Understanding cloud access security brokers (CASBs)
A cloud access security broker (CASB) is a cloud-hosted tool that serves as an additional layer of security between users and cloud service providers. This article explores what CASBs are, their pros and cons, and how they compare to VPNs.
Data security is a top priority for any modern enterprise or digital business network. Employees create and access tons of sensitive data via multiple avenues and devices and from different geographical locations. As more and more organizations adopt cloud-based solutions, the need to protect data and corporate IT infrastructure from external threats increases rapidly.
What is the purpose of CASBs?
A cloud access security broker (CASB) can help by serving as a middleman between the end user and the cloud, helping ensure the integrity of organizational data and application software.
In this article, you’ll learn all about CASBs, how CASbs work, the features and benefits CASBs provide when acting as a layer of network security. You’ll also see a comparison between CASB technology and another type of security measure often used by organizations — the virtual private network (VPN).
Why are CASBs important?
With workforce mobility on the rise due to increased remote working and the resulting reliance on bring your own device (BYOD) policies, it’s become commonplace for employees to access company networks and work-related systems with personal, and sometimes unsecure, devices. This can expose data and IT systems to unauthorized or unsanctioned access, resulting in the vulnerability of sensitive corporate data and intellectual property.
You might be faced with the option of either completely blocking off-premise access to your company network, which would limit employee productivity, or finding a solution to enforce your organization’s security policies and standards for remote workers. CASBs help you achieve the latter; they sit between your user and your cloud system to automatically discover and assess the risk level of each interaction.
Another reason for the increasing relevance of CASBs is the growing insecurity businesses are experiencing regarding the safety of the network for their cloud-based services. In the corporate world, cases of serious cloud infrastructure data breaches and leaks abound, resulting in heightened pressure to ensure adequate levels of security throughout organizational networks. CASBs offer a way to safeguard corporate systems against hacks and associated data leaks.
What is a CASB?
According to Gartner, “Cloud access security brokers (CASBs) are on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed.” Going deeper, their scope is explained like so: “CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.”
In short, just like a broker acts as an intermediary between two parties, CASBs sit between the user and the cloud to actively manage access to cloud-based applications, services, and local company resources. Each time a user tries to access an application or service in the cloud, the CASB evaluates the user’s physical location, the security of the network from which the user is connecting, and the time of day, among other aspects.
Then, according to the security policies implemented by the company, access permissions are assigned to the user. In other words, user permissions to access different resources can vary, which is a major paradigm shift over the static role-based access control (RBAC) widely used by many companies.
The ability of CASBs to assign permissions to users dynamically is just one of their advantages. Let’s review in more detail what makes CASBs so useful today.
Benefits of CASB
As discussed, CASBs combine multiple types of security policy enforcement mechanisms under one roof. A CASB gives security teams multiple advantages that we’ll discuss next.
Grants visibility
Visibility means organizations have a detailed overview of the usage of multiple cloud applications or environments as well as information on devices accessing them.
This is particularly useful for large businesses with a lot of employees working on their own devices on the go. In these organizations, corporate data can easily slip out of company oversight, resulting in leaks of confidential information and other intellectual property. CASBs enhance visibility by assigning risk scores and providing contextual access control.
Enforces security policies and ensures compliance
This is one of the greatest benefits of CASBs: Whether the application, service, or data is in the cloud or on premise (i.e., on enterprise servers), no user has direct access to those resources. Instead, each user must authenticate with the CASB and wait for it to grant them whatever permissions it deems appropriate.
It’s a similar security principle to bastion hosts, but taken to another level. Thanks to this feature, CASBs offer a centralized platform from which security teams can quickly block users or restrict their level of permissions if they detect any irregularities.
Because CASBs sit between users and resources, they’re useful for enforcing enterprise security and governance policies. For example, they can help mitigate security risks by detecting malware in files that the user tries to upload to the cloud, or vice versa.
Similarly, CASBs can be used to limit access to certain resources or services according to a predetermined schedule. Additionally, CASBs can be integrated with services that monitor usage logs to detect suspicious patterns and trigger an alert when necessary.
