In cloud security, 2015 was the year of the Cloud Access Security Broker (CASB): it saw a lot of media coverage, accelerated growth in deployments and investments, and high-profile acquisitions like Adallom and Elastica. In a nutshell, a CASB secures the organization’s use of 3rd party SaaS such as Salesforce, Box, Office 365 and the like. A broker is needed to make sure the organization’s security policies are enforced on the use of applications that are delivered from the cloud and over the Internet, that is, from outside the organization’s secure enterprise network. Privacy and data loss are the concerns in such scenarios, so security measures like identity authentication, access rights verification and encryption must be deployed to prevent a breach.
The term ‘broker’ denotes the fact that the CASB function is located ‘between’ the organization and the ‘cloud’. This serves two purposes: first, it allows the broker function to ‘see’ all the SaaS traffic; second, it provides the IT department with a single pane of glass for all SaaS usage, while hiding the complexity of, and the differences between, the various SaaS behaviors and protocols.
What is a Cloud Infrastructure Security Broker (CISB)
CISB is a new type of solution that takes the concept of CASB and applies it to IaaS (instead of SaaS). The Cloud Infrastructure Security Broker provides the following functions:
- Network security – All major public IaaS offerings provide native support for only a very partial set of network security features. See our blog post for a detailed survey of IaaS providers’ native network security offerings. An enterprise planning an IaaS deployment is very frequently required to add 3rd party network security solutions on top of its IaaS platform of choice in order to comply with its security requirements. The CISB provides software components (e.g. gateways, agents) that can be installed on the cloud platform (and/or at the enterprise network) and supply the ‘missing’ network security elements.
- Abstraction – The CISB provides an abstraction layer that unifies multiple IaaS platforms under a single policy system. This enables the IT team to define a single policy that is configured and enforced on all IaaS platforms (public, private and hybrid) used by the organization. The benefits for the organization are simplicity and operational efficiency. The CISB hides the complexities, mainly the differences between the IaaS platforms, by providing a single policy language northbound while maintaining different policy adaptors southbound (one per IaaS platform).
- Automation and Orchestration – The CISB’s role is to make sure the abstract security policy (which encompasses firewall rules, identity-based access rules and encryption policies) is enforced on all IaaS platforms used by the organization. This includes translating security policies into the different ‘languages’ of the different platforms and configuring those policies on the cloud platforms themselves, as well as on the CISB software elements that may be distributed between the data-centers. Due to the dynamic nature of IaaS deployments, the CISB needs to be able to auto-discover cloud resources (or auto-detect changes), such as virtual servers and containers, and adapt its security scheme to the new or updated resources.
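The northbound/southbound split described in the list above, as an added sketch that is not code from this post or from any product. It assumes two southbound targets chosen for illustration (an AWS security group ingress entry and an Azure NSG rule; the post names no platforms), and every class and function name in it is hypothetical. It also shows where the abstraction leaks: a deny rule has no native form in an allow-only security group, so the adaptor reports a gap instead of silently dropping the rule.

```python
# Added example: one abstract policy compiled by per-platform adaptors.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:                      # hypothetical northbound policy rule
    name: str
    action: str                  # "allow" or "deny"
    protocol: str                # "tcp" or "udp"
    port: int
    source_cidr: str
    priority: int = 100

class UnsupportedRule(Exception):
    """Raised when a platform cannot express the abstract rule natively."""

def to_aws_security_group(rule: Rule) -> dict:
    # EC2 security groups are allow-only; a deny cannot be expressed here.
    if rule.action != "allow":
        raise UnsupportedRule(f"{rule.name}: security groups have no deny action")
    return {"IpProtocol": rule.protocol, "FromPort": rule.port, "ToPort": rule.port,
            "IpRanges": [{"CidrIp": rule.source_cidr, "Description": rule.name}]}

def to_azure_nsg(rule: Rule) -> dict:
    return {"name": rule.name, "properties": {
        "priority": rule.priority, "direction": "Inbound",
        "access": rule.action.capitalize(), "protocol": rule.protocol.capitalize(),
        "sourceAddressPrefix": rule.source_cidr, "sourcePortRange": "*",
        "destinationAddressPrefix": "*", "destinationPortRange": str(rule.port)}}

# Southbound adaptors, one per platform (assumed set).
ADAPTORS = {"aws-sg": to_aws_security_group, "azure-nsg": to_azure_nsg}

def compile_policy(rules):
    """Translate every rule for every platform; collect gaps instead of dropping them."""
    compiled = {platform: [] for platform in ADAPTORS}
    gaps = []
    for rule in rules:
        for platform, adapt in ADAPTORS.items():
            try:
                compiled[platform].append(adapt(rule))
            except UnsupportedRule as exc:
                gaps.append((platform, str(exc)))
    return compiled, gaps

# Constructed sample policy (private and documentation address ranges).
POLICY = [Rule("allow-https-corp", "allow", "tcp", 443, "10.0.0.0/8", 100),
          Rule("deny-ssh-partner", "deny", "tcp", 22, "203.0.113.0/24", 110)]

if __name__ == "__main__":
    compiled, gaps = compile_policy(POLICY)
    print(compiled, gaps, sep="\n")
```

A reported gap is the point at which a broker would have to enforce the rule through another mechanism, such as one of its own gateway or agent components.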
Similar to a CASB in the case of SaaS, the CISB answers security needs that arise from the use of IaaS. The CISB provides the IT team with a single pane of glass for network security across all IaaS deployments. It uses principles similar to those of a CASB, like abstraction and automation, and even deals with similar issues of identity and privacy. However, unlike a CASB, which is focused mainly on privacy and DLP, the Cloud Infrastructure Security Broker has a lot to do with network security and therefore frequently requires software components to be installed by its users in their cloud data-centers.
We expect to see CISB solutions introduced to the market in 2016, either as an evolution of CASBs or as complementary solutions.