What is CASB?
A cloud access security broker provides visibility, data security with Data Loss Prevention (DLP), and threat protection so you can safely use cloud apps.
How do you gain visibility into what cloud apps people are using and if they are safe? How do you ensure sensitive documents are not being shared inappropriately? How do you adhere to critical compliance regulations? How do you protect against malicious activity? Cloud Access Security Brokers (CASBs) address all of these questions so you can be safe and secure in the cloud.
CASB helps an IT Security team:
IaaS (Infrastructure as a Service): examples include AWS and Azure. The IaaS provider hosts hardware, software, servers, storage, and other infrastructure components, enabling organizations to deploy their own applications and data in the cloud.
SaaS (Software as a Service): examples include Microsoft Office 365, Google G Suite, Box, Dropbox, and more. The SaaS provider hosts software applications and makes them available by subscription over the internet. SaaS is a popular model for many business enablement applications, including messaging, email, file sharing, CRM, HRM, and more.
PaaS (Platform as a Service): PaaS provides a hardware and software environment that can host applications and data. PaaS services can include web service integration, collaboration for DevOps, and database integration, all while offering information security. PaaS vendors include AWS, Azure, Google, IBM, Salesforce.com, and Red Hat.
CIOs think they have 30-40 cloud apps on their network, when in reality the average organization has over 1,000. They need to be able to identify these apps, rate them according to their security risk, and select those that conform to the organization's risk tolerance. For more info, refer to the Shadow IT Discovery Best Practices Guide.
Compliance Officers need to know what types of compliance-related data (PII, PCI, PHI, GDPR-related, etc.) are being stored and shared in the cloud, and whether this data is exposed or at risk. Other data types such as legal documents, engineering schematics, source code, and other intellectual property, need to be identified and protected.
Security Administrators and Compliance Officers need to define the rules that govern data exposure by classification, to control inappropriate sharing in the cloud, whether inadvertent due to user error or deliberate due to malicious use or hacker activity.
IT organizations with on-premises DLP often want to extend coverage to the cloud in a seamless way that affords consistent dictionaries, policies, and workflows, and unifies reporting.
CIOs, IT Security Directors, and Data Privacy Officers need to identify risky user behavior, including but not limited to sensitive file oversharing, data exfiltration, data destruction, and the use of unsafe cloud apps. They need to quickly respond to incidents, determine the impact and extent of credential compromise, malware infection, brute force attacks, or other issues, and automate security precautions wherever possible.
Organizations need to protect their intellectual property, stay competitive in the marketplace, and maintain regulatory compliance. They need to do this by applying DLP, data security, encryption, and access controls to their SaaS, PaaS, and IaaS resources, perhaps forming a Cloud Center of Excellence.
Compliance Officers may want to continuously monitor how data is being accessed and shared by the organization and individual departments to make sure they meet compliance requirements.
Security managers need to continually monitor data usage for possible policy violations, data leakage, malware attacks, and user access to unauthorized websites that could pose a risk to cloud accounts and data.
In the event that cloud accounts are compromised, files are infected with malware, or data is mishandled from cloud accounts, IT departments need the ability to initiate a post-event investigation on the issue and to provide an audit trail detailing what documents were moved where and by what credentials.
Effective CASB solutions need to cover a wide range of scenarios, including documenting sanctioned and unsanctioned apps, risk scoring of apps and users, and tracking business and personal accounts as they access sanctioned apps from mobile devices and desktops, both managed and unmanaged. To protect the flow of information according to its content, a CASB may add authentication and encryption to traffic to and from the cloud. To address all of these scenarios, comprehensive CASB solutions use the following:
Many of the major cloud applications have well-defined APIs used by a CASB to monitor activity, analyze content, and modify settings as needed.
CASB Gateways sit between the users and their cloud apps, providing valuable insights into cloud activity and offering a vehicle for real-time policy enforcement.
A CASB can import log data from firewalls, secure web gateways, or WAFs to analyze traffic and protect information.
Endpoint agents help manage cloud activity by users on BYOD devices and enforce CASB policies on the endpoint.
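The log-import mechanism above is what drives the Shadow IT discovery described earlier: gateway or firewall logs are mapped to known cloud apps, each app is rated for risk, and unsanctioned apps are measured against the organization's risk tolerance. The following is an added example, not code from this page or from any CASB vendor; the log format, app catalogue, risk scores, sanctioned list and tolerance threshold are all constructed assumptions.

```python
"""Shadow IT discovery from secure web gateway logs (added example; not vendor code)."""
import re

# Constructed app catalogue: app name -> (domain suffixes, risk score 1..10). Illustrative only.
APP_CATALOG = {
    "Box": (("box.com",), 2),
    "Dropbox": (("dropbox.com",), 4),
    "PasteAnywhere": (("paste-anywhere.example",), 9),  # hypothetical high-risk app
}
SANCTIONED = {"Box"}   # apps the organization has approved (assumption)
RISK_TOLERANCE = 6     # unsanctioned apps scoring above this are blocked outright (assumption)

# Constructed log format: "<timestamp> user=<id> host=<fqdn> bytes_out=<n>"
LOG_RE = re.compile(r"user=(\S+) host=(\S+) bytes_out=(\d+)")

def classify_host(host):
    """Map a destination host to a catalogue app, or (None, None) if it is not a known cloud app."""
    for app, (suffixes, risk) in APP_CATALOG.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return app, risk
    return None, None

def discover_apps(lines):
    """Aggregate distinct users, egress volume and risk score per cloud app seen in the logs."""
    apps = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # malformed line: skip rather than guess
        user, host, sent = m.group(1), m.group(2), int(m.group(3))
        app, risk = classify_host(host)
        if app is None:
            continue  # not in the catalogue: either not a cloud app or one the catalogue lacks
        rec = apps.setdefault(app, {"users": set(), "bytes_out": 0, "risk": risk})
        rec["users"].add(user)
        rec["bytes_out"] += sent
    return apps

def recommend(app, rec):
    """Sanctioned apps are monitored; unsanctioned ones are reviewed or blocked by risk score."""
    if app in SANCTIONED:
        return "monitor"
    return "block" if rec["risk"] > RISK_TOLERANCE else "review"

def report(lines):
    return {app: recommend(app, rec) for app, rec in discover_apps(lines).items()}

SAMPLE_LOGS = [  # constructed log lines
    "2024-05-01T09:00:01Z user=alice host=app.box.com bytes_out=120000",
    "2024-05-01T09:00:05Z user=bob host=www.dropbox.com bytes_out=88000",
    "2024-05-01T09:01:10Z user=alice host=api.paste-anywhere.example bytes_out=5000",
    "2024-05-01T09:02:00Z user=carol host=www.example.org bytes_out=300",
    "2024-05-01T09:03:00Z user=bob host=dropbox.com bytes_out=12000",
]
```

Hosts that match no catalogue entry are dropped silently here; in practice they are the queue of apps still to be rated, which is where the 30-40 versus 1,000 gap shows up.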
In order to effectively protect your cloud apps and data no matter the user, location, or access device, your CASB needs to seamlessly integrate with core security infrastructure, including DLP, endpoint management, web security, encryption, user authentication, and advanced threat protection. Ultimately you want to leverage all of your security assets and investments to deliver the most effective security for the cloud. CASB 2.0 is about intelligently integrating CASB 1.0 functionality with all these core security technologies to provide comprehensive coverage of your cloud activity.
A comprehensive CASB 2.0 solution requires deep integration to gain real value. Such a solution should:
Many organizations will require some form of secure web gateway and CASB functionality. There are pragmatic issues to consider when deploying both. How do you steer traffic? How many user authentications are required? How can you share information between your secure web gateway and your CASB? How can you take action to control use of high risk cloud apps?
With CASB 2.0, the secure web gateway and CASB can be intelligently integrated to deliver more value.
There are many ways to share content, including confidential data, in an organization. Cloud-based file sharing, email (in the cloud and on-premises), and shared servers or folders are all popular methods. With CASB 2.0 you can seamlessly integrate DLP across all channels at risk for data loss, in the cloud and on-premises, ensuring effective DLP coverage and simpler operations.
A CASB 2.0 approach to digital rights management, encryption, and tokenization will intelligently integrate end-to-end encryption with CASB, DLP, and user authentication to protect data wherever it goes, including but not limited to en route to or at rest in cloud apps.
Malware, including advanced malware, affects files and systems both within your network perimeter and in your cloud accounts. Content enters cloud apps through direct cloud-to-cloud interactions, through on-premises-to-cloud or endpoint-to-cloud transactions, through sync and share across computing environments, or is created natively within cloud apps, so traditional perimeter protection is no longer sufficient.
A CASB 2.0 solution should leverage the best quality malware protection and ATP solutions to fully protect assets in the cloud.
A CASB 2.0 approach provides a deeper level of integration. Rather than a one-way sharing of information (SSO to CASB), CASB 2.0 solutions leverage a two-way sharing of information, so CASB insights can inform user authentication solutions. This way organizations can confirm and control user access to cloud assets mid-session if user behavior demonstrates high risk activity. A comprehensive solution would allow organizations to define granular policies based on a wide range of transaction attributes to enable the integrated system to require stepped-up authentication as users pursue high risk transactions or access highly sensitive data.
Endpoint solutions have insights into user activity that CASBs could usefully leverage. CASB 2.0 solutions bring more value by integrating more deeply with existing endpoint security solutions.
Basic information like the names, addresses, and phone numbers of customers is subject to data privacy regulations, such as the EU’s General Data Protection Regulation (GDPR).
Perhaps no type of data is as regulated as patient and medical record information. Recent cyber-crime reports indicate that this type of data is a prized target for hackers, with records fetching over $300 each on the black market. Regulations like HIPAA and HITECH in the United States, and their equivalents around the globe, give organizations specific guidance on how this sensitive data should be treated at all times.
Compliance mandates such as PCI DSS and Gramm-Leach-Bliley require financial institutions, as well as those storing or processing credit and debit cards, to take specific steps to protect the security and confidentiality of their customers’ financial information, regardless of whether it is kept on-premises or in the cloud.
The European Union General Data Protection Regulation (GDPR) has significant implications for organizations using cloud applications. GDPR requirements cover the location, access, protection, handling, security, and encryption of personal data. Organizations will need to monitor and control the cloud applications and services to which employees may be sending personal data on EU residents, and the personal data stored in these cloud applications and services will need to be carefully monitored and protected. These requirements apply to any company, wherever it is located, that processes personal data on EU residents.
Many other industries have their own compliance measures. Educational institutions need to adhere to the guidelines specified in the Family Educational Rights and Privacy Act (FERPA). Manufacturers of defense related products need to adhere to the data security measures defined in the International Traffic in Arms Regulations (ITAR). Agencies and law enforcement groups dealing with data such as fingerprints and biometrics must follow the security guidelines specified by the Criminal Justice Information Service (CJIS). Finally, many institutions specify their own internal security guidelines that all of their units must comply with, for both on-premises and the cloud.
Given the strict nature of compliance requirements and the penalties for exposing sensitive data, enterprises and organizations need to ensure that they meet specific requirements in the cloud. CASB solutions are playing a critical role in helping compliance and security professionals ensure:
Audit all cloud use in the organization. Use CASB intelligence on sanctioned and unsanctioned (Shadow IT) cloud apps in use to make sure they comply with any external or internal data security requirements. Restrict access to those cloud applications that cannot be brought into compliance.
Use a CASB to identify and monitor any regulated content that may be stored in or shared with a cloud application or service by the organization. Decide what type of regulated content (if any) should be allowed in the cloud. Establish requirements for how that data should be protected.
Centrally define and enforce CASB security policies to protect regulated data and to control how it is (or is prevented from being) stored and processed in cloud apps and services per the requirements in the appropriate compliance regulation such as GDPR, HIPAA, PCI DSS, etc.
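The three compliance steps above, together with the earlier point about governing data exposure by classification across all sharing channels, come down to one control loop: classify the content, look up the widest sharing scope its classification permits, and act on any share event that exceeds it. The block below is an added example, not code from this page or from any CASB product; its two detectors (a Luhn-validated payment card pattern for PCI and a US SSN layout for PII), the scope ladder and the per-label policy are constructed assumptions, and the share events are constructed in the shape a CASB might receive from a cloud app's API.

```python
"""DLP classification of cloud share events with a scope policy (added example; not vendor code)."""
import re

# Detectors for two regulated data types (constructed; a real CASB DLP engine carries many more).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # candidate payment card numbers (PCI)
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")     # US SSN layout (PII); illustrative only

def luhn_ok(digits):
    """Luhn checksum, so order numbers and other 16-digit noise are not flagged as cards."""
    total, double = 0, False
    for d in reversed(digits):
        n = int(d) * (2 if double else 1)
        total += n - 9 if n > 9 else n
        double = not double
    return total % 10 == 0

def classify(text):
    """Return the set of compliance labels found in a document's content."""
    labels = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            labels.add("PCI")
    if SSN_RE.search(text):
        labels.add("PII")
    return labels

# Share scopes from most to least restrictive, and the widest scope each label permits (assumptions).
SCOPES = ["private", "internal", "external", "public"]
MAX_SCOPE = {"PCI": "private", "PII": "internal"}

def evaluate(event):
    """Decide whether a share event complies with the classification policy."""
    labels = classify(event["content"])
    allowed = min((SCOPES.index(MAX_SCOPE[l]) for l in labels), default=len(SCOPES) - 1)
    if SCOPES.index(event["scope"]) <= allowed:
        return "allow", labels
    return "revoke_share", labels  # shared wider than its most sensitive label permits

def audit(events):
    return {e["file"]: evaluate(e)[0] for e in events}

SAMPLE_EVENTS = [  # constructed share events
    {"file": "card-batch.csv", "content": "cardholder 4111 1111 1111 1111 exp 12/27", "scope": "external"},
    {"file": "roster.xlsx", "content": "Jane Doe 123-45-6789 jane@corp.example", "scope": "internal"},
    {"file": "orders.txt", "content": "order 1234 5678 9012 3456 shipped", "scope": "public"},
]
```

Running the same evaluate() over events from email and on-premises file shares, with the same MAX_SCOPE table, is what gives the consistent dictionaries and policies across channels that the CASB 2.0 DLP passage asks for.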