Adding additional levels of protection to protect access to cloud solutions increases security, but IT must carefully choose the tools and services responsible for this activity in order not to impact cloud performance. The magic word today is CASB.
Every day, your employees access cloud applications – from Microsoft Office 365, to Box or G Suite – from any type of device, whether in the office or remotely.
Cloud Computing can now be considered a consolidated paradigm that companies adopt to make the most of the capabilities of their IT infrastructure (by adopting a Private and / or Hybrid Cloud) or, completely switching to a pay-per-use or pay-per-use mode of use, to drastically reduce the investment and management costs of internal IT (Public Cloud).
The high maturity of the solutions offered, typically in the public Cloud, and the diffusion of skills in the Cloud area are supporting the growing adoption by companies of Cloud solutions where the user can totally delegate the management of the service to the supplier thus having the possibility of being more focused on business processes (sales, purchases, marketing, training).
However, the adoption of new services external to the company implies less control over their actual performance and stability offered by suppliers (typically public Cloud) and exposes the company to potential risks of cyber-attacks or data loss.
The management and execution of application services and data storage outside the company perimeters also increases the possible impact caused by unsuitable behavior on the part of users or system administrators which can, voluntarily or involuntarily, lead to unwanted access, loss or manipulation of sensitive information.
This perspective is confirmed by Gartner’s analysis which highlights that by 2020, 95% of security incidents will be due to direct user responsibilities. For this reason, it is essential for companies to have systems, security policies and processes capable of mitigating these risks.
If your business is looking for a way to monitor the usage of those applications and the data that travels through the cloud, you should start considering adopting a Cloud Access Security Broker (CASB) solution.
Cloud Access Security Brokers (CASBs) are among the top candidates to become an integral part of modern enterprise cybersecurity infrastructures. The capillary access control capability allows Cloud Access Security Brokers (CASB) to implement real IT governance systems in the security sector, to ensure total visibility between the interactions that users make with cloud services.
This is a more pressing need than ever, considering that smart working and the new collaboration methods envisaged by hybrid work are leading to a progressive expansion of the corporate security perimeter, making it increasingly difficult to defend against cyber threats. ever wider and more varied.
So let’s see what a Cloud Access Security Broker (CASB) actually consists of, what are its fundamental functions and what are the reasons why today a company should at least consider the configuration of an IT security architecture of modern concept, to guarantee the cloud-side and user-side security of their hybrid and multi-cloud infrastructures.
What is a Cloud Access Security Broker (CASB)
According to the definition offered by Gartner, the Cloud Access Security Broker (CASB) is a term that has been used for years to define a particular suite of security applications and its market consists of a set of products and services useful for identifying a company’s security gaps in the use of cloud services.
A CASB is therefore placed between users and the cloud to monitor and verify that the services used are in effect compliant with corporate security policies, and to intervene if any critical issues are detected.
What at first glance might seem an alternative to the various anti-intrusion systems already existing in the field of corporate security.
and therefore a useless additional complication for the IT department called to manage it, upon a more careful analysis proves to be a tool fundamental from a strategic and organizational point of view to increase the control of safety in the company.
In fact, CASBs are at a different operational level compared to traditional security infrastructures, such as hardware and software firewalls, rather than SWGs (Secure Web Gateways) which regulate the behavior of the various network access points. Taking into consideration that we could also detect with respect to a traditional antivirus.
The reason for this substantial ambiguity is very simple to understand, if we consider how the corporate IT department has in fact no control over the intrinsic security of a SaaS (Software as a Service) to which users connect to work.
The security of cloud native web apps belongs to the CSPs (Cloud Service Providers) that provide the service, as well as data storage in the cloud and all possible applications in the cloud, which companies are increasingly using.
as they are more sustainable at of initial costs, scalable according to workload trends and easy to maintain, since their management is fully the responsibility of the service provider.
This is a decidedly attractive scenario, with an important price to pay, which does not refer so much to the invoice issued by the CSP, but rather to the fact of having to blindly trust its work in terms of security.
An error on the part of the cloud service manager could cause serious damage to a client company, if the bad guys were able to come into possession of sensitive data or trade secrets.
A Cloud Access Security Broker (CASB) is therefore natively conceived for the cloud, as well as the applications and resources it is called upon to monitor.
