data Loss Prevention 11
Symantec Data Loss Prevention 11Symantec
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewCamilo Fandiño Gómez
 
Cloud security and security architecture
Cloud security and security architectureCloud security and security architecture
Cloud security and security architectureVladimir Jirasek
 
Microsoft Cloud App Security CASB
Microsoft Cloud App Security CASBMicrosoft Cloud App Security CASB
Microsoft Cloud App Security CASBAmmar Hasayen
 

Recommended

Data Loss Prevention from Symantec
Data Loss Prevention from SymantecData Loss Prevention from Symantec
Data Loss Prevention from SymantecArrow ECS UK
 
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - ErykData Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - ErykEryk Budi Pratama
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityThe Open Group SA
 
Symantec Data Loss Prevention 11
Symantec Data Loss Prevention 11Symantec Data Loss Prevention 11
Symantec Data Loss Prevention 11Symantec
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
IBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewIBM QRadar Security Intelligence Overview
IBM QRadar Security Intelligence OverviewCamilo Fandiño Gómez
 
Cloud security and security architecture
Cloud security and security architectureCloud security and security architecture
Cloud security and security architectureVladimir Jirasek
 
Microsoft Cloud App Security CASB
Microsoft Cloud App Security CASBMicrosoft Cloud App Security CASB
Microsoft Cloud App Security CASBAmmar Hasayen
 
Privileged Access Management - 2016
Privileged Access Management - 2016Privileged Access Management - 2016
Privileged Access Management - 2016Lance Peterman
 
Data Loss Prevention
Data Loss PreventionData Loss Prevention
Data Loss PreventionReza Kopaee
 
Data Loss Prevention
Data Loss PreventionData Loss Prevention
Data Loss Preventiondj1arry
 
Cloud Security
Cloud SecurityCloud Security
Cloud SecurityAWS User Group Bengaluru
 
microsoft-cybersecurity-reference-architectures (1).pptx
microsoft-cybersecurity-reference-architectures (1).pptxmicrosoft-cybersecurity-reference-architectures (1).pptx
microsoft-cybersecurity-reference-architectures (1).pptxGenericName6
 
Technology Overview - Symantec Data Loss Prevention (DLP)
Technology Overview - Symantec Data Loss Prevention (DLP)Technology Overview - Symantec Data Loss Prevention (DLP)
Technology Overview - Symantec Data Loss Prevention (DLP)Iftikhar Ali Iqbal
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security RoadmapElliott Franklin
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتReZa AdineH
 
Zero-Trust SASE DevSecOps
Zero-Trust SASE DevSecOpsZero-Trust SASE DevSecOps
Zero-Trust SASE DevSecOpsAraf Karsh Hamid
 
CASB: Securing your cloud applications
CASB: Securing your cloud applicationsCASB: Securing your cloud applications
CASB: Securing your cloud applicationsForcepoint LLC
 
SABSA - Business Attributes Profiling
SABSA - Business Attributes ProfilingSABSA - Business Attributes Profiling
SABSA - Business Attributes ProfilingSABSAcourses
 
Cloud Security Fundamentals Webinar
Cloud Security Fundamentals WebinarCloud Security Fundamentals Webinar
Cloud Security Fundamentals WebinarJoseph Holbrook, Chief Learning Officer (CLO)
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmPriyanka Aash
 
Data loss prevention (dlp)
Data loss prevention (dlp)Data loss prevention (dlp)
Data loss prevention (dlp)Hussein Al-Sanabani
 
Modelling Security Architecture
Modelling Security ArchitectureModelling Security Architecture
Modelling Security Architecturenarenvivek
 
Microsoft Information Protection: Your Security and Compliance Framework
Microsoft Information Protection: Your Security and Compliance FrameworkMicrosoft Information Protection: Your Security and Compliance Framework
Microsoft Information Protection: Your Security and Compliance FrameworkAlistair Pugin
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Stephen Cobb
 
CLOUD NATIVE SECURITY
CLOUD NATIVE SECURITYCLOUD NATIVE SECURITY
CLOUD NATIVE SECURITYMaganathin Veeraragaloo
 
