The Critical Role of Cloud Access Security Brokers (CASBs) – A Mini-Series [Part 1]
Updated: Sep 18, 2020
The CASB market is rounding the corner into the mainstream. Venture-backed startups are being acquired, big tech firms are positioning themselves, and enterprises are taking a serious look at these solutions. In Information Security Risk Management circles, some people understand these solutions, but many are still not clear on where CASBs fit in an overall Information Security strategy. My goal is to provide some background on the topic from a business and technology perspective and to start some interesting conversations about these solutions. Starting today, and over a period of four weeks, I am publishing a non-product-specific educational series on the Critical Role of Cloud Access Security Brokers, using short recorded presentations, that will cover the topics below. This post includes Part 1.
Part 1 is not an overview of CASB. Rather, it is an overview of key Information Security concerns when considering public cloud use in enterprises today. The objective of Part 1 is to organize key risks for consideration. Many of these risks are not mitigated through the implementation of CASB, but several key risks can be addressed, which is why CASB will play a critical role in your strategy.

Part 1: What is Cloud Access Security? [THIS POST] – An introduction or refresher on key Information Security concerns related to public Cloud adoption, and an intro to the CASB market.
Part 2: What is a CASB and how does it work? – A deeper dive into how CASBs work, the functions they provide, and how they are provided.
Part 3: How do CASBs Complement other Security Tools? – An overview of how CASBs relate to and integrate with other critical components of the Information Security Architecture.
Part 4: CASB Use Cases and Deployment Strategy – The different approaches to implementation and business integration with CASB solutions.

A transcript of what I’m saying is provided at the bottom of the post. If you would like a PDF of the presentation, which may be freely distributed, please let me know. I hope you find this series useful and appreciate any and all feedback. Thank you!

TRANSCRIPT

Hi, my name is Kyle Watson, the managing partner of information security at Cedrus and a veteran executive security architect. This is part one of four, where I will explain the critical role of Cloud Access Security Brokers, or CASBs, in your Information Security architecture. Today I’ll provide an intro to Cloud Access Security. The Cloud is a perfect storm for Information Security because we lose visibility and control when service providers take responsibility for systems. If you’re new to Cloud: the industry has standardized the term “Cloud” as a generic way to categorize Internet-delivered data and application services. Cloud services are organized into three buckets.
Infrastructure as a Service (IaaS) – systems and storage (ex: AWS)
Platform as a Service (PaaS) – application server stack (ex: IBM BlueMix)
Software as a Service (SaaS) – business applications (ex: Salesforce)
There are various delivery models, but for this presentation we are focused on publicly delivered Cloud, although much of it applies to private or hybrid cloud as well. So, why are businesses moving to the cloud? To reduce Total Cost of Ownership while increasing agility. To outsource hardware and infrastructure management, including the constant system updating. To stop worrying about hard-to-find and hard-to-keep high-tech skills. To leave development, version management, and application patching to the vendor. And to transfer responsibility for secure coding, hardening, and other security concerns… But you cannot transfer all of your Information Security risk to Cloud Service Providers. Contractually with the provider in your Cloud Service Agreement, or through insurance, there are ways to financially mitigate the risk of a breach if it occurs at the provider, but your organization will still be accountable if information is leaked or stolen.
For example: regulated privacy data such as Personally Identifiable Information (PII) – if your company loses my data, I’m going after you.
Also, corporate espionage or up-to-the-second trade information – what if your plans for an acquisition are leaked or proprietary designs are stolen?
We also cannot hold the Cloud Service Provider accountable for our internal policies or processes being followed correctly, including Acceptable Use,
assigning access on a least-privilege, minimum-necessary basis,
or termination of access for personnel who stop working here.
Shadow IT and IT Consumerization are changing how we work. Shadow IT is the use of consumer-targeted or unsanctioned technology to solve business problems, in order to get around IT challenges or funding constraints. IT Consumerization is the growing, hazy overlap of personal and corporate device and application use. Here are some examples.
A Business Unit team wants to organize and manage tasks, so they sign up for Evernote and set up their corporate email to forward to the vendor-provided address, including all attachments.
A marketing design person has a big video file about an upcoming acquisition they need to share with a vendor. They can’t attach it to an email and IT has provided no good “big file” sharing tool, so they upload it to their personal Dropbox and share the data.
A market analysis employee needs to create sophisticated analysis macros in Excel to highlight key findings in the data, but they don’t have the skills – so they hire an offshore contractor to do it for them, out of pocket. Then they share the market data, and share their screen so that the contractor can assist.
In all of these cases, the employees have agreed to “shrink wrapped” terms and conditions. It also means that confidential or regulated data is being sent to people and businesses in undetermined locations without corporate oversight. Where is your data going? You’re Already Using Tons of Cloud Apps. The average enterprise is using over 900 Cloud Apps.
What is the difference between a Web App and a Cloud App? Web Apps are delivered via web browser. Cloud apps are delivered as a service and house data – they could be Web based or have other delivery mechanisms, like native mobile apps.
The average corporate user touches 20 different Cloud Apps per day
Of course there are many known and sanctioned apps like these, but this only represents a small percentage of the actual apps in use in any given enterprise today.
Our Lives are Mobile and Cloud Apps are Everywhere. It’s not enough to focus our strategy on Windows PCs behind corporate firewalls. We have Macs, Chromebooks, Linux and more… Plus, most Cloud apps have Android or Apple iOS specific apps, mobile Web layouts, or both, and are accessible from anywhere. When personnel register directly with CSPs, they are usually agreeing to shrink wrapped terms and conditions, and are very likely using the same password that they prefer on the corporate network. Both of these issues introduce risk, in addition to the unknown variable of the enterprise-level quality of the CSP. And based upon recent research by Netskope, more than half of all Cloud App activity occurs on mobile devices.

Let’s Review Cloud Access Security Concerns and Risks – First We’ll look at Visibility, Detection, and Prevention
If over 900 apps are in use, and IT is aware of 20 of them – how can you determine what cloud apps are in use?
Since we do not have physical control over the Infrastructure, we need assurance that the CSPs are following appropriate physical and logical controls including Identity Management, Access Control, patching, resiliency, and malware protection just to name a few.
When CSPs are engaged outside of the official IT, Information Risk Management, and Legal functions what risks do we accept from these vendors?
Since Cloud apps are evolving faster than ever, how do we continually monitor and govern access to all of the new apps that become available in the market?
Other Concerns Include Access Governance
How do we provision access to the right people in our organization?
When people change jobs or leave the company, how do we ensure that access is adjusted or removed?
What mechanisms do we use to ensure that the access provided complies with policy, such as least privilege? And how do we gather attestation from managers and asset owners for our users of Cloud apps that are housing regulated data?
What about Access Management and Single Sign On?
How are our users authenticating to these Cloud Apps? Do we control that identity store or is it at the CSP?
How do we ensure only authorized personnel can access Sanctioned Cloud Apps?
And how do we ensure that appropriate authentication mechanisms are implemented outside of corporate firewalls?
Of course there is Data Protection
Is confidential or regulated data being stored in CSP datacenters? If so, is it encrypted (and who holds the keys)?
And is any of that data replicated to local devices for performance or offline access?
Enterprises are not properly securing cloud access
Have your policies been reviewed and updated in the last 5 years? Does your policy address, for example, Data Protection or Vulnerability Scanning policies when faced with the realities of Cloud?
Have your Standards been analyzed to incorporate Cloud Access requirements and constraints?
Is anyone watching over what Cloud Apps are allowed or blocked?
Is anyone Managing that? Are your Security, Legal, and IT Groups working together to forge solid Cloud Service Agreements?
What are the minimum assurance criteria required for Vendor engagement? Physical controls, logical controls, visibility, or incident handling?
Here are some key questions for your company
How are Cloud apps currently provisioned and deprovisioned? Do you have a Federated Identity Management solution, such as user access provisioning and Single Sign On, in place to accommodate the ever-growing Cloud App realm?
What are the top corporate information assets that are at highest risk in the Cloud? Do you know if they are presently being stored in Cloud Apps? What regulatory mandates are of concern to your organization in this area?
What gaps presently exist in your processes or tooling to take on the rapid move to Cloud? Do you have SIEM? Is it actually doing something of value? What about Enterprise Mobility Management?
Cloud Access Security Is
Ensuring Policies and Standards Exist and account for the realities of today’s Cloud world
Engaging Information Security Risk Management and Corporate Legal in Cloud Service Agreement negotiations to address Information Security concerns
Providing Federated Identity Services such as provisioning and Federated Single Sign On from Corporate controlled Identity stores.
Risk Rating Cloud Apps and Vendors and Incorporating this Risk into Selection / Sanctioning
Detecting and Monitoring the Constantly Growing and Changing Cloud App Use by Personnel, including Third Parties
Controlling Access to specific Sanctioned Cloud Apps and Preventing access to Unsanctioned Cloud Apps
Providing Data Protection for Regulated Data to support compliance requirements
Protecting against Cloud App Vendor Compromises and Cloud Threats
What’s Happening in the Security World? Enter Cloud Access Security Brokers (CASB)
Enterprises are scrambling to detect what cloud apps are in use and working to plug holes. CASB is the next big thing in security, and analysts and large organizations are really starting to talk and plan around it. CASBs sit between your organization and Cloud Service Providers to provide Identification and Assessment, Policy and Compliance, Data Security, and Threat Protection.
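As an added illustration (not code from the original post or from any CASB vendor), here is the discovery step in principle: proxy log lines are matched against an app catalog to surface which cloud apps are in use, by whom, and how much data is leaving, and unsanctioned apps above a risk rating are reported. The log lines, catalog entries and risk scores are constructed for the example.

```python
import re

# Constructed proxy log lines (timestamp user dest_host method bytes_sent); not from the post.
PROXY_LOG = """\
2020-09-18T09:01:02Z alice salesforce.com POST 2048
2020-09-18T09:03:10Z bob www.evernote.com POST 51200
2020-09-18T09:04:55Z alice dl.dropboxusercontent.com PUT 734003200
2020-09-18T09:07:12Z bob api.evernote.com POST 4096
2020-09-18T09:09:00Z dave intranet.example.com GET 1024
"""

# Hypothetical app catalog (domain -> app name, risk 1-10). A real CASB ships a far
# larger, vendor-assessed catalog; these entries and scores are constructed.
APP_CATALOG = {
    "salesforce.com": ("Salesforce", 2),
    "evernote.com": ("Evernote", 6),
    "dropboxusercontent.com": ("Dropbox", 5),
}
SANCTIONED = {"Salesforce"}  # apps IT has formally approved
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def lookup_app(host):
    """Match a hostname to a catalog entry by walking up its parent domains."""
    parts = host.lower().split(".")
    for i in range(len(parts) - 1):
        if ".".join(parts[i:]) in APP_CATALOG:
            return APP_CATALOG[".".join(parts[i:])]
    return None

def discover_cloud_apps(log_text):
    """Aggregate distinct users, request count and bytes uploaded per cloud app."""
    apps = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        entry = lookup_app(m.group(3)) if m else None
        if entry is None:
            continue  # unparsable line, or a host not in the catalog (e.g. intranet)
        name, risk = entry
        rec = apps.setdefault(name, {"users": set(), "requests": 0, "bytes_out": 0, "risk": risk})
        rec["users"].add(m.group(2))
        rec["requests"] += 1
        if m.group(4) in ("POST", "PUT"):  # uploads are where data leaves the enterprise
            rec["bytes_out"] += int(m.group(5))
    return apps

def unsanctioned_report(apps, sanctioned=SANCTIONED, min_risk=5):
    """Unsanctioned apps at or above the risk threshold, largest upload first."""
    rows = [(n, r["risk"], len(r["users"]), r["bytes_out"]) for n, r in apps.items()
            if n not in sanctioned and r["risk"] >= min_risk]
    return sorted(rows, key=lambda row: row[3], reverse=True)
```

Running `unsanctioned_report(discover_cloud_apps(PROXY_LOG))` surfaces the Dropbox upload from the earlier "big video file" scenario ahead of the Evernote forwarding, which is the kind of prioritised list a discovery pass should hand to the risk team.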
Most CASB vendors are niche and growing rapidly and partnering with other vendors, like Okta and Ping for Federated Identity services. Some examples of these vendors are Netskope, Skyhigh, Ciphercloud, and Bitglass.
Standards and Solutions are Evolving
Cloud Security organizations are settling on standards and guidance. Look to the Cloud Security Alliance for excellent support on Policies, Standards, and Assurance, and to the Cloud Standards Customer Council for excellent support on Cloud Service Agreements.
In Technology, the “big” vendors are slow to provide solutions in this area, except for a few including:
IBM – who built Cloud Security Enforcer from the ground up
Microsoft – acquired Adallom
Blue Coat, who acquired the Elastica CASB solution, is now being acquired by Symantec
And Cisco, who is acquiring CloudLock
Well, that’s it for our first intro into Cloud Access Security. In Part 2 we’ll start getting into how CASBs work.