Compliance refers to adherence to regulations that govern the safety of enterprise data in the cloud. Your organization’s compliance standards can be enforced with CASBs as a third party that adheres to regulations such as HIPAA and PCI DSS. Your CASB must be able to assess your compliance risks and then inform your IT security team of the areas to shore up to mitigate these risks.
Track device activity
According to Cisco, 95% of organizations allow personal devices in the workplace. BYOD policies allow employees to use their own devices such as laptops, phones, and tablets to access privileged information and cloud applications.
While BYOD benefits productivity and employee morale, it also brings significant security challenges. Employee devices, especially mobile phones and tablets, tend not to be secure, making them easy targets for malicious agents. In this regard, endpoint security solutions such as antivirus or security suites are not enough to guarantee security when an employee is accessing sensitive information and applications.
As you might guess, CASBs allow your organization to offer employees the flexibility of BYOD while ensuring security standards by monitoring and tracking workers’ usage of mobile and personal devices for work.
Simplifies support and protection of public-facing cloud applications
A recent prediction from Gartner stated that “almost two-thirds (65.9%) of spending on application software will be directed toward cloud technologies in 2025, up from 57.7% in 2022.”
In other words, the explosion in the use of suites such as Microsoft Office 365, Teams, and Google Workspace, as well as applications, services, and APIs specific to each organization, has made it necessary to find solutions that guarantee the security of both users’ and businesses’ assets. CASBs and cutting-edge solutions like Tailscale are ideal for that purpose. We will go into more detail about that later when we talk about CASBs versus VPNs.
Provides data security
The ease with which data can move in a world where cloud adoption has become the norm presents a threat to the ability of businesses to safeguard their sensitive and confidential information.
CASBs address this threat as gatekeepers that monitor the movement of important and sensitive information in the cloud. They can scan in real time and block unauthorized access to data. CASBs get this done by compiling a comprehensive view of normal cloud data usage and cross-referencing this with anomalous behavior. Anomalous behavioral patterns in data usage then lead to a commensurate response by using capabilities such as adaptive and contextual access control, threat intelligence, and prioritized analysis.
Adds extra layer of network security
While there is no single solution that addresses all aspects of cybersecurity, CASBs tick several boxes on that list. One of the biggest challenges among organizations has to do with user management.
CASBs offer a centralized platform to handle user authentication as well as other security functions already described above, such as credential mapping, device profiling, encryption, malware detection, and more.
So far, you’ve learned what CASBs are and their benefits, leaving aside one important aspect: CASB types. That will be addressed next.
Types of CASB
Like other security solutions such as firewalls, CASBs are available as on-premise devices, as cloud services, or even as endpoint software. We will briefly review each of these implementations.
On-premise gateways
This is a type of CASB used by organizations that have a strict requirement that prevents certain information from being moved to the cloud. As a result, the gateways related to both hardware and software resources are deployed by organizations on premise rather than in the cloud.
One big disadvantage of selecting an on-premise CASB is the additional cost of maintenance, which can be a strain on the resources of the company. Also, an on-premise CASB limits your organization’s ability to cope with huge data processing requirements that are typical of sophisticated threat detection algorithms. This latter consideration makes CASBs particularly inefficient when your organization requires low latency or high transfer speeds.
Host agents
Unlike on-premise gateways, agent-based CASBs are a software-based solution. This allows, for example, the installation of agents in key points of your company, such as database servers, application servers, bastion hosts, or in cloud-based infrastructure.
A major benefit of this type of CASB is that it provides your organization with a great degree of control over the traffic going out of your system. Additionally, it can take action in real time if it detects any threats. However, since it basically acts as a doorman between users and your cloud applications, this type of CASB can significantly decrease your network speed if it isn’t implemented properly. For this reason, most of these solutions run from the cloud, where they can scale as traffic demand increases.
API-centric
These CASBs identify threats in the cloud by using API access to your SaaS applications. They make use of the native APIs of cloud applications to secure your cloud application data and access. The API-centric approach works in such a manner that it’s as though CASB is a feature of your own application.
