1. Vendor list
Bitglass
CipherCloud
Cisco Cloudlock
Forcepoint CASB
IBM Managed Cloud Services
ManagedMethods
Masergy
McAfee/Skyhigh Security Cloud
Microsoft Cloud App Security
Netskope
Oracle CASB Cloud Service
Palo Alto Networks Aperture
Proofpoint CASB
Symantec/Skycure
A CASB looks like a bundle of web-usage control + threat analysis + DLP + firewall + bastion host + identity authentication products, but how is it actually deployed? Broadly, there are three deployment modes:
- Pure gateway mode. A CASB gateway appliance is placed at the user's network egress and proxies every SaaS service that needs to be handled; mobile devices must be configured with a profile or have a client installed so that their SaaS traffic is also directed to the CASB gateway.
- Controller + cloud capability center mode. Unlike the first option, only a lightweight controller used for policy enforcement sits inside the user's network; risk analysis, data encryption, security assessment, policy generation, initial data formatting and similar work are all done in the cloud, whereas in the first option all of this work is done by the CASB gateway itself.
- Client + cloud mode. A CASB client app is installed on every device that uses SaaS.
CASB companies overlap in the business areas they focus on but also differ; all of them provide protection at the various stages of SaaS use: identity, access rights, operation permissions, data and file lifecycle, data-asset encryption, data migration, data backup, and audit/traceback. From a technical standpoint, implementing a CASB is not the hard part; the real difficulty of CASB products lies in engineering problems such as adapting to a large number of SaaS services, global discovery and organization of both historical and new data held in the SaaS cloud, and seamless intervention in SaaS workflows without the user noticing.
A CASB still addresses the familiar problems of identity, control, auditing, leak prevention and integrity, but the underlying infrastructure has shifted from the traditional pile of boxes to the cloud.
1. Bitglass
Bitglass is a cloud security startup focused on protecting enterprise data. Founded in 2013 and headquartered in California, its current CEO Nat Kausik is an IT industry veteran who served as chief scientist at Hewlett-Packard from 1989 to 1997 and afterwards founded a series of startups with successful exits. Notably, Nat Kausik also wrote a book on machine learning back in 1991.
Official site: https://www.bitglass.com/
Correspondingly, there are three types of CASB:
- API-only CASB that deliver only management. Such CASB use API access to SaaS apps to remediate after data-leakage events.
- Multi-mode First-Gen CASB that deliver management and security, but not Zero-Day protection. Such CASB offer signature-based protection for known data leakage paths and a fixed set of applications.
- Multi-mode Next-Gen CASB that deliver management, security and Zero-Day protection. Such CASB dynamically adapt to deliver protection for known and unknown data leakage risks and malware threats, on any app.
1.1 API-only CASB
API-only CASB offer management capabilities by remediating data-leakage events after the fact via the APIs provided by some applications.
API CASB operate “out-of-band” not real-time. Users directly access cloud apps and data from any device, managed or unmanaged, without restriction or control. API CASB use the applications’ API to analyze the data-at-rest in the cloud. Based on policies set by the administrator, files that are in violation may trigger visibility logging alerts. Alternatively, files that are in violation may be quarantined, or have sharing permissions revoked.
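As an added illustration of the out-of-band evaluation described above (example code written for this page, not any vendor's product): a small Python policy engine scans a constructed inventory of files at rest, the kind of record an API-mode CASB pulls from a SaaS file-listing API, and picks the most severe remediation per file. All file records, addresses, policy names and the `corp.example` domain are made up for this example.

```python
import copy
import re

# Constructed sample inventory standing in for what an API-mode CASB would
# fetch from a SaaS provider's file-listing API. Every record is made up.
SAMPLE_FILES = [
    {"id": "f1", "name": "q3-forecast.xlsx", "owner": "alice@corp.example",
     "shared_with": ["bob@corp.example"], "public_link": False,
     "content": "Revenue forecast, internal use"},
    {"id": "f2", "name": "payroll.csv", "owner": "hr@corp.example",
     "shared_with": ["contractor@gmail.example"], "public_link": False,
     "content": "name,ssn\nJane,123-45-6789"},
    {"id": "f3", "name": "brochure.pdf", "owner": "mkt@corp.example",
     "shared_with": [], "public_link": True,
     "content": "Public product brochure"},
    {"id": "f4", "name": "board-minutes.docx", "owner": "ceo@corp.example",
     "shared_with": [], "public_link": True,
     "content": "CONFIDENTIAL - board discussion"},
]

INTERNAL_DOMAIN = "corp.example"          # assumed tenant domain
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # toy DLP pattern

# Remediation actions ordered from least to most severe.
SEVERITY = {"alert": 0, "revoke_sharing": 1, "quarantine": 2}


def is_external(address):
    """True when the recipient is outside the tenant's own domain."""
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def exposed_externally(f):
    """A file is exposed if it has a public link or any external collaborator."""
    return f["public_link"] or any(is_external(a) for a in f["shared_with"])


# Each policy is (name, predicate over a file record, remediation action).
# These mirror the page's three outcomes: log an alert, revoke sharing, quarantine.
POLICIES = [
    ("pii-exposed",
     lambda f: bool(SSN_RE.search(f["content"])) and exposed_externally(f),
     "quarantine"),
    ("confidential-public-link",
     lambda f: "CONFIDENTIAL" in f["content"] and f["public_link"],
     "revoke_sharing"),
    ("external-share", exposed_externally, "alert"),
]


def evaluate(files, policies=POLICIES):
    """Scan data at rest. Returns {file_id: {"action": ..., "policies": [...]}}
    for violating files only; the most severe matching action wins."""
    findings = {}
    for f in files:
        hits = [(name, action) for name, pred, action in policies if pred(f)]
        if not hits:
            continue
        worst = max(hits, key=lambda h: SEVERITY[h[1]])[1]
        findings[f["id"]] = {"action": worst, "policies": [n for n, _ in hits]}
    return findings


def remediate(files, findings):
    """Apply findings to a copy of the records, the way API write-back calls would.
    Note this runs after the scan: an exposed file was already reachable by
    outsiders before remediation, which is the out-of-band limitation."""
    updated = copy.deepcopy(files)
    by_id = {f["id"]: f for f in updated}
    log = []
    for fid, finding in findings.items():
        f, action = by_id[fid], finding["action"]
        if action == "quarantine":
            f["quarantined"] = True
            f["shared_with"], f["public_link"] = [], False
        elif action == "revoke_sharing":
            f["public_link"] = False
            f["shared_with"] = [a for a in f["shared_with"] if not is_external(a)]
        # "alert" only produces a log entry; the file is left untouched.
        log.append(f"{action}: {f['name']} ({', '.join(finding['policies'])})")
    return updated, log


if __name__ == "__main__":
    found = evaluate(SAMPLE_FILES)
    _, events = remediate(SAMPLE_FILES, found)
    print("\n".join(events))
```

The policy order in `POLICIES` only affects the order of names in each finding; the chosen action is always the most severe one, so a payroll file with both a PII hit and an external share is quarantined rather than merely alerted on.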
Strengths:
- Visibility & DLP remediation on data at rest after breach & compliance violations
Weaknesses:
- No Real-time protection
- No Mobile data protection
- No Threat protection
- No Zero-day App Control
- No Zero-Day threat protection
- No Identity control
1.2 Multi-mode First-Gen CASB
Multi-mode first-gen CASB offer both API mode and proxy mode. Operating in proxy mode typically requires an agent on every device, and is not suitable for unmanaged personal devices. Proxy agents may also interfere with existing infrastructure such as Secure Web Gateway proxies. Multi-mode first-gen CASB can also identify “ShadowIT” cloud applications used in the enterprise, by checking against a manually curated index of cloud applications.
Strengths:
- ShadowIT analysis with manual index
Weaknesses:
- Requires proxy agents on every device
- No agentless mode
- No Mobile Data Protection
- No Zero-day App Control
- No Zero-Day threat protection
- No Identity control
1.3 Multi-mode Next-Gen CASB
- API+Forward proxy + Reverse-Proxy + Active-Sync Proxy + SAML Proxy
- Zero-Day real-time control of any managed app
- Zero-Day read-only control of any unmanaged app
- Zero-Day real-time agentless AJAX-VM on any device
- Zero-Day threat protection
- Searchable, sortable cloud encryption
- Custom app support
- API visibility and control of data-at-rest
- Agentless Mobile security
- Integrated identity control
- Automated ShadowIT Analysis w/ 100K+ apps