Migration to the cloud presents many unique challenges in protecting your data. A new generation of technologies called Cloud Access Security Brokers (CASBs) has emerged with the sole purpose of protecting corporate data while embracing cloud applications and services.
CASBs elegantly address new use cases that define some of the most difficult security problems in cloud computing. These use cases apply to unsanctioned clouds of any kind, sanctioned clouds including third-party software-as-a-service (SaaS) applications, and custom applications deployed on public platforms such as Amazon AWS, Microsoft Azure, Google Cloud Services, and others. CASBs provide a single unified and consistent approach to cloud security for all of the clouds that you use.
The critical use cases can be organized into four main categories:
- Visibility. Provide for the automated discovery, assessment, and blocking of unsanctioned clouds (shadow IT) being used across the entire enterprise.
- Data Protection. Implement policies that govern the protection of data when uploaded to the cloud, shared with external business partners, shared with other internal departments, accessed and downloaded to mobile devices, and much more.
- Threat Protection. Provide threat protection to address the need within both enterprise and government to protect clouds from malicious insiders, compromised accounts, advanced persistent threats (APTs), attacks on application program interfaces (APIs), malware, ransomware, and much more.
- Compliance Support. Compliance use cases are often the single biggest drivers for the deployment of CASB technology. The rolling waves of global compliance have complicated cloud deployment and will continue to drive the need for CASBs for the next five years.
1. Use cases around visibility
Important use cases around Visibility involve cloud identification, risk assessment, audit trails for forensic investigation, and e-discovery as follows:
- Identify all cloud services in use. The average enterprise may use hundreds of cloud applications of varying sizes, but, in our estimate, the typical IT team has complete knowledge of only a percentage of them. This automated discovery must find applications regardless of whether they are accessed from within the enterprise networks or remotely using mobile devices.
- Identify the risks of the clouds in use by the enterprise. It is important to understand the risks associated with the clouds currently in use, regardless of whether they are sanctioned by management or part of shadow IT usage. If the cloud applications are important to the enterprise, their risks must be identified so they can be addressed appropriately.
- Identify an audit trail of user activity for forensic investigation and e-discovery. The typical enterprise may have one or more investigations ongoing which require some form of e-discovery. These may be driven by human resources, the legal department (for example, to satisfy a subpoena), governance, compliance, executive management, the board of directors, and other departments, for a variety of reasons. It is expensive and difficult to understand where all of the data is located. It is often more important to understand communications using corporate tools that reference that data, and the history of access, duplication, download, and sharing of that data.
2. Data protection use cases
These use cases implement policies that govern the protection of data when uploaded to the cloud, shared with external business partners, shared with other internal departments, accessed and downloaded to mobile devices, and much more. Primary use cases around data protection include:
- Implement policies for data loss prevention (DLP) for data uploaded and stored in the cloud. DLP is one of the hottest technologies to consider for your enterprise in 2019. There are many types of restricted data within the enterprise, including intellectual property, financial data, sensitive data as stipulated by compliance regulations, and more. If this data is not pseudonymized prior to upload to the cloud, the data is not sufficiently protected. This may result in the theft of intellectual property and compliance failure. The problem occurs whether employees use unsanctioned clouds or sanctioned clouds, and when custom applications are deployed.
- Implement policies for collaborative governance with third parties and between internal groups. There are many types of sensitive and restricted data within the enterprise. This may include intellectual property, financial data, sensitive data as stipulated by compliance regulations, and more. Policies for sharing data with third parties may vary considerably depending on governance and compliance requirements. There are also policies that require careful governance and highly controlled access among internal groups.
- Implement policies to pseudonymize data using encryption to protect sensitive data. Pseudonymization is required by many compliance regimes. In some cases only pseudonymization is requested, while in others this is expanded to specifically request the use of encryption. Pseudonymization is the process whereby identifying fields within a database are replaced by non-identifying terms. Data must often be pseudonymized prior to upload to the cloud in order to protect the data, avoid compliance failures, and prevent a data breach.
- Implement policies to pseudonymize data using tokenization to protect sensitive data. There are many cases where an enterprise wants to mask or hide identifying data in an online cloud application. Tokenization refers to a technique that replaces the original data with a “token,” which contains no information from the original content. Unlike encryption, there is no mathematical tie between the token and the original data. Tokenization, also referred to as data masking, is commonly also used to meet compliance requirements in countries or regions with strict data residency laws.
- Implement policies that restrict data encryption key management to internal use only. Many cloud vendors require copies of your data encryption keys. Unfortunately, this opens you to data breaches due to misconfiguration, administrative error, activities by malicious insiders that work for your cloud vendors, and third-party forced disclosure.
- Implement policies to provide digital rights management for digital documents. The enterprise wants to implement Digital Rights Management (DRM) to protect data across sanctioned clouds of all types. DRM allows both enterprise and government to control access, sharing, and redistribution of digital documents which may contain copyright material, intellectual property, trade secrets, and other sensitive and confidential data.
- Implement policies for non-compliant devices using mobile device management (MDM). It is important to implement policies that restrict access from the device and, specifically, block the download of content. Policies can restrict the use and download of data on bring-your-own-device (BYOD, personal mobile device platforms), corporate-owned personally enabled (COPE), or corporate-owned business-only (COBO) devices.
- Implement policies for cloud governance to block access to cloud applications based on risk. The average enterprise may use many hundreds of cloud applications. Some unsanctioned cloud applications, based upon the judgment of management, may represent unnecessary risks to the organization for a variety of reasons. It is important that these designated high-risk clouds are not available for use from corporate networks or corporate devices or used with corporate data.
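The encryption, tokenization and key-retention policies above share one mechanism: the values that make a record identifying are replaced before upload, and only something the enterprise holds (a key or a token vault) can reverse the replacement. The following Python, added here as an illustration and not code from any CASB product, implements a minimal tokenization vault over constructed sample records; the field names, the `tok_` prefix and the choice of which fields are identifying are assumptions.

```python
import secrets

# Constructed sample records; not real customer data.
RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.com", "balance": 1200},
    {"customer_id": "C-1002", "email": "bob@example.com", "balance": 450},
]
# Assumed policy: fields that must never leave the enterprise in clear.
IDENTIFYING_FIELDS = ("customer_id", "email")


class TokenVault:
    """Enterprise-held token <-> value mapping. Tokens are random, so there is
    no mathematical tie to the value (unlike encryption); the vault is the
    only way back. Same value -> same token, so cloud-side joins still work."""

    def __init__(self):
        self._by_value = {}
        self._by_token = {}

    def tokenize(self, value):
        if value in self._by_value:
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(8)
        while token in self._by_token:      # collision is practically impossible
            token = "tok_" + secrets.token_hex(8)
        self._by_value[value] = token
        self._by_token[token] = value
        return token

    def detokenize(self, token):
        return self._by_token[token]        # KeyError if not issued by this vault


def pseudonymize_for_cloud(record, vault, fields=IDENTIFYING_FIELDS):
    """Copy that is safe to upload: identifying fields tokenized, the rest
    (e.g. balance) left usable by the cloud application."""
    cloud_copy = dict(record)
    for field in fields:
        cloud_copy[field] = vault.tokenize(record[field])
    return cloud_copy


def restore(cloud_copy, vault, fields=IDENTIFYING_FIELDS):
    """Reverse tokenization; only works with the vault that issued the tokens."""
    original = dict(cloud_copy)
    for field in fields:
        original[field] = vault.detokenize(cloud_copy[field])
    return original
```

A copy of the uploaded records obtained from the cloud vendor, or by a third party compelling the vendor, carries only the tokens; without the vault held inside the enterprise, `restore` fails with `KeyError`.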
3. Threat protection use cases
These use cases address the need within both enterprise and government to protect clouds from malicious insiders, compromised accounts, advanced persistent threats (APTs), attacks on application program interfaces (APIs), malware, ransomware, and much more. Primary use cases around threat protection include:
- Block threats from malicious insiders or compromised accounts based on activity during and after login, and on parameters surrounding attempted login. It is important to detect and respond to unusual employee activity which might be suggestive of malicious behavior or of compromised credentials and an ongoing cyberattack.
- Block malware and ransomware. It is important to detect and respond to malware, ransomware, and other attacker tools that may be carried within infected documents. Once in the cloud, if undetected, these can potentially infect many documents and result in the loss of data.
- Block APT attacks that target application program interfaces (APIs). Advanced persistent threats can invade cloud environments seeking to compromise data. Once in the network, they can listen to network traffic, intercept additional credentials, and target even encrypted data through the application program interface (API). The API therefore needs to be secured to meet security and compliance requirements.
- Block APT attacks that target cloud misconfiguration or administrative error. Advanced persistent threats can invade cloud environments seeking to compromise data. Once in the network, they can listen to network traffic and identify misconfigurations and administrative errors that allow access to data. The environment therefore needs to be secured against such errors to meet security and compliance requirements.
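The first bullet above, detecting a compromised account from login parameters and from activity after login, as an added example in Python rather than any product's detection logic: it runs two checks over a constructed CASB activity log (one JSON event per line, a format assumed here), a login from a second country within an hour of the previous one, and a burst of downloads after login. The thresholds are assumptions that would be tuned per tenant.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CASB activity log, one JSON event per line (not from a real tenant).
LOG = """\
{"ts": "2019-03-04T09:00:00", "user": "alice", "event": "login", "country": "US"}
{"ts": "2019-03-04T09:20:00", "user": "alice", "event": "login", "country": "RO"}
{"ts": "2019-03-04T09:21:00", "user": "alice", "event": "download", "file": "forecast.xlsx"}
{"ts": "2019-03-04T09:22:00", "user": "alice", "event": "download", "file": "payroll.csv"}
{"ts": "2019-03-04T09:23:00", "user": "alice", "event": "download", "file": "roadmap.pptx"}
{"ts": "2019-03-04T10:00:00", "user": "bob", "event": "login", "country": "US"}
{"ts": "2019-03-04T10:05:00", "user": "bob", "event": "download", "file": "memo.docx"}
"""

TRAVEL_WINDOW = timedelta(hours=1)   # assumed: two countries this close is not plausible travel
DOWNLOAD_LIMIT = 3                   # assumed: downloads per hour above the user's normal pattern


def parse(log):
    """Parse the JSON-lines log into events sorted by time."""
    events = [json.loads(line) for line in log.splitlines() if line.strip()]
    for event in events:
        event["ts"] = datetime.fromisoformat(event["ts"])
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return (user, rule, detail) alerts for the two compromised-account signals."""
    alerts = []
    last_login = {}                 # user -> (timestamp, country) of the previous login
    downloads = defaultdict(list)   # user -> timestamps of downloads in the last hour
    for event in events:
        user = event["user"]
        if event["event"] == "login":
            prev = last_login.get(user)
            if prev and prev[1] != event["country"] and event["ts"] - prev[0] <= TRAVEL_WINDOW:
                alerts.append((user, "impossible_travel", f"{prev[1]}->{event['country']}"))
            last_login[user] = (event["ts"], event["country"])
        elif event["event"] == "download":
            recent = [t for t in downloads[user] if event["ts"] - t < timedelta(hours=1)]
            recent.append(event["ts"])
            downloads[user] = recent
            if len(recent) == DOWNLOAD_LIMIT:     # fire once, when the threshold is crossed
                alerts.append((user, "bulk_download", f"{len(recent)} files within 1h"))
    return alerts
```

In a real deployment the response to such alerts would be a CASB policy action (step-up authentication, session termination, or blocking further downloads) rather than a printed tuple.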
4. Compliance use cases
Based upon our independent research, CASB Compliance Use Cases remain the single biggest drivers for the deployment of CASB technology. The rolling waves of global compliance have complicated cloud deployment and will continue to drive CASB deployment strongly for the next five years. Primary use cases around compliance include:
- Implement policies to protect data using pseudonymization. Pseudonymization is required by many compliance regimes. In some cases only pseudonymization is requested, while in others this is expanded to specifically request the use of encryption and/or tokenization. Data must often be pseudonymized prior to upload to the cloud in order to protect the data, avoid compliance failures, and prevent a data breach. Unauthorized access to encrypted data generally does not constitute a data breach or violation of compliance under the great majority of state, regional, industry, and national laws, because the data is unintelligible. Data may also be pseudonymized to meet the needs of data sovereignty (data residency), where data cannot be shared beyond the borders of a specific country or economic union.
- Implement policies to prevent third-party forced disclosure of your data by a cloud vendor. Cloud vendors that hold your data in unencrypted format, or that hold a copy of your data encryption keys, can access your data or be compelled to access your data by government warrants and subpoenas. This can happen without your knowledge or permission.
- Implement policies for data sovereignty (data residency). Many compliance regulations stipulate a requirement for data sovereignty (data residency). Data residency requires that all of the physical data is stored and maintained within the specified geographic borders or boundaries. These are often associated with the border of a country or economic union.
- Implement additional policies for a broad mix of global regulations. This may include GDPR, HIPAA, PCI-DSS, GLBA, the pending California Data Privacy law in 2020, Sarbanes Oxley (SOX), FISMA, NERC CIP, and others.
In summary, the imperative for comprehensive cloud security could never be more compelling than it is today. CASB use cases are driven by the need to protect your most sensitive data in the cloud from data breaches, insecure API interfaces, system vulnerabilities, account hijacking, malicious insiders, malware, advanced persistent threats, and more.
Complete knowledge of all cloud usage is required to meet corporate governance, address compliance, most efficiently utilize information technology and legal resources, and ensure that the security operations team integrates these clouds into their plans. All of these clouds must be identified, categorized, and secured.
Finally, CASB use cases for the encryption or tokenization of data are critical in a time when it is very likely that attackers will penetrate your most secure networks. CASB strategies allow the enterprise to retain the encryption keys and thus continuously protect the data at rest, in use, and in transit through APIs, middleware, and the network.