VPNs have been around for over two decades. While they still play a very important role in the security landscape, there are a couple of new kids on the block rapidly gaining ground. They are, of course, software defined perimeter (SDP) and cloud access security brokers (CASB). If you haven’t heard much about them, you soon will.
Remote access has become a huge sticking point for many organizations. With so many employees suddenly accessing applications and data from home, collaborating with colleagues using numerous online tools, and spending hours each week on video conferences, corporate networks have been stretched to their breaking point. Not only do these networks need to evolve, the IT teams running them need better tools to see, control and manage the data that employees are accessing. Reducing risk while enabling productivity is an enormous challenge.
With all of that in mind, it’s vital that IT teams make the best decisions possible when investing in a new remote access tool. Should it be a VPN, an SDP or a CASB? In this post let’s take a look at the CASB to see exactly what it is, and when it might be right for your organization.
What is a CASB?
The ‘C’ in CASB tells us a lot about its sweet spot. Being designed to help IT administrators manage applications and data in the cloud, CASBs are particularly good at monitoring cloud service usage within an enterprise. As an extension of that monitoring capability, CASBs can be used to implement policy controls that ensure those cloud services are being used securely. These tools are basically a hub for the authentication and encryption of data that goes to the enterprise’s endpoint devices (typically laptops, tablets and smartphones).
Prior to the appearance of CASBs, which first started gaining traction five years ago, the tools that most enterprise security managers used could not provide visibility into what was happening on external networks. For example, they couldn’t see whether enterprise data was protected or at risk, and they had very limited control over what those endpoint devices were doing.
Fast forward to today, and almost one in five large enterprises uses a CASB to control at least some cloud services.
Some of the most popular CASBs today come from McAfee, Netskope and Symantec, but there are many more. Their quality and features vary significantly, but in general they should all offer the following features:
- Visibility into cloud-based application usage on every endpoint device in the organization
- Tools to ensure that all application data is stored securely in the cloud
- Tools to ensure regulatory compliance
- Threat protection, to ensure a low risk of breach for any data stored in the cloud
In practice this means that IT teams using a CASB should be able to ‘see’ all sanctioned and unsanctioned (i.e. Shadow IT) cloud service usage. They should also be able to pinpoint individual users and endpoint devices, and either allow or deny access to specific cloud services.
CASBs should also offer access controls that let IT teams set up policies to alert on, block or quarantine risky or dangerous cloud usage. They also need to cover the basics, such as threat intelligence and anti-malware capabilities, while some of the more sophisticated ones include behavioral analytics.
Is CASB right for your organization?
Credit where credit is due, CASBs are a great tool for certain organizations and certain use cases. Are they right for your organization? There’s an easy way to find out. Gartner recently released a report, “Solving the Challenges of Modern Remote Access,” which posed this exact question. When choosing between a VPN, an SDP or a CASB solution, just ask yourself the following:
“Are 100% of your applications – e.g. SaaS, O365, etc. – hosted on the public web?”
If every one of your applications (and its data) is hosted on the public web, then yes, a CASB is a viable option for your organization’s remote access needs.
However, as the decision tree below shows, if, like 98% of organizations today, you still maintain some kind of on-premise or private cloud resource, then the best solution for your needs will be a VPN, an SDP, or possibly a combination of the two.
Mobile VPNs not only offer protection for critical data; their ability to enable split tunneling, data compression and application persistence can actually improve user experience. Likewise, SDPs offer the granular policy controls made possible by their zero trust roots, which CASBs simply cannot provide.
Whether to adopt a VPN, an SDP or a CASB can quickly be determined by looking at the resources these tools will need to protect. Are they hosted in the public cloud? Or in the private cloud? Or maybe on-premise? How will this change over the next two to five years?
By asking just a few questions, finding the best remote access solution for your organization’s needs may be the easiest decision you’ll make all day.