WEBVTT

1
00:00:00.000 --> 00:00:01.001
In this lesson,

2
00:00:01.001 --> 00:00:06.001
we will learn about a Cloud Access Security Broker, or CASB.

3
00:00:06.486 --> 00:00:11.235
A cloud access security broker is a security solution

4
00:00:11.235 --> 00:00:13.239
that acts as a control point

5
00:00:13.239 --> 00:00:17.351
between cloud service users and cloud applications.

6
00:00:17.351 --> 00:00:19.501
Cloud access security brokers

7
00:00:19.501 --> 00:00:23.482
or CASBs enforce security policies

8
00:00:23.482 --> 00:00:27.239
and protect data across cloud environments.

9
00:00:27.239 --> 00:00:32.239
CASB implementation concepts include API-based

10
00:00:32.602 --> 00:00:37.489
and proxy-based cloud access security broker solutions.

11
00:00:37.489 --> 00:00:42.489
An API-based CASB integrates directly with cloud services

12
00:00:43.486 --> 00:00:47.488
and uses APIs to monitor cloud data flow,

13
00:00:47.488 --> 00:00:49.863
enforce security policies,

14
00:00:49.863 --> 00:00:53.487
and provide visibility into cloud usage

15
00:00:53.487 --> 00:00:56.733
without affecting user experience.

16
00:00:56.733 --> 00:01:00.734
Proxy-based CASBs, on the other hand,

17
00:01:00.734 --> 00:01:04.118
route cloud traffic through a proxy server,

18
00:01:04.118 --> 00:01:08.230
allowing real-time inspection, threat prevention,

19
00:01:08.230 --> 00:01:11.004
and enforcement of security policies

20
00:01:11.004 --> 00:01:15.003
by sitting between the user and the cloud device.

21
00:01:15.003 --> 00:01:17.914
Let's learn more about API-based

22
00:01:17.914 --> 00:01:22.232
and proxy-based cloud access security brokers.

23
00:01:22.232 --> 00:01:26.993
First, we have API-based cloud access security brokers

24
00:01:26.993 --> 00:01:29.101
or CASBs.

25
00:01:29.101 --> 00:01:33.120
A cloud access security broker is software designed

26
00:01:33.120 --> 00:01:35.484
to manage and secure access

27
00:01:35.484 --> 00:01:39.588
to cloud services across various devices,

28
00:01:39.588 --> 00:01:41.492
acting as an intermediary.

29
00:01:41.492 --> 00:01:46.492
A cloud access security broker enforces security policies,

30
00:01:46.985 --> 00:01:51.744
monitors cloud usage, detects threats, validates compliance,

31
00:01:51.744 --> 00:01:55.839
and provides visibility into cloud activities,

32
00:01:55.839 --> 00:01:59.234
ensuring that only authorized individuals

33
00:01:59.234 --> 00:02:02.846
can access cloud services and resources.

34
00:02:02.846 --> 00:02:06.119
While cloud access security brokers integrate

35
00:02:06.119 --> 00:02:10.972
with identity providers to help manage authentication,

36
00:02:10.972 --> 00:02:14.252
their primary role is to enforce security

37
00:02:14.252 --> 00:02:18.232
and governance policies across cloud environments.

38
00:02:18.232 --> 00:02:22.737
When configured as an API-based CASB,

39
00:02:22.737 --> 00:02:27.618
the broker connects to cloud services through an API,

40
00:02:27.618 --> 00:02:30.246
facilitating the exchange of data

41
00:02:30.246 --> 00:02:33.591
between the cloud service and the user.

42
00:02:33.591 --> 00:02:38.116
This implementation allows the cloud access security broker

43
00:02:38.116 --> 00:02:42.609
to manage access and apply security controls directly

44
00:02:42.609 --> 00:02:45.481
via the cloud provider's API.

45
00:02:45.481 --> 00:02:49.012
For example, if a user's account is disabled

46
00:02:49.012 --> 00:02:51.747
or their authorization is revoked,

47
00:02:51.747 --> 00:02:56.747
the API-based CASB can quickly update the cloud provider,

48
00:02:57.604 --> 00:03:02.604
instructing it to deny that user access to cloud resources.