McAfee - Enterprise Security Manager (ESM) - SIEM
McAfee - Enterprise Security Manager (ESM) - SIEMMcAfee - Enterprise Security Manager (ESM) - SIEM
McAfee - Enterprise Security Manager (ESM) - SIEMIftikhar Ali Iqbal
 
Enterprise Security Architecture Design
Enterprise Security Architecture DesignEnterprise Security Architecture Design
Enterprise Security Architecture DesignPriyanka Aash
 
casb_by_.pptx
casb_by_.pptxcasb_by_.pptx
casb_by_.pptxshahnawaz_pirates
 
Comprehensive Information on CASB
Comprehensive Information on CASBComprehensive Information on CASB
Comprehensive Information on CASBHTS Hosting
 

More Related Content

What's hot

Privileged Access Management - 2016
Privileged Access Management - 2016Privileged Access Management - 2016
Privileged Access Management - 2016Lance Peterman
 
Data Loss Prevention
Data Loss PreventionData Loss Prevention
Data Loss PreventionReza Kopaee
 
Data Loss Prevention
Data Loss PreventionData Loss Prevention
Data Loss Preventiondj1arry
 
microsoft-cybersecurity-reference-architectures (1).pptx
microsoft-cybersecurity-reference-architectures (1).pptxmicrosoft-cybersecurity-reference-architectures (1).pptx
microsoft-cybersecurity-reference-architectures (1).pptxGenericName6
 
Technology Overview - Symantec Data Loss Prevention (DLP)
Technology Overview - Symantec Data Loss Prevention (DLP)Technology Overview - Symantec Data Loss Prevention (DLP)
Technology Overview - Symantec Data Loss Prevention (DLP)Iftikhar Ali Iqbal
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security RoadmapElliott Franklin
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتReZa AdineH
 
CASB: Securing your cloud applications
CASB: Securing your cloud applicationsCASB: Securing your cloud applications
CASB: Securing your cloud applicationsForcepoint LLC
 
SABSA - Business Attributes Profiling
SABSA - Business Attributes ProfilingSABSA - Business Attributes Profiling
SABSA - Business Attributes ProfilingSABSAcourses
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmPriyanka Aash
 
Modelling Security Architecture
Modelling Security ArchitectureModelling Security Architecture
Modelling Security Architecturenarenvivek
 
Microsoft Information Protection: Your Security and Compliance Framework
Microsoft Information Protection: Your Security and Compliance FrameworkMicrosoft Information Protection: Your Security and Compliance Framework
Microsoft Information Protection: Your Security and Compliance FrameworkAlistair Pugin
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Stephen Cobb
 
McAfee - Enterprise Security Manager (ESM) - SIEM
McAfee - Enterprise Security Manager (ESM) - SIEMMcAfee - Enterprise Security Manager (ESM) - SIEM
McAfee - Enterprise Security Manager (ESM) - SIEMIftikhar Ali Iqbal
 
Enterprise Security Architecture Design
Enterprise Security Architecture DesignEnterprise Security Architecture Design
Enterprise Security Architecture DesignPriyanka Aash
 

What's hot (20)

Privileged Access Management - 2016
Privileged Access Management - 2016Privileged Access Management - 2016
Privileged Access Management - 2016
 
Data Loss Prevention
Data Loss PreventionData Loss Prevention
Data Loss Prevention
 
Data Loss Prevention
Data Loss PreventionData Loss Prevention
Data Loss Prevention
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
microsoft-cybersecurity-reference-architectures (1).pptx
microsoft-cybersecurity-reference-architectures (1).pptxmicrosoft-cybersecurity-reference-architectures (1).pptx
microsoft-cybersecurity-reference-architectures (1).pptx
 
Technology Overview - Symantec Data Loss Prevention (DLP)
Technology Overview - Symantec Data Loss Prevention (DLP)Technology Overview - Symantec Data Loss Prevention (DLP)
Technology Overview - Symantec Data Loss Prevention (DLP)
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security Roadmap
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
 
Zero-Trust SASE DevSecOps
Zero-Trust SASE DevSecOpsZero-Trust SASE DevSecOps
Zero-Trust SASE DevSecOps
 
CASB: Securing your cloud applications
CASB: Securing your cloud applicationsCASB: Securing your cloud applications
CASB: Securing your cloud applications
 
