As applications transition from on-premises architectures into the cloud, mainstay strategies for securing them struggle to keep up. Applications are developed, updated, and consumed continuously using a variety of cloud platforms. Where once IT Security was tasked with governing a single infrastructure with visibility and control over components such as storage, network, and web access, it is now not uncommon to have data and applications hosted at dozens of different SaaS and IaaS vendors, each with a unique toolset of security controls. As the number of disparate services and controls increases, creating programs that provide consistent visibility, governance, and control over where and how data is being used, and by whom, becomes exponentially more difficult.
A primary purpose of a Cloud Access Security Broker (CASB) is to provide a unified set of controls and policies that apply to multiple, dissimilar cloud services. While the abstracted toolset is similar to what many IT Security experts expect in terms of DLP, remote access, and event monitoring, the controls are implemented differently with the CASB, smoothing out the differences between one cloud service provider (CSP) and another. A properly deployed CASB should offer a single pane of glass providing at least the following security services: Shadow IT discovery; data security, including data classification, DLP for data at rest and in motion, encryption/DRM, and collaboration/sharing control; machine learning threat protection (UEBA); adaptive access controls to restrict access using context such as location or device category; and secure configuration to ensure IaaS resources are in compliance with benchmarks and standards.