49
00:03:03.237 --> 00:03:07.115
Suppose a user named Jason has been removed from the network

50
00:03:07.115 --> 00:03:09.599
for a security violation,

51
00:03:09.599 --> 00:03:13.233
the CASB or cloud access security broker

52
00:03:13.233 --> 00:03:18.233
would notify the cloud provider using its API connection

53
00:03:18.238 --> 00:03:21.730
to block any further logins from Jason,

54
00:03:21.730 --> 00:03:25.577
even if Jason tried to access the resources

55
00:03:25.577 --> 00:03:27.737
from another location.

56
00:03:27.737 --> 00:03:32.732
One of the primary advantages of API-based CASBs

57
00:03:32.732 --> 00:03:36.655
is that they work seamlessly with cloud-native services,

58
00:03:36.655 --> 00:03:41.655
requiring no modification of user devices or traffic routes.

59
00:03:42.353 --> 00:03:47.353
However, API-based cloud access security brokers also come

60
00:03:47.994 --> 00:03:50.244
with certain limitations.

61
00:03:50.244 --> 00:03:55.244
These brokers are dependent on the API capabilities provided

62
00:03:55.345 --> 00:03:57.330
by the cloud service.

63
00:03:57.330 --> 00:04:00.241
So, if the API does not support

64
00:04:00.241 --> 00:04:03.565
specific granular security policies,

65
00:04:03.565 --> 00:04:07.485
such as allowing access only to certain data types

66
00:04:07.485 --> 00:04:12.485
or regions, the CASB may not meet the organization's needs.

67
00:04:13.733 --> 00:04:16.744
Now, if your organization requires

68
00:04:16.744 --> 00:04:19.614
advanced security configurations,

69
00:04:19.614 --> 00:04:23.371
such as blocking specific cloud applications

70
00:04:23.371 --> 00:04:28.088
or controlling data access based on geographic location

71
00:04:28.088 --> 00:04:33.088
and the CASB's API lacks support for these granular policies,

72
00:04:34.066 --> 00:04:38.072
the API-based approach may not suffice.

73
00:04:38.072 --> 00:04:40.081
This limitation arises

74
00:04:40.081 --> 00:04:44.849
because API-based cloud access security brokers rely

75
00:04:44.849 --> 00:04:49.849
on capabilities exposed by the cloud service provider's API,

76
00:04:49.986 --> 00:04:54.000
which might not provide the level of control needed

77
00:04:54.000 --> 00:04:57.510
for complex policies like geofencing

78
00:04:57.510 --> 00:05:00.241
or application-specific restrictions.

79
00:05:00.241 --> 00:05:01.845
In such scenarios,

80
00:05:01.845 --> 00:05:05.885
a proxy-based cloud access security broker

81
00:05:05.885 --> 00:05:07.983
may be a better option.

82
00:05:07.983 --> 00:05:09.493
So second,

83
00:05:09.493 --> 00:05:13.583
we have proxy-based cloud access security brokers.

84
00:05:13.583 --> 00:05:16.738
A proxy-based cloud access security broker

85
00:05:16.738 --> 00:05:20.850
or a CASB functions by intercepting traffic

86
00:05:20.850 --> 00:05:23.735
between users and cloud services.

87
00:05:23.735 --> 00:05:26.745
It can be set up in two primary ways:

88
00:05:26.745 --> 00:05:30.745
as a forward proxy or a reverse proxy.

89
00:05:30.745 --> 00:05:33.339
In a forward proxy configuration,

90
00:05:33.339 --> 00:05:38.339
the CASB is positioned at the edge of the user's network.

91
00:05:38.362 --> 00:05:41.740
All traffic from users inside the network

92
00:05:41.740 --> 00:05:45.742
is directed through the cloud access security broker

93
00:05:45.742 --> 00:05:48.740
before it reaches the cloud service.

94
00:05:48.740 --> 00:05:52.907
This allows the CASB to enforce policies

95
00:05:52.907 --> 00:05:55.369
such as ensuring that the devices

96
00:05:55.369 --> 00:05:58.738
and users meet security requirements

97
00:05:58.738 --> 00:06:01.611
before they can access the cloud.

98
00:06:01.611 --> 00:06:05.598
For example, when a parent configures a proxy

99
00:06:05.598 --> 00:06:08.247
on their home network to monitor

100
00:06:08.247 --> 00:06:11.360
and restrict their children's internet usage,

101
00:06:11.360 --> 00:06:15.862
all traffic must pass through that forward proxy.

102
00:06:15.862 --> 00:06:17.739
This allows the parent

103
00:06:17.739 --> 00:06:20.916
to block access to inappropriate websites

104
00:06:20.916 --> 00:06:24.645
and see how much time children spend online.

