MY TAKE: CASBs help companies meet ‘shared responsibility’ for complex, rising cloud risks

By Byron V. Acohido

Cloud Access Security Brokers, aka “caz-bees,” have come a long way in a short time.

CASBs, a term coined by tech industry consultancy Gartner, first cropped up about seven years ago to help organizations enforce security and governance policies as they commenced, in earnest, their march into the cloud.


CASBs supplied a comprehensive set of tools to monitor and manage the multitude of fresh cyber risks spinning out of the rise in corporate reliance on cloud services. In doing so, CASBs became the fastest growing security category ever, as declared by Gartner. Yet, somehow, catastrophic cloud breaches continued to occur, à la Capital One recently losing 100 million customer records kept in its Amazon Web Services S3 data storage buckets.

I had the chance to speak with Mahesh Rachakonda, vice president of products and solution engineering at CipherCloud, a San Jose, CA-based CASB, about this. We met at Black Hat 2019 and had a wide-ranging discussion about the complex challenges companies face meeting their end of the security burden while using cloud services. For a drill down, give a listen to the accompanying podcast. Here are key takeaways:

Fresh attack tiers

CASBs innovated like crazy to make it OK for enterprises to steadily move more and more of their on-premises operations onto a cloud service. Leading-edge CASB systems gave companies granular visibility and control over infrastructure (IaaS), platform (PaaS) and software applications (SaaS) supplied by a cloud services vendor.

Still, the added complexities of cloud migration translated into fresh tiers of wide-open attack vectors. It turned out that moving traditional on-premises systems for HR, IT services, management, finance, accounting, ERP and CRM onto a cloud service run by a third party made it much more difficult to implement a unified enforcement policy, Rachakonda says.

For one thing, the top cloud services providers, namely Amazon, Google and Microsoft, imposed a “shared responsibility” model for cybersecurity. This meant the cloud service provider was only responsible for ensuring the security of the baseline software configurations that make a service available.

So the subscriber, the organization rushing to offload large parts of its operations to a third party, remained responsible for everything else; specifically, for securing all configurations and policies set on the user’s side of the house.
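The configurations left to the subscriber under that model are exactly the ones that tend to go wrong, and storage bucket policies are the classic case. The following is an added example, not code from the article, CipherCloud or AWS: a small customer-side audit of IAM-style bucket policy documents that flags Allow statements granting access to a public principal or using a wildcard action. The two policy documents are constructed samples (the account id in the scoped one is a placeholder), and the check is deliberately narrow, so an empty result means only that these two conditions did not fire.

```python
"""Customer-side check of an S3-style bucket policy for the kind of
over-permissive configuration the shared responsibility model leaves to the
subscriber. Added example for this article; not CipherCloud or AWS code.
The policy documents below are constructed samples in the IAM policy
document shape (Version / Statement / Effect / Principal / Action)."""
import json

# Constructed sample: grants anonymous read and list on a records bucket.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnonymousRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-records",
                     "arn:aws:s3:::example-records/*"],
    }],
})

# Constructed sample: the same bucket, scoped to one role (placeholder
# account id) with the single action it needs.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowRecordsReaderRole",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::000000000000:role/records-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-records/*",
    }],
})


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """"*" and {"AWS": "*"} both mean any caller, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def _has_wildcard_action(actions):
    """"*" or "service:*" grants far more than a bucket reader needs."""
    return any(a == "*" or a.endswith(":*") for a in _as_list(actions))


def audit_policy(policy_json):
    """Return a list of findings for Allow statements; an empty list means
    nothing in this check fired (it is not proof the policy is safe)."""
    doc = json.loads(policy_json)
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if _principal_is_public(stmt.get("Principal", {})):
            if stmt.get("Condition"):
                findings.append(f"{sid}: public principal limited by a Condition; review it")
            else:
                findings.append(f"{sid}: public principal with no Condition")
        if _has_wildcard_action(stmt.get("Action", [])):
            findings.append(f"{sid}: wildcard action, more privilege than needed")
    return findings


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_READ_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(policy) or ["no findings"])
```

In practice a check like this runs against every bucket policy pulled from the account on a schedule, and the public-principal finding is the one to alert on first; the wildcard-action finding is a least-privilege hygiene item.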

Shifting responsibilities

Ask Capital One how difficult that is. Capital One reportedly misconfigured a firewall and failed to keep close track of its AWS Management Console, which left access open to a laid-off Amazon technician, who was able to pilfer personal information for some 106 million bank patrons.


“Controlling user access, understanding the nature of data, how data is going into and coming out of the cloud, how it’s coming out of the cloud, all these are responsibilities that have shifted onto the customer,” Rachakonda told me. “It has become very important to understand that adopting to the cloud occurs under a shared responsibility model, and that the customer has to have a strategy and a plan to make sure that the security gaps are addressed.”

CASBs have made it easy to think through and implement robust security policies while using popular IaaS resources, like AWS, Google Cloud and Microsoft Azure, as well as ubiquitous SaaS tools, like or Office 365.

CipherCloud’s platform, for instance, can onboard a major customer relationship management (CRM) tool, like, in a matter of minutes, he says. It also has the flexibility to work in a variety of modes to connect to the cloud service and, crucially, to control user access, including limiting privileges and automatically blocking access if the user’s behavior is found to be anomalous, Rachakonda says.
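To make the two controls just mentioned concrete, here is an added example, not CipherCloud’s engine or any code from the article: a small decision function that first enforces least privilege (the action must be in the role’s permitted set) and then scores a request against a per-user behavioural baseline, returning allow, step-up authentication, or block. The roles, thresholds, baseline and events are all constructed and hypothetical.

```python
"""Access-policy decision combining least privilege (what the role may do)
with a behaviour check against a per-user baseline. Added example for this
article; not CipherCloud's engine. Roles, thresholds, baselines and events
are constructed and hypothetical."""
from dataclasses import dataclass

# Constructed least-privilege map: what each role may do in the SaaS app.
ROLE_PERMISSIONS = {
    "sales_rep": {"read_contact", "update_contact"},
    "sales_admin": {"read_contact", "update_contact", "export_report"},
}

# Constructed thresholds (assumed, not from the article).
BLOCK_SCORE = 3     # at or above: block the request and alert
STEP_UP_SCORE = 1   # at or above: require re-authentication
VOLUME_FACTOR = 3   # downloads beyond this multiple of baseline are anomalous


@dataclass(frozen=True)
class Baseline:
    countries: frozenset    # countries the user has logged in from before
    active_hours: range     # usual working hours (UTC)
    downloads_per_hour: int


@dataclass(frozen=True)
class AccessEvent:
    user: str
    role: str
    action: str
    country: str
    hour: int               # UTC hour of the request
    downloads_last_hour: int


def decide(event, baseline):
    """Return (decision, reasons): 'deny' for an action outside the role,
    otherwise 'allow', 'step_up' or 'block' from the anomaly score."""
    if event.action not in ROLE_PERMISSIONS.get(event.role, set()):
        return "deny", [f"{event.action} is not permitted for role {event.role}"]
    score, reasons = 0, []
    if event.country not in baseline.countries:
        score += 2
        reasons.append(f"first login from {event.country}")
    if event.hour not in baseline.active_hours:
        score += 1
        reasons.append(f"request at {event.hour:02d}:00 UTC, outside usual hours")
    if event.downloads_last_hour > VOLUME_FACTOR * baseline.downloads_per_hour:
        score += 2
        reasons.append(f"{event.downloads_last_hour} downloads in the last hour "
                       f"vs baseline {baseline.downloads_per_hour}")
    if score >= BLOCK_SCORE:
        return "block", reasons
    if score >= STEP_UP_SCORE:
        return "step_up", reasons
    return "allow", reasons


# Constructed baseline and events for one user.
ALICE = Baseline(countries=frozenset({"US"}), active_hours=range(8, 19),
                 downloads_per_hour=20)
EVENTS = [
    AccessEvent("alice", "sales_rep", "read_contact", "US", 10, 5),      # normal
    AccessEvent("alice", "sales_rep", "export_report", "US", 10, 5),     # outside role
    AccessEvent("alice", "sales_rep", "read_contact", "DE", 10, 5),      # new country
    AccessEvent("alice", "sales_admin", "export_report", "RO", 3, 400),  # several signals
]


def run_events(events=EVENTS, baseline=ALICE):
    """Decide every event; returns the list of decisions in order."""
    return [decide(e, baseline)[0] for e in events]


if __name__ == "__main__":
    for e in EVENTS:
        print(e.action, e.country, e.hour, "->", decide(e, ALICE))
```

The point of the split is that the role check is a hard boundary that never depends on behaviour, while the score only decides how much friction a permitted action gets; in a real deployment the baseline would be learned from the user’s history rather than typed in.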

Myriad entry points

Data moving to and from the cloud also gets inspected, using data loss prevention (DLP) technology to help enforce policies, he added. “Let’s say that for PCI-DSS compliance you cannot upload credit card numbers into the Salesforce cloud,” Rachakonda says. “The DLP engine can actually detect card numbers and either block the action or simply mask the data.”
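The PCI-DSS scenario Rachakonda describes, as an added example that is not CipherCloud’s DLP engine or code from the article: an inline check that scans an outbound upload for payment card numbers (a digit-pattern scan confirmed by the Luhn checksum, so random 16-digit order references are not flagged) and then either blocks the upload or masks the numbers, leaving the last four digits. The sample upload text is constructed, and 4111 1111 1111 1111 is a standard test number, not a real account.

```python
"""Inline DLP check of the kind described above: find payment card numbers in
an outbound upload and block it or mask them. Added example for this
article; not CipherCloud's DLP engine. Detection is a digit-pattern scan
plus a Luhn checksum, and the sample upload is constructed (4111 1111 1111
1111 is a standard test number, not a real account)."""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample upload: one real-looking card number and one order
# reference of the same length that fails the checksum.
SAMPLE_UPLOAD = ("Case 4471: customer paid with 4111 1111 1111 1111; "
                 "order ref 1234567890123456")


def luhn_valid(digits):
    """Luhn checksum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return (start, end, digits) for each Luhn-valid candidate."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def mask_card_numbers(text):
    """Replace each detected number with asterisks, keeping the last four."""
    out, last = [], 0
    for start, end, digits in find_card_numbers(text):
        out.append(text[last:start])
        out.append("*" * (len(digits) - 4) + digits[-4:])
        last = end
    out.append(text[last:])
    return "".join(out)


def inspect_upload(text, on_detect="block"):
    """Apply the policy: ('allow', text), ('block', None) or ('mask', masked)."""
    if not find_card_numbers(text):
        return "allow", text
    if on_detect == "block":
        return "block", None
    if on_detect == "mask":
        return "mask", mask_card_numbers(text)
    raise ValueError(f"unknown on_detect action: {on_detect}")


if __name__ == "__main__":
    print(inspect_upload(SAMPLE_UPLOAD, "block"))
    print(inspect_upload(SAMPLE_UPLOAD, "mask"))
```

The Luhn step is what keeps the false-positive rate tolerable on free-text fields; a production engine would add issuer prefix ranges and context keywords, but the block-or-mask decision sits on top of detection in exactly this shape.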

It struck me that CASBs have rather rapidly emerged as a timely and powerful tool that companies can leverage to live up to their part of the shared responsibility model for using cloud services.

“CASBs are a must for every organization wanting to adapt to the cloud,” Rachakonda observed. “Vulnerability comes from the fact that the cloud services are not configured properly because there are so many cloud services, and each one is very different.

“There are so many entry points, and it is extremely difficult for someone to understand the nuances; and putting the proper security configurations in place is extremely difficult.”

It comes back to complexity. Cloud adoption continues to rise. Organizations today typically use a dozen or more cloud services. Striking a balance between productivity gains and keeping things as secure and private as they ought to be is going to remain a central challenge.

It is a positive development that CASBs arose, and they can be expected to continue innovating to help companies meet this challenge. I’ll keep watch.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