Its goal is not to replace the traditional IT security infrastructure, but to integrate it with new functions, to manage policies related to all cloud activities, to enhance IT governance by specifically supporting all security-related control actions. of data, users and applications.
While waiting to go into detail in the following paragraphs, we can anticipate the main operational benefits that derive from a conscious adoption of a CASB:
Threat detection: allows you to obtain complete visibility and perform a dynamic analysis on the behavior of applications in the cloud, with the possibility of identifying or even predicting threats, thanks to the active detection of anomalous ones that could correspond to the occurrence of malicious actions.
This happens thanks to the use of tools based on machine learning, which allow real-time analysis of the huge flow of data that is generated, for example, between users and applications.
User protection: The analytics system monitors all aspects of user behavior to enable secure provisioning of applications. The possibility of integrating directory systems allows the CASB to verify all possible correlations between active users and the various cloud enabled applications, in order to detect possible anomalies and the consequent threats that could be active internally or externally of the company perimeter.
Secure configuration and application monitoring: A Cloud Access Security Broker (CASB) allows you to have visibility on the applications in the cloud to use, to guarantee their secure provisioning right from their implementation, thanks to all the necessary security configurations to ensure compliance with the company policies.
Application monitoring is part of the activities to be envisaged to detect possible cyber-attacks in real time. In the course of the next paragraph, we will see what is specifically meant by visibility and compliance in the context of corporate IT security.
The 4 pillars of the CASB
By now aware of the definitions and the general framework, we can tackle the next topic. The IT literature, through some definitions originally formulated by Gartner, is in fact used to recognize some points of reference to Cloud Access Security Brokers (CASB), otherwise known as the four pillars of the CASB. We take a cue from these definitions to observe which are the four pillars on which companies should try to build a secure structure regarding their business in the cloud.
Visibility
CASB systems guarantee complete visibility of what is called shadow IT, to shed light on the shadow areas that may occur given the growing use of multi-cloud architectures, which see the SaaS applications used in the company multiply every day.
An effectively implemented Cloud Access Security Broker (CASB) must allow IT managers to have a single control panel, capable of summarizing all the applications in the cloud, to which users are registered and connected, with a detailed list of the devices used.
Only in this way is it possible to have complete visibility of the software used by employees and to make the appropriate assessments in terms of security, relating to the nature of cloud native applications themselves, to the methods of accessing, processing and storing data, etc.
In other words, a CASB must answer the following question: “Who is doing what in the cloud?”. This is a fundamental question to classify the applications in use as valid or not for the purposes of business objectives, in accordance with corporate security policies.
In addition to the fact that, leaving aside issues that specifically concern only the aspects related to security, such information can allow a rationalization of the software park, with relative savings in terms of costs for subscribing to the services.
Modern CASBs make use of features based on artificial intelligence to analyze large amounts of data and draw up a detailed report on the activity logs of the various applications, with the possibility of setting auto-alerts in the event that suspicion arises about some malicious actions.
A classic case is given by a simultaneous access of the same user from two different places, which gives rise to the suspicion of a compromise of his access credentials.
Similarly, the Cloud Access Security Broker (CASB) is able to detect in real time if a user is using software deemed unreliable, for example a P2P file sharing application, to proceed with its eventual ban.
Compliance
One of the actions of the CASB is to highlight the aspects related to what in jargon is defined as compliance, that is, compliance with company standards and rules regarding certain functions, specifically those relating to safety. Basically, the CASB analyzes the characteristics, in order to highlight inconsistencies and possible risks arising from the use of a SaaS or other cloud services.
Most SaaS vendors do not offer basic detailed visibility and data protection tools to ensure compliance. The Cloud Access Security Broker (CASB) therefore has the task of filling this gap, with specific actions capable of guaranteeing an additional level of security against threats such as the data breach, rather than guaranteeing total compliance with data access policies. sensitive, avoiding as much as possible the occurrence of a data leak.
Data Security
CASB systems help to consolidate compliance with data security policies, implementing monitoring and analysis actions, useful for preventing malicious actions on the data.
