CASB
Getting Started with CASB
How Cloud Access Security Brokers Can Help Manage People-Based Risk, Apps and Data in the Cloud
proofpoint.com
GETTING STARTED WITH CASB \ E-BOOK
Introduction:
Hybrid Work, Digital Transformation and the Cloud
The cloud has been a game-changer for modern business. Cloud platforms and services are key enablers of today’s remote, hybrid and mobile workforce. They make business more agile, workplaces more flexible and operations more efficient.

But the cloud is also a game-changer for cybersecurity. Users, apps and data no longer sit behind your network perimeter. Your people share sensitive data without oversight. And cyber criminals can compromise user cloud accounts to steal funds and valuable data.

What is a CASB solution?
Gartner defines CASB as “products and services that address security gaps in an organization’s use of cloud services.”1 While most cloud providers and platforms offer some limited security features, CASBs provide broad visibility into your users, cloud apps and data.

With a CASB, you can extend your corporate security policies to the cloud. You can also get a consolidated view of user and data activity to help manage and secure it from a single location.
Table of Contents
3 Benefits By Industry
[Chart: “Data loss/leakage” and “Data privacy/confidentiality”, 2020 compared with 2021, axis 0 to 80]
CASBs provide visibility into and control over shadow IT to limit people-related risk.
CASBs help you detect and respond to unusual account activity, which may indicate
compromised credentials. CASBs also help deploy and enforce policies to protect
cloud accounts and data.
CASBs can increase visibility into how your people handle data and can improve
data security through policies that control access to cloud services based on device,
application, user risk and more.
Combining CASB with an enterprise DLP solution offers added security for risk
vectors such as email, endpoint, cloud, network file shares and the web. Integrating
your CASB with an insider threat management (ITM) solution can offer even
stronger protection.
Used with archiving, e-discovery and content supervision solutions, a CASB can
reduce cloud and data security headaches at audit time.
A CASB can help you avoid breaches that stem from cloud misconfigurations.
“The pace of client inquiry indicates that CASB is a popular choice for cloud-using organizations...
CASB’s growth remains higher than any other information security market.”
For the CISO, security director, (cloud) security architect, security engineer or security operations manager

You are likely concerned most with:
• Cloud threats that can hurt financials and brand reputation
• Cloud data loss and intellectual property (IP) theft
• Unauthorized access to cloud data and services
• Enabling hybrid work to keep users productive in any environment
• Increasing adoption of IT-approved cloud apps through secure access controls
• Simplifying collaboration and data sharing among remote, hybrid and on-site users

Here’s how a CASB can help:
• Stop cloud threats before they do damage to company credibility
• Reduce exfiltration of valuable and sensitive information
• Contain “shadow IT”
• Simplify and secure access to cloud apps through people-centric, adaptive access controls
• Simplify collaboration while protecting sensitive data in the cloud with data-access and sharing controls
• Discover and categorize cloud apps and identify cloud usage
Benefits By Industry
Every industry and organization is unique. Here’s how a people-centric CASB can benefit yours.
• 95% of organizations were targeted
• 52% of organizations had at least one compromised account
• 32% of compromised organizations had post-access activity, such as file manipulation, email forwarding, and OAuth app activity
• 10% of organizations had authorized malicious OAuth apps
Use case 1:
Cloud threat protection
Today’s attacks target people, not technology. This is just as true for the cloud
as it is on premises. As businesses move their messaging and collaboration
platforms from the corporate network to the cloud, they become vulnerable to
attack.
Cyber criminals tend to target popular SaaS applications like Microsoft 365
and Google Workspace. Just about everyone at your company uses these
applications, and they hold the key to business communication and vital data.
Attackers use a variety of techniques to compromise cloud account credentials
and take advantage of vulnerable users.
Geofencing, or blocking network traffic from problem areas, goes only so far.
That’s because many threats originate from within an organization’s own country
or region. And geofencing may just not be an option for global companies or
those whose workers travel to foreign locations.
Ransomware
Ransomware is one of today’s most disruptive forms of cyber attack. With just a
single username and password—especially for cloud apps such as Microsoft 365
or Google Workspace—a ransomware operator can launch attacks inside and
outside of your organization.
A modern CASB gives you the visibility to surface the lateral spread or risk to
your data because of a compromised account. You can see whether a suspicious
login is correlated to an account that sends malicious emails. You’ll be alerted if
an attacker tried to install persistent access through setting email forwarding and
delegation rules or by using OAuth tokens. And you can easily learn what suspicious
file activity occurred.
Research shows that more than 31% of organizations or groups using cloud
services experienced account compromise that started with phishing campaigns.2
To cover their tracks, attackers sometimes leverage virtual private networks
(VPNs) or TOR nodes, which preserve a user’s privacy and identity. These
connection methods can get past certain network access controls used in Office
365, as well as user authentication based solely on location.
Email account compromise (EAC) and business email compromise (BEC) are
forms of phishing that target businesses and people who perform wire transfer
payments or have access to confidential employee data, such as W-2 tax forms.
Cyber criminals typically pose as executives or business partners to prey on
victims’ trust.
2 Proofpoint research.
[Chart legend: Nigeria, South Africa, United States (via VPNs), Other. Source: Proofpoint]
[Charts: “Top 15 Countries: Percentage of Targeting Attempts (including proxy sources)” and “Top 15 Countries: Percentage of Successful Compromise (including proxy sources)”. Source: Proofpoint research]
Cloud-based file storage apps are common exfiltration points. Our data shows
customers are especially concerned about exfiltration to personal cloud storage
and USB devices.
But without content awareness, organizations have a hard time knowing whether
sensitive data is being moved to personal cloud storage accounts, possibly
against policy, or corporate cloud accounts. And without behavior awareness,
they can’t tell the difference between users who are malicious, negligent or
compromised.
Compliance
When you move data to the cloud, compliance with government regulations and industry mandates becomes more difficult than ever before. Compliance requirements are constantly changing, with a growing emphasis on data security, privacy and sovereignty.

The data types that are of most concern are customer or employee personally identifiable information (PII) such as Social Security numbers or date of birth, consumer payment card information (PCI), and protected health information (PHI) such as medical records. Noncompliance can lead to significant financial penalties and potential damage to your reputation and brand.

Getting visibility into your cloud apps, identifying and classifying data in the cloud, and preventing unauthorized sharing are essential to minimize your compliance risk.

SHARING IS SCARING
Among the cloud accounts we’ve studied:
• 13% have broad sharing permissions (external and internal)
• 5% are shared with personal accounts that use popular email services

CASB policy parameters should include user roles, risks associated with the login
and contextual information such as user location, device health and others. For
example, organizations in highly regulated sectors such as healthcare have strict
policies about accessing sensitive data from unmanaged or risky devices.
To get started, study how data is handled by your cloud apps and understand
your organization’s specific data security objectives and use cases for data
identification, file remediation, forensics and reporting.
The right CASB solution should allow you to deploy cloud DLP policies consistent
with those for email and on-premises file repositories. It should also be able to
integrate with other DLP solutions and enable you to unify incident management.
All of this can have a serious impact on your brand reputation and your bottom line. Here are just a few examples.

Education is most vulnerable
Cyber criminals see school districts, colleges and universities as “easy prey,” with large numbers of students and faculty and decentralized security operations.
The attack: Seventy percent of all educational institutions using cloud services have experienced account takeovers that originated from IMAP-based brute-force attacks. Common titles among those targeted include “Professor” and “Alumni.”

Sensitive data and IP theft
The attack: The cloud account of the CEO of a major airline was compromised.
The aftermath: Within six days, 40,000 files were downloaded.

Wire fraud in real estate
The attack: According to the FBI, the real estate sector is the most heavily targeted industry for wire fraud. Threat actors compromised Microsoft 365 accounts in a 75,000-employee real estate investment firm. Five executives had their accounts taken over.
The aftermath: With access to the executive’s email, attackers changed ABA bank routing numbers and siphoned off more than $500,000.
DLP terms
Here’s a list of key DLP capabilities for identifying regulated data.
Identifiers: Predefined regular expressions or algorithms that can be used to identify specific number patterns or character string patterns, which may include mathematical formulas, such as the Luhn algorithm, a modulus 10 algorithm used to identify valid credit card numbers.

Dictionaries, keywords: Collections of words and/or phrases. These are often aligned for a specific regulation or industry such as healthcare, HIPAA, financial, PCI and other related terms.

Proximity matching: A match condition based on how far apart two identifying entities may be. For example, a regular expression and dictionary keyword may have a proximity setting of up to 20 words, which tells the policy to be enforced when the expression and keywords are within 20 words of one another but no more.

Contextual matching: A method of data matching based on factors that don’t include the document contents. These external factors may include document header, document size and document format.

Document fingerprinting: Identifies when blocks of texts or forms need to be identified for DLP. Algorithms map documents and files to shorter text strings.

Exact data matching (EDM): A capability that ingests specific database fields and looks for the exact contents of those fields when applying DLP—often used in healthcare to identify documents with specific patient record numbers.

Optical Character Recognition (OCR): The ability to recognize text contained in an image. Often used to identify sensitive information contained within scanned forms or documents.
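
How an identifier, a dictionary and proximity matching combine into one rule is shown below as an added example (not Proofpoint code): a card-number pattern is validated with the Luhn check and reported only when a keyword lies within 20 words. The regular expression, the keyword list and the function names are assumptions made for illustration.

```python
import re

# Identifier: 13-19 digits with optional single space/hyphen separators (assumed pattern).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Dictionary: sample PCI-related keywords (assumed list).
DICTIONARY = {"card", "visa", "mastercard", "cvv", "expiry", "payment"}
PROXIMITY = 20  # words; the setting used as the example in the text


def luhn_valid(number):
    """Modulus-10 check: double every second digit from the right and sum."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9  # same as adding the two digits of the product
        total += d
    return len(digits) >= 13 and total % 10 == 0


def find_card_matches(text, proximity=PROXIMITY):
    """Return Luhn-valid card numbers lying within `proximity` words of a keyword."""
    words = list(re.finditer(r"\S+", text))
    keyword_pos = [i for i, w in enumerate(words)
                   if w.group().strip(".,:;()").lower() in DICTIONARY]
    hits = []
    for m in CARD_RE.finditer(text):
        if not luhn_valid(m.group()):
            continue  # right shape, wrong checksum: not a card number
        # Word index at which the number starts.
        pos = next(i for i, w in enumerate(words) if w.start() <= m.start() < w.end())
        if any(abs(pos - k) <= proximity for k in keyword_pos):
            hits.append(re.sub(r"\D", "", m.group()))
    return hits


if __name__ == "__main__":
    # Constructed sample text; 4111 1111 1111 1111 is a widely used test number.
    sample = ("Please charge my Visa card 4111 1111 1111 1111 today. "
              "Shipment reference 4111 1111 1111 1112 was delayed.")
    print(find_card_matches(sample))
```

The Luhn check removes most random digit strings, and the proximity condition removes valid-looking numbers that appear with no payment context, which is why DLP policies usually combine the two.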
CASBs catalog cloud services (including third-party OAuth apps), rate the risk level
and overall trustworthiness of cloud services and assign them a score. CASBs
even provide automated access controls to and from cloud services based on
cloud service risk scores and other parameters, such as app category and data
permissions.
Most OAuth apps request permission to access and manage user information and
data and sign into other cloud apps on the user’s behalf. For example, they can
access users’ files, read their calendars, send emails on their behalf and more.
These add-on apps use OAuth authentication to obtain limited access to cloud
services. OAuth enables a user’s account information or data to be used by apps
without exposing the user’s password. OAuth works over HTTPS. It uses access
tokens (rather than login credentials) to authorize devices, APIs, servers and
applications. OAuth apps can be added to an entire domain or to an individual
user account.
Unfortunately, OAuth apps can easily be exploited. Attackers can use OAuth
access to compromise and take over cloud accounts. Until the token is explicitly
revoked, the attacker has persistent access to the user’s account and data.
Given the broad permissions they can have to your core cloud applications,
OAuth apps have become a growing attack surface and vector. Attackers use
various methods to abuse OAuth apps, including compromising app certificates,
a method that was also used in the SolarWinds/Solorigate campaign.
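
The correlation described in the Ransomware section (a suspicious login followed by forwarding rules, delegation or OAuth tokens) and the persistent OAuth access described above can be expressed as a small detection rule. This is an added example, not Proofpoint code; the event fields, baseline, domain, scope list and 24-hour window are assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta

CORP_DOMAIN = "corp.example"                 # assumption: the tenant's own mail domain
BASELINE = {"alice": {"US"}, "bob": {"US"}}  # assumption: usual sign-in countries per user
BROAD_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All"}  # assumed "broad" set
WINDOW = timedelta(hours=24)                 # assumption: correlation window

# Constructed audit events; the field names are hypothetical, not a vendor schema.
EVENTS = [
    {"ts": "2021-11-02T08:00:00", "user": "alice", "type": "login", "country": "US", "anonymizer": False},
    {"ts": "2021-11-02T08:30:00", "user": "alice", "type": "forwarding_rule", "target": "alice@partner.example"},
    {"ts": "2021-11-02T09:15:00", "user": "bob", "type": "login", "country": "US", "anonymizer": True},
    {"ts": "2021-11-02T09:20:00", "user": "bob", "type": "forwarding_rule", "target": "drop@mail.example"},
    {"ts": "2021-11-02T09:40:00", "user": "bob", "type": "oauth_grant", "app": "PDF Helper",
     "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"ts": "2021-11-02T09:45:00", "user": "bob", "type": "oauth_grant", "app": "Calendar Sync",
     "scopes": ["Calendars.Read"]},
    {"ts": "2021-11-04T10:00:00", "user": "bob", "type": "delegation", "target": "eve@corp.example"},
]

def suspicious_login(e):
    """A sign-in through a VPN/Tor exit, or from a country outside the user's baseline."""
    return e["anonymizer"] or e["country"] not in BASELINE.get(e["user"], set())

def persistence_detail(e):
    """Describe the event if it can give lasting access to the account, else None."""
    if e["type"] == "forwarding_rule" and not e["target"].endswith("@" + CORP_DOMAIN):
        return "external forwarding to " + e["target"]
    if e["type"] == "delegation":
        return "mailbox delegated to " + e["target"]
    if e["type"] == "oauth_grant" and BROAD_SCOPES & set(e["scopes"]):
        return "OAuth app '%s' granted %s" % (e["app"], sorted(BROAD_SCOPES & set(e["scopes"])))
    return None

def correlate(events):
    """Alert on persistence actions within WINDOW after a suspicious login by the same user."""
    last_bad, alerts = {}, []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "login":
            if suspicious_login(e):
                last_bad[e["user"]] = ts
            continue
        detail = persistence_detail(e)
        if detail and e["user"] in last_bad and ts - last_bad[e["user"]] <= WINDOW:
            alerts.append((e["user"], detail))
    return alerts

if __name__ == "__main__":
    for user, detail in correlate(EVENTS):
        print(user, "->", detail)
```

An alert on an OAuth grant should lead to revoking that app's tokens as well as resetting the password, since the grant outlives a password change.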
Forward proxy
In this “first-mile” inline deployment, the CASB intercepts user traffic to govern
application access and apply data controls. It can route traffic using any one of a
number of techniques, such as DNS redirect, firewall-enabled forwarding, proxy
auto-configuration (PAC) files or endpoint agents.
Reverse proxy
As a “last-mile” inline deployment, a reverse proxy deployment puts the CASB in
front of the cloud service. After they’ve been authenticated through an
identity-as-a-service (IDaaS) provider, users are directed to the CASB, which in turn manages
access to the cloud application. Reverse-proxy deployments can apply controls
such as step-up authentication.
API mode
In this deployment, the CASB uses out-of-band application programming
interfaces (APIs) to receive and analyze cloud traffic data such as log events, data
files, user activity and more. The CASB enforces security policy and remediates
access issues with features such as:
• High-privilege users
• Users targeted by an unusually high volume or highly sophisticated attacks
• Users shown to be especially susceptible or vulnerable to phishing tactics
• DLP, threats, OAuth apps governance for API-connected apps
• IAAS protection
• Detect and remediate in near real time

• Shadow IT discovery
• Audit traffic logs and risk score apps
• On-demand and ongoing

• Access (SAML) for approved apps
• Detect, block and enforce (MFA, VPN) in real time
• Any device (agentless)

• DLP (SaaS Iso) for approved apps
• Detect and prevent in real time
• Any device (agentless)

• Access governance and DLP for approved, tolerated and unapproved apps
• Detect and prevent in real time
• Managed device (agent)

All Devices
Managed Devices
This level of visibility and control enables you to keep threats at bay, protect your
information assets and stay compliant. Proofpoint provides the only CASB to meet
the needs of security people serious about cloud threats, data loss and time-
to-value. Proofpoint CASB is built on an agentless cloud security architecture. It
protects your most valuable cloud assets and accelerates your migration to the
cloud.
• Detect and remediate account takeover
• Adaptive controls, including multifactor authentication (MFA), to protect from unauthorized access to IT-approved cloud apps
• Advanced malware protection powered by Proofpoint TAP

• Discover sensitive data
• Monitor risky, excessive data sharing
• DLP unified across email, endpoint, on-premises file shares and web channels

• Identify and audit cloud app usage (including shadow IT)
• Detect and mitigate malicious third-party (OAuth) apps
• Cloud security posture management
Learn More
Find out how we can help you move forward more confidently with your cloud strategy at
proofpoint.com/us/products/cloud-security/cloud-app-security-broker
LEARN MORE
For more information, visit proofpoint.com.
ABOUT PROOFPOINT
Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions,
Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organizations of all sizes, including more than
half of the Fortune 1000, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is
available at www.proofpoint.com.
©Proofpoint, Inc. Proofpoint is a trademark of Proofpoint, Inc. in the United States and other countries. All other trademarks contained herein are property of their respective owners. Proofpoint.com
0505-001-01-02 11/21