Part 2 in a series on cloud security solutions: Choosing the right solution for securing your cloud and hybrid environments can be complicated. The market is an alphabet soup of acronyms, and it's hard to tell what you'll get from one product to the next, or from one vendor to another. That complexity can lead to gaps, confusion, tool sprawl, and weakened defenses
To help you make sense of the current tooling landscape, we're going to dig into individual product categories, explaining what they are, what they do, and their strengths and weaknesses. We'll also compare cloud-native network detection and response (NDR) to those products and show you where NDR provides similar or complementary capabilities.
Today's entry in this ongoing series focuses on cloud access security brokers, or CASBs.
What Is a Cloud Access Security Broker (CASB)?
CASBs were designed to act as security policy enforcement centers in cloud and hybrid environments. They can govern access control, protect against data loss, detect malware, and alert on compromised accounts or high-risk activities. Available in various deployment models such as cloud-hosted software or on-premises software or hardware, CASBs provide visibility into traffic between organizations and their cloud service providers.
How Do CASBs Work?
CASBs can be set up as either forward or reverse proxies, use cloud providers' APIs, or leverage a mixture of both. All three options have their share of pros and cons.
CASBs with Forward Proxies
These tools can be used for cloud applications and data that passes through the proxy. However, they can be difficult to scale because they require self-signed certificates for every device that accesses the proxy. Additionally, forward-proxy CASBs have blind spots when it comes to unmanaged devices (think BYOD) without certificates.
CASBs with Reverse Proxies
Unlike their cousins with forward proxies, CASBs with reverse proxies don't require certificates or special configuration. However, reverse-proxy CASBs do not work with client-side applications with hard-coded usernames. Like their cousins, forward-proxy CASBs can only secure known users and devices.
This relatively new category of CASB integrates with cloud service providers' application protocol interfaces (APIs), removing the need to deploy proxies that can negatively impact performance. They also integrate with in-line security products like next-gen firewalls (NGFW) and gateways, rather than duplicating those efforts as is the case with proxy-based CASBs.
How Does NDR Compare to CASBs?
CASBs do a good job of discovering and securing SaaS apps, and some even support IaaS security. But unlike network detection and response (NDR) tools, CASBs only provide security between the user and the cloud egress point. One key capability they lack is visibility into the east/west traffic between cloud workloads, infrastructure, and services.
NDR separates itself from CASBs when it comes to device and asset discovery, especially for unmanaged assets and internet-of-things (IoT) devices. Asset discovery and classification is about more than having an up-to-date inventory; understanding relationships between assets is crucial to identifying when they behave abnormally. Those abnormalities can indicate attacks in progress. And by taking a network-based approach, NDR tools unlock the ultimate source of truth in the cloud—packets.
While some CASBs can decrypt traffic and data between users and cloud egress points for inspection, they don't typically perform line-rate decryption, offer full packet capture (PCAP), or provide deep machine learning-driven inspection of data for indicators of advanced threats.
Pairing NDR with CASB
Although NDR and CASB can be viewed as competing security categories, they can also play well together. CASBs can be used to secure SaaS applications while NDR patrols the east-west traffic corridor that's used for post-compromise activities. This defense-in-depth strategy enhances security in cloud environments. Best-in-class NDR platforms also provide on-premises and multicloud security in the same user interface, making hybrid defense-in-depth possible.