Monitoring takes place by controlling access to data in the various situations in which this can happen and automatically adopting useful actions to safeguard their integrity, such as quarantine, watermark or encryption, as weapons to counter a possible data leak by malicious people, who could come into possession of a company’s confidential information to illegally resell it to its competitors, causing damage that goes far beyond the economic fact.
Cloud Access Security Brokers (CASB) are particularly effective in controlling the accesses that users make on the basis of their authentication status, the device used and the place of connection.
In particular, device control is essential in remote or agile working regimes (smart working) where employees can resort to BYOD (Bring Your Own Device), a condition that should always be avoided if possible, since it dangerously contributes to widening the corporate security perimeter, making it much more complex to control.
A CASB can check the devices connected to the network and identify their interaction with cloud services. In this way, in addition to excluding unauthenticated IDs from their systems, it can also prevent certain behaviors that comply with the policies, such as downloading or uploading files to email / office applications via devices for mixed use, which the employee also uses for personal activities, in a context completely unrelated to corporate IT.
Threat Protection
The CASB is in general an effective tool for protecting corporate systems from cyber threats that can occur within, rather than outside, the corporate security perimeter. The actions it can carry out in this sense are truly many.
Based on what is highlighted in the first three pillars, the Cloud Access Security Broker (CASB) can, for example, prevent certain users, devices and applications from accessing cloud services.
It can also activate UEBA (User and Entity Behavior Analytics) activity, rather than advanced malware detection and all those actions that can take advantage of the analytical-predictive functions that modern CASBs are equipped with, thanks to the use of artificial intelligence.
A classic mistake, or formal flaw that companies often commit is to trust the cloud a priori, as CSPs (Cloud Service Providers) are required to comply with the SLAs provided for in the contract, which also include specific security conditions and resilience.
This is not to say that it is not true, but the daily news informs us that CSPs are anything but infallible in the face of the incredible amount and variety of threats that occur. If an attack involves the data of a client company, it is true that this may eventually retaliate against the supplier, but in the meantime, the loss or leakage of information can cause even fatal damage to the business. And there is no revenge that holds.
If, as we have seen above, the Cloud Access Security Broker (CASB) can bridge the security gaps between the company and the cloud, it can be similarly effective in preventing certain internal conduct.
Thanks to its monitoring, for example, an employee, even without particular malicious intentions, but for example to enjoy an alleged convenience, can try to download the entire customer database from a CRM. Even if it is not an illegal maneuver, this practice causes the leakage of sensitive data from a secure perimeter, with all the risks involved, so it is desirable that the CASB prevent the download by users who remain authorized to access it. even remotely.
The application areas of a Cloud Access Security Broker
The CASB contributes to substantially reduce the risks deriving from cyber threats, thanks to a greater awareness of what is happening in the company. On a practical level, the implementation of a Cloud Access Security Broker (CASB) can take place in-line, with real-time control of the interaction between user and SaaS application, rather than off-line thanks to the use of an API telemetry available through SaaS providers. To date, CASBs are used, for example, to ensure compliance with corporate security policies in many application areas, including:
- Cloud Governance and Risk Assessment
- Authentications, Authorizations and Single Sign-On
- Credential mapping
- Device profiling
- Data loss prevention
- Control of collaboration and sharing activities with cloud native applications
- User Behavior Threat Prevention (UEBA)
- Data tokenization and encryption, with access key management
- Registrations and reports
- Malware detection
- SSO and IAM integrations
The real-time nature and the use of tools for the advanced analysis of large amounts of data thanks to artificial intelligence techniques make modern CASB very effective systems for safeguarding corporate security. However, CASBs cannot act alone, but must be combined with other security devices, on-premises rather than in the cloud, such as systems capable of decoupling hardware from control mechanisms to create hybrid networks (eg. Software Defined WAN, Zero Trust Network Access, Firewall as a Service, Secure Web Gateway, etc.), over VPN connections, as required for example by a modern network architecture such as SASE (Secure Access Service Edge).
It should also be noted that Cloud Access Security Broker (CASB) does not in any way constitute a substitute for a corporate security culture that is generated only thanks to the continuous training of employees. Using a typically slang expression, the technology doesn’t allow users to give a damn about security, but it helps business systems work more securely. Driving a safe car does not a priori avoid the occurrence of an accident in the event of reckless conduct, nor the theft of the car itself if the most basic rules of common sense are ignored, leaving the keys inserted in the dashboard.
