A definitive guide to cloud access security brokers
Article by Bitglass Australia's Dave Shephard.
Although cloud apps like Microsoft 365 (formerly Office 365), Salesforce and Box are the future of enterprise computing, security concerns continue to plague public cloud adoption.
While organisations are keen to migrate to the cloud, they need robust visibility and control capabilities in order to keep sensitive corporate data safe.
To secure cloud apps, organisations need a comprehensive security solution that offers visibility, data security, threat protection and compliance. Cloud access security brokers (CASBs) are a data-centric solution for securing SaaS apps end-to-end, from cloud to device.
By intermediating or ‘proxying’ traffic between cloud apps and end-user devices, CASBs offer IT administrators granular access control and deep visibility over corporate data – critical functionality for organisations moving from internal, premises-based apps to the cloud.
Cloud app vendors like Google and Microsoft are motivated to secure their infrastructure and to protect against threats to their applications. Denial of service attacks, malware outbreaks, and large data breaches are the types of security events that land cloud app vendors on the front pages of global business media, and have a severe negative impact on their businesses.
However, control over access and downloaded data is the enterprise’s responsibility. Theft of user credentials, regulatory compliance failure and data leakage due to improper controls all rest on IT. IT must have a security solution in place to protect corporate data from these types of risks that fall outside of the control of the SaaS application provider.
Balancing IT needs and employee demands
Years ago, when BYOD was less prevalent, employees simply accepted a poor user experience as a necessary evil. Today, employees are quick to reject IT solutions that reduce productivity and that impede their privacy. Enterprises must adopt user friendly solutions that enable a more productive, mobile workforce
Finding a CASB that can meet these key requirements will help to prevent employees from going rogue and working around IT. The solution needs to take into consideration:
- Usability: Consumer apps have set a high bar for users which has created the expectation that cloud apps in the enterprise will match that experience and enhance, not hinder, productivity.
- Privacy: Employees have an expectation and a right to privacy. Gone are the days when it was acceptable for IT to capture personal traffic in the security dragnet.
- Mobility: Employees want to have the latest devices and access corporate data without restrictions, even if those devices aren’t managed by their employer.
Components of a complete CASB solution
While enabling mobility is often a boon to productivity, cloud apps also make data access much easier, which can pose a threat to security. A complete CASB must close the gap by protecting data-at-rest and data-in-motion across all devices. Cloud, mobile, discovery and identity are the core components of a CASB which, together, provide total data protection.
A deep understanding of how employees are using cloud apps is key to identifying risky or malicious activity. By tracking user activities, CASBs can generate a baseline behavioural profile, and alert on deviations so that IT can take immediate action. Visibility can also help IT build security policies that minimise risk of data loss without impeding on employee workflows.
CASBs protect corporate data both in the cloud and on any device in real-time. API integration into cloud apps is used to scan and protect data-at-rest, and proxies are used for inline, real-time protection for data being accessed via both managed and unmanaged devices.
Using built-in APIs, CASBs are able to scan and identify sensitive content stored in apps like Microsoft 365 and Google Apps, and apply granular access controls to data. With traditional solutions, access control capabilities are limited and IT is forced to simply allow or block access. With a CASB, IT administrators have more flexibility in extending access with context- and content-aware.
Data must be protected at rest in the cloud, at rest on mobile devices, and in transit, making cloud and mobile inseparable components of a complete security solution. The CASB data-centric approach to security ensures that corporate information stays protected on any device, anywhere.
When organisations focus entirely on securing devices instead of securing data, there is a real threat of data leakage. An employee can, for example, download a file with sensitive customer information to a managed device, move that file over to an unmanaged device, and perhaps upload that file to an unsanctioned cloud application.
If the device were secured without other data-centric protections, IT would lose visibility and control over that file. With a CASB, a content-aware DLP engine can encrypt, DRM, and watermark data in real time, ensuring that sensitive information stays protected across both managed and unmanaged devices.
Another risk faced by organisations when it comes to enabling secure mobile and BYOD is the threat of lost and stolen devices. CASBs are capable of enforcing a wide array of device security policies on any device, functionality that has historically only been possible on managed devices.
CASBs can require use of a PIN or passcode for added security and can even selectively wipe just corporate data from any mobile device.
Data leaving the corporate network and heading to high risk destinations is a major concern for enterprises. High risk destinations take many forms: malware command and control sites, anonymisers like Tor, ‘shadow IT’ cloud applications, and more.
All these destinations are at risk from sensitive data exfiltration and must be identified in a timely fashion. CASBs offer discovery services that analyse proxy or firewall data to identify vulnerable traffic between the network and high risk destinations. Destinations associated with known malicious activity can be identified in order to remediate high risk endpoints and users.
In many organisations, individual accounts are created within each cloud app, without a centralised identity system, a practice that can make provisioning new accounts and securely authenticating users more difficult.
A complete CASB features an integrated identity management solution or works with an existing identity management infrastructure to enable secure authentication across all cloud apps. Secure authentication, often necessary to achieve regulatory compliance, can drastically reduce the attack surface that hackers can use to access corporate data.
To summarise, in a world of cloud applications and mobile devices, IT must secure corporate data on any device, anywhere. Existing security technologies, developed only to secure data on the network, are not suited to solving this task.