Cloud services can become a vulnerability to an organization’s threat protection and data security strategy if mishandled. Although identity and access management (IAM) programs protect the front door of sanctioned applications, they do not protect against unsanctioned applications. This is where cloud access security brokers (CASBs) can bridge the gap.
“CASBs add security where traditional IAM cannot,” Erik Wahlstrom, research director at Gartner, says. “They don’t replace IAM, but do provide visibility and control back to IAM.” Technical professionals must integrate the two and use their combined strengths when onboarding, securing, monitoring and managing cloud services.
At the most basic level, CASBs add an extra layer of protection to the components of IAM systems. They enable organizations to track user behavior, apply consistent security policies across multiple applications and enforce policies (e.g., session termination) in the event applications are misused.
Identity is likewise a foundational piece of information for CASBs. IAM and CASBs work together to provide heightened discovery, monitoring and protection of your organization’s services, so that you can make informed decisions when protecting cloud applications.
Improve your IAM security posture
“There are many synergies between the CASB and IAM that organizations should assess and use, if possible,” Wahlstrom says. He outlines some of the main ways CASBs can improve your IAM security posture.
- Manage third-party applications: Mobile and third-party applications are hard to manage. If they have access to data stored in cloud services, they should be considered a new avenue of attack. CASBs provide a centralized interface to discover, report and restrict the use of third-party applications.
- Trigger identity management events: The real-time risk analysis functionality in CASBs can trigger identity management events in identity governance and administration (IGA). They can alert an organization to an unusual event within a cloud system and ultimately deactivate a user from all systems.
- Use step-up authentication: When risk analysis discovers abnormal behavior, users can be prompted for step-up authentication to increase the assurance that the intended user is present. This strengthens the organization’s existing authentication model.
- Discover and limit the use of corporate credentials in unsanctioned applications: Any reuse of corporate credentials in unsanctioned applications widens an organization’s potential attack surface. CASBs discover usage of unsanctioned applications and can either block access or provide tools to help the organization securely onboard the unsanctioned application to its IAM infrastructure.
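The decisions in the list above, sketched as an added example that is not from the article or from any CASB product: constructed session records are checked against the IAM-sanctioned application list and a risk score. The log format, hostnames, thresholds and action names are all assumptions.

```python
import re
from collections import defaultdict

# Everything here is constructed for illustration: the log format, hostnames,
# thresholds and action names are assumptions, not any CASB product's schema.
SANCTIONED_APPS = {"crm.example.com", "mail.example.com"}  # apps federated via IAM
CORPORATE_DOMAIN = "corp.example"
STEP_UP_RISK, DEACTIVATE_RISK = 50, 85  # hypothetical risk-score cut-offs (0-100)

SAMPLE_LOG = """\
2024-05-01T09:00:01Z user=alice@corp.example app=crm.example.com risk=12
2024-05-01T09:03:40Z user=bob@corp.example app=files.unvetted.example risk=30
2024-05-01T09:05:10Z user=carol@corp.example app=mail.example.com risk=63
2024-05-01T09:07:55Z user=dave@corp.example app=crm.example.com risk=91
2024-05-01T09:09:02Z user=erin@personal.example app=files.unvetted.example risk=20
this line is malformed and must be skipped
"""

LINE = re.compile(r"^(\S+) user=(\S+) app=(\S+) risk=(\d{1,3})$")

def parse(log):
    """Yield (user, app, risk) from well-formed lines; skip anything else."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.group(2).lower(), m.group(3).lower(), int(m.group(4))

def decide(user, app, risk):
    """Map one observed session to an IAM-side action."""
    if app not in SANCTIONED_APPS:
        # Corporate identity used outside IAM's catalogue: block, or onboard the app.
        corporate = user.endswith("@" + CORPORATE_DOMAIN)
        return "block_or_onboard" if corporate else "log_only"
    if risk >= DEACTIVATE_RISK:
        return "terminate_session_and_raise_iga_deactivation"
    if risk >= STEP_UP_RISK:
        return "require_step_up_authentication"
    return "allow"

def triage(log):
    """Return per-session actions and corporate identities per unsanctioned app."""
    actions, shadow = {}, defaultdict(set)
    for user, app, risk in parse(log):
        actions[(user, app)] = decide(user, app, risk)
        if actions[(user, app)] == "block_or_onboard":
            shadow[app].add(user)
    return actions, dict(shadow)

if __name__ == "__main__":
    session_actions, shadow_it = triage(SAMPLE_LOG)
    print(session_actions, shadow_it, sep="\n")
```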
It is clear that CASBs interact with, use and help multiple features of IAM. “Organizations shouldn’t replace their IAM programs with CASBs, but rather intersect the two for increased governance and access control of cloud applications,” says Wahlstrom.