Adding value to native cloud application security with CASB
Updated: Aug 25, 2020
Many companies are starting to look at Cloud Access Security Broker (CASB) technology as an extra layer of protection for critical corporate data as more and more business processes move to the cloud. Most will start with a discovery phase, which typically involves uploading internet egress logs from firewalls or web proxies to the CASB for examination.
This provides a detailed report of all cloud application access, usually sorted by a risk assessment that is specific to the CASB vendor doing the evaluation (all of the major CASB vendors have strong research teams who do the Cloud service risk evaluation for you, so that you don’t have to). This is a great starting point to the CASB world as it provides instant value, enabling the company to get started on thinking about the policy needed to protect themselves in the Cloud world, and also to drive conversations with the business departments using the cloud services, to get an understanding of why they are using them, and if they really need them to get their jobs done. This can drive a lot of useful considerations, such as:
Is this Service safe, or is it putting my business/data at risk?
If it is creating risk, what should I do about? Can I safely block it, or will it cause an issue with my business users?
If my business users need this functionality, are there better options out there that achieve the same goals without the risk?
And so on. You get the idea. This discovery, assessment and policy definition phase can take some time, possibly weeks or even months, before you are ready to take the next step into a more active CASB implementation.
Let’s quickly summarize the ways in which CASB can be integrated into a more active protection scheme:
CASB’s provide API level integration with many of the major SaaS, PaaS and IaaS services, allowing for out-of-band integration that perform functions like retroactive analysis of data stored in the cloud, or near real-time data protection capabilities than can be implemented in either a polling or a callback model.
CASB’s typically provide an in-line proxy model of traffic inspection, where either all, or some subset, of your internet traffic can be proxied in real time, and decisions can be made on whether to allow the access to proceed. This can incorporate various Data Loss Prevention (DLP) policies, can check for malware, and can perform contextual access control based around a variety of factors, such as user identity, location, device, time of day, etc. – as well as sophisticated anomaly and threat protection using data analytics, such as unexpected data volumes, non-typical location access, and so on.
For users who are leery about using a CASB inline for all traffic, particularly when that traffic is already traversing a complex stack of products (firewall, web proxy, IPS, Advanced Threat Protection …), many CASB vendors also provide a “reverse proxy” model for integration with specific sanctioned applications, allowing for deeper control and analysis that integrates the CASB with the cloud service using SAML redirection at login time.
So, let’s assume that you’ve been through Discovery, defined some policies, decided which of your major SaaS applications you want to focus on first, and now you are ready to move forward with the next phase of implementation. Perhaps you want to protect data flowing into SalesForce, or Office 365, or Google Applications, as these are the most-used and most critical business applications for your organization. But now, as you prepare to move forward, you start to get pushback from the owners of those applications within your organization. “We already have security built into the application”, they say. “Why make things more complicated”. Well, that’s a fair question, so for the rest of this paper we’ll look at some of the key features that CASB’s provide over and above the typical platform capabilities.
Policy based encryption Many platforms, such as SalesForce with its SalesForce Shield capability, provide the ability to encrypt data. With Shield, for example, this can be at either at the file or field level. However, Shield is configured at the organization level. Most companies that use SalesForce will probably have created multiple SalesForce Orgs. It’s likely that you want to define policy consistently across organizations, and even across multiple applications, such as SalesForce and Office365. A CASB can provide you with the capability to define policy once and apply it many times. You have the option to use the CASB’s own encryption, or in some cases to make use of the CASB’s ability to use API integration to interact with the platform’s own native tools (e.g., some CASB’s are able to call out to SalesForce Shield to perform selective encryption as required by policy.) The CASB can protect your data no matter where in an application it resides: in a document, in a record, or in a communication channel such as Chatter. (The CASB can, of course, provide these capabilities for many applications, we are just using SalesForce here as an example.)
Protection against Platform-based leakage f you store data in a cloud service and encrypt it with the platform’s own native mechanisms, then your data is potentially at risk if that provider is hacked. If you use a CASB to encrypt data, using keys that you control, and which are stored in your own keystores (either on premise or in the cloud – most CASB’s allow you to use any KMIP-compliant key management solution) then you are protected against this type of threat. Beyond this simple example of a security breach, there are other related issues. For example, if the platform has a larger ecosystem built on it, such as SalesForce, third party applications may have access to your data. Once you encrypt data using a third party platform you no longer have exclusive control of how that data is accessed, and by whom. Or, what if a government agency, such as the IRS, demands access to your financial data? Or perhaps, as part of a lawsuit, there is a subpoena against some data stored in one of your cloud services? If you don’t hold the keys, your provider may be forced to provide that access without you even being a party to the conversation!
Continuous Data Monitoring A CASB can provide real-time or near-real time monitoring of data. It can use API’s to retroactively examine data stored in a cloud provider looking for exceptions to policy, threats such as malware, or anomalies such as potential ransomware encryptions. It can act as a proxy, examining data in flight and taking policy based actions at a granular level. More than just a black or white block/allow action, the CASB can coach the end-user to move to an approved platform, or temporarily quarantine a suspect file until it can be examined. This goes far beyond the simplistic authorization and encryption capabilities built into most SaaS platforms.
Threat and Anomaly recognition CASB’s typically provide strong capabilities around threat protection and anomaly recognition. Using advanced data science techniques against a “big data” store of knowledge, they can recognize negligent and/or malicious behavior, compromised accounts, entitlement sprawl and the like. The exact same set of analytics and policies can be applied across a range of service providers, rather than forcing you to attempt it on a piecemeal basis. For example, if you are a SalesForce user, this can be applied to the entire AppExchange ecosystem. The CASB may also be able to find out if you are using redundant AppExchange components, and warn you about ones that are particularly risky.
Cross-cloud activity monitoring Because a CASB can be used to protect multiple applications, it can provide a detailed audit trail of user and administrative actions that traverse actions across multiple clouds, and which can be extremely useful in incident evaluation and forensic investigations. The CASB acts as a single point of activity collection, which can then be used as a channel into your SIEM. Rather than attempting to collect and upload logs from a plethora of disparate sources you have a single, centralized, and detailed summary of activity easily available. So to summarize: while many of the major cloud service providers have added interesting and useful security features to their applications, a CASB can add significant additional benefit by streamlining, enhancing and consolidating your security posture across a wide range of applications.
——————————————————————————————————- For more educational material on CASB, please see the series of posts by Kyle Watson, which you can find on his profile page: https://www.linkedin.com/in/tokylewatson Paul Ilechko | Senior Security Architect