Securing the Cloud: The role of CASB and CNAPP
Securing Access and Enhancing Visibility Across SaaS Applications and Infrastructure
As organisations expand their use of cloud services, maintaining secure access and visibility across a wide range of applications becomes essential, as I discussed in part one of my CNAPP series. But how can security teams gain insight into application usage, monitor data sharing and downloads, and track user activities within these apps? Ultimately, how can they restrict the use of unsanctioned or potentially malicious SaaS applications while still giving employees the flexibility they need to work from anywhere?
If you work in security, you’re likely familiar with these growing pains. Threats are becoming increasingly complex, moving across email, messaging apps, identities, applications, and infrastructure. To understand and contain these attacks, defenders need intelligent, automated, and integrated security solutions that close detection and response gaps, freeing up time for more proactive measures. Some of the top threats we face today include:
Insider Threats: Internal users may unintentionally or maliciously compromise sensitive data.
Over-Permissive Access & OAuth Apps: Excessive permissions or OAuth applications with broad access can introduce risks from external threats.
Malicious SaaS Applications: Unvetted or malicious SaaS applications can bypass traditional security controls, putting sensitive data at risk.
Compromised Identities and Data Exfiltration: Both human and AI-based actors can use stolen credentials to exfiltrate critical data from cloud environments.
Unwanted or Unsafe Generative AI Apps: The spread of unapproved or insecure GenAI apps can lead to data exposure, malware infections, or inadvertent sharing of sensitive information with external systems.
In this landscape, Cloud Access Security Brokers (CASBs) and Cloud-Native Application Protection Platforms (CNAPPs) are essential to a comprehensive cloud security strategy. In this post, we’ll explore how CASBs—such as Microsoft Defender for Cloud Apps—integrate seamlessly with CNAPPs to deliver stronger, unified cloud security.
What is a CASB and what can it do to help enhance cloud security?
In very simple terms, a CASB is a checkpoint between a cloud-based user and a cloud-based application or resource they are trying to access, such as a SaaS application. By adding visibility into cloud app usage, user activity, and data flow, CASBs allow organisations to enforce critical security policies. Integrating a CASB like Microsoft Defender for Cloud Apps within a CNAPP enhances your cloud security by protecting against threats, safeguarding data, and maintaining compliance.
Quick note: A CASB like Defender for Cloud Apps is part of the Security Service Edge (SSE), which falls under the broader SASE architecture framework. This framework offers both secure and optimised network connectivity across organisational resources. (I'll dive deeper into the differences, complexities, and features of SSE and SASE in a future blog, so stay tuned!)
What Are the Four Pillars of a CASB?
Now that you know what a CASB is, you might be wondering about its foundational components. Let’s break down the four pillars of a CASB:
Visibility: CASB solutions help discover "shadow IT": systems and processes, especially cloud services, that are not officially documented and that may introduce unknown security risks. Defender for Cloud Apps features include:
Discover SaaS applications that are in use in your environment across our cloud app catalog containing more than 30,000 applications.
Categorise and assess discovered SaaS apps and apply tags (Monitor, Sanctioned, Unsanctioned, or create your own).
Govern discovered SaaS apps and block them manually or via discovery policies, reducing shadow IT.
With SaaS security posture management (SSPM), view misconfigurations in connected SaaS applications and get details from Microsoft Secure Score on how to proactively prevent those misconfigurations, with links to vendor documentation.
Data security: CASBs prevent confidential data from leaving company-controlled systems, and help protect the integrity of that data. This capability is especially relevant with the proliferation of AI tools into which employees may attempt to upload protected data. Important technologies for this area include access control and data loss prevention (DLP). With Defender for Cloud Apps:
Discover sensitive files at rest: view sensitive files that exist at rest in Microsoft and connected non-Microsoft SaaS apps.
Protect data at rest: apply policies to non-Microsoft apps to revoke files shared with too broad an audience, alert when such files are detected, or apply labels. Labels can also be applied to files in non-Microsoft applications, covering some edge cases not handled by Purview.
Protect data in motion: apply policies to data moving between boundaries within a browser session using the inline proxy. This provides the ability to block upload, download, copy/paste, or label application on unmanaged devices.
Threat protection: CASBs block external threats and attacks, in addition to stopping data leaks. Anti-malware detection, sandboxing, packet inspection, URL filtering, and browser isolation can all help block cyber attacks. Defender for Cloud Apps features include:
Intelligent heuristics identify potentially malicious files and detonate them in a sandbox environment.
Capture an audit trail of in-app activity, with correlated data across all your connected SaaS apps and apps flowing through inline controls, aggregated into a single location with a common schema and enriched with signals from Microsoft Threat Intelligence.
Detect threats from users inside your organisation: detect anomalous behaviour from individual users, such as mass download or repeated activities, and automatically take action to suspend accounts.
Detect threats from privileged accounts: detect anomalous behaviour such as mass impersonation by a single user, login from a new country with an admin account, or unusual activity from an MSSP admin.
Use powerful KQL queries to hunt for audited activity in a common schema across all your connected SaaS applications, alongside the rest of the signals coming from other Microsoft 365 Defender products.
Single pane of glass: admins can view, triage and investigate multi-stage incidents that have been correlated across the Microsoft XDR stack, all in one place.
Send data to Microsoft Sentinel from Defender for Cloud Apps by ingesting the CloudAppEvents table into Sentinel for long-term storage and hunting.
Send enriched data from the CloudAppEvents table to Event Hub or Azure Storage and consume it downstream for things like third-party integration or Power BI dashboards.
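Two of the detections listed above (mass download by a single user, and admin activity from a country the account has not used before) written out as an added example over constructed records shaped like a subset of CloudAppEvents columns. This is illustrative code for this post, not Defender for Cloud Apps' own detection logic; the thresholds, the sliding window, the baseline period and the sample ActionType values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

START = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
BASELINE_UNTIL = START + timedelta(minutes=30)   # activity up to here forms the baseline

def _row(minute, action, account, admin=False, country="GB"):
    # Constructed row carrying a subset of CloudAppEvents columns (not real tenant data)
    return {"Timestamp": START + timedelta(minutes=minute), "ActionType": action,
            "AccountDisplayName": account, "IsAdminOperation": admin,
            "CountryCode": country, "Application": "Microsoft SharePoint Online"}

# Constructed sample: alice pulls 60 files in 6 minutes, bob 3 files over an hour,
# and carol performs an admin operation first from GB and later from BR.
SAMPLE_EVENTS = (
    [_row(m // 10, "FileDownloaded", "alice") for m in range(60)]
    + [_row(m * 30, "FileDownloaded", "bob") for m in range(3)]
    + [_row(5, "SiteCollectionAdminAdded", "carol", admin=True, country="GB"),
       _row(50, "SiteCollectionAdminAdded", "carol", admin=True, country="BR")]
)

def mass_downloads(events, threshold=50, window=timedelta(minutes=10)):
    """Accounts with at least `threshold` FileDownloaded events inside any sliding window."""
    per_user = defaultdict(list)
    for e in events:
        if e["ActionType"] == "FileDownloaded":
            per_user[e["AccountDisplayName"]].append(e["Timestamp"])
    flagged = set()
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # drop events that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged

def admin_activity_from_new_country(events, baseline_until):
    """Admin operations after the baseline from a country the account never used in it."""
    baseline = defaultdict(set)
    for e in events:
        if e["Timestamp"] <= baseline_until:
            baseline[e["AccountDisplayName"]].add(e["CountryCode"])
    return sorted(
        (e["AccountDisplayName"], e["CountryCode"], e["ActionType"])
        for e in events
        if e["Timestamp"] > baseline_until and e["IsAdminOperation"]
        and e["CountryCode"] not in baseline[e["AccountDisplayName"]]
    )
```

Bob's three downloads are spread over an hour, so even a threshold of 3 does not flag him under the 10-minute window; the window, not just the count, is what separates routine use from a burst.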
Compliance: Because the cloud is so spread out and is not under a company's control, it can be difficult for companies operating in the cloud to meet strict regulatory requirements. CASBs help ensure compliance with data privacy and safety regulations, and monitor compliance for enterprises requiring adherence to regulatory standards like HIPAA or PCI DSS. Defender for Cloud Apps features include:
OAuth app consent discovery allows you to discover SaaS applications that have been consented to in your organisation for first and third-party apps using app connectors. See app risk permission levels and which users have authorised the app.
OAuth app registration discovery: discover SaaS applications that have been granted permissions in the Microsoft Graph API. Also view apps that are overprivileged, apps accessing sensitive data, and the volume of data being uploaded, as well as anomaly detections powered by Microsoft threat intelligence.
OAuth app enforcement: automatically revoke apps identified in OAuth policies and App Governance policies.
(New emerging pillar) Secure and detect malicious AI apps: Defender for Cloud Apps allows you to discover over 400 GenAI apps, understand the risks with ready-to-use risk assessments evaluating over 40 risk factors, and set controls accordingly to mitigate those risks. It also helps you detect and remediate threats from suspicious interactions with Copilot for Microsoft 365, such as accessing sensitive files via Copilot from compromised user accounts or risky IPs.
How Do CASBs and CNAPPs Work Together?
While CASBs focus on securing access and data in cloud services, CNAPPs concentrate on the security of cloud-native applications and infrastructure. Integrating CASB capabilities within a CNAPP strategy enhances cloud security in powerful ways:
Comprehensive Visibility: CASBs offer deep visibility into cloud usage and data flows, complementing CNAPP’s focus on application and cloud infrastructure security. Together, they provide a 360° view of applications, the cloud services they interact with and cloud infrastructure, enabling security teams to identify risks quickly.
Enhanced Data Protection: CASB integration means CNAPPs can extend data protection not just within applications, but also across cloud environments, covering data in transit and at rest. This alignment with data-centric security principles helps keep sensitive information secure, regardless of where it travels.
Unified Compliance and Governance: CASBs excel at enforcing compliance with regulatory requirements across cloud services. Integrating CASB capabilities within a CNAPP framework helps create a unified governance model, simplifying the complexity of compliance reporting and reducing the effort of adhering to multiple standards.
Streamlined Security Operations: Converging CASB and CNAPP functions within a single pane of glass significantly reduces operational overhead. This integration minimises the risk of errors caused by managing multiple tools, while also reducing tool fatigue—allowing security teams to respond faster to incidents and potential breaches.
Top 3 Use Cases of CASBs:
Record an audit trail for all user activities across hybrid environments:
Whether a user identity is compromised, or an employee is deliberately carrying out risky actions across your environment of cloud apps, it’s key to understand that adversaries act regardless of whether an app or information is located on-premises or in the cloud. Therefore, your IT team needs to be able to trace and investigate the actions of any end user or privileged account laterally and across hybrid environments.
A CASB enables you to capture a detailed audit trail of all user and admin activities across your managed cloud and on-prem services for forensic investigations. This allows your IT to retrace all actions in case a breach or risky event is identified. Tracked events include activities such as sign-ins, downloads or uploads, and lateral movements, to provide full coverage for hybrid environments.
Detect and remediate malware in your cloud apps:
As the sophistication of cyber threats continues to evolve, malware is becoming one of the fastest growing security concerns for organisations, with the majority of reported breaches now involving some type of malware.
A CASB allows you to closely monitor your cloud storage applications and identify potentially malicious files in your environment. Pre-existing files are scanned using multiple layers of detection engines to assess whether a file is malicious and associated with known malware. Microsoft Cloud App Security runs suspicious files through a sandboxing engine to detect malicious behaviour and enables you to react quickly to zero-day malware in cloud storage solutions. You can also leverage session controls to prevent the upload and infiltration of known malware in real-time across all of your apps.
Enforce adaptive session controls to manage user actions in real-time:
In a cloud-first world, identity has become the new perimeter, protecting access to all your corporate resources at the front door.
Microsoft Cloud App Security leverages Microsoft Entra ID conditional access policies to determine a user’s session risk upon login. Based on the risk level associated with a user session, you can enforce adaptive in-session controls that determine which actions a user can carry out, and which may be limited or blocked entirely. This seamless identity-based experience keeps users productive while preventing potentially risky user actions in real time. The adaptive controls include the prevention of data exfiltration by blocking actions such as download, copy, cut or print, as well as the prevention of malicious data infiltration into your cloud apps by blocking malicious uploads or pasting of text.
Microsoft Defender XDR integration:
Microsoft Defender XDR integrates seamlessly with Microsoft Defender for Cloud Apps to enhance security across cloud environments. This integration enables organisations to gain comprehensive visibility into their cloud application usage and detect advanced threats in real time. By leveraging the data and insights from Defender for Cloud Apps, Defender XDR can correlate alerts and incidents, providing a unified view of security events. This holistic approach allows security teams to respond swiftly to potential threats, enforce policies, and manage vulnerabilities effectively, ensuring that cloud applications remain secure and compliant with organisational standards.
As you can see, the integration of CASBs and CNAPPs is crucial in today's complex cloud landscape. They not only enhance security measures but also provide the visibility and control necessary to manage risks effectively. For a deeper understanding of how these platforms can transform your security approach, explore my complete series on Cloud Native Application Protection Platforms.
Stay tuned for more insights on cloud security, where we’ll dive into the intricacies of SSE and SASE next!
Have blog ideas, want to engage on a topic, or explore collaboration? Let’s take it offline: reach out on LinkedIn. I’d love to connect and continue the conversation!