IT Focus Area: Security
December 16, 2016
Cloud Access Security Brokers: Closing the SaaS Security Gap
Today’s complex, hybrid IT environment is making it hard for organizations to get their arms around security.
The cloud market is rapidly maturing, but there is a lack of confidence in cloud security. Many enterprises have adopted a cloud-enablement mindset and are "cloudifying" traditionally internal applications, but worry that they don’t have the right tools to fully secure their data in the cloud. As demand for SaaS enterprise applications continues to accelerate, developing an effective approach to cloud security has become a top priority for organizations in all industries.
A recent 451 Research report based on a survey of 1,100 senior IT security executives at large enterprises worldwide found that 85 percent of enterprises are now using sensitive data in the cloud, up from 54 percent last year. And 70 percent are concerned about it.*
When organizations transfer data to a cloud, the responsibility for protecting that data typically remains with the organization (as data custodian). Sensitive data is easy to misuse in cloud-based applications, and few SaaS providers offer a degree of control that approaches what IT teams are used to exerting over on-premises applications. To make matters worse, the majority of organizations experience some level of unauthorized provisioning of cloud services — shadow IT — which makes it nearly impossible to ensure security policy enforcement.
As the public cloud services market expands, organizations need to keep pace and advance their data protection capabilities by focusing on the security of the data itself no matter where it is stored, used or transmitted. Organizations that want to leverage SaaS while maintaining security and compliance need tools that focus on securing data in the cloud.
The Role of CASBs
Securing cloud access is a critical part of a comprehensive data-centric security program. Over the last two years, we’ve been hearing a lot about cloud access security brokers — CASBs. CASBs are policy enforcement points that sit between an organization's on-premises infrastructure and a cloud provider's infrastructure. They act as gatekeepers, interposing enterprise security policies as cloud-based resources are accessed.
Many organizations have invested heavily in next-generation firewalls (NGFW), proxies, data loss prevention (DLP), intrusion detection and prevention systems (IDS/IPS), and identity and access management (IAM) solutions in order to monitor and control on-premises applications. CASBs extend similar capabilities into cloud applications.
A New Approach to Data Protection
The use of cloud applications such as Salesforce, Microsoft Office 365 and Box is soaring, and users are accessing these resources with mobile devices. IAM solutions help to secure access to data and enhance cloud security by providing capabilities such as single sign-on and federated access, and endpoint security controls facilitate data protection on mobile devices. CASBs take a different approach by providing visibility and control that is centered on the applications themselves. Cloud applications typically have different administrative user interfaces (UIs), with different features and capabilities. CASBs enable organizations to manage and enforce security policies across these disparate applications, providing much-needed insight into cloud activity, and a single point of control for multiple applications and services.
By 2020, 85 percent of large enterprises will use a cloud access security broker platform for their cloud services, which is up from less than 5 percent today, according to Gartner.**
There are numerous providers with different capabilities and areas of emphasis, which can increase the complexity of evaluations. It is important to understand the four central areas of CASB functionality and their use cases in order to choose providers that can help the organization achieve its security and business goals.
Few cloud applications provide audit or activity logs. CASBs help to resolve this issue by providing audit-level logging, along with alerts and reports that can transform logs into actionable intelligence. For example, a CASB can inform you that a user is simultaneously logging into Microsoft Office 365 from Moscow and Salesforce.com from Chicago. Since they cannot be in two places at once, this is a clear indication of stolen credentials. CASBs also provide insight into anonymizers, malware and other traffic that indicates an active intrusion. Additionally, some platforms offer a security posture assessment database to provide visibility into the "trustability" of specific cloud service providers.
Audit logging is required by many regulatory bodies. Organizations in highly regulated industries — such as financial services and healthcare — need to show accurate logs of data and application access. Many of them have been hesitant to use cloud applications for this very reason. CASBs help fill in the gaps presented by SaaS vendors that don’t offer the visibility and data protection tools needed to maintain compliance with regulatory mandates. In addition to identifying cloud usage and the risks associated with specific cloud services, they can provide audit logs, encrypt data at rest, and enforce DLP policies in order to restrict access to regulated data.
CASBs can monitor data access and ensure that it is risk-appropriate. Leading providers offer both contextual access control — which governs the level of access a user has to an application based on variables such as their role, the device being used (managed or unmanaged), and their geographic location — and DLP capabilities that enable actions such as the quarantine of data being shared outside of the organization, and the redaction of sensitive content. DLP features are both included natively in CASBs and available through on-premises DLP products via ICAP integration. Several CASBs also provide the ability to encrypt or tokenize content in cloud applications at the field and file level. Encryption key management can be integrated with on-premises products.
CASBs utilize threat intelligence and provide threat protection related to user behavior and the use of corporate and customer data. One example is the previously mentioned login activity of a single user accessing different applications simultaneously from different countries. Another example of anomalous behavior a CASB can protect against in real time (depending on policies and the deployment model) is a sales rep who regularly logs into Salesforce and updates data related to a limited number of accounts, and then one day tries to download the entire company contact database to an unmanaged device. Some CASB providers have their own analyst teams researching cloud-specific and cloud-native attacks.
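The Moscow/Chicago scenario above is the classic "impossible travel" check that a CASB runs over correlated login logs from several SaaS applications. The following is an added example, not code from the article or any CASB product; the login events, city coordinates and the 900 km/h plausibility threshold are constructed for illustration, and a real broker would geolocate source IP addresses instead of using city names.

```python
# Added example, not from the article: flagging "impossible travel" logins
# across SaaS applications, as a CASB's audit-log correlation would.
# Events, coordinates and the speed threshold are constructed sample data.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0  # faster than an airliner: not plausible travel

# Constructed login events: (user, app, city, UTC timestamp)
EVENTS = [
    ("alice", "Office 365", "Moscow", "2016-12-16T09:00:00"),
    ("alice", "Salesforce", "Chicago", "2016-12-16T09:05:00"),
    ("bob", "Salesforce", "Chicago", "2016-12-16T09:10:00"),
    ("bob", "Box", "Chicago", "2016-12-16T13:40:00"),
]
# Approximate city coordinates (lat, lon); a real CASB uses IP geolocation
COORDS = {"Moscow": (55.76, 37.62), "Chicago": (41.88, -87.63)}

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, app1, city1, app2, city2, speed_kmh) for each pair of
    consecutive logins by one user that would require implausible speed,
    regardless of which application each login targeted."""
    by_user = {}
    for user, app, city, ts in sorted(events, key=lambda e: e[3]):
        by_user.setdefault(user, []).append((app, city, datetime.fromisoformat(ts)))
    alerts = []
    for user, logins in by_user.items():
        for (app1, c1, t1), (app2, c2, t2) in zip(logins, logins[1:]):
            if c1 == c2:
                continue  # same location: nothing to explain
            # floor the elapsed time at one second so simultaneous logins
            # from two cities still produce a finite, very large speed
            hours = max((t2 - t1).total_seconds() / 3600, 1 / 3600)
            speed = haversine_km(COORDS[c1], COORDS[c2]) / hours
            if speed > max_speed_kmh:
                alerts.append((user, app1, c1, app2, c2, round(speed)))
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(EVENTS):
        print("impossible travel:", alert)
```

Alice's two logins are about 8,000 km apart but five minutes apart, so she is flagged; Bob's logins are both from Chicago and pass.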
There are numerous use cases for CASBs. The technology is still evolving and as enterprise cloud usage continues to grow, so will the ways in which it is used to protect data. Below are a few of the most popular ways CASB technology is currently being used to accomplish security goals:
Shadow IT Discovery: Cloud-based applications have made Shadow IT a major problem, since anyone with a credit card can purchase and deploy them. CASBs include a Shadow IT discovery component that can audit the network to identify the SaaS applications being used, and provide a business-readiness rating that specifies how safe the applications are for the organization.
Access Control Enforcement: Leveraging existing single sign-on providers or corporate Active Directory (AD) services, CASBs can identify users’ access to SaaS applications. End user access (to sanctioned applications) can be strictly enforced by context:
- Who you are (role-based access)
- What device you are using (smartphone, tablet, corporate laptop, etc.)
- Where you are coming from (corporate network, public Internet, Wi-Fi, geographic region)
- When you're working (are you authorized to work during this time?)
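The four context attributes above combine into an ordered policy that the broker evaluates for each request to a sanctioned application. The following is an added example, not code from the article or any CASB product; the rules, roles, actions (allow, read_only, step_up_mfa, deny) and the working-hours window are constructed assumptions that show first-match evaluation with deny as the default.

```python
# Added example, not from the article: first-match contextual access
# policy over who / what device / where / when, as a CASB would apply it.
# Rules, roles, regions and actions are constructed for illustration.
from datetime import time

# A rule is a set of conditions on the request context plus an action.
# Omitted conditions match anything; the first matching rule wins.
RULES = [
    # unmanaged device on a public network: no access at all
    {"network": "public", "managed": False, "action": "deny"},
    # unmanaged device anywhere else: view only, no download
    {"managed": False, "action": "read_only"},
    # contractors may work only within business hours
    {"role": "contractor", "hours": (time(8, 0), time(18, 0)), "action": "allow"},
    {"role": "contractor", "action": "deny"},
    # employees on managed devices from the home region
    {"role": "employee", "region": "US", "action": "allow"},
    # anything else that got this far: require a second factor
    {"action": "step_up_mfa"},
]

def _matches(rule, ctx):
    """True if every condition in the rule holds for the request context."""
    for key, expected in rule.items():
        if key == "action":
            continue
        if key == "hours":
            start, end = expected
            if not (start <= ctx["time"] <= end):
                return False
        elif ctx.get(key) != expected:
            return False
    return True

def decide(ctx, rules=RULES):
    """Return the action for a request context with keys role, managed,
    network, region and time. No matching rule means deny."""
    for rule in rules:
        if _matches(rule, ctx):
            return rule["action"]
    return "deny"

if __name__ == "__main__":
    req = {"role": "employee", "managed": True, "network": "corporate",
           "region": "US", "time": time(10, 30)}
    print(decide(req))
```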
Encryption: CASBs provide a common point of encryption for cloud services. They can encrypt objects at the file level before upload or upon download from a public cloud application according to policies that have been set, maintaining both data privacy and regulatory compliance. This enables key management to be maintained and controlled by the organization, not the SaaS provider.
DLP: CASBs can verify content within the public cloud applications being used by the organization, encrypting, password protecting, watermarking, or blocking in accordance with policies and keeping sensitive data from being shared via unauthorized channels.
Reporting: The increased visibility CASBs provide into data and user activity enables them to provide comprehensive activity logs and other reports that are useful for auditing and forensics.
User & Entity Behavior Analytics (UEBA): Leveraging data collected as users perform activities in cloud applications, CASBs can perform analytics to establish user behavior and service baselines, so that anomalous behavior that indicates threats can be detected, and alerts can be generated.
There are two primary deployment options for CASB solutions. Organizations should consider each, and choose the one that best aligns with their overall range of applications, access methods and goals.
- As a proxy-like gateway (in either forward or reverse-proxy mode)
CASBs deployed in proxy mode are in-line gateways that monitor outbound web traffic to SaaS applications. The deployment is complementary to, and not a replacement of, current network security controls (i.e., web proxies, firewalls). Users and devices access cloud services through either a reverse proxy or forward proxy service.
A forward proxy can be deployed as a hosted solution or on-premises. It requires all outbound web traffic to be redirected to the CASB proxy through one of the following options:
- Via proxy chaining with existing on-premises gateways or web proxies
- Routing directly to it as an explicit proxy
- Using proxy auto-configuration (PAC) files
- Deploying an agent on managed devices
Key management in the forward-proxy method is typically handled by solutions the organization already uses.
In a reverse-proxy deployment, the CASB sits between the cloud application and the user. When a user makes a web request to a SaaS provider, the URL is rewritten to point to the proxy server for analysis instead of directly to the cloud application. This method can be deployed either on-premises or as a hosted solution. The on-premises option gives organizations full physical control over key management and over the cryptography solutions currently in use, ensuring that no third party has access to the keys.
- As an API-based, cloud-native SaaS solution
The API approach is an out-of-band solution that does not sit on the network path of the data: users go to the cloud application directly, and the CASB uses the cloud provider's APIs to monitor and manage user access and enforce security policies. The CASB scans data at rest in cloud services and enforces policies by connecting to the cloud provider via API calls and inspecting data at periodic intervals. The CASB may offer on-premises or hosted key management options.
There are pros and cons associated with each implementation approach, and they cover unique use cases. Some CASBs support one versus the other, while others offer both deployment models. Organizations may choose to combine them in order to expand their use case coverage.
Some CASB vendors offer other methods, such as log forwarding or monitoring SPAN/TAP ports, to collect data and conduct analysis. However, these methods limit the ability of the CASB to be proactive, and their use is generally restricted to generating reports on access to, and usage of, sanctioned and unsanctioned cloud providers.
There are numerous CASB solutions to choose from; a comprehensive evaluation is critical to finding the best match for an organization’s needs. Assessing how employees are currently using various cloud services, carefully planning use cases, developing policies and architecting how the CASB will integrate into overall network and security operations are important parts of the decision-making process. Many companies leverage a vendor-independent technology partner to help them test and evaluate potential solutions, and find the right fit. Professional services such as security program and data protection assessments can pave the way to a successful deployment by evaluating the overall state of your organization’s security and objectively detailing current policies, controls and processes.
Closing the SaaS Security Gap
Cloud applications are here to stay, and cloud access security brokers address the security and compliance concerns they present. By applying consistent data protection across environments, CASBs are closing the gap in SaaS security confidence and ensuring that vulnerabilities aren’t created as users switch applications, and data moves from one provider to another. With CASB technology, organizations can adopt third-party applications with peace of mind, knowing that they have the right tools to maintain security and compliance, no matter which applications they choose.
*2016 451 Research/Vormetric Data Threat Report (DTR), February 24, 2016 https://451research.com/blog/53-451-research-and-vormetric-shed-light-on-the-current-state-of-data-security
**Gartner Market Guide for Cloud Access Security Brokers, October 24, 2016 https://resources.netskope.com/h/i/161227815-gartner-report-market-guide-for-cloud-access-security-brokers/162899