This type of CASB not only enforces security on the periphery of your application; it works within the application itself without causing latency or other network issues. The major challenge of this approach is that the CASB does not work in real time until the API is called. This means that an API-based CASB will only work within the context of the cloud application it was built into and will stay dormant in other contexts.
To clarify, nothing prevents combining different implementations for better results. So you could use an agent-based CASB that runs from the cloud that also integrates API-centric features. Consolidating the benefits of each type of solution can help mitigate the inherent limitations of CASBs, a topic we’ll discuss below.
Shortcomings of CASBs
As with any other technology, CASBs have some drawbacks: One major aspect has to do with the fact that they’re cloud-based, and the other has to do with its implementation.
Cloud limitations
Almost all forward-thinking CASBs are now cloud-based. This means there are very few options available to legacy network users. That said, there are solutions that provide legacy network support with proxy-based CASB implementation.
But it’s not just legacy networks that limit the adoption of CASBs. As one recent survey highlighted, 98 percent of companies still use on-premise servers, meaning their systems are essentially walled off from the cloud. As a result, CASB solutions tend to struggle to meet the needs of these companies.
As mentioned earlier, some companies are legally required to keep data on premise or are otherwise prohibited from uploading data to the cloud. Some of these companies operate in critical sectors like aerospace, defense, and healthcare. If you’re part of a regulation-heavy industry, the choices are restricted: You can explore ways to move your data to cloud-based servers, which would open up a wide range of CASB solutions; or you can consider the limited options of on-premise CASB solutions.
Implementation difficulties
The multiple advantages that CASBs offer come at a cost — namely, complexity. Here’s an overview of the challenges associated with the implementation of this type of security solution.
- Their configuration is not simple: As mentioned, CASB deployment can be complex. It requires expertise in proxy auto-configuration, log collection, and many deployment tools in order to get it up and running. Furthermore, setting up CASB security rules is not a trivial task, which may lead to configuration errors that compromise its operation.
- CASBs become more complicated as the network grows: This is a direct consequence of the point above. Every time a new cloud service is added, users from a different location join, or usage patterns change, adjustments need to be made to the CASB configuration. This makes the already-challenging task of fine-tuning security rules even more complex.
- CASBs can restrict the wrong kind of traffic or user: Using machine learning-based behavioral pattern analysis of cloud data access and usage, CASBs can flag and restrict the access of any employee or third party that adheres to its previous models of anomalous behavior. However, this can backfire if the employee’s authorization has not been updated or synced with the cloud, or if their cloud application usage coincides with anomalous behavior. It can even lead to the user losing access simply because their device has been flagged or restricted before.
- Organizational resources are needed to manage and resolve CASB issues: Finally, CASBs need IT staff to keep them up and running, which is an additional cost that not all organizations can afford.
As you can see, CASBs are not perfect. However, that doesn’t mean your organization shouldn’t consider them; CASBs are effective in granting appropriate permissions to users at the time they authenticate, thus mitigating unauthorized access to cloud resources. In other words, its benefits can outweigh its limitations.
That being said, implementing CASBs in your organization far from guarantees impenetrable security against all types of cyber threats. This leads us to VPNs, which continue to be the top cloud security solution among enterprises, and how CASBs perform in comparison.
CASBs vs. VPNs
While CASBs are a step in the right direction toward cloud security, they’re not a silver bullet; your organization will need additional security layers to protect resources against cyberattacks. To that end, next-gen VPNs like Tailscale offer unique features that in some cases even overlap with those of CASBs — which begs the question of which is better between these solutions.
In this section, we’ll cover the differences between CASBs and VPNs when addressing different pain points that companies currently face.
Secure access for remote work
No one disputes the superiority of VPNs when it comes to safely accessing corporate data and applications. This is because they establish an encrypted tunnel for data exchange between the remote user and on-premise resources.
However, traditional VPNs are not designed to enforce cloud security policies, implement ACLs, or prevent malware. These are functions that are attributed to CASBs. In other words, CASBs are better for totally web-facing companies that use multiple applications and cloud services.
