- Kyle Watson
The Critical Role of Cloud Access Security Brokers (CASBs) – a Mini-Series [Part 2]
Updated: Sep 18, 2020
The CASB market is rounding the corner into the mainstream. Venture-backed startups are being acquired and big tech firms are positioning, while enterprises are taking a serious look at these solutions. In Information Security Risk Management circles, there are some who understand these solutions, but there are still many people who are not clear on where CASBs fit in an overall Information Security strategy. It's my goal to provide some background on the topic from a business and technology perspective and start some interesting conversations about these solutions. This is the second post in a four-week, non-product-specific educational series on the Critical Role of Cloud Access Security Brokers that will cover the topics outlined below, using short, recorded presentations. This post includes Part 2.
Part 1: What is Cloud Access Security? [link here] – An introduction or refresher on key Information Security concerns related to public Cloud adoption and the intro of the CASB market
Part 2: What is a CASB and how does it work? [THIS POST] – A deeper dive into how CASBs work, the functions they provide, and how they are provided
Part 3: How do CASBs complement other security tools? – An overview of how CASBs relate to and integrate with other critical components of the Information Security Architecture
Part 4: CASB Use Cases and Deployment Strategy – The different approaches to implementation and business integration with these solutions
For each of these presentations, including this one, a transcript of what I'm saying is provided in the post. If you would like a PDF format of the presentation, which may be freely distributed, please let me know. I hope you find this series to be useful and appreciate any and all feedback. Thank you!
TRANSCRIPT for Part 2:
Hi, my name is Kyle Watson, the managing partner of information security at Cedrus and a veteran executive security architect. This is part TWO of FOUR where I will explain the critical role of cloud access security brokers, or CASB, in your Information Security architecture. Today I'll provide an overview of CASBs and how they work.
What CASBs are, and what they aren't: CASBs bring a single interface to common Cloud Access Security Requirements, including Visibility into Cloud App Use, CSP Risk Analysis, Access Control, Data Loss Prevention, and Threat Protection for cloud applications. Related services that a CASB depends on but does not itself provide:
- Federated Identity Services – CASBs heavily rely on provisioning and SSO solutions but do not, as a general rule, provide them.
- Enterprise Mobile Device Management Services – CASBs can assist with securing the data in the interaction with Cloud Apps but cannot prevent mobile device penetration, so these services are also critical at the device level. Many CASBs integrate with leading MDMs.
The Critical Role of CASB in your Information Security Strategy. The items shown in red on the slide (the federated identity and mobile device management services just mentioned), although critical to cloud access security, are not provided by the CASB. What the CASB does provide:
- CSP Vendor Risk Management – the CASB provides decision support to help select appropriate vendors based upon your risk tolerance
- Visibility – CASBs can provide visibility into the cloud apps in use, who is using them, and what data is flowing where
- Access Control – CASBs can control access to specific cloud apps by specific user, device type, location, behavior, and other factors
- Data Loss Prevention or DLP – CASBs can identify and protect data stored in cloud apps through encryption or tokenization
- Threat Protection – CASBs can also detect malware threats in files stored in cloud app storage
Let's take a look at CASB in action. First, the CASB solution examines logs from corporate edge-of-network devices to analyze traffic and detect what applications may be in use, providing visibility. This is known as discovery mode. Once the CASB knows what applications are in use, it can provide decision support for Cloud Service Provider Risk Management, rating the risk associated with each cloud service provider and app, which can be incorporated into sanctioning decisions.
In proxy mode, when users access the cloud app, the CASB sits between the user and the cloud. At the highest level, the CASB can provide Access Control to determine if the application is sanctioned and the person is authorized to use it. It can also provide adaptive controls to determine if a user is authorized based upon device, user behavior, location, time, and other factors. The user's authentication is integrated with a corporate identity store and an identity service provider in order to generate an SSO token, which allows the user to log in to the app without entering an additional password. It also prevents users whose access has been terminated in corporate identity stores from accessing the cloud app after termination.
The user is directed to the application for business use. If critical or regulated data is going to be stored in the cloud app, the CASB can provide data loss prevention and may be configured by policy to tokenize or encrypt the data flowing to the cloud app. Tokenization involves replacing the actual data with a representative value. The CASB solutions can also crawl existing cloud storage apps to apply DLP policies.
From the CSP to the user, the CASB may be able to assist in providing threat protection, preventing malware from being propagated from the CSP to the user's device. Some CASB solutions can also crawl existing cloud storage apps to discover malware threats and quarantine suspect files.
If the user is outside of the corporate network and attempts to access the application directly, the cloud app, identity services and CASB work together. First, the cloud app will be configured to redirect authentication to the corporate identity provider. Then, once authenticated, the configuration will direct the user through the CASB for use during the session. If the access is from a native app instead of a browser, there will likely be a requirement to install a component on the device to ensure that traffic is routed properly through the CASB.
Now let's look at integration in more detail. CASBs can be integrated into your security architecture in several ways, and most organizations will use a combination of approaches.
Stage 1 – Passive / Non-Intrusive configurations are typical first projects for integration.
With Log-based Discovery, we capture logs from edge-of-network devices to detect cloud apps in use, or "Shadow IT":
- Best for providing a baseline of cloud app usage
- Agentless configuration
- Passive review of access using network device logs
- Only covers access through corporate networks, so this will not capture off-premise access that is not through a corporate VPN
- Works with any / unknown applications; in other words, the type of client (browser or native app) is irrelevant
With API Integration, we can take advantage of visibility, DLP, and threat protection for cloud apps we already know we're using or planning to use, such as Salesforce.com or cloud storage apps:
- Best for well-known cloud application integration
- Agentless
- Cloud application callbacks to the CASB, or CASB polling of the app for interesting items
- Config is between the cloud app and the CASB, so the type of client (native app or browser) is irrelevant
- Only works with cloud applications the CASB vendor has implemented (the top cloud apps used in business today will be available in the popular CASBs)
Stage 2 – Active / In-line configurations position the CASB between the user and the cloud app and are typical follow-on project phases.
Reverse Proxy (this is when the user contacts the cloud app first and then the CASB is placed in line during authentication):
- Best for non-enterprise-managed devices
- Agentless
- Cloud application configuration, through Single Sign On protocols, redirects the user for authentication and to the CASB proxy
- Works with browser only
- And of course, this only works with known and configured applications
Forward Proxy (this is when traffic is routed through the CASB by default for particular cloud apps):
- Best for enterprise-managed devices
- Off-network devices require an installed agent
- Proxy chaining allows the CASB to have traffic routed through it after going through the main corporate web proxy/gateway. Alternatively, this can be done using DNS.
- Agentless works with browser; the agent works with browser and native apps
- Works with any / unknown applications
Active / In-line configurations are better for DLP and Access Control, such as preventing upload of data that violates policy, as well as identifying potential breach activities such as multiple accesses from different locations in a particular, or downloading much more data than usual.
So how are CASBs providing Cloud Service Provider risk management?
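As an added illustration (not code from the post or from any CASB product), the following Python sketch shows the passive, log-based discovery step described above: parse edge proxy log lines, match destination hosts against a stand-in for a vendor's cloud app risk catalog, aggregate users and upload volume per app, and list the unsanctioned or unknown apps (Shadow IT) worth reviewing. The log format, the catalog entries and their risk scores are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not real traffic).
# Fields: timestamp user src_ip dest_host bytes_out bytes_in
PROXY_LOG = """\
1600000000 alice 10.1.2.3 app.box.com 5242880 1024
1600000030 alice 10.1.2.4 app.box.com 104857600 2048
1600000060 bob 10.1.2.9 wetransfer.com 734003200 512
1600000090 carol 10.1.2.7 login.salesforce.com 2048 65536
1600000120 bob 10.1.2.9 unknown-paste.example 40960 128
"""

# Constructed stand-in for a CASB vendor's app catalog: domain -> (name, risk 1..10, status).
APP_CATALOG = {
    "box.com": ("Box", 3, "sanctioned"),
    "salesforce.com": ("Salesforce", 2, "sanctioned"),
    "wetransfer.com": ("WeTransfer", 7, "unsanctioned"),
}
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d+) (\d+)$")

def classify_host(host):
    """Match a destination host to a catalog entry by domain suffix; unknown hosts get max risk."""
    for domain, entry in APP_CATALOG.items():
        if host == domain or host.endswith("." + domain):
            return entry
    return (host, 10, "unknown")

def discover(log_text):
    """Discovery mode: who uses which cloud app, and how much they upload (bytes_out)."""
    apps = defaultdict(lambda: {"users": set(), "bytes_out": 0, "risk": 0, "status": ""})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole report
        _ts, user, _src, host, out, _inb = m.groups()
        name, risk, status = classify_host(host)
        rec = apps[name]
        rec["users"].add(user)
        rec["bytes_out"] += int(out)
        rec["risk"], rec["status"] = risk, status
    return dict(apps)

def shadow_it(report, min_risk=5):
    """Unsanctioned or unknown apps at or above a risk threshold, highest upload volume first."""
    hits = [(n, r) for n, r in report.items() if r["status"] != "sanctioned" and r["risk"] >= min_risk]
    return [n for n, _ in sorted(hits, key=lambda kv: kv[1]["bytes_out"], reverse=True)]
```

Because this reads only corporate edge logs, it inherits the limitation noted above: off-network access that does not traverse the corporate VPN never appears in the report.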
In some ways, CASBs allow businesses to outsource most of the hard work of analyzing CSP risk on their own.
- CASB vendors maintain running lists of cloud apps (tens of thousands) and risk profiles based upon many different data points
- CASB vendors have teams of specialists, including legal, continually researching cloud apps to keep risk profiles accurate and up to date
- They review Terms and Conditions to determine things like who has license to the data
- They review Service Organization Controls (SOC) reporting for effectiveness of security controls
- And they also send specific questionnaires to CSPs to gather additional information
CASB vendors maintain risk profiles independently and see this as a key competitive advantage; meanwhile, the Cloud Security Alliance (CSA) is establishing a "Trust" protocol and registry so that trust can be measured publicly.
CASB provides a UI with decision support regarding vendor risk profile to incorporate into vendor selection and policy decision-making. CASB UIs allow for ranking areas of concern from high to low in order to target the risk review to your business profile.
For example, a particular regulatory mandate may be important to you, along with control of data and physical datacenter locations.
Here's the background on how CASBs provide visibility:
- CASBs consume logs from edge-of-network devices to determine cloud apps in use (passive, log-based discovery). Note: if the CASB is not configured as a forward proxy, logs have to be periodically re-read to detect new cloud apps
- CASBs may be configured as active in-line to track access to configured / integrated applications (reverse proxy) or any cloud application (forward proxy)
- This allows you to see how much data, of what type, has gone where, by whom, and policy violations
- All of these data points can be incorporated into policy construction in the CASB
CASBs also provide robust Access Control:
- Specific cloud apps can be blocked, or non-preferred cloud app access attempts can be used to "coach" users to sanctioned apps
- Specific users or groups can be authorized to use specific cloud apps
- CASBs can utilize risk-related data like user behavior, data, device, and location criteria in access control decisions for step-up authentication
- Identity is not "deeply" integrated with the CASB; in other words, there is no HR identity feed or personnel information in the CASB
- There is typically tight integration with Active Directory (AD), so AD groups can be used in Access Control
Data Loss Prevention is perhaps the most critical CASB use case:
- Data elements to be protected can be defined, and a set of pre-defined well-known structures like SSNs and credit card numbers are included
- CASBs also hook into API calls defined by the cloud apps and can take action on data during a particular API call
- HTTPS traffic can be inspected to ensure that policy applies to data sent using transport encryption
- Cloud storage can be "crawled" to find critical data and apply policy, such as encryption
- Policy can be defined in a granular fashion as to how the data should be encrypted or tokenized (transformed) as it relates to the CASB and cloud application service
- Policy can include user information such as device, location, user behavior, and more
- Policy can include a vendor risk tolerance aspect from the risk analysis; for example, no SSNs can ever go to a particular cloud storage app
- Some vendors also provide an on-premise solution for DLP and data encryption in those cases where customers are very concerned about data leaving their network at all
And last but not least is threat protection:
- CASBs maintain activity logging for exceptions and alerting
- CASBs provide anomaly detection for compromised accounts, forensics support, and malware detection
- As outlined in the DLP section, CASBs can "crawl" storage apps to detect data types, and during this crawl they detect malware in stored files
Well, that's it for our CASB overview. In part 3 we'll look at CASB integration with other technologies in the security architecture.
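As an added example (not from the post or any vendor), here is a Python sketch of the DLP policy flow from the Data Loss Prevention section: classify SSNs and credit card numbers in an outbound upload, then block or tokenize each finding according to a per-app policy, so that, for instance, no SSN can ever reach a particular storage app. The policy table, sample upload text and token key are constructed for the demo.

```python
import hashlib
import hmac
import re

# Constructed per-app DLP policy (a stand-in for CASB policy config, not a vendor format):
# "block" refuses the upload, "tokenize" replaces the value before it reaches the app.
POLICY = {
    "risky-storage": {"ssn": "block", "card": "tokenize"},
    "sanctioned-crm": {"ssn": "tokenize", "card": "tokenize"},
}
TOKEN_KEY = b"constructed-demo-key"  # assumption: in practice this comes from a key vault
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")
# Constructed sample upload body (not real PII; the card number is a well-known test value).
SAMPLE_UPLOAD = "Customer SSN 123-45-6789 paid with card 4111 1111 1111 1111 on Monday."

def luhn_ok(digits):
    """Luhn checksum so random digit runs are not misclassified as card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def tokenize(value):
    """Deterministic keyed surrogate (truncated HMAC) so the app sees a stable, non-sensitive value."""
    return "TOK_" + hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def classify(text):
    """Find SSNs and Luhn-valid card numbers; returns a list of (class, matched_text)."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append(("card", m.group()))
    return findings

def apply_dlp(app, text):
    """Return (decision, text_to_send, findings) for an upload of `text` to cloud app `app`."""
    rules = POLICY.get(app, {})
    findings = classify(text)
    if any(rules.get(cls) == "block" for cls, _ in findings):
        return ("block", None, findings)  # nothing is sent to the app
    out = text
    for cls, value in findings:
        if rules.get(cls) == "tokenize":
            out = out.replace(value, tokenize(value))
    return ("allow", out, findings)
```

The same classify-then-decide loop applies when the CASB crawls data already at rest in cloud storage; only the action (encrypt or quarantine in place instead of block or tokenize in transit) changes.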