Security has always been a top concern for organizations moving parts of their IT operations to the cloud. They’re discovering that traditional security measures just don’t measure up to the unique challenges of cloud and mobile services. And it’s more than just needing to know who is accessing Office 365 or Salesforce. Shadow IT is a big concern, as groups or individuals begin buying SaaS and PaaS outside of IT’s normal regulatory umbrella.
This is where Cloud Access Security Brokers (CASBs) come in. Emerging soon after cloud services started becoming popular, CASBs sit between cloud service providers and the consumers of those services. Deployed as a SaaS application or as an on-premises physical or virtual appliance, they provide a security and policy enforcement point that can ensure compliance, increase visibility, reduce threats, and help control cloud costs.
Yet even though CASBs are purpose-built for cloud security, an appreciable number of enterprises are still unaware of them and what they can do. A 2015 Gartner report states that only 5% of large enterprises are using CASBs, although that number is predicted to increase dramatically to 85% by 2020.
Fishtech uses a proven cloud deployment methodology for our clients called the Cloud Ramp Framework (CRF), ensuring that every step of the cloud migration is secure. CASB is deployed in the CRF from the very first phase. For us, it is essential to choose a CASB solution that not only secures all of a client’s cloud applications but also integrates well with the other components of a cloud deployment, such as analytics and identity management.
Gartner defines four equally important functional pillars that a CASB solution must deliver:
- Visibility: This is key not only to cost control through usage metering but also to application discovery, helping you get a handle on shadow IT.
- Compliance: CASBs are a key tool for assuring that cloud applications are in compliance with industry regulations such as HIPAA and PCI. Their discovery capabilities also help you head off any applications that might cause the organization to become non-compliant.
- Data Security: CASBs provide a policy enforcement point for monitoring user activity and ensuring that sensitive data remains protected through such controls as audit, quarantine, user coaching, blocking, and encryption. While some CASBs can integrate with Data Loss Prevention (DLP) and Data-Centric Audit and Protection (DCAP) systems, having a DLP/DCAP capability within the CASB itself enables the application of a common set of security policies across many applications.
- Threat Protection: This pillar covers a number of functions. The CASB can protect cloud services from being accessed by unauthorized users and devices. Depending on the product, it can also perform threat analysis, malware identification, and User and Entity Behavior Analytics (UEBA).
These four pillars are essential for any complete CASB solution. Something that provides only data security, for instance, is not a complete solution.
Resting on these four pillars, Netskope defines four essential considerations for evaluating CASB solutions:
- Granular Applications Control: This applies to both sanctioned and unsanctioned applications, and ranges from full access to an application suite such as Salesforce or Office 365, to specific limitations on unsanctioned applications that allow qualifications on usage.
- Accurate Protection of Sensitive Data: The CASB should not only use context-based detection and sophisticated DLP mechanisms such as document watermarking and fingerprinting; it must also provide flexible options for analysis of potential violations before sensitive data leaves the premises.
- Real-Time Malware Protection: The CASB must be able to scan for and remediate malware and other threats as files are being uploaded or shared.
- Adaptability: Supporting current use cases is not enough. The CASB must have the flexibility to scale to future architectures and adapt to new applications and services.
The business benefits of cloud services go far beyond just reducing the costs of physical infrastructure. Cloud-based services provide greatly improved collaboration; enable BYOD and anywhere, any-device access to applications; empower employees to bring in the resources they need to do their jobs better; and allow the business to rapidly scale resources to changing business demands. But the very characteristics that motivate migration to the cloud present security concerns that can’t be answered using traditional security tools. Finding the right CASB for your cloud services, and integrating CASB into the very first phases of your migration plan, ensures that your data remains secure and your users are compliant with your IT policies.