DataNext Systems
Cloud Access Security Brokers (CASBs), also known as cloud security gateways (CSGs), are software tools or services that sit between an organization's on-premises infrastructure and the public cloud infrastructure. A CASB acts as a gatekeeper that lets the organization extend the reach of its security controls and policies beyond its own infrastructure. CASBs are usually cloud-hosted security software (they can also be deployed in a hybrid cloud) acting as a policy enforcement point between an enterprise, its cloud infrastructure, and all the cloud-based applications its employees use worldwide. CSGs give IT security teams visibility into cloud service usage and provide cloud-centric security capabilities that mirror the controls enterprises deploy to protect data in on-premises applications, including data loss prevention, user and entity behavior analytics (UEBA), encryption, access control, and much more.

There are four primary methods by which CSGs are deployed, each covering different users, devices, and access scenarios:

- Log collection: consuming event logs from existing infrastructure such as firewalls, secure web gateways, and SIEMs.
- Forward proxy: inline deployment between the endpoint and the cloud service, in which the device or network routes traffic to the CSG proxy.
- Reverse proxy: inline deployment between the endpoint and the cloud service, in which the cloud service or identity provider routes traffic to the CSG proxy.
- API: direct integration of the CSG with the cloud service; depending on the cloud provider's APIs, the CSG can view activity and content and take enforcement action.

Key Requirements of Cloud Security Gateways

1. Data Security

As enterprise data moves to the cloud and employees access it from off-network locations and unmanaged devices, they circumvent existing security technologies. CSGs provide an additional layer of security such as encryption and access control. Mature CSGs can provide end-to-end encryption of structured and unstructured data, both for data being uploaded to a cloud service and for data already in a cloud service. These solutions also allow the enterprise to control the encryption keys used to protect data in the cloud and integrate with KMIP-compliant key management solutions to broker the use of enterprise keys.

2. Threat Protection

One of the core capabilities of a CSG is threat protection. This capability is essential because cloud usage occurs outside the scope of conventional enterprise threat protection solutions, such as intrusion prevention systems (IPS) and security information and event management (SIEM) systems. Additionally, the rise of social engineering and the resulting compromised accounts have become one of the leading causes of security failures. CSGs analyze cross-cloud user behavior patterns to identify both malicious and negligent insider threats, as well as external threats such as compromised accounts. Effective threat protection uses machine learning to build behavior models for all employees and create a baseline for each. Any activity that deviates from this baseline is then flagged as a threat once it reaches a certain threshold.

3. Cloud Application Security

An organization's cloud-based application deployments are always exposed to attack. Public cloud infrastructure does not provide complete security beyond good firewall services. In fact, more than 99% of all security breaches happen over the open ports allowed by these firewalls. The most common kind of attack, denial of service (DoS/DDoS), arrives through ports legitimately opened in the firewall. The CASB provides the required intrusion detection and prevention services (IDS/IPS) for an organization's cloud-based applications and/or servers.

4. Visibility

While cloud adoption continues to rise, enterprises are finding that simply blocking cloud services from being used isn't sufficient. With the explosive growth of available cloud services, when an organization blocks one cloud service, employees frequently respond by seeking out lesser-known, potentially riskier alternatives that can end up exacerbating the problem. And while the IT department may have visibility into sanctioned (permitted) cloud services, it lacks the needed visibility into the scope of shadow IT cloud service use. It often does not know, for example, who is using which cloud services, what kind of data is going to each cloud service in use, with whom that data is being shared, and which devices are accessing it and from where. These organizations turn to CSGs to solve this problem. CSGs provide continuous visibility into both sanctioned and unsanctioned (shadow IT) cloud usage. This visibility extends to the data retention policies of each unsanctioned cloud service, how much data is being uploaded to or downloaded from a cloud service, whether the service provider encrypts data at rest or in transit, and an overall security risk score for each cloud service in use. Enterprises use the cloud service risk score to evaluate and select cloud services that meet their security and compliance requirements, thereby streamlining the process of cloud service adoption.

5. Compliance

Employees routinely upload sensitive and regulated data to the cloud. In the past, organizations relied on on-premises data loss prevention (DLP) solutions to protect that data from leakage via email and to ensure they remained compliant with internal policies and external regulations. CSGs extend these on-premises DLP controls to the cloud so that enterprises can prevent certain types of sensitive data from being uploaded to high-risk cloud services or being shared from trusted cloud services with third parties. CSGs also provide a unified, cross-cloud DLP policy engine, incident reporting, and a remediation workflow that ensure a consistent set of controls across cloud services. The cloud DLP capabilities of a CSG can protect any kind of sensitive and regulated data, including protected health information (HIPAA-HITECH), intellectual property, and personally identifiable information.
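The log-collection deployment, the visibility section, and the cloud DLP section above describe the same pipeline: ingest gateway events, map each destination to a catalogued service with a risk score, report who uploads how much to which sanctioned or shadow IT service, and block regulated data heading to high-risk services. This added example (not the page's or any vendor's code) implements a small version of that pipeline in Python; the log format, service catalog, risk scores, and DLP patterns are all constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed service catalog (risk score 0-100, IT sanctioned?) and DLP detectors;
# hostnames, scores and patterns are illustrative assumptions, not vendor data.
CATALOG = {"drive.sanctioned.example": {"risk": 10, "sanctioned": True},
           "share.unvetted.example": {"risk": 85, "sanctioned": False}}
RISK_THRESHOLD = 70  # services at or above this score count as high-risk
DLP_PATTERNS = {"ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
                "card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")}
# Constructed gateway log format: user method host/path bytes [body="..."]
LOG_RE = re.compile(r'^(?P<user>\S+) (?P<method>GET|POST|PUT) (?P<host>[^/\s]+)\S* '
                    r'(?P<bytes>\d+)(?: body="(?P<body>[^"]*)")?$')

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # caller skips lines the collector cannot parse
    rec = m.groupdict()
    rec["bytes"], rec["body"] = int(rec["bytes"]), rec["body"] or ""
    return rec

def classify(rec):
    """Policy verdict for one event: allow, shadow_it (unsanctioned service) or block."""
    svc = CATALOG.get(rec["host"], {"risk": 100, "sanctioned": False})  # unknown host = riskiest
    hits = sorted(n for n, p in DLP_PATTERNS.items() if p.search(rec["body"]))
    if rec["method"] != "GET" and hits and (not svc["sanctioned"] or svc["risk"] >= RISK_THRESHOLD):
        return "block", hits  # regulated data heading to a high-risk or unsanctioned service
    return ("allow" if svc["sanctioned"] else "shadow_it"), hits

def visibility_report(lines):
    """Per-service upload volume and user set (sanctioned and shadow IT) plus blocked events."""
    services = defaultdict(lambda: {"upload_bytes": 0, "users": set(), "sanctioned": False})
    blocked = []
    for rec in filter(None, map(parse_line, lines)):
        verdict, hits = classify(rec)
        s = services[rec["host"]]
        s["users"].add(rec["user"])
        s["sanctioned"] = rec["host"] in CATALOG and CATALOG[rec["host"]]["sanctioned"]
        if rec["method"] != "GET":  # POST/PUT = data leaving the enterprise
            s["upload_bytes"] += rec["bytes"]
        if verdict == "block":
            blocked.append((rec["user"], rec["host"], hits))
    return dict(services), blocked

SAMPLE_LOG = [  # constructed events, not from any real gateway
    'alice POST drive.sanctioned.example/upload 20480 body="quarterly plan"',
    'alice POST share.unvetted.example/api/put 4096 body="patient ssn 123-45-6789"',
    'bob GET share.unvetted.example/list 512',
    'carol PUT notes.unknown.example/doc 2048 body="card 4111 1111 1111 1111"',
    'garbage line the collector should skip']
```

Running `visibility_report(SAMPLE_LOG)` surfaces share.unvetted.example as shadow IT used by two users and blocks the two uploads carrying regulated data; a real CASB would also pull retention and encryption attributes per service rather than a static catalog.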