Cloud access security broker (CASB) applications really started to gather steam in the early 2010s. They were designed to provide cloud and software-as-a-service (SaaS) applications with the security controls and protections organizations were used to with internally run information systems.
They needed the same level of auditing, access control, data governance, threat detection and prevention they could enforce when building IT applications or contractually when buying perpetual site licenses.
But much has changed since then and other tools have emerged, such as cloud workload protection platforms (CWPP). Here are some of the top trends in CASB and CWPP categories:
1. Expanding attack surface
The network perimeter from the pre-cloud era is now just one of many areas of modern networks.
As enterprises move to the cloud, they must protect four additional perimeters, because one successful penetration on the right resource can lead to a major incident, as exploits can move farther, faster.
In fact, the security industry has many examples of damage that can be done in a mere 60 seconds or less:
- Data perimeters can allow unauthorized users to read, modify, delete, or download your private data directly from the internet.
- Compute perimeters can allow external entities to run code in your environment, exploiting software vulnerabilities to compromise workloads.
- Messaging perimeters can allow external entities to receive and send messages to private systems that can trigger code or transport malicious payloads to downstream applications.
- Identity perimeters can allow external entities full control over your virtualized data center when privileged identity and access management (IAM) users, roles, and access keys are compromised.
“When thinking about how to protect cloud workloads, the overarching trend organizations need to consider is the expanding attack surface in the cloud and how to reduce it,” said Matt Ambroziak, director of sales engineering at Virsec.
2. CASB acquisitions
The initial goals of CASB applications meant that vendors in the market had to have every competence in the security playbook.
They needed broad security capabilities, support for many SaaS applications, and support for multiple deployment modes (API, proxy, endpoint). That breadth proved hard to sustain and led to a scaling back of functions: CASB settled primarily on data loss prevention (DLP) for SaaS applications.
Yet, many buyers were still looking for threat detection and access control capabilities for SaaS applications. According to surveys, more than 25% of organizations that bought a CASB solution were unhappy with their investment.
That, in turn, generated a rash of acquisitions. For example, McAfee (Skyhigh), Microsoft (Adallom), and Proofpoint (FireLayers) integrated CASBs into their cloud security offerings.
“This practically killed the CASB as it was known and merged it into broader offerings, such as unified DLP/secure web gateways (SWG),” said Boris Gorin, co-founder and CEO at Canonic Security.
Gorin added that CASBs have largely been unbundled into dozens of offerings, each focusing on one of the capabilities at the core of the original CASB promise: authorization via cloud infrastructure entitlement management (CIEM), configuration management via SaaS security posture management (SSPM), and threat detection and response.
3. Cloud workload protection platform emerges
Another direction taken by some in the CASB field has been toward the cloud workload protection platform (CWPP).
These platforms are an answer to trends such as nation-state threat actors shifting their focus to attacking the cloud. Most recently, CrowdStrike discovered the cr8escape zero-day vulnerability in the Kubernetes container engine CRI-O, which, if exploited, could allow attackers to execute malware, exfiltrate data, and move laterally.
“It is becoming increasingly crucial for organizations who use container technology on a daily basis in their software development processes to couple that with proper cloud workload protection platforms,” said Patrick McCormack, SVP of platform engineering at CrowdStrike.
“Cloud workload protection enables organizations to see which hosts could be affected by an attack and patch to aid against exploitation in order to better defend against supply chain attacks, like the Sunburst attack.”
McCormack added that the most common causes of cloud intrusions continue to be human errors, such as omissions introduced during routine administrative activities. It is therefore important to set up new infrastructure with default patterns that make secure operations easy to adopt, so that new accounts are provisioned in a predictable manner and common sources of human error are eliminated.
As companies continue rapid adoption of public cloud deployments, even the best security intentions can fall short, due to a reliance on overly permissive default settings and configurations. A number of high-profile breaches have been traced back to the adversary gaining access by exploiting those types of accidental misconfiguration. These misconfigurations come in all shapes and sizes: they range from legacy systems, stale accounts, and improper administrative privileges to plain-text passwords on network shares, insecure service accounts, and services run on hosts with multiple admins.
“As businesses begin to rely more and more on cloud computing, it’s becoming increasingly vital to properly configure cloud deployments with security as a top-of-mind priority,” McCormack said.
“Proper cloud security posture management helps organizations effectively identify and respond to these cloud security issues.”
4. CASB integration
But not everyone thinks that CASB functions are being absorbed by other tools.
CASB has been a laggard in adoption due to its lack of full-scale, comprehensive integration with other essential cloud security and networking services, such as zero-trust network access (ZTNA), SWG, firewall as a service (FWaaS), and software-defined WAN (SD-WAN).
“This has meant that few enterprises have been able to fully take advantage of a complete CASB solution, exposing businesses to vulnerabilities, which can easily be avoided,” said Michael Wood, CMO at Versa Networks.
“A new level of genuine integration is now available and will drive CASB adoption to reach a watershed moment in the coming months.”
5. Best practices remain vital
Cloud workload protection platforms and CASB remain important. But technology can’t take the place of rigorous implementation of best practices to reduce the attack surface in the cloud, said Ambroziak with Virsec:
- Deploy proper network segmentation and security. Establish security zones in each of your environments and allow traffic through the firewall for only what is needed and scoped. At a minimum, have a separate VPC for each application and environment but also consider assigning each application environment (development, staging, and production) its own cloud account.
- Take advantage of the principle of least privilege. Assign access and resources with purpose. For instance, a developer just deploying code should not have administrative rights across the entire cloud account. Nor should a developer have continuous access to a production environment. Give them exactly what they need and nothing more. There are tools available to help scope accounts and users appropriately.
- Minimize the install base on computer resources. Install what you need, remove what you don’t. For example, with containers, only install the packages and libraries that your application needs to run. Anything superfluous an attacker can use against you.
- Patch software to fix vulnerabilities. Patching is essential, but it doesn’t address every vulnerability. It depends on the vulnerability already being known; if you are running a version of software with a zero-day, a patch does nothing for you. And once a patch is published, it’s a race against time to apply it before an attacker has an opportunity to find and exploit that vulnerability in a system.
- Stop attacker-influenced code with runtime protection. With all this said, exploits still happen and errors occur. True runtime protection acts as a safety net. It enforces what your application should be doing and stops what it shouldn’t be doing in real-time — before an attack happens. Adversaries are blocked before they can exploit a software vulnerability, known or unknown, or take advantage of misconfigurations, outdated security policies, improperly scoped access rights, and insufficient identity or credential management. Dwell time is non-existent, so threat actors never have a chance to install malware or exfiltrate data. And you gain air cover and time to make updates, while still being protected.
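The first two practices above (network segmentation and least privilege) are the ones most easily checked mechanically before a workload goes live. The following Python script is an added example, not code from the article or from any vendor quoted in it: it audits a constructed snapshot of one cloud account for ingress rules that expose anything beyond an allowlisted port to the whole internet, and for IAM policy statements that grant wildcard actions on wildcard resources. The snapshot layout (security groups with ingress rules, policies in the common JSON statement shape), the `ALLOWED_PUBLIC_PORTS` set, and all names and CIDRs in it are assumptions made for illustration; a real audit would populate the same structures from the provider's API.

```python
"""Added example: audit a constructed cloud-account snapshot for two of the
best practices named in the article, network segmentation and least privilege.
The snapshot format and every value in it are assumptions, not real data."""
import ipaddress
from typing import Dict, List

# Ports an internet-facing edge may expose (assumption: HTTPS only).
ALLOWED_PUBLIC_PORTS = {443}
ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")

# Constructed snapshot of one account. Names, CIDRs, and the account id
# 123456789012 are placeholders.
SNAPSHOT = {
    "security_groups": [
        {"name": "web-edge", "ingress": [
            {"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443, "proto": "tcp"},
        ]},
        {"name": "db-tier", "ingress": [
            {"cidr": "10.20.0.0/16", "from_port": 5432, "to_port": 5432, "proto": "tcp"},
            {"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22, "proto": "tcp"},
        ]},
        {"name": "legacy-admin", "ingress": [
            {"cidr": "::/0", "from_port": 0, "to_port": 65535, "proto": "-1"},
        ]},
    ],
    "iam_policies": [
        {"name": "deployer", "Statement": [
            {"Effect": "Allow", "Action": ["ecs:UpdateService", "ecs:DescribeServices"],
             "Resource": "arn:aws:ecs:*:123456789012:service/staging/*"},
        ]},
        {"name": "dev-break-glass", "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"},
        ]},
        {"name": "log-reader", "Statement": [
            {"Effect": "Allow", "Action": ["logs:*"], "Resource": "*"},
            {"Effect": "Deny", "Action": "*", "Resource": "*"},
        ]},
    ],
}


def _is_world(cidr: str) -> bool:
    """True when a CIDR is the whole IPv4 or IPv6 internet."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net == ANY_V4 or net == ANY_V6


def audit_segmentation(groups: List[dict]) -> List[str]:
    """Flag ingress rules that let the whole internet reach non-allowlisted ports."""
    findings = []
    for g in groups:
        for r in g["ingress"]:
            if not _is_world(r["cidr"]):
                continue  # an internal CIDR is segmentation working as intended
            ports = range(r["from_port"], r["to_port"] + 1)
            all_ports = r["proto"] == "-1" or len(ports) == 65536
            if all_ports:
                exposed = "all ports"
            else:
                exposed = ",".join(str(p) for p in ports if p not in ALLOWED_PUBLIC_PORTS)
            if exposed:
                findings.append(f"{g['name']}: {r['cidr']} may reach {exposed}")
    return findings


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def audit_least_privilege(policies: List[dict]) -> List[str]:
    """Flag Allow statements granting wildcard actions on every resource.

    Only Effect=Allow is examined; a Deny with wildcards narrows access.
    A scoped ARN containing '*' segments is not treated as a wildcard resource."""
    findings = []
    for p in policies:
        for s in p["Statement"]:
            if s.get("Effect") != "Allow":
                continue
            actions = _as_list(s.get("Action", []))
            resources = _as_list(s.get("Resource", []))
            wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
            wild_resources = [r for r in resources if r == "*"]
            if wild_actions and wild_resources:
                findings.append(f"{p['name']}: allows {wild_actions} on {wild_resources}")
    return findings


def run_audit(snapshot: dict) -> Dict[str, List[str]]:
    """Run both checks and return findings keyed by practice."""
    return {
        "segmentation": audit_segmentation(snapshot["security_groups"]),
        "least_privilege": audit_least_privilege(snapshot["iam_policies"]),
    }


if __name__ == "__main__":
    for practice, items in run_audit(SNAPSHOT).items():
        print(f"[{practice}] {len(items)} finding(s)")
        for item in items:
            print("  -", item)
```

Run against the constructed snapshot, the script reports SSH on the database tier and an any-protocol rule on the legacy group as segmentation findings, and the break-glass and log-reader policies as least-privilege findings, while the HTTPS edge rule, the internal Postgres rule and the scoped deployer policy pass. Wiring the same two functions into a pre-deployment pipeline is one way to turn the "default patterns that make secure operations easy to adopt" that McCormack describes into an enforced gate rather than a guideline.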