- Kyle Watson
The Critical Role of Cloud Access Security Brokers (CASBs) – A Mini-Series [Part 4]
Updated: Aug 13, 2020
The CASB market is rounding the corner into the mainstream. Venture-backed startups are being acquired and big tech firms are positioning, while enterprises are taking a serious look at these solutions. In Information Security Risk Management circles, there are some who understand these solutions, but there are still many people who are not clear on where CASBs fit in an overall Information Security strategy. It’s my goal to provide some background on the topic from a business and technology perspective and to start some interesting conversations about these solutions. This is the fourth and final post in a four-week, non-product-specific educational series on the Critical Role of Cloud Access Security Brokers that has covered the topics outlined below, using short, recorded presentations. This post includes Part 4.
Part 1: What is Cloud Access Security? [link here] – An introduction or refresher on key Information Security concerns related to public Cloud adoption, and an intro to the CASB market
Part 2: What is a CASB and how does it work? [link here] – A deeper dive into how CASBs work, the functions they provide, and how they are provided
Part 3: How do CASBs complement other security tools? [link here] – An overview of how CASBs relate to and integrate with other critical components of the Information Security Architecture
Part 4: CASB Use Cases and Deployment Strategy [THIS POST] – The different approaches to implementation and business integration with these solutions

For each of these presentations, including this one, a transcript of what I’m saying is provided in the post. If you would like a PDF format of the presentation, which may be freely distributed, please let me know. I hope you find this series useful and appreciate any and all feedback. Thank you!
TRANSCRIPT:

Hi, my name is Kyle Watson, the managing partner of information security at Cedrus and a veteran executive security architect. This is part four, the final installment in the series where I have explained the critical role of cloud access security brokers, or CASBs, in your Information Security architecture. Today I’ll provide an overview of CASB Use Cases and Deployment Strategy. As an important side note, this material builds upon many of the topics in previous installments of the series. If you haven’t been through the previous presentations, I strongly suggest that you go back and review them now. You can find them on my YouTube channel or as a link in this post.

CASB Key Use Cases
- CASBs provide visibility into cloud apps in use in order to discourage Shadow IT.
- CASBs provide cloud DLP, protecting enterprises from breaches that may occur in a cloud app, or preventing specific data from being stored in high-risk apps.
- CASBs prevent unauthorized access to cloud apps and prevent insider threats of data theft.
- CASBs can streamline the effort of Legal and Information Security teams when selecting cloud apps, providing risk-based decision support.
- CASBs can prevent malware threats in files stored in cloud storage.

Key Use Case – Visibility
Scenario: Employees are using cloud applications without the involvement of IT Security or Legal (Shadow IT).
Real World Example: ABC Company uses Microsoft SharePoint for collaboration. Over the past year, there has been a wait list for new SharePoint sites to be created for business areas. The Marketing business unit decided that they couldn’t wait, so they went to Jive and signed up for a new collaboration site.
The CASB Use Case: Using the access logs of web access gateways, the CASB UI displays the apps in use. Information Security Risk Management discovers that 11 people from Marketing are all using Jive. Now appropriate business decisions that incorporate risk can be made. This doesn’t mean that the app needs to be blocked.
If ABC Co decides to continue using the app, it can be integrated with the CASB for DLP, Access Control, and Threat Protection.

CASB Key Use Case – DLP through API
Scenario: Employees and Contingent Workers have been using cloud storage for a few years, but the data has never been reviewed, so the type of data stored in the cloud is unknown.
Real World Example: ABC Company uses Box as the preferred vendor for cloud storage. However, there is real concern around the data that has been stored in the cloud, in case of a Box breach. The Information Security Risk Management team and the business work together to define what’s important (PII, confidential documents, legal concerns, etc.).
The CASB Use Case: Using the policy construction in the CASB UI, the Box app (including instance and folders) is configured to be “crawled”. If files are discovered whose contents match the requirements, the data can be encrypted or placed on legal hold.

CASB Key Use Case – DLP through in-line active configuration
Scenario: Employees and Contingent Workers inside and outside of corporate boundaries are using corporate-sanctioned cloud apps, but may not comply with corporate policy.
Real World Example: ABC Company uses RSA Syncplicity for storage. Although it is a sanctioned app, as an organization subject to HIPAA, ABC Co has made a business decision that Protected Health Information (PHI) cannot be stored in the cloud.
The CASB Use Case: Using the policy construction in the CASB UI, a basic policy can block SSNs from being stored, but an advanced policy can also be created to ensure that when specific combinations of data are contained in a single document, such as medical record number, name, and medical information, the document is blocked from upload. This is advanced DLP, and sometimes we refer to this as CASB 2.0. For more detail, please reference the whitepaper “using advanced DLP” by Netskope.
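The gateway-log discovery from the visibility use case above, as an added example that is not part of the original post or of any CASB product: the log format, the app catalog that maps hostnames to apps, and the sanctioned list are all constructed here, and the report counts distinct users per department for any app outside the sanctioned set.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed stand-in for a CASB's app catalog: gateway hostname -> cloud app name.
APP_CATALOG = {
    "sharepoint.abc-co.example": "SharePoint",
    "abc-co.jive.example": "Jive",
    "app.box.example": "Box",
}
SANCTIONED = {"SharePoint", "Box"}  # apps Legal and InfoSec have already approved

# Constructed gateway log format: "<time> <user> <department> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<dept>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

SAMPLE_LOG = """\
2020-08-10T09:01:12Z alice Marketing GET https://abc-co.jive.example/groups/campaigns 200
2020-08-10T09:02:40Z bob Marketing POST https://abc-co.jive.example/api/core/v3/contents 201
2020-08-10T09:05:03Z alice Marketing GET https://abc-co.jive.example/people 200
2020-08-10T09:07:55Z carol Sales GET https://sharepoint.abc-co.example/sites/sales 200
2020-08-10T09:09:21Z dave Marketing GET https://abc-co.jive.example/ 200
2020-08-10T09:11:08Z erin Finance PUT https://app.box.example/api/2.0/files/content 200
2020-08-10T09:12:00Z this line is deliberately malformed and must be skipped
"""

def parse_line(line):
    """Return (user, dept, host) for a well-formed line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("user"), m.group("dept"), urlparse(m.group("url")).hostname

def discover_apps(log_text):
    """Build app -> department -> set of distinct users; unknown hosts keep their hostname."""
    usage = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # a discovery report must not crash on a bad log line
        user, dept, host = parsed
        usage[APP_CATALOG.get(host, f"unknown:{host}")][dept].add(user)
    return usage

def shadow_it_report(log_text):
    """Rows of (app, department, distinct users) for apps outside the sanctioned set."""
    usage = discover_apps(log_text)
    rows = [(app, dept, len(users))
            for app, depts in usage.items() if app not in SANCTIONED
            for dept, users in depts.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))
```

Repeated requests by the same user collapse to one, so the report reflects how many people use an app, which is the number the risk decision in the post turns on.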
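The basic and advanced in-line DLP policies from the use case above, as an added Python example that is not the post's or any vendor's engine: the detectors, the two policies and the sample documents are all constructed, and the combination rule blocks only when a medical record number, a labelled patient name and medical information all appear in the same document.

```python
import re

# Constructed detectors for the data elements the PHI policy names.
DETECTORS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    # Real engines use NLP for names; this stand-in only matches a labelled patient name.
    "name": re.compile(r"\bPatient(?: Name)?:\s*[A-Z][a-z]+ [A-Z][a-z]+\b"),
    # Clinical vocabulary or an ICD-10-style code such as E11.9.
    "medical": re.compile(r"\b(?:diagnos\w*|prescri\w*|[A-TV-Z]\d{2}(?:\.\d{1,4})?)\b", re.IGNORECASE),
}

# Constructed policies: a basic single-element rule and an advanced combination rule
# that fires only when every listed element appears in the same document.
POLICIES = [
    {"name": "block-ssn", "all_of": {"ssn"}, "action": "block"},
    {"name": "block-phi-combination", "all_of": {"mrn", "name", "medical"}, "action": "block"},
]

SAMPLE_DOCS = {  # constructed documents a user might try to upload to cloud storage
    "hr_note": "Background check complete for candidate, SSN 123-45-6789 verified.",
    "discharge": "Patient Name: Jane Doe\nMRN: 00123456\nDiagnosis: E11.9 type 2 diabetes\n",
    "scheduling": "MRN: 00123456 moved to Tuesday, no clinical detail included.",
    "reminder": "Patient: John Smith, your appointment is tomorrow at 9am.",
}

def detect_elements(text):
    """Return the names of all data elements found anywhere in the document."""
    return {name for name, rx in DETECTORS.items() if rx.search(text)}

def evaluate_upload(text):
    """In-line decision for one upload: (action, matched policy names, elements found)."""
    found = detect_elements(text)
    matched = [p["name"] for p in POLICIES if p["all_of"] <= found]
    blocked = any(p["action"] == "block" for p in POLICIES if p["name"] in matched)
    return ("block" if blocked else "allow"), matched, found

def evaluate_all(docs=SAMPLE_DOCS):
    """Evaluate every sample document; returns document name -> action."""
    return {name: evaluate_upload(text)[0] for name, text in docs.items()}
```

A lone MRN or a lone patient name is allowed through, which is the false-positive reduction that makes the combination rule workable in a real workforce.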
CASB Key Use Case – Access Control
Scenario: Sales employees need access to CRM in the office and on the road, but only Sales, Marketing, and Customer Service should be accessing this information.
Real World Example: ABC Company uses Salesforce.com for CRM. The Sales and Customer Service teams need full access to Salesforce.com and Marketing needs limited access. This is necessary both inside and outside of the corporate network. In addition, ABC Company only has reps and customer presence in the USA, Canada, and the UK.
The CASB Use Case: Using the policy construction in the CASB UI, access to the Salesforce.com cloud app is limited to the Sales, Customer Service, and Marketing OUs. In addition, the policy is configured so that access to Salesforce.com must be initiated from a device in a supported region of customer presence. Now attempts outside of the known control set are denied.

CASB Key Use Case – Cloud Service Provider Risk Management
Scenario: Evaluate a vendor’s risk profile before a business area signs up with a new solution.
Real World Example: ABC Company’s marketing department would like to sign up for an email marketing add-on for Salesforce from the Salesforce.com AppExchange, but Information Security Risk Management processes require that they get approval prior to signup.
The CASB Use Case: The profile for the add-on is retrieved from the CASB user interface. Data protection, data ownership, and auditability are key concerns; this is the company client list. In the CASB UI, we will be able to see answers to key questions about the vendor based upon the CASB company’s research. For example:
- Does the vendor support encryption at rest? No, in fact they do not.
- Does the vendor allow the client to hold the encryption keys? Well, since they do not support encryption at rest, they do not.
- If we go with this vendor, do we own our own data? Yes.
- But if we decide to leave them, will they permanently erase our data? No, they will not.
- Can we access admin or user logs? No, we cannot.
Perhaps there are other criteria that are equally important, or through negotiations some of these items may be changed in your particular agreement. As you can see, the CASB UI can provide decision support quickly.

A Second Cloud Service Provider Risk Management Use Case
Scenario: Evaluate vendor risk profiles to select the correct cloud app for our business.
Real World Example: ABC Company is moving storage to the cloud, but wants to decide which cloud storage app is preferred for their business needs. ABC Co must understand the risk implications of each vendor to make a sound decision.
The CASB Use Case: ABC Company again has set data protection, data ownership, and auditability as high concerns in the evaluation criteria. After applying these settings, the cloud storage apps of choice, such as Box and Microsoft OneDrive, are rated and prioritized. Other vendors get reordered to a lower level of trust, allowing easier shortlisting for vendor negotiations.

CASB Key Use Case – Threat Protection
Scenario: Employees and Contingent Workers have been using cloud storage for a few years, but the data has never been reviewed, so the integrity of the files is unknown.
Real World Example: ABC Company uses Box as the preferred vendor for cloud storage. However, there is real concern around the data that has been stored in the cloud, in terms of malware that could be propagated to other partners or clients through document sharing.
The CASB Use Case: Using the policy construction in the CASB UI, the Box app (including instance and folders) is configured to be “crawled” so that if malware is discovered within the files, the files are quarantined.

CASB Deployment Strategy
First, we crawl.
- Discover Cloud Apps in Use and assess risk, both the risk profile of any app in use and the ways in which apps are being used.
- Revitalize Corporate Policy and Prioritize Criteria for “Sanctioned Vendors”. In addition to our Information Risk teams, we need the business to be involved in this to tell us what’s important. What would cripple us if it was leaked or stolen, beyond the regulated items such as Social Security Numbers and credit cards? (10-K filing, confidential acquisition document, proprietary trade information)
- Prioritize Key Applications for integration in more sophisticated ways in the follow-on steps.

Then, we walk.
- Integrate Key Applications with API integration (non-intrusive).
- Implement Policy Violation Action/Alerting to protect data through polling (taking input from our revitalized policy decisions).
- Revitalize Corporate Policy to define what user behavior anomalies are: restrictions like device type, physical location(s), data downloads?

Then, we run.
- Integrate Applications as Active/In-Line (in waves).
- Implement Policy to protect data in real time (such as the data blocking scenarios we described in the advanced DLP use case).
- Implement Access Control Policies to prevent unsanctioned access and “coach” users to sanctioned apps (taking input from our revitalized policy decisions).

Technology Integration
- On-premises Log Collector for processing and sending logs to the CASB
- Identity and Access Management (IAM) federated identity and SSO configuration
- Mobile Device Management (MDM) to integrate Endpoint Agents on managed devices
- Security Information and Event Management (SIEM) to capture CASB policy violations and escalate to the central interface
Process Integration
- Incorporate CASB policy violation and forensics into the Incident Handling process
- Dovetail CASB controls into Identity and Access Management (IAM) application on-boarding and governance
- Bring CASB results into Key Performance Indicator (KPI) and Critical Success Factor (CSF) dashboarding
Business Integration
- Engage BU Security Liaisons to understand what Critical Data really is to your organization
- Define a “Service” and process to support Business Units with on-boarding to sanctioned apps and transitioning from risky apps
- Then, perform the shift to Sanctioned Cloud Apps and enable stronger security with information alerting and reporting from the CASB

Well, that’s it for our CASB integration overview. I sincerely hope that this series has provided value in learning about CASB. Thank you, and if you have questions and would like to reach out to me, my contact information is on this slide.