Over the last year, I’ve been asked many times about Cloud Access Security Brokers (CASBs). Even if people don’t use those words, the topic comes up over and over. This blog is a quick reference to discuss cloud authentication, Single Sign-On (SSO) and other related technologies.
What is a CASB?
A CASB is a centralized access management solution. At its heart, a CASB stores an account and password for every user. The CASB then integrates with the organization’s applications: O365, Quickbooks, Active Directory, Google, Expensify and others. Once the user account is associated with an application, the user has seamless access with a single login account. The CASB stores logs related to user creation, modification and termination as well as access logs for all the associated applications.
CASBs integrate with applications in 3 ways:
Master Account / Password
In the least secure, least integrated example, a master account and password is used for all users to access the application. The equivalent of a “shared account”, CASBs offer this option for single-user or low security applications. Beware – using this method for sensitive or confidential information can result in unsecured data.
User Account / Password
In the next most secure example, individual user accounts are matched up between the CASB and the application the user is accessing. John Doe in the CASB is matched up with John Doe in the application and passwords must match. Some applications allow the CASB to enforce password policies and reset passwords. Be careful to choose one that allows users to manage application passwords to avoid unnecessary support calls.
The most secure version of a CASB integrates user creation, management and termination from the CASB. For fully integrated applications, the CASB provisions new user accounts, manages permissions and revokes access. John Doe’s account in the CASB auto-creates John Doe’s account in the application and manages passwords via the CASB’s password policy. Be careful to choose a CASB that integrates with YOUR applications.
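Whichever of the three integration levels an application uses, its accounts can be reconciled against the CASB directory. The following is an added example, not part of the original post and not any vendor's API; the record layout, the mode names and the sample data are constructed assumptions.

```python
"""Reconcile application accounts against a CASB directory (constructed data)."""

# Constructed sample: CASB directory keyed by login. "active" becomes False
# once the user has been terminated in the CASB.
CASB_USERS = {
    "jdoe":   {"active": True},
    "asmith": {"active": False},   # terminated
}

# Constructed sample: accounts exported from three applications.
# "mode" is the integration level: "master", "matched" or "provisioned".
APP_ACCOUNTS = [
    {"app": "expenses", "mode": "master",      "login": "shared-admin", "enabled": True},
    {"app": "mail",     "mode": "provisioned", "login": "jdoe",         "enabled": True},
    {"app": "mail",     "mode": "provisioned", "login": "asmith",       "enabled": False},
    {"app": "books",    "mode": "matched",     "login": "asmith",       "enabled": True},
    {"app": "books",    "mode": "matched",     "login": "contractor1",  "enabled": True},
]


def audit(casb_users, app_accounts):
    """Return a sorted list of (app, login, finding) tuples."""
    findings = []
    for acct in app_accounts:
        if not acct["enabled"]:
            continue  # disabled accounts grant no access
        app, login = acct["app"], acct["login"]
        if acct["mode"] == "master":
            # Shared credential: activity cannot be attributed to one person.
            findings.append((app, login, "shared-master-account"))
            continue
        user = casb_users.get(login)
        if user is None:
            # Exists in the application but not in the CASB directory.
            findings.append((app, login, "no-casb-identity"))
        elif not user["active"]:
            # Terminated in the CASB, still enabled in the application.
            findings.append((app, login, "enabled-after-termination"))
    return sorted(findings)


if __name__ == "__main__":
    for app, login, finding in audit(CASB_USERS, APP_ACCOUNTS):
        print(f"{app:10} {login:14} {finding}")
```

In this sample the fully provisioned application produces no findings, while the matched and master-account applications each surface accounts that the CASB cannot revoke on its own.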
What a CASB isn’t
Don’t confuse your in-house SSO solution or a simple Active Directory (AD) integration with a true CASB. A CASB, if configured correctly, is the center of your authentication universe. Extensions of AD or other approaches may give you some password management capabilities, but a true CASB logs all authentication activities across your ecosystem and gives you centralized security control.
When to Use a CASB
If you aren’t using one today, you should consider it immediately. CASBs are often inexpensive and easy to configure. You must plan your implementation well and test everything, but it is better to begin now than to let your complexity grow, or worse, allow a breach. Done correctly, your users will have fewer passwords to remember and your company will have greater control over digital assets.
Startups and small companies should consider beginning with a CASB before setting up any other centralized account management. Often the CASB can help auto-provision new employees and can be the foundation for your entire IT environment.
If a CASB isn’t part of your infrastructure today, it will be – or should be. CASBs are and will be a core technology supporting your security and compliance in the future. Companies like centrexIT using technologies like Okta can help you achieve your goals. Don’t take the CASB lightly. It holds the keys to your castle.