Cloud security gateways (CSGs), also known as cloud access security brokers (CASB), are on-premises or cloud-hosted security software that act as a policy enforcement point between an enterprise and cloud applications that employees use. CSGs provide IT security teams visibility into cloud service usage and cloud-centric security capabilities that mirror the controls enterprises deployed to protect their data in on-premises applications including data loss prevention, user and entity behavior analytics (UEBA), encryption, access control, and more.
Key Requirements of Cloud Security Gateways
1. Visibility
While cloud adoption continues to rise, enterprises are finding that simply blocking cloud services is not sufficient. With the explosive growth of available cloud services, when an organization blocks one service, employees frequently respond by seeking out lesser-known, potentially riskier alternatives, which can end up making the problem worse.
And while the IT department may have visibility into sanctioned cloud services, it usually lacks visibility into the scope of shadow IT use. It often does not know, for example, who is using which cloud services, what kind of data is going to each service, with whom that data is being shared, and which devices are accessing it and from where.
Enterprises turn to CSGs to solve this problem. CSGs provide continuous visibility into both sanctioned and unsanctioned (shadow IT) cloud usage. This visibility extends to the data retention policies of each unsanctioned service, how much data is being uploaded to and downloaded from it, whether the provider encrypts data at rest and in transit, and an overall security risk score for each service in use. The score rates the service itself (its retention, encryption and sharing attributes), not how a particular user is using it; usage risk comes from combining the score with the volume and sensitivity of the data observed going to the service. Enterprises use the risk score to evaluate and select services that meet their security and compliance requirements, which streamlines cloud service adoption.
2. Compliance
Employees routinely upload sensitive and regulated data to the cloud. In the past, organizations relied on on-premises data loss prevention (DLP) solutions to protect that data from leaking via email and to stay compliant with internal policies and external regulations. CSGs extend these DLP controls to the cloud, so that enterprises can prevent certain types of sensitive data from being uploaded to high-risk cloud services or shared from trusted cloud services with third parties.
CSGs also provide a unified, cross-cloud DLP policy engine, incident reporting and a remediation workflow that ensure a consistent set of controls across cloud services. The cloud DLP capabilities of a CSG can protect a broad range of sensitive and regulated data, including payment card data (PCI DSS), protected health information (HIPAA/HITECH), intellectual property and personally identifiable information.
3. Threat Protection
One of the core capabilities of a CSG is threat protection. This capability is essential because cloud usage occurs outside the scope of conventional enterprise threat protection tooling such as intrusion prevention systems (IPS) and security information and event management (SIEM) systems, which see little of the traffic from off-network users and unmanaged devices. Additionally, account compromise resulting from social engineering has become one of the leading causes of security failures.
CSGs analyze cross-cloud user behavior patterns to identify both malicious and negligent insider threats, as well as external threats such as compromised accounts. Effective threat protection uses machine learning to build a behavior model for each user and derive a baseline from it. Activity that deviates from that baseline beyond a tuned threshold is flagged as a potential threat. Two practical caveats: a baseline needs enough history before it means anything (a new hire or a newly on-boarded service has none), and the threshold has to be calibrated against legitimate bursts such as a quarter-end reporting cycle, or the alerts drown the analysts meant to act on them.
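As an added example (not code from the original page or from any CSG vendor), here is the baseline-and-threshold logic above in its simplest statistical form: a per-user mean and standard deviation of daily downloads summed across all cloud services, a z-score for today's count, a minimum absolute count so that trivial deviations are not flagged, and a pooled peer baseline for users who have no history of their own. The user names, the history and the thresholds are constructed for the example.

```python
"""Per-user behaviour baselines for cross-cloud activity (added example).

A production CSG learns richer models (per service, per hour, peer groups);
this keeps the same shape with a plain statistical baseline: mean and standard
deviation of a daily count, a z-score for today, and a threshold decision.
All history below is constructed for the example."""
import statistics

# Constructed history: files downloaded per day, summed across every cloud
# service the user touches, for the last 14 days.
HISTORY = {
    "alice": [12, 15, 9, 14, 11, 13, 10, 12, 16, 11, 14, 12, 13, 10],
    "bob":   [0, 0, 1, 0, 0, 2, 0, 0, 1, 0, 0, 0, 1, 0],
    "dave":  [],  # started this week: no personal history yet
}
TODAY = {"alice": 14, "bob": 340, "dave": 500}


def baseline(values, min_std=1.0):
    """Mean and standard deviation, with a floor on the std so a user whose
    history is almost all zeros is not flagged by a single ordinary download."""
    return statistics.fmean(values), max(statistics.pstdev(values), min_std)


def score_user(user, today, history, *, min_days=7, z_threshold=3.0, min_count=20):
    """Compare today's count with the user's own baseline; fall back to the
    pooled history of all other users (a crude peer group) for cold starts."""
    own = history.get(user, [])
    if len(own) >= min_days:
        source = "own_baseline"
        mean, std = baseline(own)
    else:
        peers = [v for u, vals in history.items() if u != user for v in vals]
        if len(peers) < min_days:
            return {"user": user, "source": "no_baseline", "z": None, "flagged": False}
        source = "peer_baseline"
        mean, std = baseline(peers)
    z = (today - mean) / std
    # Both conditions must hold: statistically unusual AND large enough to matter.
    flagged = z >= z_threshold and today >= min_count
    return {"user": user, "source": source, "z": round(z, 2), "flagged": flagged}


def flagged_users(today, history):
    """Users whose activity today should be queued for analyst review."""
    return [u for u in sorted(today) if score_user(u, today[u], history)["flagged"]]


if __name__ == "__main__":
    for u, n in TODAY.items():
        print(score_user(u, n, HISTORY))
    print("flag for review:", flagged_users(TODAY, HISTORY))
```

With the constructed data, alice's 14 downloads sit well inside her own baseline, bob's 340 are hundreds of standard deviations above a near-zero history, and dave, who has no history, is scored against the pooled peer history and still flagged. The peer fallback is deliberately crude; a real engine would pool by department or role.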
There are four primary CSG deployment modes, each covering different users, devices and access scenarios:
- Log collection – consuming event logs from existing infrastructure such as firewalls, secure web gateways and SIEMs. This gives discovery and usage visibility after the fact, but no inline enforcement.
- Forward proxy – inline deployment between the endpoint and the cloud service in which the device (via an agent or proxy configuration) or the network routes traffic to the CSG proxy. It covers any cloud service, but only from devices or networks the enterprise controls.
- Reverse proxy – inline deployment between the endpoint and the cloud service in which the cloud service or identity provider routes traffic to the CSG proxy. It covers unmanaged devices because no client configuration is needed, but only for sanctioned services integrated with the identity provider.
- API – direct integration of the CSG with the cloud service. Depending on the provider's APIs, the CSG can view activity and content and take enforcement action, including on data already at rest and on sharing settings, though out of band rather than in the request path.
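An added example of the log-collection mode (not code from the original page or from any vendor): it parses constructed secure-web-gateway log lines, maps destination hosts to a constructed service catalog that carries a sanctioned flag and a risk score, and answers the visibility questions raised in the first section, who is using which service, how much data is uploaded to and downloaded from it, and which unsanctioned high-risk services are in use. The log format, the host names and the catalog are assumptions for the example.

```python
"""Shadow-IT discovery from secure-web-gateway logs (added example).

The log format and the service catalog below are constructed for this
example; a real CSG ingests vendor-specific firewall/proxy/SIEM formats and
carries a registry of thousands of services with derived risk scores."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed log lines: ts user src_ip method host bytes_out bytes_in
SAMPLE_LOG = """\
2024-03-01T09:02:11Z alice 10.1.4.20 PUT upload.corp-box.example 524288 310
2024-03-01T09:05:43Z alice 10.1.4.20 GET api.corp-box.example 410 73400320
2024-03-01T09:07:02Z bob 10.1.4.31 POST www.quickshare-free.example 15728640 512
2024-03-01T09:08:19Z bob 10.1.4.31 POST www.quickshare-free.example 31457280 512
2024-03-01T09:10:55Z carol 10.1.5.12 GET cdn.newsreader.example 300 2048000
2024-03-01T09:12:00Z carol 10.1.5.12 POST paste.anon-dump.example 2097152 200
"""

# Constructed catalog: host -> (service name, sanctioned?, risk score 1..10).
# In a CSG the score is derived from attributes such as data retention,
# encryption at rest/in transit and sharing controls.
CATALOG = {
    "upload.corp-box.example": ("CorpBox", True, 2),
    "api.corp-box.example": ("CorpBox", True, 2),
    "www.quickshare-free.example": ("QuickShare Free", False, 8),
    "paste.anon-dump.example": ("AnonDump", False, 9),
}


@dataclass
class Event:
    ts: str
    user: str
    src_ip: str
    method: str
    host: str
    bytes_out: int  # client -> cloud (upload)
    bytes_in: int   # cloud -> client (download)


def parse_log(text):
    """Parse the constructed format; skip blank, comment and malformed lines."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split()
        if len(f) != 7:
            continue  # a real pipeline would count and report these
        events.append(Event(f[0], f[1], f[2], f[3], f[4], int(f[5]), int(f[6])))
    return events


def aggregate(events, catalog=CATALOG):
    """Return {service: {"sanctioned", "risk", "users": {user: [up, down]}}}.
    Hosts missing from the catalog land in an 'unclassified:<host>' bucket so
    they are visible for later classification rather than silently dropped."""
    report = {}
    for e in events:
        name, sanctioned, risk = catalog.get(e.host, (f"unclassified:{e.host}", False, None))
        svc = report.setdefault(name, {"sanctioned": sanctioned, "risk": risk, "users": {}})
        up_down = svc["users"].setdefault(e.user, [0, 0])
        up_down[0] += e.bytes_out
        up_down[1] += e.bytes_in
    return report


def shadow_it(report, min_risk=7):
    """Unsanctioned services at or above min_risk, highest risk first, with the
    users involved and the total bytes they uploaded."""
    rows = []
    for name, svc in report.items():
        if svc["sanctioned"] or svc["risk"] is None or svc["risk"] < min_risk:
            continue
        uploaded = sum(up for up, _ in svc["users"].values())
        rows.append((svc["risk"], name, sorted(svc["users"]), uploaded))
    return sorted(rows, reverse=True)


if __name__ == "__main__":
    rep = aggregate(parse_log(SAMPLE_LOG))
    for name, svc in rep.items():
        print(name, "sanctioned" if svc["sanctioned"] else "UNSANCTIONED", svc["users"])
    for risk, name, users, uploaded in shadow_it(rep):
        print(f"risk {risk}: {name} used by {users}, {uploaded} bytes uploaded")
```

The upload direction is what matters for leakage, so the shadow IT list ranks by the catalog's risk score and reports bytes sent by the client; the unclassified bucket is the backlog a security team works through to extend the catalog.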
4. Data Security
As enterprise data moves to the cloud and employees access it from off-network locations and unmanaged devices, that access bypasses the existing on-premises security stack. CSGs add a layer of security at the cloud edge, such as encryption and contextual access control.
Mature CSGs can encrypt both structured data (for example individual fields of a SaaS record) and unstructured data (files), both as it is uploaded to a cloud service and for data already resident in the service. They also let the enterprise retain control of the encryption keys used to protect data in the cloud, integrating with KMIP-compliant key management systems so that enterprise-held keys are brokered to the gateway rather than handed to the cloud provider. The caveat with field-level encryption is that the provider can no longer search, sort or validate what it cannot read, so the fields to encrypt have to be chosen with the application's functionality in mind.
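An added example of the key-control pattern described above, not code from the page or from any CSG product: envelope encryption in which every object gets a fresh data key, the data key is wrapped by an enterprise key-encryption key held by a key manager, and only the wrapped key, the ciphertext and cleartext metadata go to the cloud. The `EnterpriseKeyManager` class is an assumption standing in for a KMIP-backed service (it is not a KMIP client), the key identifiers and sample data are constructed, and AES-GCM comes from the `cryptography` package (`pip install cryptography`). It also shows field-level encryption of a structured record and what revoking the enterprise key does to data already stored.

```python
"""Envelope encryption with enterprise-held keys, as a gateway would apply it
before data reaches the cloud (added example, not vendor code).
Requires: pip install cryptography"""
import base64
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the recommended size for AES-GCM


class EnterpriseKeyManager:
    """Minimal stand-in for a KMIP-compliant key manager (assumed interface).

    Key-encryption keys (KEKs) never leave this object: the gateway only asks it
    to wrap/unwrap per-object data keys, so the cloud provider never sees a KEK."""

    def __init__(self):
        self._keks = {}

    def create_kek(self, key_id):
        self._keks[key_id] = AESGCM.generate_key(bit_length=256)
        return key_id

    def wrap(self, key_id, dek):
        nonce = os.urandom(NONCE_LEN)
        # key_id as AAD binds the wrapped DEK to the KEK it was wrapped under
        return nonce + AESGCM(self._keks[key_id]).encrypt(nonce, dek, key_id.encode())

    def unwrap(self, key_id, wrapped):
        kek = self._keks[key_id]  # KeyError once the KEK has been revoked
        return AESGCM(kek).decrypt(wrapped[:NONCE_LEN], wrapped[NONCE_LEN:], key_id.encode())

    def revoke(self, key_id):
        """Crypto-shredding: destroying the KEK makes every object under it unreadable."""
        self._keks.pop(key_id, None)


def _b64(b):
    return base64.b64encode(b).decode()


def _unb64(s):
    return base64.b64decode(s)


def encrypt_for_cloud(km, key_id, plaintext, metadata):
    """Encrypt one object (a file or a field value) under a fresh DEK and return
    what is safe to store in the cloud: ciphertext, wrapped DEK, cleartext metadata."""
    dek = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(NONCE_LEN)
    aad = json.dumps(metadata, sort_keys=True).encode()  # authenticated, not encrypted
    ciphertext = AESGCM(dek).encrypt(nonce, plaintext, aad)
    return {
        "kek_id": key_id,
        "wrapped_dek": _b64(km.wrap(key_id, dek)),
        "nonce": _b64(nonce),
        "metadata": metadata,
        "ciphertext": _b64(ciphertext),
    }


def decrypt_from_cloud(km, blob):
    """Unwrap the DEK through the key manager, then decrypt and verify the object."""
    dek = km.unwrap(blob["kek_id"], _unb64(blob["wrapped_dek"]))
    aad = json.dumps(blob["metadata"], sort_keys=True).encode()
    return AESGCM(dek).decrypt(_unb64(blob["nonce"]), _unb64(blob["ciphertext"]), aad)


def encrypt_record(km, key_id, record, sensitive_fields):
    """Structured data: encrypt only the listed fields so the rest stays usable."""
    out = dict(record)
    for field in sensitive_fields:
        out[field] = encrypt_for_cloud(km, key_id, str(record[field]).encode(), {"field": field})
    return out


def check_tamper(km, blob):
    """True if a one-bit change to the stored ciphertext is detected on decrypt."""
    tampered = dict(blob)
    ct = bytearray(_unb64(blob["ciphertext"]))
    ct[0] ^= 0x01
    tampered["ciphertext"] = _b64(bytes(ct))
    try:
        decrypt_from_cloud(km, tampered)
    except InvalidTag:
        return True
    return False


if __name__ == "__main__":
    km = EnterpriseKeyManager()
    km.create_kek("tenant-acme-2024")  # constructed key identifier
    blob = encrypt_for_cloud(km, "tenant-acme-2024", b"Q3 forecast contents", {"owner": "alice"})
    print(decrypt_from_cloud(km, blob))
    print("tamper detected:", check_tamper(km, blob))
    km.revoke("tenant-acme-2024")
    try:
        decrypt_from_cloud(km, blob)
    except KeyError:
        print("KEK revoked: object is crypto-shredded")
```

Because the metadata is passed as AES-GCM associated data, changing either the ciphertext or the metadata in the cloud fails the tag check on decrypt; and because the cloud only ever holds wrapped data keys, revoking the enterprise KEK makes everything encrypted under it unreadable without touching the stored objects.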