SABSA - Business Attributes Profiling
SABSA - Business Attributes ProfilingSABSA - Business Attributes Profiling
SABSA - Business Attributes Profiling
 
Cloud Security Fundamentals Webinar
Cloud Security Fundamentals WebinarCloud Security Fundamentals Webinar
Cloud Security Fundamentals Webinar
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity Chasm
 
Data loss prevention (dlp)
Data loss prevention (dlp)Data loss prevention (dlp)
Data loss prevention (dlp)
 
Modelling Security Architecture
Modelling Security ArchitectureModelling Security Architecture
Modelling Security Architecture
 
Microsoft Information Protection: Your Security and Compliance Framework
Microsoft Information Protection: Your Security and Compliance FrameworkMicrosoft Information Protection: Your Security and Compliance Framework
Microsoft Information Protection: Your Security and Compliance Framework
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
 
CLOUD NATIVE SECURITY
CLOUD NATIVE SECURITYCLOUD NATIVE SECURITY
CLOUD NATIVE SECURITY
 
McAfee - Enterprise Security Manager (ESM) - SIEM
McAfee - Enterprise Security Manager (ESM) - SIEMMcAfee - Enterprise Security Manager (ESM) - SIEM
McAfee - Enterprise Security Manager (ESM) - SIEM
 
Enterprise Security Architecture Design
Enterprise Security Architecture DesignEnterprise Security Architecture Design
Enterprise Security Architecture Design
 

Similar to Cloud Access Security Brokers - CASB

Comprehensive Information on CASB
Comprehensive Information on CASBComprehensive Information on CASB
Comprehensive Information on CASBHTS Hosting
 
8 major facts you must know before you buying a casb
8 major facts you must know before you buying a casb8 major facts you must know before you buying a casb
8 major facts you must know before you buying a casbciphercloud1
 
Cloud Security, Standards and Applications
Cloud Security, Standards and ApplicationsCloud Security, Standards and Applications
Cloud Security, Standards and ApplicationsDr. Sunil Kr. Pandey
 
SaaS Security.pptx
SaaS Security.pptxSaaS Security.pptx
SaaS Security.pptxchelsi33
 
saassecurity-230424030940-08314322.pdf
saassecurity-230424030940-08314322.pdfsaassecurity-230424030940-08314322.pdf
saassecurity-230424030940-08314322.pdfSahilSingh316535
 
Cloud Application Security --Symantec
Cloud Application Security --Symantec Cloud Application Security --Symantec
Cloud Application Security --SymantecAbhishek Sood
 
SaaS Platform Securing
SaaS Platform SecuringSaaS Platform Securing
SaaS Platform SecuringLeo TechnoSoft
 
Module 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUDModule 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUDSweta Kumari Barnwal
 
Cloud Security (CASB) for Slack
Cloud Security (CASB) for SlackCloud Security (CASB) for Slack
Cloud Security (CASB) for SlackSachin Yadav
 
SecSecuring Software as a Service Model of Cloud Computing: Issues and Solutions
SecSecuring Software as a Service Model of Cloud Computing: Issues and SolutionsSecSecuring Software as a Service Model of Cloud Computing: Issues and Solutions
SecSecuring Software as a Service Model of Cloud Computing: Issues and Solutionsijccsa
 
ITU-T requirement for cloud and cloud deployment model
ITU-T requirement for cloud and cloud deployment modelITU-T requirement for cloud and cloud deployment model
ITU-T requirement for cloud and cloud deployment modelHitesh Mohapatra
 
Cloud migration services
Cloud migration services Cloud migration services
Cloud migration services harrissmith5
 
A Survey on Different Techniques Used in Decentralized Cloud Computing
A Survey on Different Techniques Used in Decentralized Cloud ComputingA Survey on Different Techniques Used in Decentralized Cloud Computing
A Survey on Different Techniques Used in Decentralized Cloud ComputingEditor IJCATR
 

Similar to Cloud Access Security Brokers - CASB (20)

casb_by_.pptx
casb_by_.pptxcasb_by_.pptx
casb_by_.pptx
 
Comprehensive Information on CASB
Comprehensive Information on CASBComprehensive Information on CASB
Comprehensive Information on CASB
 
