CASB: properties of a complete web protection platform

The workplace has transformed during the past decade or so. The dividing line between the corporate office and the outside world that was neatly delineated by firewalls and other security tools no longer exists. People work in the office, at home, in the local coffee shop, on trains and everywhere else.

SD-WANs are the leading approach to supporting this new environment because they allow internet and cloud access from virtually anywhere. This flexibility requires a re-thinking of security, however, because branch locations and remote workers now directly «touch» the internet and the cloud. Each point of contact therefore must be independently secured.

This is a steep challenge. In our previous blogs we've looked at efforts to protect this fractious environment through deployment of Cloud Access Security Brokers (CASBs). Placing these devices between the cloud/internet and the enterprise network is a big step toward ensuring that corporate security policies are being tracked and maintained. CASBs essentially do the security bidding of the enterprise network as it interfaces with the outside world. 

manny-pantoja-smallPhotograph by Manny Pantoja

In the bigger picture, they are the stage on which a complete web protection platform can be built. They provide the framework in which the organization's security tools are housed and managed. The goal is to establish a complete web security platform with at least five high level capabilities.

A CASB must: 

  • Easily ingest data from proxies
  • Decrypt SSL traffic
    The CASB must go beyond access to all the logs. It must be able to perform «man-in-the-middle» decryption to assess SSL traffic.
  • Provide deep visibility into user traffic
    The CASB provides insight into the traffic coming from the web through such things as unauthorized Dropbox accounts. APIs doing this monitor SharePoint and OneDrive. They search for unsanctioned data, such as credit card numbers, personal ID information and corporate documents that should not be publicly shared.
  • Include rule filtering
    The platform should enable flexible filtering that uses the rules set by the organization. For example, it blocks confidential documents from unauthorized outside sharing if they carry the proper metadata. This can be done by searching for specific data elements using data leakage protection (DLP) tools to scan documents' text.
  • Have the ability to block applications from a central console 
    This is a challenging task and therefore is not commonly used. Blocking applications generates many false positives. Very careful management is required. It also requires blocking access to apps such as Google Drive. That's a non-starter for many organizations and their employees.

Complete web protection with Open Systems

The bottom line is that a full and comprehensive suite of security and data privacy tools must shield corporate users wherever they are. Open Systems provides integrated CASB, security operations center and next-generation firewall management. By combining these tools, Open Systems' integrated Secure SD-WAN solutions enable response time that can be counted in minutes.

a leading SD-WAN analyst image

This post was written by a leading SD-WAN analyst, for Open Systems.