Security across users and devices
As we’ve discussed, CASBs make it easy to implement BYOD policies as well as secure access to cloud resources. However, CASBs may not be as good when data is on premise since they significantly impact connection performance, which is a dealbreaker for low latency use cases. In this sense, a VPN like Tailscale is the ideal solution since, being built on top of WireGuard® (more on this shortly), it has a low impact on connection speed.
Furthermore, Tailscale makes it easy for businesses to integrate with cloud servers, serverless apps, AWS RDS databases, corporate firewalls, web servers, and even popular network attached storage (NAS), such as Synology, QNAP, Unraid, FreeNAS, and more.
Cloud-based is the new norm
CASBs were basically designed to allow IT admins to manage data access over the cloud. While legacy VPNs take an all-or-nothing approach to access control, CASB tools encrypt cloud data with contextual access control to prevent unknown user access. Cloud-based access control is the new norm, and corporations and businesses are increasingly looking to transition to cloud-based solutions.
In short, CASBs offer advantages to organizations that extensively use third-party cloud-based applications, while VPNs like Tailscale provide unparalleled security when it comes to connecting remotely to either on-premise resources or to another user.
Furthermore, as repeatedly hinted at throughout this article, Tailscale offers features that go beyond traditional VPNs and even rival CASBs:
- Built on top of WireGuard: There is no doubt that WireGuard is the most advanced VPN protocol today since it allows incredible transfer speeds with low latency, secures traffic through cutting-edge end-to-end encryption, and has the ability to maintain a reliable connection even when changing networks. That said, Tailscale takes WireGuard to a new level by facilitating secure connections through agents that are installed on each device.
- Scalable: CASBs are difficult to scale, a drawback that Tailscale overcomes thanks to its point-to-point mesh network topology and cloud management. Each user only has to install the Tailscale agent on their device and log in, and they’ll be able to see the endpoints available to them on the corporate network. Behind the scenes, the security team decides which resources to add to the network as well as the access permissions and corresponding rules.
- SSO support: CASBs revolve around ensuring that only properly authenticated users can access sensitive resources. Unlike many VPNs, Tailscale has native support for popular single sign-on (SSO) providers such as Google, Microsoft, GitHub, Okta, OneLogin, and even custom OIDC and SAML providers. In other words, user authentication is also centralized and can be managed at the convenience of administrators, allowing users to be quickly blocked or restricted if necessary.
- Network access controls (ACLs): Another aspect where Tailscale and CASBs overlap is access control. Tailscale allows fine-grained control over access to network resources through its administrative console. From there, security teams can create groups, assign access rules, and more.
Ultimately, your choice between CASB and VPN is wholly dependent on your needs as an organization, but if you want the best of both worlds, Tailscale is a solution built upon the WireGuard framework, thus combining VPN capabilities with the very best features of a CASB.
Conclusion
CASBs have proven to be invaluable for businesses looking to enhance remote access for their workers. CASBs are one way you can ensure a workable solution for your cloud data access and security. Over the course of this article, you’ve learned about CASBs, why we use them, their benefits, and their limitations. You’ve also got an in-depth comparison between CASBs and VPNs, including WireGuard VPN.
Tailscale is a zero config VPN that lets you create a secure corporate network to support your development routine. It’s currently the most advanced VPN available on the market. As mentioned earlier, the great thing about Tailscale is that it performs most of the tasks delegated to CASBs with ease. You can quickly explore Tailscale now as it can run on all major platforms. To try it out, download Tailscale today.
FAQs
What are the major benefits of implementing CASB?
By acting as an intermediary between users and the sensitive data they access, CASBs help enforce a company’s security policies, ensure compliance, and limit access when necessary. CASBs can proactively monitor usage logs to detect suspicious patterns and trigger alerts, and they can track individuals’ device usage, a particular advantage when employees are using their personal devices for work.
How is a CASB different from a VPN?
Virtual private networks are designed to establish encrypted tunnels for remote data exchange, but not necessarily for enforcing cloud security policies or implementing access controls, which are typically the purview of CASBs. On the other hand, CASBs can cause latency and other performance issues compared to VPNs — especially when the CASB is implemented on-premise.
