
Monitoring The Cloud

Antoinette Maria (antoinette0x53)

I'm trying to get better at describing to non-security people what it is I do for work. So I'm going to start writing these little posts about the different tools we use so that I can reference them later.

Many companies, both small and large, are moving towards cloud-based solutions such as Salesforce, Box, AWS, etc. to meet the different needs of the business. As cloud services have become enterprise solutions, concerns about the security of customer data have grown as well. Companies want to know what data is being stored in the cloud, who has access to that data, and what they can do with it. This is where a CASB enters the equation. A Cloud Access Security Broker is a fairly new class of product that sits between users and cloud services and lets a company monitor activity, alert on it, and sometimes enforce policy in its cloud solutions. The main use cases for CASBs are data loss prevention (DLP), shadow IT (the detection of cloud applications that have not been approved for use), and privilege abuse (detecting administrators or over-privileged users misusing their access).
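To make the shadow IT use case concrete, here is an added example (not code from the original post, and not any vendor's product) that does in miniature what a CASB's discovery feature does: it parses constructed web-gateway log lines, maps each destination host to a small hand-written catalog of cloud apps, and reports the unsanctioned ones with the users involved and the volume uploaded. The log format, the catalog, the sanctioned-app list and the log lines themselves are all assumptions made for this example.

```python
"""Shadow IT discovery over web-gateway logs (added example, not from the post).

The log format, the app catalog, the sanctioned list and the sample lines are
all constructed for this example.
"""
import re
from collections import defaultdict

# Constructed sample lines in an assumed format:
#   <epoch> <user> <method> <url> <bytes_sent_by_client>
SAMPLE_LOG = """\
1700000001 alice POST https://example-corp.my.salesforce.com/services/data/v58.0/sobjects 2048
1700000002 alice POST https://upload.box.com/api/2.0/files/content 5242880
1700000003 bob   POST https://content.dropboxapi.com/2/files/upload 10485760
1700000004 bob   GET  https://www.wikipedia.org/wiki/Cloud_computing 512
1700000005 carol POST https://wetransfer.com/api/v4/transfers 52428800
1700000006 carol POST https://content.dropboxapi.com/2/files/upload 2097152
"""

# A tiny stand-in for the app catalog a real CASB ships with: domain suffix -> app name.
CLOUD_APP_CATALOG = {
    "salesforce.com": "Salesforce",
    "box.com": "Box",
    "dropboxapi.com": "Dropbox",
    "dropbox.com": "Dropbox",
    "wetransfer.com": "WeTransfer",
}

# Apps the (hypothetical) company has approved; any other catalog app is shadow IT.
SANCTIONED_APPS = {"Salesforce", "Box"}

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def host_of(url):
    """Extract the lowercase hostname from an http(s) URL (path and port stripped)."""
    rest = url.split("://", 1)[1] if "://" in url else url
    return rest.split("/", 1)[0].split(":", 1)[0].lower()


def classify(host):
    """Return the catalog app name for host, or None if it is not a known cloud app."""
    for suffix, app in CLOUD_APP_CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return None


def find_shadow_it(log_text):
    """Aggregate requests, users and bytes uploaded per unsanctioned cloud app.

    Returns {app: {"users": [...], "requests": n, "bytes": n}}, sorted by app name.
    """
    usage = defaultdict(lambda: {"users": set(), "requests": 0, "bytes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole report
        _ts, user, _method, url, sent = m.groups()
        app = classify(host_of(url))
        if app is None or app in SANCTIONED_APPS:
            continue
        usage[app]["users"].add(user)
        usage[app]["requests"] += 1
        usage[app]["bytes"] += int(sent)
    # Deterministic, JSON-friendly output (sets become sorted lists).
    return {app: {"users": sorted(v["users"]), "requests": v["requests"], "bytes": v["bytes"]}
            for app, v in sorted(usage.items())}


if __name__ == "__main__":
    for app, v in find_shadow_it(SAMPLE_LOG).items():
        print(f"{app}: {v['requests']} requests, {v['bytes']} bytes from {', '.join(v['users'])}")
```

On the constructed log this flags Dropbox (bob and carol, about 12 MB) and WeTransfer (carol, 50 MB) while ignoring Salesforce and Box; a real discovery feature does the same thing against a catalog of thousands of apps with risk scores attached.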

There are three different types of CASB deployment: API-based, proxy-based, and hybrid (a combination of the two).

API-Based Solutions
API-based CASBs are out-of-band solutions that pull information through the APIs the cloud vendor exposes. For example, an API-based CASB will pull event logs from Salesforce using the Salesforce API. If the vendor's API doesn't capture a particular event, the CASB won't see it either, so coverage is limited by what each vendor chooses to expose. The advantages of the API-based approach are that it adds no network latency, has low impact on end users, and gives visibility into IaaS and PaaS (rather than just SaaS), since those platforms expose management and audit APIs too. The disadvantage is the lack of real-time prevention. An API-based CASB doesn't let administrators stop a transaction as it happens: by the time the event shows up in the API, the action has already completed, so the best it can do is alert, or remediate after the fact. It's strictly reactive.

Proxy-Based Solutions
A proxy-based CASB uses a forward or reverse proxy to route user traffic to the cloud application through the CASB for monitoring and alerting. A forward proxy needs the client pointed at it (an agent or proxy configuration), which is why this approach works best for companies whose end users are on managed devices; a reverse proxy sits in front of a specific SaaS application instead, and can cover unmanaged devices for that application only. The problems with the proxy-based approach are that it can add significant network latency and that it only works for SaaS applications whose traffic can be routed through the proxy. A proxy is also a central point of failure, so an outage or misconfiguration has high user impact. In contrast to the API-based approach, however, a proxy-based CASB gives you the opportunity to enforce policy as the violation occurs, because the proxy sees the request before it reaches the application and can block it. This can be invaluable for companies using applications where data exfiltration is a big concern (e.g. Salesforce or OneDrive).
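The two operating modes described in the API-based and proxy-based sections, as an added example that is not code from the original post or from any CASB vendor. The first half plays the API-based CASB: it polls a simulated vendor event-log API with a cursor so each event is processed once, then applies two policies (bulk report export, privilege change) to events that have already happened, recording how long after the fact each alert fires. The second half plays the inline proxy: it inspects an upload before forwarding it and returns a block/allow decision. The event shape, the cursor, the thresholds, the DLP patterns and the request format are assumptions made for the example, and the events and request bodies are constructed.

```python
"""API-based (out-of-band) detection versus proxy-based (inline) enforcement.

Added example, not code from the original post or any CASB product. Event
shape, cursor semantics, thresholds, DLP patterns and request format are all
assumptions; the events and request bodies are constructed.
"""
import re
from datetime import datetime, timezone

# Deliberately simple DLP patterns; a real policy would use validated matchers.
SENSITIVE_PATTERNS = {
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}
EXPORT_ROW_LIMIT = 10_000  # assumed policy threshold for a "bulk" report export

# Fixed "current time" so the lag figures are reproducible.
DEMO_NOW = datetime(2024, 5, 1, 9, 30, tzinfo=timezone.utc)


def find_sensitive(text):
    """Names of the DLP patterns that match anywhere in text."""
    return [name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(text)]


# --- API-based CASB: out of band, sees events only after they are logged ------

# Constructed events in the shape an assumed vendor event-log API might return.
VENDOR_EVENTS = [
    {"id": 101, "time": "2024-05-01T09:00:00Z", "type": "Login", "user": "alice", "rows": 0},
    {"id": 102, "time": "2024-05-01T09:05:00Z", "type": "ReportExport", "user": "alice", "rows": 250},
    {"id": 103, "time": "2024-05-01T09:20:00Z", "type": "ReportExport", "user": "bob", "rows": 48_000},
    {"id": 104, "time": "2024-05-01T09:21:00Z", "type": "PermissionSetAssign", "user": "bob", "rows": 0},
]


def poll_vendor_api(after_id):
    """Simulate a cursor-based pull: return only events newer than the last one seen."""
    return [e for e in VENDOR_EVENTS if e["id"] > after_id]


def detect_out_of_band(events, now=DEMO_NOW):
    """Reactive detection over completed events. Returns alerts with their lag in seconds."""
    alerts = []
    for e in events:
        occurred = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
        lag = (now - occurred).total_seconds()  # the action finished this long ago
        if e["type"] == "ReportExport" and e["rows"] > EXPORT_ROW_LIMIT:
            alerts.append({"event_id": e["id"], "user": e["user"], "rule": "bulk_export", "lag_seconds": lag})
        elif e["type"] == "PermissionSetAssign":
            alerts.append({"event_id": e["id"], "user": e["user"], "rule": "privilege_change", "lag_seconds": lag})
    return alerts


# --- Proxy-based CASB: inline, decides before the request is forwarded --------

def inline_policy(request):
    """Decide on a request the proxy is holding. Returns ("allow", None) or ("block", reason)."""
    if request["method"] not in ("POST", "PUT"):
        return ("allow", None)  # this policy only inspects uploads
    body = request["body"].decode("utf-8", errors="replace")
    hits = find_sensitive(body)
    if hits:
        return ("block", "sensitive data in upload: " + ", ".join(hits))
    return ("allow", None)


if __name__ == "__main__":
    # Out of band: the 48,000-row export and the permission change are already done.
    for alert in detect_out_of_band(poll_vendor_api(after_id=101)):
        print("ALERT", alert)
    # Inline: the proxy can refuse the upload before the application ever receives it.
    upload = {"method": "POST", "host": "example.my.salesforce.com", "path": "/services/data",
              "body": b"name=Jane Doe&ssn=123-45-6789"}
    print("DECISION", inline_policy(upload))
```

The `lag_seconds` field is the point of the first half: the bulk export fires an alert ten minutes after the rows left the tenant, which is the "strictly reactive" limitation of the API approach. The second half shows the trade the proxy makes for its latency and single point of failure: the decision is returned before anything is forwarded.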

Hybrid Solutions
A hybrid CASB combines the API-based and proxy-based approaches: the API integration provides broad, out-of-band visibility (including IaaS and PaaS), while the proxy provides inline enforcement for the SaaS applications where real-time blocking matters. It's the best of both worlds. Some of the disadvantages of each approach still exist, but their impact is reduced by having both rolled into one solution.

A CASB isn't...

a replacement for a SIEM solution.
A CASB should not be looked at as a replacement for a SIEM. A SIEM's ability to collect, correlate and retain logs from across the whole environment far outweighs anything a CASB can do with logs; the CASB's cloud events should be forwarded to the SIEM like any other log source.

a replacement for a DLP solution.
Many companies turning to CASBs to monitor their cloud apps do so because they need DLP for the cloud. That, however, isn't a reason to neglect DLP outside of SaaS applications (on endpoints, email and the network).

a replacement for a proxy or web gateway.
A CASB isn't meant to proxy all end-user traffic. It only monitors (or proxies) the traffic for the cloud applications that need to be monitored; general web filtering is still the job of the proxy or secure web gateway.

A CASB should be used in conjunction with, not in place of, all of these solutions. It can provide logs (visibility) into cloud applications and feed existing SIEM and DLP solutions.

As I mentioned before, this is a fairly new space in the security world. Many solutions are still maturing and evolving. I believe that in the future most of the products offered in this space will be hybrid solutions, to better fit a larger share of the market. Either way, if your company has a large chunk of data stored in the cloud, there's a good chance it will be using a CASB to monitor that data in the near future.
