CASB vs Cloud SIEM for SaaS Security

Today’s businesses spend more money on SaaS tools than on laptops. On average, today’s employees use a minimum of eight different SaaS tools. The security implications of this robust cloud landscape cannot be neglected and we trust you are fully aware of it already.

As an IT leader, you are responsible for keeping your company’s cloud infrastructure secure, but with the multitude of cloud apps businesses use on a daily basis, you have less and less control of that security landscape. As security solutions proliferate to respond to the diversity of needs, it’s becoming increasingly difficult to grasp all the needs and decide which solution will be most effective at eliminating all the risks your organization faces.

In this article, we take a look at two popular solutions that security professionals often resort to: Cloud Access Security Broker (CASB) and Cloud Security Information and Event Management (SIEM) solutions. In particular, we will discuss:

• What a SaaS CASB solution is
• Is CASB enough to secure your cloud infrastructure?
• How CASB differs from SIEM
• Requirements of a complete security environment

What is a Cloud Access Security Broker?

Gartner defines cloud access security brokers (CASBs) as “on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.”

In essence, CASBs secure data flow between your organization and the cloud vendor, according to your organization’s security policies. They encrypt data to prevent malware and thus protect your system against cyberattacks.

4 functionalities of CASB tools

The four main functionalities of CASB are (also defined by Gartner):

• visibility
• compliance
• data security
• threat protection

We investigate whether these functionalities are enough to guarantee security of your SaaS apps in the next section.

CASB solution deployment types

There are two different ways to deploy CASBs (each affects their performance differently; read on to find out how):

• Using API: API-based CASB integrates with supported cloud apps, but doesn’t cover the unsupported ones. These would be blocked against use.

• Using Proxy or Gateway: unfortunately, these solutions slow down network performance because of the single checkpoint. They also adversely affect login.

Is SaaS CASB enough to secure your cloud infrastructure?

CASBs allow you to see the data on security threats that occur when cloud apps are in use. They report in real time when an account is compromised and confidential data is exposed and offer some features for threat protection and remediation.

At the same time, CASBs lack broader visibility across your entire SaaS (and IaaS!) architecture; the top priority of SaaS security. Alone, CASBs are siloed solutions that simply are not enough to keep your infrastructure secure. Without complete visibility, you will not be able to automate detection and response of threats, misconfigurations and violations.

CASB solution limitations

• It’s a point tool

When we talk about CASBs, we have to acknowledge that these are point tools and as such their protection range is limited. CASB is essentially a visibility and policy control point that sits between your users, your organization and the cloud. CASB solutions focus exclusively on the cloud. They offer deep analytics and a wide variety of controls for cloud services, but their coverage does not go beyond the cloud infrastructure. As such, their scope of coverage is limited to various points within the cloud.

• Proxy-based CASBs have critical blind spots

Remember proxy-based CASB earlier was mentioned earlier? Its biggest downside is that it’s unable to keep up with the pace of upgrades to your application infrastructures, which obviously causes performance and security issues. Microsoft has pointed out that CASB is not enough and recommended better solutions. The company even provided an elaborate list of reasons why you should not use them. These reasons include the inability to test traffic compatibility, interoperability and performance, which often causes them to break. Their availability and performance may degrade and their terms of use may be violated.

Additionally, proxy-based CASBs actually limit the visibility of what’s in your cloud. They miss data shared by people outside your organization (be it customers or collaborators); they cannot monitor your desktop, nor API connections to third-party SaaS. But what’s most ironic is the fact that if the proxy goes down, the only people who have access to your data will be outside collaborators.

• No coverage of intranet data

If you want to secure data in intranet applications and services, CASB is not your best choice. If your organization shares data between computers connected to LAN, they will not be covered, since they aren’t cloud-based.

• Difficult installation

Most CASB solutions are hard to install. In addition, they will only work well on devices managed by your organization. Your security professionals must have a thorough understanding of the organization’s use cases and a host of IT skills to be able to manage them properly.

• Lack of a universal tool

It’s hard to decide which CASB solution to pick for any one organization; there are no universal criteria and oftentimes you are being warned that you need to do your own thorough research before picking the right solution. You can find more examples of what’s already been written on this topic here.

• Cannot act as a firewall

While CASBs add some features to firewalls, they should not be replaced by them. Firewalls are still crucial for providing visibility to network traffic and do a great job at blocking bugs.

CASB comparison: Unlike CASB, Cloud SIEM provides unified coverage

Both CASB and SIEM solutions secure your cloud infrastructure, but there are clear differences in how they cover your SaaS tools.

Cloud SIEM collects data from many different sources, not just from the cloud. These include: your on-premise applications, databases, web proxies, network switches, routers, data loss prevention and more. They filter through and correlate event logs across the different systems, informing you of threats in real-time, thus allowing you to respond to them in the shortest amount of time possible.

whereas SIEM is a consolidated tool that extends the cloud to cover your entire business infrastructure. It offers early attack detection through real-time data analysis, whereas CASBs only cover certain points within the cloud and inform you about the usage of your SaaS tools. Further, proxy-based CASBs only secure SaaS cloud services, leaving IaaS and PaaS clouds vulnerable.

Ensuring a fully secure SaaS

Employees sign up for all kinds of SaaS tools unaware of the consequences. As a security professional, you need to have full visibility into what applications just entered your environment, how they entered and how to remove them quickly.

If your organization uses, say, G Suite for example, and has other SaaS tools, it will certainly need a solution that both secures them and gives you visibility and control over them; you will need a solution that can do more than CASB.

While CASBs do add value to your existing security infrastructure, they should not be treated as your first line of defense. You can use this solution to augment your existing security infrastructure.

When it comes to securing your SaaS apps, ensuring full visibility of what is going on within your cloud should be your top priority. With Sumo Logic Cloud SIEM, you can have an integrated view across your hybrid and multi cloud infrastructure. A cloud-native tool is better for SaaS and extends beyond it, to ensure maximum protection.

For more information on how to secure your SaaS apps, refer to our earlier post on this topic.