Cloud Access Security Broker Architecture
How much time does it take to build a cloud access security broker (CASB) architecture? What are some of the challenges you face when building CASBs? Are there any specific benefits you can expect from your CASB deployment? To gain some insight into these questions, read on for the lessons below.
1. Your architecture will be unique to your organization
Security architects should not assume that the designs that worked for their peers will work for them. Too many factors influence the architecture, including the organization’s strategy, risk tolerance, existing security tools and investments, and business processes, to name a few.
This is why it’s important to understand how cloud security works and why planning is so critical before making any decisions regarding deployment.
2. Your architecture should consider your cloud business processes
Once you have a good understanding of how the technology works, it’s time to plan how this will work within your organization. The best way to do this is to define your business processes for accessing cloud applications and services, which will help determine what kind of policies you need to enforce and what data you need from these applications in order to make decisions about access control.
It is also important to determine how your CASB fits into your existing network architecture. This includes knowing where it should be deployed (on-premises or in the cloud), whether or not it should be integrated with other security tools and technologies, which provider you will use for the technology, and so on.
3. Your architecture should consider integrations with existing technologies
One aspect that often gets overlooked when implementing CASBs is how they will work with other security tools and technologies. There are several ways a CASB can integrate with your existing environment. It can be used as an enforcement point for your existing security tools. It can be used to enforce multi-factor authentication (MFA). It can be integrated with your network perimeter (e.g., firewall or web proxy) to enforce MFA and policies around cloud apps and services. It can be integrated with your directory service (e.g., Active Directory) to store identity policies, audit trails, compliance reports, etc.
4. Your architecture should secure both internal and external access to cloud applications and services
You shouldn’t overlook securing access from outside users and devices as well as from internal users and devices. Any organization that has a public-facing website or external-facing API needs to consider how it secures access from the outside world.
While many organizations focus on securing access from their internal network, they tend to forget about securing access from the outside world. This is just as important, because you don’t want someone accessing resources in your cloud without proper authorization, or, worse, exploiting vulnerabilities in your infrastructure or applications to cause damage or disruption to your business operations.
External-facing CASBs use various techniques to enforce policies on access requests coming from the outside world, including:
1. The ability to block malicious IP addresses.
2. The ability to block malicious user agents.
3. The ability to check device reputation.
4. The ability to check certificate validity.
Some organizations also use common gateway interface (CGI) scripts and API endpoints to block unwanted requests before they reach their backends. The idea is that even if someone has compromised a user’s credentials, they won’t get very far if they don’t have access to the correct CGI scripts or API endpoints used by a particular application or service.
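The four checks listed above, applied in order to constructed sample requests, as an added example that is not part of the original article: a small Python policy evaluator for external access requests (blocked IP ranges, blocked user agents, device reputation, client-certificate validity) that also enforces the MFA requirement from section 5. Every network, user-agent string, device ID, reputation score and request below is made-up sample data, and a request is denied by the first check it fails.

```python
"""Ordered policy checks for cloud access requests from outside the network.
Added illustration, not code from the original article; all data below is constructed."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass
class AccessRequest:
    source_ip: str
    user_agent: str
    device_id: str
    cert_not_before: Optional[datetime]  # None means no client certificate was presented
    cert_not_after: Optional[datetime]
    mfa_verified: bool

BLOCKED_NETWORKS = [ip_network("203.0.113.0/24")]  # constructed; RFC 5737 documentation range
BLOCKED_UA_SUBSTRINGS = ("blocked-scanner/",)  # constructed user-agent blocklist
DEVICE_REPUTATION = {"dev-managed-01": 90, "dev-unmanaged-02": 20}  # unknown devices score 0
MIN_DEVICE_SCORE = 50

def evaluate(req: AccessRequest, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason); the first failing check denies and names the reason for audit logs."""
    if any(ip_address(req.source_ip) in net for net in BLOCKED_NETWORKS):
        return False, "blocked_ip"
    if any(s in req.user_agent.lower() for s in BLOCKED_UA_SUBSTRINGS):
        return False, "blocked_user_agent"
    if DEVICE_REPUTATION.get(req.device_id, 0) < MIN_DEVICE_SCORE:
        return False, "low_device_reputation"  # unknown devices default to deny
    if req.cert_not_before is None or req.cert_not_after is None:
        return False, "no_client_certificate"
    if not req.cert_not_before <= now <= req.cert_not_after:
        return False, "certificate_not_valid_now"
    if not req.mfa_verified:
        return False, "mfa_required"
    return True, "allow"

NOW, FROM, TO = datetime(2024, 6, 1), datetime(2024, 1, 1), datetime(2025, 1, 1)  # fixed instant for repeatable results
SAMPLES = {  # constructed sample requests, one per decision path
    "managed_with_mfa": AccessRequest("198.51.100.7", "Mozilla/5.0", "dev-managed-01", FROM, TO, True),
    "blocked_network": AccessRequest("203.0.113.9", "Mozilla/5.0", "dev-managed-01", FROM, TO, True),
    "scanner_agent": AccessRequest("198.51.100.7", "blocked-scanner/2.1", "dev-managed-01", FROM, TO, True),
    "unknown_device": AccessRequest("198.51.100.7", "Mozilla/5.0", "dev-unknown", FROM, TO, True),
    "expired_cert": AccessRequest("198.51.100.7", "Mozilla/5.0", "dev-managed-01", FROM, datetime(2024, 5, 1), True),
    "no_mfa": AccessRequest("198.51.100.7", "Mozilla/5.0", "dev-managed-01", FROM, TO, False),
}

def evaluate_samples() -> dict:
    """Run every constructed sample through the policy; returns {name: (allowed, reason)}."""
    return {name: evaluate(req, NOW) for name, req in SAMPLES.items()}
```

Only the fully managed, MFA-verified request with a currently valid certificate is allowed; each other sample is denied by exactly the check it was built to trip.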
5. Your architecture should focus on both the technical and policy aspects of cloud access security
The technical components relate to building a secure infrastructure that contains perimeter controls, identity and access management systems, and other security tools that enforce policies around cloud apps and services.
The policy components relate to how you are going to apply authorization policies, as well as how you will implement multi-factor authentication (MFA). You can’t have one without the other because they work together to protect your organization’s data and applications in the cloud.
Conclusion
A good way to think about this is that your CASB needs to be integrated with the rest of your security ecosystem. It needs to enforce policies around access requests from internal users as well as external users, it needs to block malicious requests from reaching your back end, it needs to enforce MFA for any users accessing resources in the cloud, etc.
6. Your architecture needs a tuning phase after deployment