AWS account Security: a great example to compare and contrast Lacework with CASB solutions

Lacework is a cloud security company, and we recently launched Lacework for AWS CloudTrail, a new solution focused on AWS account security. Securing a “cloud account” sounds a bit like a cloud access security broker (CASB) – but we’re not a CASB. To clear up any confusion, let me outline how the new Lacework solution works and clarify the problem we’re solving. I’ll do that by answering 3 questions:

  • What attack surface do we protect?
  • How do we fit into your architecture?
  • How do we use rules and policies?

Attack Surface

Lacework for AWS CloudTrail protects your AWS account. By “account,” we mean the AWS “place” you go as an admin when you’re building or managing your AWS solution (be that a website, mobile app backend, IoT service, or whatever you’re building with AWS). When you (or your DevOps team) create new AWS storage and compute resources, add or change administrative users, or manage other AWS services, these tasks happen in your AWS account. I don’t need to tell you how important it is to harden this attack surface – if you don’t, our recent blog post, Real-world AWS Account Compromises and How Lacework Stops Them, shows what can happen.

We don’t limit our scope to monitoring account access – we also guard against unusual account activity. With Lacework, you’ll know if someone fires up an EC2 instance for bitcoin mining, modifies access privileges for a service account, or starts doing something new in an inactive region. We take a “trust no one” cloud security approach by comparing each action in an AWS account to the baseline – no matter who or what does it. You can read more about “trust no one” in a recent Tech Beacon article: “Is the key to bulletproof security zero-trust networks?

CASBs protect a different type of cloud account access, focusing on the accounts used by rank-and-file employees to access SaaS apps instead of the administrative AWS account. For example, a CASB can prevent or limit access to a SaaS HR solution if an employee makes a time-off request from outside their typical location or if they use an unknown device. That’s a completely different attack surface that’s certainly worth protecting – it’s just not what we do.

Architectural Approach

Architecturally, Lacework works out-of-band by using API information from AWS CloudTrail. CloudTrail lets us see changes to EC2 instances, S3 buckets, IAM and more. We continuously monitor your cloud security and alert you when we see something out of the ordinary. Because Lacework isn’t inline and because we use the CloudTrail logs your implementation already generates, we don’t impact the user experience, change the cloud service you offer, or add much to your administrative workload.

To enforce SaaS access policies across the enterprise, CASBs must-see, and control login attempts for each end-user on every secured SaaS app. CASBs do this by proxying login activity (the typical CASB architecture) or by using an API for out-of-band control when the SaaS application supports it (increasingly popular, but not an option for many SaaS solutions). Proxies can impact the user experience and increase calls to the IT help desk. (Again, this observation isn’t a criticism, it’s just the nature of a CASB).

Since Lacework isn’t trying to protect the same attack surface as a CASB, we can take a much less intrusive architectural approach that avoids proxies altogether.

Policies and Rules

Lacework to baseline the activity of your AWS account and alert you when something’s out of place. Automation is a core design tenet for us because today’s cloud implementations grow and evolve too fast for hands-on maintenance. So we did away with manual creation of policies and rules and built a product designed for the demands of the cloud.

CASB solutions are, by contrast, designed to enforce enterprise access policies. By necessity, admins must spend significant time defining and maintaining those policies.


Both CASB and Lacework provide security for a cloud account, but that’s where the similarity ends. It’s our mission to safeguard your AWS account from compromise or misuse by using CloudTrail data to automatically detect suspicious behavior. And since we use standard AWS CloudTrail logs to do the job, setup is easy and maintenance is easier.

Give us a call and we’ll set you up with an account right now – we have a no-cost volume tier that’ll let you see exactly how Lacework protects your AWS account.