8 major facts you must know before you buying a casb
8 major facts you must know before you buying a casb8 major facts you must know before you buying a casb
8 major facts you must know before you buying a casb
 
Cloud Security, Standards and Applications
Cloud Security, Standards and ApplicationsCloud Security, Standards and Applications
Cloud Security, Standards and Applications
 
SaaS Security.pptx
SaaS Security.pptxSaaS Security.pptx
SaaS Security.pptx
 
saassecurity-230424030940-08314322.pdf
saassecurity-230424030940-08314322.pdfsaassecurity-230424030940-08314322.pdf
saassecurity-230424030940-08314322.pdf
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
Cloud Application Security --Symantec
Cloud Application Security --Symantec Cloud Application Security --Symantec
Cloud Application Security --Symantec
 
SECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKESSECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKES
 
SaaS Platform Securing
SaaS Platform SecuringSaaS Platform Securing
SaaS Platform Securing
 
Cloud Security Alliance's GRC Stack Overview
Cloud Security Alliance's GRC Stack OverviewCloud Security Alliance's GRC Stack Overview
Cloud Security Alliance's GRC Stack Overview
 
Cloud monitoring overview
Cloud monitoring overviewCloud monitoring overview
Cloud monitoring overview
 
Module 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUDModule 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUD
 
Cloud Security (CASB) for Slack
Cloud Security (CASB) for SlackCloud Security (CASB) for Slack
Cloud Security (CASB) for Slack
 
SecSecuring Software as a Service Model of Cloud Computing: Issues and Solutions
SecSecuring Software as a Service Model of Cloud Computing: Issues and SolutionsSecSecuring Software as a Service Model of Cloud Computing: Issues and Solutions
SecSecuring Software as a Service Model of Cloud Computing: Issues and Solutions
 
ITU-T requirement for cloud and cloud deployment model
ITU-T requirement for cloud and cloud deployment modelITU-T requirement for cloud and cloud deployment model
ITU-T requirement for cloud and cloud deployment model
 
Cloud migration services
Cloud migration services Cloud migration services
Cloud migration services
 
A Survey on Different Techniques Used in Decentralized Cloud Computing
A Survey on Different Techniques Used in Decentralized Cloud ComputingA Survey on Different Techniques Used in Decentralized Cloud Computing
A Survey on Different Techniques Used in Decentralized Cloud Computing
 
Cloud services and it security
Cloud services and it securityCloud services and it security
Cloud services and it security
 
UNIT III - ppt.pptx
UNIT III - ppt.pptxUNIT III - ppt.pptx
UNIT III - ppt.pptx
 

Recently uploaded

Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 

Recently uploaded (20)

Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 

Cloud Access Security Brokers - CASB

  • 1. What is CASB? THIS PRESENTATION AIMS TO BRING FORWARD A CONCISE KNOWLEDGE FOR THOSE PEOPLE WHO ARE INTERESTED TO LEARN ABOUT THE LATEST TREND OF CLOUD BROKER SECURITY. A CLOUD ACCESS SECURITY BROKER (CASB) IS A SET OF NEW CLOUD SECURITY TECHNOLOGIES THAT ADDRESSES THE CHALLENGES POSED BY THE USE OF CLOUD APPS AND SERVICES. THEY WORK AS TOOLS THAT SITS BETWEEN AN ORGANIZATION'S ON- PREMISES INFRASTRUCTURE AND A CLOUD PROVIDER'S INFRASTRUCTURE. THEY ALLOW THE ORGANIZATION TO EXTEND THE REACH OF THEIR SECURITY POLICIES BEYOND THEIR OWN INFRASTRUCTURE TO THIRD-PARTY SOFTWARE AND STORAGE. 17th June 2017
  • 2. Classified as:  On-premises or  Cloud-hosted software that act as a control point to support continuous visibility, compliance, threat protection, and security for cloud services.
  • 3. CASB solutions helps to: • Identify and evaluate all the cloud apps in use • Enforce cloud application management policies in web proxies or firewalls • Provide handling of sensitive information • Encrypt or tokenize sensitive content to enforce privacy and security • Detect and block unusual account behaviour indicative of malicious activity • Integrate cloud visibility and controls with broader security solutions for data loss prevention, access management, and web security
  • 4. USAGE STATS  By 2020, 85% of large enterprises will use a cloud access security broker solution for their cloud services, which is up from fewer than 5% in 2015.  Through 2020, 95% of cloud security failures will be the customer's fault.  Source: (https://www.skyhighnetworks.com/cloud-security-university/what-is- cloud-access-security-broker/)
  • 5. How CASB comes into market?  To maintain data security and compliance with new data residency laws as their infrastructure moves to the cloud a Cloud Access Security Broker (CASB) comes into play.  CASB provides cloud encryption with the option to have control over their own encryption keys, so access to data without enterprises knowledge is ruled out.
  • 6. How is CASB presented?  CASB technology is available as a SaaS application or on-premises via virtual or physical appliances, or both using a hybrid combination of on-premises and cloud-based policy enforcement points.  Observations:  •The wide adoption of identity and access management into the cloud, delivering cloud single sign-on, has reduced the friction in adopting cloud services and related security controls like cloud access security brokers (CASBs).  •Many enterprise business units are acquiring cloud services directly without IT's involvement. This form of "shadow IT" is fuelling growth in cloud service adoption as well as security risks.  •The CASB market has evolved rapidly since its gestation period in 2012 and includes a number of high-profile acquisitions.  •Today, CASBs primarily address back-office applications delivered as SaaS.
  • 7. How Does CASB Work? A high level understanding:  CASBs works by ensuring that network traffic between on-premises devices and the cloud provider complies with the organization's security policies.
  • 8. Image Source: Gartner’s blog: security musings
  • 9.
  • 10. Fundamental Capabilities of CASB?  Cloud App Discovery and Analysis  Provide Shadow IT discovery and risk analysis including detailed cloud app ratings, usage analytics, and continuous reporting.  Data Governance and Protection  Provide the ability to enforce data-centric security policies to prevent unwanted activity such as inappropriate sharing of content. Support encryption and tokenization of compliance-related data.  Threat Protection and Incident Response  Prevent malicious activity such as data exfiltration due to account takeover, session hijacking, or insider activity through continuous monitoring of user behavior. Identify and block malware being uploaded or shared within cloud apps and provide tools for incident response.  Compliance and Data Privacy  Assist with data residency and compliance with regulations and standards, as well as identify cloud usage and risks of specific could services.
  • 11. CASBs most prominent functionalities • Visibility CASBs provide both shadow and sanctioned IT discovery, as well as a consolidated view of an organization's cloud service usage and the users who access data from any device or location. • Compliance CASBs assist with data residency and compliance with regulations and standards, as well as identify cloud usage and the risks of specific cloud services. • Data Security CASBs provide the ability to enforce data-centric security policies to prevent unwanted activity based on data classification, discovery and user activity monitoring of access to sensitive data or privilege escalation. • Threat Protection CASBs prevent unwanted devices, users and versions of applications from accessing cloud services by providing adaptive access controls. Other examples in this category are user and entity behaviour analytics (UEBA) for determining anomalous behaviour, the use of threat intelligence, and malware identification.
  • 12.
  • 13. Comprehensive CASB solutions leverage the following:  Application Specific Security  The top cloud apps have well-defined APIs that a CASB can leverage to monitor activity, analyse content, and modify settings within accounts on that cloud app.  Inline Security with Gateways  Sitting between the users and their cloud apps, a CASB gateway can provide valuable insights into cloud activity and provide a vehicle for real-time policy enforcement, such as blocking data exfiltration or protecting information with encryption.  Shadow IT Analysis  Existing security devices, such as secure web gateways and firewalls, have log data that can be used to help analyse Shadow IT.  Access Control  Endpoint agents offer another option to manage cloud activity and enforce policies.
