The Real World Use Cases for Implementing a Cloud Access Security Broker (CASB)
by Gregory Kiker, Information Security Practice Leader at cStor
As trust in cloud-based applications continues to grow, with no end in sight, the volume of cloud-based applications and data keeps growing too. For many organizations, that makes the need for a security and policy intermediary more pressing than ever.
Cloud access security brokers (CASBs) are on-premises or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed.
Security Enforcement Across a Wide Range of Applications… Yes, Even MS Office
CASBs consolidate multiple types of security enforcement including policies such as authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention, and so on.¹
Microsoft Office 365 has captured a large portion of business enterprises over the last year, with growth estimated at 300%+, and there is still room to grow. The Office subscription comes with a cloud drive, OneDrive, offering each user 1TB of space. With a majority of businesses already using Office products, it is easy to see why so many are moving to the cloud services.
The Security Gaps Are Closing, But There’s More to Do
While the industry is seeing some improvement in security, the gap is still large and the risk of losing sensitive data is real. One CASB usage analysis of more than 20,000 cloud services found that a staggering 58% of the sensitive data discovered resides in Microsoft documents.
Learn to Ask the Right Questions, Not Loaded Ones
So, is the cloud secure? The truth is, that’s a loaded question. One way a CASB helps secure cloud-based applications and data is through encryption.
A cloud access security broker sits between the user and the cloud service provider and screens usage, secures data, and guards against threats. Because it sees each transaction in context, it can decide when strong encryption is warranted and apply it selectively, rather than encrypting everything or nothing.
For instance, the CASB should know who is transacting, what group they belong to, their physical location, what action they are performing, in which service, on what data, and whether that data is sensitive.
How might that look in the real world? Take, for example, an HR user uploading a kitten video. Clearly that does not rank the same as an employee uploading a Word document titled “Personal Health Info” that triggers a confidential-data DLP (data loss prevention) violation.
Context is 9/10ths of the Law
This kind of contextual security intelligence is achieved by deploying the CASB as a forward proxy, as a reverse proxy, or, with some limitations, through the cloud service’s API. To apply policy to all traffic, including sync clients, native and mobile apps, and even unsanctioned cloud services, the CASB must be deployed as a forward proxy. A reverse proxy covers browser traffic to sanctioned services only, plus mobile traffic to a limited set of services such as Salesforce, because it sees only the connections that are routed through it. Where encryption cannot happen inline but only after the upload has landed, an API deployment is used; by then the data has already reached the provider, so API mode remediates rather than prevents.
Critical Requirements for a Viable Use Case
Beyond deployment choices, here are five critical requirements that must be met to achieve a use case like this one:
- Be aware of context, such as the activity being performed (for example, “upload”)
- See and control usage in both sanctioned and unsanctioned services
- Apply strong encryption to sensitive content, backed by proper key management
- Integrate with a KMIP-compliant, on-premises key manager, so the keys stay under the enterprise’s control
- Decode the cloud service’s unpublished API and decrypt SSL/TLS in order to understand the transaction (required for a forward proxy)
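To make the context-driven decision described above concrete, here is an added example (not cStor’s or any CASB vendor’s code) of a small policy engine: it runs constructed DLP detectors over an upload, checks which deployed mode (forward proxy, reverse proxy or API) can even see the transaction, weighs who is acting, from where, in which service, and returns allow, encrypt, block, quarantine or unseen. The group names, service lists, country allow-list, detector patterns and the stand-in key manager (a dict mapping a policy name to a KMIP-style key ID) are all assumptions; the cipher operation with the returned key would be performed by the proxy’s crypto module and is not shown.

```python
"""Contextual CASB policy evaluation (added example, not vendor code).
Detectors, groups, services, countries and key IDs are constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed DLP detectors; a real CASB ships many more, plus checksum
# validation and document fingerprints, to keep false positives down.
DLP_DETECTORS = {
    "US-SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHI-KEYWORD": re.compile(r"\b(patient|diagnosis|health info)\b", re.I),
}

# Constructed deployment facts. A reverse proxy sees only browser traffic to
# sanctioned services; a forward proxy also sees sync clients, native/mobile
# apps and unsanctioned services; API mode sees API-connected sanctioned
# services out of band, after the upload has already landed.
DEFAULT_MODES = frozenset({"reverse-proxy", "api"})
SANCTIONED = {"onedrive", "salesforce", "box"}
API_CONNECTED = {"onedrive", "box"}
ALLOWED_COUNTRIES = {"US", "CA"}
# Stand-in for a KMIP-compliant key manager: policy name -> key the broker
# would request by ID from the on-premises key manager (assumed URI scheme).
KEY_MANAGER = {"hr-phi": "kmip://kms.example.internal/keys/hr-phi-2024"}


@dataclass
class Transaction:
    user: str
    group: str
    country: str
    action: str          # "upload", "download", "share"
    service: str
    client: str          # "browser", "sync", "mobile"
    filename: str
    content: str = ""


@dataclass
class Decision:
    action: str          # allow | encrypt | block | quarantine | unseen
    reason: str
    key_id: Optional[str] = None
    detectors: List[str] = field(default_factory=list)


def coverage(tx: Transaction, modes=DEFAULT_MODES) -> str:
    """Which enforcement point, if any, sees this transaction."""
    if "forward-proxy" in modes:
        return "inline"
    if "reverse-proxy" in modes and tx.client == "browser" and tx.service in SANCTIONED:
        return "inline"
    if "api" in modes and tx.service in API_CONNECTED:
        return "out-of-band"
    return "none"


def classify(tx: Transaction) -> List[str]:
    """Run the DLP detectors over the file name and body."""
    text = tx.filename + "\n" + tx.content
    return [name for name, rx in DLP_DETECTORS.items() if rx.search(text)]


def evaluate(tx: Transaction, modes=DEFAULT_MODES) -> Decision:
    seen = coverage(tx, modes)
    hits = classify(tx)
    if seen == "none":
        # The gap a reverse-proxy-only deployment leaves open.
        return Decision("unseen", f"{tx.client} client to {tx.service} bypasses deployed modes", detectors=hits)
    if not hits:
        return Decision("allow", "no sensitive content detected")
    # Sensitive content from here on: the surrounding context decides.
    if tx.service not in SANCTIONED:
        return Decision("block", "sensitive content to unsanctioned service", detectors=hits)
    if tx.country not in ALLOWED_COUNTRIES and tx.action in {"download", "share"}:
        return Decision("block", f"sensitive {tx.action} from {tx.country}", detectors=hits)
    if seen == "out-of-band":
        # Too late to encrypt inline; API mode can only remediate after the fact.
        return Decision("quarantine", "sensitive content found by API scan after upload", detectors=hits)
    if tx.action == "upload" and tx.group == "hr":
        return Decision("encrypt", "HR upload of sensitive content", key_id=KEY_MANAGER["hr-phi"], detectors=hits)
    return Decision("block", f"{tx.group} user not permitted to {tx.action} sensitive content", detectors=hits)


if __name__ == "__main__":
    phi = "patient SSN 123-45-6789"  # constructed sample content
    print(evaluate(Transaction("ann", "hr", "US", "upload", "onedrive", "browser", "kittens.mp4")))
    print(evaluate(Transaction("ann", "hr", "US", "upload", "onedrive", "browser", "Personal Health Info.docx", phi)))
    print(evaluate(Transaction("ann", "hr", "US", "upload", "onedrive", "sync", "Personal Health Info.docx", phi)))
```

The ordering of the checks is the point: visibility is tested first, because a policy cannot fire on traffic the broker never sees (a sync client under a reverse-proxy-only deployment), and the same HR document gets encrypted inline through the browser but can only be quarantined when it arrives through a sync client that is visible solely via the API connector.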
So, how are you applying strong encryption based on conditional factors in cloud services? And what else can a cloud broker do for an organization? Here are just a few ways a CASB can add immediate value to your security initiatives:
- Advanced, enterprise DLP
- Granular policies for all apps
- Architecture for any use case
- Access and privilege control
- Active threat protection
- Provide visibility and control over cloud spend
- Ensure compliance in the cloud
- Mitigate cloud app usage risk
- And more…
Most organizations simply don’t know what they don’t know, and those unknowns are almost always what keeps security professionals up at night.
How to Get Your CASB Right the First Time
Look for agnostic, unbiased partners that can perform a paid, or even free, assessment to uncover your true cloud usage and identify where you may have gaps in your security policies and procedures.
Unless, of course, you prefer NOT to know. That’s another post entirely. 🙂
¹Source: Gartner IT Glossary, http://www.gartner.com/it-glossary/cloud-access-security-brokers-casbs/