105
00:06:24.645 --> 00:06:28.739
However, forward proxies have limitations.

106
00:06:28.739 --> 00:06:31.129
Since all traffic is inspected,

107
00:06:31.129 --> 00:06:34.734
not just the traffic heading to cloud services,

108
00:06:34.734 --> 00:06:37.999
this setup can cause network bottlenecks,

109
00:06:37.999 --> 00:06:40.105
reducing performance.

110
00:06:40.105 --> 00:06:43.993
Additionally, users can sometimes find ways

111
00:06:43.993 --> 00:06:47.349
to bypass the proxy altogether.

112
00:06:47.349 --> 00:06:50.651
For instance, a tech-savvy teenager

113
00:06:50.651 --> 00:06:54.139
might figure out how to connect directly to websites

114
00:06:54.139 --> 00:06:56.351
by using IP addresses,

115
00:06:56.351 --> 00:07:01.119
circumventing the restrictions imposed by the forward proxy.

116
00:07:01.119 --> 00:07:03.607
To address some of these issues,

117
00:07:03.607 --> 00:07:06.491
a reverse proxy can be used.

118
00:07:06.491 --> 00:07:10.991
When protecting a cloud service as a reverse proxy,

119
00:07:10.991 --> 00:07:14.113
the cloud access security broker is positioned

120
00:07:14.113 --> 00:07:17.243
between the user and the cloud service,

121
00:07:17.243 --> 00:07:19.860
managing and securing traffic directed

122
00:07:19.860 --> 00:07:22.990
towards specific cloud applications.

123
00:07:22.990 --> 00:07:27.364
And rather than inspecting all outgoing traffic from users,

124
00:07:27.364 --> 00:07:29.855
the reverse proxy only intercepts

125
00:07:29.855 --> 00:07:34.364
and inspects traffic headed to the cloud services.

126
00:07:34.364 --> 00:07:38.359
This means that users are free to access other parts

127
00:07:38.359 --> 00:07:42.118
of the internet without passing their communication

128
00:07:42.118 --> 00:07:45.136
through a cloud access security broker.

129
00:07:45.136 --> 00:07:50.136
But when they try to access those protected cloud resources,

130
00:07:50.237 --> 00:07:53.002
the cloud access security broker steps in

131
00:07:53.002 --> 00:07:55.856
to enforce security policies.

132
00:07:55.856 --> 00:07:59.606
So, while reverse proxies can improve performance

133
00:07:59.606 --> 00:08:03.482
by reducing unnecessary traffic inspection,

134
00:08:03.482 --> 00:08:05.862
they also have a drawback.

135
00:08:05.862 --> 00:08:08.349
They only work with cloud services

136
00:08:08.349 --> 00:08:11.617
that support reverse proxy configurations.

137
00:08:11.617 --> 00:08:15.618
So, if the cloud application does not support this method,

138
00:08:15.618 --> 00:08:20.618
a reverse proxy cloud access security broker cannot be used.

139
00:08:20.732 --> 00:08:22.739
So remember,

140
00:08:22.739 --> 00:08:27.402
a cloud access security broker is a security solution

141
00:08:27.402 --> 00:08:31.849
that manages and secures access to cloud services,

142
00:08:31.849 --> 00:08:35.100
enforcing policies to protect data.

143
00:08:35.100 --> 00:08:37.379
Cloud access security brokers

144
00:08:37.379 --> 00:08:41.646
or CASBs come in two main formats,

145
00:08:41.646 --> 00:08:44.734
API-based and proxy-based.

146
00:08:44.734 --> 00:08:48.821
API-based CASBs integrate directly

147
00:08:48.821 --> 00:08:53.821
with cloud services using APIs to monitor and control data

148
00:08:54.232 --> 00:08:57.354
without affecting the user experience.

149
00:08:57.354 --> 00:09:01.055
Proxy-based CASBs, on the other hand,

150
00:09:01.055 --> 00:09:05.239
intercept traffic between users and cloud services,

151
00:09:05.239 --> 00:09:09.487
inspecting it in real time to enforce security.

152
00:09:09.487 --> 00:09:14.487
While API-based CASBs offer seamless integration,

153
00:09:14.684 --> 00:09:19.117
proxy-based CASBs provide a little more control,

154
00:09:19.117 --> 00:09:22.655
especially for complex security needs,

155
00:09:22.655 --> 00:09:27.655
but the drawback is they may impact performance.