  • 14. Architectural Choices (forward / reverse proxy/APIs) Initially, the market was segregated between providers that delivered their CASB features via forward- and/or reverse-proxy modes and others that used API modes exclusively. Increasingly, a growing number of CASBs offer a choice between the proxy modes of operation and also support APIs (multimode CASBs)
  • 15. Reverse proxy  This can be deployed as a gateway on-premises or as the more popular method, as SaaS.  This is performed by changing the way authentication works by telling the cloud service that the CASB passes the authentication onto the IDaaS provider, but, importantly, leaves the URL as belonging to the CASB and not the cloud service.  IDaas is defined as identity-as-Service ("IDaaS").  For people interested to learn more about IDaas (https://www.centrify.com/solutions/cloud/identity-as-a-service-idaas/)
  • 16.  This is one way to provide the ability to insert the CASB in front of end users accessing the SaaS service (with the exception of mobile native apps using certificate pinning) without having to touch the endpoint's configuration.  It also allows for control over key management and application of cryptography solutions on-premises with no access by a cloud-based CASB or cloud service provider. With hosted reverse proxy, there may be indirect access to the key management system and keys/tokens being used in the cloud by the CASB and/or CSP.
  • 17. Forward proxy  This can be deployed as a cloud or on-premises, and some vendors may deploy software agents on endpoint devices or pass profiles for enterprise mobile management (EMM) to enforce or use other methods like DNS and proxy auto- configuration (PAC) files.
  • 18. API mode  This leverages the native features of the SaaS service itself by giving the CASB permission to access the service's API directly.  This mode also allows organizations to perform a number of functions like log telemetry, policy visibility and control, and data security inspection functions on all data at rest in the cloud application or service.  The CASB may offer on-premises or hosted key management options.  API mode makes it possible to take advantage of both CASB-native, and a growing number of SaaS service data protection, features offered by the SaaS provider itself (for example, Salesforce Shield), whereby it performs encryption/tokenization functions, but the end users still control the keys. However, the SaaS provider still has access to the keys, and data is unencrypted while used by the application.
  • 19.  If the SaaS is hosted by another CSP's infrastructure (for example, Amazon, Microsoft), it is available in the memory of the IaaS provider and may not meet strict data residency or compliance requirements
  • 20. Some use cases for CASB Implementation: • Early anomaly detection: Leveraging data on the go can be used to detect anomalous behaviours and potential • Reporting and auditing: CASB offers enhanced granular visibility with detailed activity logs and other reports useful for compliance auditing and forensic purposes. • DLP: Content validation by public cloud applications, blocking, watermarking, password protecting and encryption will prevent data content from being exposed. • Encryption: CASBs can encrypt objects pre-upload/ post-download giving end-to- end data privacy and regulatory compliance.
  • 21. Leading choices for CASB:  Microsoft (Adallom)  In September 2015, Microsoft completed its acquisition of Adallom, a CASB that had been shipping since early 2013. This brought CASB to Microsoft's Enterprise Mobility + Security (EMS) suite and added new capabilities to Office 365.  Imperva  Founded in November 2002 and has been shipping a CASB product since January 2014, when it acquired Skyfence. Imperva focuses on providing detailed user activity monitoring, cloud DLP, access control and threat protection.  Bitglass  Founded in January 2013 and has been shipping a CASB product since January 2014.  Bitglass integrates several mobile data management (MDM) and IAM capabilities into its offering, such as remote wipe, single sign-on (SSO) and dual Security Assertion Markup Language (SAML) proxy, providing basic MDM and IDaaS capabilities.
  • 22.  Cisco CloudLock  Founded in January 2011 and has been shipping a CASB product since October 2013; it was acquired by Cisco in June 2016. It uses an API-only approach to the CASB market. It leverages APIs from cloud services (SaaS, PaaS, IaaS).  FireLayers  Founded in November 2013 and has been shipping a CASB product since April 2014. FireLayers a multimode CASB delivering API, forward and reverse proxy, plus a SAML gateway. It provides cloud application discovery, but not SaaS service security posture assessments. Instead, it on threat protection, behavior analytics, contextual access control and detailed activity monitoring.
  • 23.
  • 24. Further reading and references: https://www.bluecoat.com/products-and-solutions/casb- cloud-access-security-broker http://security-musings.blogspot.in/2015/04/comparing- cloud-access-security-broker.html http://www.bitglass.com/blog/cloud-access-security-brokers- post5 https://www.ciphercloud.com/blog/casb-101-cloud-access- security-brokers/
  • 25. THANKS Samrat is a security researcher currently working for Secure Layer 7 India as a Security Consultant. His research interests involve: Penetration Testing, Secure Coding, and Reverse Engineering & Malware Analysis. He can be reached on twitter: @Samrat_Das93 or LinkedIn: https://in.linkedin.com/in/samrat18