Over the past 18 months, I’ve been working on CASB in some form or another including:
Educational architectural and technical videos
Request for Proposal (RFP) assistance
Pre-sales presentations and demos
Proof of Concepts (POCs)
Implementation
Operations build-out and transition
I’ve discovered some interesting things working with vendors, clients, and our own security technical staff here at Cedrus. One of them is about the ownership model. There is not a 1:1 map when you compare CASB solution features to the structures of organizations that are deploying them. There seems to be a lack of organizational placement, a permanent home when it comes to CASB. This extends both to technology and business process ownership.
Most CASB solutions are a natural evolution out of network-layer technology, and so are many of the key people at CASB vendors. These folks are experts in networks, firewalls, proxies, Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS), Security Information and Event Management (SIEM), etc.
However, many of the features offered by CASBs extend into areas that don't typically overlap with the responsibilities of the teams that run those parts of the Security Operations Center (SOC): Identity and Access Management (IAM), Data Loss Prevention (DLP), encryption, Application Programming Interface (API) integration, and malware prevention. Technical integration of a CASB therefore has to bridge at least four groups that are often separate in enterprises:
Networks/Firewalls/Proxies
Active Directory Admins
Identity and Access Management (IAM) Team(s)
Information/Data Protection
And Public Key Infrastructure (PKI) / Encryption if they’re separate from one of the other teams
That’s only the technical part. From an operational perspective, most of the work CASBs do is directly related to people, applications, and data. For instance:
Encrypt Protected Health Information (PHI) when it gets stored in Google
Scan all documents in the corporate OneDrive to find and move Personally Identifiable Information (PII)
Prevent people from uploading confidential documents as attachments on LinkedIn
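To make the second bullet concrete, here is a small DLP policy evaluator in Python. It is an added example, not code from the original post or from any CASB vendor, and it shows why policy ownership needs people who understand the data: a bare regex flags every nine-digit pattern as an SSN, so the rule also demands a nearby context keyword, and card-number candidates must pass the Luhn check before an alert fires. The document contents, rule names, actions and thresholds are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample content standing in for files found by a cloud storage scan
# (not real data, not from any real tenant).
SAMPLE_DOCS = {
    "onboarding.docx": "Employee SSN 123-45-6789 for payroll. Contact: jane@example.com",
    "invoice.txt": "Order 4111-1111-1111-1111 shipped. Ref 1234-5678-9012-3456",
    "readme.md": "Build number 123-45-6789 is fine; see changelog 2024-01-01",
}

# Hypothetical policy: action per rule that fires; the highest-precedence action wins.
POLICY = {"pan": "block", "ssn": "quarantine"}
PRECEDENCE = ["block", "quarantine", "allow"]

# Format rules. The SSN pattern rejects area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Context words that must appear shortly before an SSN-shaped match (false-positive control).
SSN_KEYWORDS = ("ssn", "social security")
CONTEXT_CHARS = 40


@dataclass
class Finding:
    rule: str
    value: str  # masked, so alerts and reports never carry the raw PII


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most digit strings that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Keep only the last few characters for the analyst's report."""
    return "*" * (len(value) - keep) + value[-keep:]


def scan_text(text: str) -> list[Finding]:
    findings = []
    for m in SSN_RE.finditer(text):
        # Require a context keyword in the preceding window; "Build number 123-45-6789" is not an SSN.
        window = text[max(0, m.start() - CONTEXT_CHARS):m.start()].lower()
        if any(k in window for k in SSN_KEYWORDS):
            findings.append(Finding("ssn", mask(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding("pan", mask(digits)))
    return findings


def evaluate(text: str) -> tuple[str, list[Finding]]:
    """Return the policy action for one document plus the (masked) findings behind it."""
    findings = scan_text(text)
    actions = {POLICY[f.rule] for f in findings} or {"allow"}
    return min(actions, key=PRECEDENCE.index), findings


def scan_all(docs: dict[str, str]) -> dict[str, str]:
    return {name: evaluate(text)[0] for name, text in docs.items()}


if __name__ == "__main__":
    for name, text in SAMPLE_DOCS.items():
        action, findings = evaluate(text)
        print(f"{name}: {action} {[(f.rule, f.value) for f in findings]}")
```

Run as-is, the invoice is blocked because one of its two card-shaped numbers passes Luhn, the onboarding file is quarantined because the SSN has "SSN" in front of it, and the readme is allowed even though it contains the same nine-digit pattern. Deciding which keywords, window sizes and actions are right for a given organization is exactly the policy work the post argues needs a clear owner.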
This raises the question: which group is best placed to manage CASB? The people constructing and approving policy need to understand what is important to the business, what regulatory mandates require of the organization, and what distinguishes a “good” cloud app vendor from a “risky” one. They must have a strong grasp of the change control process and follow it. As with SIEM, false-positive tuning has to be done by this team within the CASB tool before the alerting is useful enough to drive concrete action. They also need to understand, or work with the owners of, IAM federated Single Sign-On (SSO) configurations and redirects, PKI certificates, and DLP policies.
Finally, this group has to be able to engage the business constructively, help it move from risky to sanctioned apps, and educate personnel about risky actions. With CASB being so new, many organizations have deployed only a small portion of the functionality, such as the application discovery features that help them get a handle on ever-expanding Shadow IT. Discovery can easily be managed within an existing team as a secondary responsibility: that person or team produces reports that are reviewed, and action is taken out of band.
A home for CASB
As CASB solutions get integrated with full enterprise security systems and processes, this won’t be enough. At minimum, a Center of Excellence (COE) will have to be established for CASB. Long term, I believe a business service is needed to effectively leverage the solution for maximum risk reduction with minimum business disruption. I would love to hear other views on this as well, so please comment and share your insight!
Kyle Watson Partner, Information Security at Cedrus Digital