This section covers how to use the Cloud Access Security Broker (CASB) feature for the Cloud Web Security service.

Overview

The Cloud Access Security Broker (CASB) feature provides visibility and control on user activities while accessing SaaS applications.

The CASB feature includes the following capabilities:

Application Visibility (part of both Cloud Web Security Standard and Advanced Edition packages): A customer has the ability to view the different SaaS applications being accessed by users within their network. For each application, a customer using CASB Application Visibility can observe:

  • The risk score for each application.
  • The number of times users have accessed an application.
  • The application’s category.

Application Control (part of the Cloud Web Security Advanced Edition package only): A customer has the ability to control specific actions that can be performed on each SaaS application.

Out-of-the-box predefined controls are available for all SaaS applications, with application-specific controls provided at a per-application level. These controls can be customized and configured per application and based on User and User Group.

For each application, a customer using CASB Application Control can control:

  • Initial access to the application site (Allow or Block).
  • Additional actions including Login, Upload/Download Content, Search, Edit, Share, Create, Delete, Like, or Post.

Customers can see the currently available actions for the applications they would like to control.

Prerequisites

Users need the following for access to the Cloud Access Security Broker (CASB) feature with Cloud Web Security:
  1. A customer Enterprise on a production VMware Cloud Orchestrator with Cloud Web Security activated.
  2. The customer's SD-WAN Edges, the SASE PoPs, and the Orchestrator must all use Release 4.5.0 or later.
  3. CASB Application Visibility is available to all Cloud Web Security customers, whether they have a Standard or Advanced package.
  4. To access CASB Application Control, a customer must have a Cloud Web Security Advanced package.
    If users navigate to Cloud Web Security > Configure > Security Policies and click on an existing Policy or create a new Policy, the CASB tab will include a lock icon. This indicates that only CASB Visibility is allowed with the Standard Edition license and that the Advanced Edition license is required to create CASB Control policies.
  5. Optional: An Identity Provider (IdP) if the customer plans to have user-based rules. For more information on configuring either Workspace ONE or Azure Active Directory (AD) as an identity provider, consult the respective guides on the Single Sign-On Guides (SAML) page.

CASB Configuration Workflow

Having covered the two key capabilities that comprise the CASB feature, Application Visibility and Application Control, this section covers the CASB workflow.

Create, Configure, and Apply a Security Policy

For details on Creating, Configuring, or Applying a Security Policy for the Cloud Web Security service, consult the relevant documentation in the Cloud Web Security Configuration Guide.

CASB Settings - Application Visibility

After a Security Policy has been associated with a customer segment, traffic from endpoint devices behind the SD-WAN Edge, or arriving via Secure Access clients, is inspected and monitored as it passes through the Cloud Web Security policy.

  1. On the VMware SASE Orchestrator UI, navigate to Cloud Web Security > Configure > Policy Settings > CASB.
  2. The CASB Settings page provides a list of Applications that match a Security Policy Rule, sorted by default by the highest Number of Access (the number of times a particular application has been accessed within the specified time period).
    • Each Application will also have a Risk Score associated with it: Low (1-3), Medium (4-6), or High (7-9).
    • The Applications table can be sorted by Application Name, Category Name, # of times Accessed, or Risk Score by clicking on the column header. Alternatively, by clicking the sort icon for a column, users can search for a particular term or number in that column.
    • The CASB Settings page displays 20 Applications per Page by default; users can scroll to the bottom of the page and specify up to 100 Applications per Page. Users can also select a new page of Applications either by clicking one of the arrow icons or by specifying a page number in the text box.
    • As more traffic passes through the Cloud Web Security service, the Applications list may change depending on which websites are being visited. These changes can include application order, number of applications, access events, and risk score.
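The following Python script is an added example, not VMware code, that models the CASB Settings table described in the steps above: it bands a numeric Risk Score into Low/Medium/High, sorts by any column (highest Number of Access first by default), searches within one column, pages the rows with the UI's default of 20 and cap of 100 per page, and pulls out the High-risk applications that were actually reached, which is the first thing a defender scans this page for. The AppRecord field names and the sample rows are constructed for illustration; only the risk bands and page sizes come from the documentation.

```python
"""Model of the CASB Settings (Application Visibility) table.

Added example, not VMware code. The AppRecord shape, the column names and
the sample rows are constructed for illustration; the risk bands
(Low 1-3, Medium 4-6, High 7-9), the default of 20 rows per page and the
maximum of 100 rows per page are the values the documentation gives.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AppRecord:
    name: str          # Application Name
    category: str      # Category Name
    accesses: int      # # of times Accessed within the selected period
    risk_score: int    # Risk Score, 1-9


def risk_band(score: int) -> str:
    """Map a numeric Risk Score onto the band shown in the table."""
    if not 1 <= score <= 9:
        raise ValueError(f"risk score must be 1-9, got {score}")
    if score <= 3:
        return "Low"
    if score <= 6:
        return "Medium"
    return "High"


# Sort keys for each column header; "accesses" is the default view.
_SORT_KEYS = {
    "name": lambda a: a.name.lower(),
    "category": lambda a: a.category.lower(),
    "accesses": lambda a: a.accesses,
    "risk_score": lambda a: a.risk_score,
}


def sort_apps(apps: List[AppRecord], column: str = "accesses",
              descending: bool = True) -> List[AppRecord]:
    """Sort by one column, highest Number of Access first by default."""
    if column not in _SORT_KEYS:
        raise ValueError(f"unknown column: {column}")
    return sorted(apps, key=_SORT_KEYS[column], reverse=descending)


def search_column(apps: List[AppRecord], column: str, term) -> List[AppRecord]:
    """Keep rows whose value in `column` contains the term (case-insensitive substring)."""
    if column not in _SORT_KEYS:
        raise ValueError(f"unknown column: {column}")
    needle = str(term).lower()
    return [a for a in apps if needle in str(getattr(a, column)).lower()]


def page_of(apps: List[AppRecord], page_number: int = 1, per_page: int = 20) -> List[AppRecord]:
    """Return one page of rows; per_page is capped at 100 as in the UI."""
    if not 1 <= per_page <= 100:
        raise ValueError("per_page must be between 1 and 100")
    if page_number < 1:
        raise ValueError("page_number starts at 1")
    start = (page_number - 1) * per_page
    return apps[start:start + per_page]


def high_risk_accessed(apps: List[AppRecord]) -> List[AppRecord]:
    """Triage cut: High-risk applications that were actually reached at least once."""
    return [a for a in sort_apps(apps)
            if risk_band(a.risk_score) == "High" and a.accesses > 0]


# Constructed sample rows; names and numbers are illustrative only.
SAMPLE_APPS = [
    AppRecord("Dropbox", "File Sharing", 340, 5),
    AppRecord("WeTransfer", "File Sharing", 120, 7),
    AppRecord("Slack", "Collaboration", 910, 2),
    AppRecord("Pastebin", "Web Content", 15, 9),
    AppRecord("Box", "File Sharing", 0, 8),
]

if __name__ == "__main__":
    # Default view: first page, sorted by Number of Access descending.
    for row in page_of(sort_apps(SAMPLE_APPS)):
        print(f"{row.name:<12}{row.category:<16}{row.accesses:>6}  {risk_band(row.risk_score)}")
```

Running the script prints the default view of the constructed table; `high_risk_accessed` is the query to re-run as the list changes over time, since an application that is High risk but has zero accesses is not yet a control priority.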

Create and Apply a CASB Control Rule

To create and apply a CASB Control Rule, see Configure Cloud Access Security Broker Rules.

Verify a CASB Rule is Working

After the Security Policy with the CASB Control Rule is published, go to a website affected by the rule and test the control features to confirm the rule is working as expected. To verify that the applications have CASB controls configured, use the Cloud Web Security > Monitor > Web Logs page. For example, where a user tried to log into the WeTransfer website and was blocked as per the published CASB Control rule, the Web Logs show the blocked login attempt.

Monitor CASB

  1. Navigate to Cloud Web Security > Monitor > CASB Analysis.
  2. On the CASB Analysis page, users can view a selection of bar charts for Top Categories, Top Applications, Top User, and Top Uploads by Application.
  3. Web Logs: On the Cloud Web Security > Monitor > Web Logs page, users can learn greater details about an application access event. For any CASB Application event, users can click the bubble associated with that log entry to see the full Log Entry Details.
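The following Python script is an added example, not VMware code, serving both the "Verify a CASB Rule is Working" section and the CASB Analysis charts above. It takes exported CASB access events, checks that a control such as the WeTransfer login block is actually enforced (every matching event blocked, and at least one matching event present, since no traffic is not evidence), lists the blocked events a reviewer would look for in the Web Logs, and computes the Top Categories, Top Applications, Top User and Top Uploads by Application summaries. The event field names (timestamp, user, application, category, action, verdict, upload_bytes) and all sample values are constructed assumptions; the real records and field names are whatever the Web Logs page exports.

```python
"""Verify a CASB Control Rule and compute the CASB Analysis summaries.

Added example, not VMware code. The event dictionaries, their field names
(timestamp, user, application, category, action, verdict, upload_bytes)
and all sample values are constructed; the real records live on the
Web Logs page. The WeTransfer blocked-login scenario and the four "Top ..."
charts (Categories, Applications, User, Uploads by Application) are the
ones the documentation names.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

Event = Dict[str, object]

# Constructed sample events (assumed shape, illustrative values only).
SAMPLE_EVENTS: List[Event] = [
    {"timestamp": "2024-05-01T09:00:00Z", "user": "alice", "application": "WeTransfer",
     "category": "File Sharing", "action": "Login", "verdict": "Block", "upload_bytes": 0},
    {"timestamp": "2024-05-01T09:02:00Z", "user": "bob", "application": "WeTransfer",
     "category": "File Sharing", "action": "Login", "verdict": "Block", "upload_bytes": 0},
    {"timestamp": "2024-05-01T09:05:00Z", "user": "alice", "application": "Dropbox",
     "category": "File Sharing", "action": "Upload", "verdict": "Allow", "upload_bytes": 5_000_000},
    {"timestamp": "2024-05-01T09:07:00Z", "user": "carol", "application": "Slack",
     "category": "Collaboration", "action": "Post", "verdict": "Allow", "upload_bytes": 0},
    {"timestamp": "2024-05-01T09:10:00Z", "user": "bob", "application": "Dropbox",
     "category": "File Sharing", "action": "Upload", "verdict": "Allow", "upload_bytes": 2_000_000},
    {"timestamp": "2024-05-01T09:12:00Z", "user": "carol", "application": "Dropbox",
     "category": "File Sharing", "action": "Login", "verdict": "Allow", "upload_bytes": 0},
    {"timestamp": "2024-05-01T09:15:00Z", "user": "alice", "application": "Box",
     "category": "File Sharing", "action": "Upload", "verdict": "Allow", "upload_bytes": 1_000_000},
]


def blocked_events(events: List[Event], application: Optional[str] = None,
                   action: Optional[str] = None) -> List[Event]:
    """Events the CASB rule blocked, optionally narrowed to one application/action."""
    return [e for e in events
            if e["verdict"] == "Block"
            and (application is None or e["application"] == application)
            and (action is None or e["action"] == action)]


def rule_enforced(events: List[Event], application: str, action: str) -> bool:
    """A control is verified only if matching events exist and every one was blocked.
    No matching events means the test traffic never reached the policy, which is
    not evidence that the rule works."""
    relevant = [e for e in events
                if e["application"] == application and e["action"] == action]
    return bool(relevant) and all(e["verdict"] == "Block" for e in relevant)


def top_by(events: List[Event], field: str, n: int = 5) -> List[Tuple[str, int]]:
    """Top-N counts for one field: 'category', 'application' or 'user'."""
    return Counter(str(e[field]) for e in events).most_common(n)


def top_uploads_by_application(events: List[Event], n: int = 5) -> List[Tuple[str, int]]:
    """Bytes uploaded per application, counting only uploads that were allowed."""
    totals: Dict[str, int] = defaultdict(int)
    for e in events:
        if e["action"] == "Upload" and e["verdict"] == "Allow":
            totals[str(e["application"])] += int(e["upload_bytes"])
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    print("WeTransfer login blocked:", rule_enforced(SAMPLE_EVENTS, "WeTransfer", "Login"))
    for e in blocked_events(SAMPLE_EVENTS):
        print(e["timestamp"], e["user"], e["application"], e["action"], e["verdict"])
    print("Top categories:", top_by(SAMPLE_EVENTS, "category"))
    print("Top applications:", top_by(SAMPLE_EVENTS, "application"))
    print("Top users:", top_by(SAMPLE_EVENTS, "user"))
    print("Top uploads by application:", top_uploads_by_application(SAMPLE_EVENTS))
```

`rule_enforced` deliberately fails when the matching set is empty: a published rule that produced no events at all during the test is more likely a policy-scoping mistake (wrong segment, wrong user group) than a working control.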