Is It Time to Add a CASB to Your Toolbox?
By Anita J. Bateman, CISSP
According to a recent survey by the Cloud Security Alliance, 64.9 percent of IT leaders think the cloud is “as secure or more secure” than on-premises software. However, the same survey revealed that one in three enterprises do not have a process to onboard cloud services, and the most common reasons for rejecting cloud requests are related to trust, encryption and data loss prevention.
One solution for many of these challenges is to deploy a cloud access security broker (CASB, as defined by Gartner) or a cloud security gateway (CSG, per Forrester’s definition) product. This article will explain why a CASB might be right for you, review prerequisites, and provide a vendor overview and key selection criteria.
What is a CASB?
Let’s start by looking at what functionality a CASB provides. As defined by Gartner, there are four pillars of functionality for a CASB: visibility, compliance, data security and threat protection. How many of us can say with certainty how many and which cloud applications are being used by our employees within our environment? And across cloud service providers?
The biggest misconception around CASBs according to Rich Campagna, senior vice president of products and marketing at Bitglass, is what the software is designed to do. “Most people view the mission of CASBs incorrectly to secure applications that are not secure. In reality, the mission of a CASB is to secure the usage of the application itself, by providing visibility and control over data sharing, unmanaged device access, and integrating with data loss prevention and event monitoring tools.”
Gartner is predicting that by 2020, 85 percent of large enterprises will use a cloud access security broker platform for their cloud services. Office365 adoption has been the major driver for CASB deployment to date, as enterprises strive to understand where and how their corporate data is being used.
Highly regulated industries, such as financial services and healthcare, have been first adopters in the CASB space, due to the ability of most CASBs to automate policy enforcement controls and address country-specific requirements. As enterprises grapple with data residency concerns, increased encryption requirements, Bring-Your-Own (BYO) trends, increased movement of enterprise core functions to the cloud and new regulations (e.g., EU General Data Protection Regulation coming in May 2018), CASBs will fill a gap in their information security strategy.
Understand your data—and your needs
With the ease of access, low cost and quick time-to-deploy for most cloud applications, many cloud services are used by corporate employees without going through a sanctioned IT vetting and deployment process, creating a larger “shadow IT” footprint than we have seen before.
The liability for cloud data usage and security failures lies with the enterprise, not with the cloud service provider. This means we are all on the hook for securing the usage of our data in the cloud. One of the initial use cases for CASBs is to gain visibility into what enterprise data is being exchanged across the enterprise, across cloud providers, and from both managed and unmanaged devices. This requires an understanding of your corporate data and usage flows. A data classification definition will be instrumental in helping you interpret the discovery findings available from a CASB deployment.
By discovering and understanding your universe of cloud solutions that contain your corporate data, you can determine where your highest cloud data risk lies, and create improved compliance, security and policy enforcement, including automation by a CASB solution.
Some CASB vendors have even created large repositories and risk scoring frameworks to perform ongoing evaluation of cloud vendor applications and assign risk scores. With more than 20,000 cloud applications in the market today, this is a valuable service a vendor can provide for you.
Some CASB vendors are providing an initial evaluation at minimal or no charge to help customers get a jump on understanding where their risks lie.
Look before you leap into the CASB deep end
Choosing whether to implement a CASB solution is no different than any other security technology decision made regularly. The old adage “Begin with the end in mind” applies here as well. Determine your vision (e.g., information security strategy) and where you want to be at the end of this journey.
Consider doing the following:
- Confirm the problem you are trying to solve and the priority of this issue within the organization. What can you already do today, and is there value in adding a CASB solution? Is your goal to move from a “cloud = No” organization to a “cloud = Yes and here’s how” organization? Is your goal simply to meet regulatory and compliance requirements? Is your goal to automate policy enforcement across cloud providers because your IT security team is inundated and can’t keep up with ongoing demands? Or all of the above?
- Remember your reporting and audit requirements. The ability to enforce a single set of policy and controls and have consistent reporting across cloud providers is another driver pushing enterprises to deploy CASBs.
- Understand and classify your data—including levels of protection needed by data type and risk to the organization if specific data types are lost or stolen.
- Identify your encryption requirements and policies for different data types, and whether you require cloud service providers to let you manage your own encryption keys. Some cloud service providers require access to, or ownership of, the encryption keys being used, which can pose additional risk to your enterprise.
- Review and understand your user patterns, including browser-based activity, mobile applications, sync clients, application ecosystem-driven data sharing, and access from both managed and unmanaged devices.
- Prioritize your cloud services favoring those that need immediate attention, based on your data classification and risk management plans. This will identify your integration needs and help you focus your tactical plan.
- Identify the ecosystem that you need a CASB to work with. What enterprise cloud solutions are most critical to you in the next 12 to 18 months that you want to ensure integrate well with a CASB solution?
- Look at your architecture; if you have older technologies or homegrown applications, CASB integration may be more difficult. Identify existing security tools that you want to integrate with a CASB solution, such as your access control/IAM, SIEM, DLP, GRC, secure web gateways or other tools.
- Review current policies for governance and risk management within the organization, including DLP policies. Ensure you have executive support behind these policies.
- Be ready to roll out your single sign-on (SSO) solution to your cloud applications.
- Understand your company culture to determine what sponsors outside your department you need to enlist in order to cultivate and maintain a safe cloud usage culture.
- If you are a global enterprise or highly regulated, identify the regulatory and compliance requirements you need to adhere to, e.g., FCC, FINRA, PCI, HIPAA, FedRAMP certification and EU data requirements.
- Review the Cloud Controls Matrix (CCM) and the Security, Trust and Assurance Registry (STAR) from the Cloud Security Alliance (www.cloudsecurityalliance.org) to determine if you will leverage these resources as part of your CASB selection.
- A CASB may become a critical component of your environment, so the same resiliency, performance, scalability, latency and single-point-of-failure requirements will apply if you are to maintain a sustainable and high-performing architecture.
- Establish and evangelize a cloud solution onboarding process—you will need it if you plan to use a hosted CASB solution and for new cloud applications. Consider how to make this as easy as possible for your enterprise business users so that cloud “shadow IT” does not continue to grow.
Choosing the best CASB for your enterprise
CASB solutions may be deployed on-premises or as SaaS, depending on the specific vendor product options. CASB technology can be implemented in an API model, in a proxy model (reverse proxy or forward proxy), or in a hybrid multi-mode configuration that combines the two.
Most CASB vendors are enhancing their integration options to connect with your existing SIEM, DLP and other security tools. This can be highly useful if you have already deployed other security solutions within your environment, and to provide consolidated reporting. The major CASB vendors all have substantial detailed product information available on their websites.
John F. Kennedy once said, “There are risks and costs to a program of action—but they are far less than the long-range risks and costs of comfortable inaction.” The former U.S. president wasn’t speaking about cloud technology, of course, but as enterprises continue to push core business applications to the cloud, Kennedy’s words still apply. Many on-premises technology footprints will continue to decline and drive the need for solutions like CASBs to secure enterprise data usage in the cloud. And just like any other security initiative, CASB success is at least partially driven by following best practices, managing enterprise risk and aligning these solutions with your information security strategy.
Anita J. Bateman, CISSP, lives and works in Houston. An expanded version of this article originally appeared in the May/June issue of InfoSecurity Professional.