What are the services that a CASB platform must have
A CASB platform must provide complete protection against malware, zero-day attacks, Man-in-the-Middle and phishing attacks, as well as hijacking employee SaaS accounts, ensuring the necessary Identity Protection required by corporate policies.
All this is developed by integrated modules that work in harmony. These are modules that are perfectly in line with market demands, given that 90% of data breaches in SaaS environments are the result of a violation of the identity of an authorized access profile.
The heart of CASB solutions is the Identity Protection engine: the component that is responsible for validating access to the cloud and SaaS applications. It provides true Multi-factor Authentication (MFA) which requires an additional level of authentication when transferring data packets to an end point. And this also applies to access to applications, for example on the cloud.
Furthermore, thanks to machine learning algorithms, CASB platforms are able to make immediate decisions following the request for access from a device. If the request presents anomalies, such as login from suspicious places or IP addresses with a bad reputation and other “suspicious” events, the platform does not give the green light.
It is therefore an intelligent monitoring thanks to machine learning to which dynamic blocking tools are added. Also in this case, the CASB platforms exploit automation tools that allow you to send alerts and perform automatic data and access protection routines.
It is important to clarify that, although the default configurations are already very advanced, the CASB tools offer a wide range of customization options, to be delegated to the IT partner or cloud service provider that offers a protection service.
Taken individually, each of these tools is not equivalent, specialists warn: this is why it is important for each company to consider what their potential needs are in order to be able to evaluate each tool with the right attention.
When a Cloud Access Security Broker is needed
Do we really need to specify when a CASB is needed? The answer is simple, always.
Today there is no company that can be considered immune from a cyber-attack. Even the smallest can have a direct link with the information systems of larger companies, as suppliers, for example, and through those profiles it is easy to access data of primary importance for a company. Vital data for the functioning of the systems, or simply sensitive data or industrial patents.
We also remind you that, according to the GDPR, even the owner of the end point from which the attack started can be held responsible for the damage. This means hefty fines if you fail to prove that you have a next-generation protection system.
Having clarified that there are no companies, large or small, or immune vertical markets, it must be specified that the CASB platforms today are mainly distributed in the form of a service. And this is a huge advantage, especially in terms of costs. The service mode (SaaS) allows all companies to enjoy truly state-of-the-art protection against a negotiable fixed monthly payment.
It is important to choose the right IT partner. It must be structured, i.e. equipped with SOC (Security Operation Center). It is a coordinated control center from which attacks and dangers can be monitored in real time. The IT partner, then, must have all the tools for the outsourced management of the corporate network of its customers. Finally, it is important to choose partners specialized in security, referenced and with certified resources. To avoid the use of different partners, you can opt for a Cloud Service Provider which, in addition to taking charge of the customer’s entire IT infrastructure, offers a CASB offer in its portfolio.
CASB and Firewall – Why CASB is better
Now that you know why you need the CASB, let’s see what its features are. This tool performs several fundamental functions that go beyond corporate firewalls and web gateways:
Cloud App Management: The CASB governs cloud applications and services, providing a centralized view of your cloud environment, with details of who is accessing which application and what data in the cloud, from where and from which device.
Since cloud usage has become so pervasive nowadays, the CASB catalogs cloud services (including third-party OAuth applications), assesses their risk level and overall reliability, and scores them. The CASB also offers automatic access control to, and from cloud services, based on risk score and other parameters, such as data category and permissions.
Defense against cloud threats: The CASB helps identify threats, for example by monitoring suspicious logins or too many logins, then sending alerts. The CASB also uses advanced anti-malware tools and sandboxes to block and analyze threats. And in some cases, CASB solution providers rely on globally researching the behaviors and characteristics of current and emerging cloud attacks. Today’s sophisticated CASB solutions also allow you to configure policies for the automatic remediation of cyber threats. As a prevention, you can configure access control at the user level, based on his role (such as privileges and VIP status), the level of risk associated with the login and other contextual parameters, such as the user’s location, device security and more.
Securing Sensitive Data: Discovery and removal of publicly shared files, and Data Loss Prevention (DLP), are critical components of a CASB solution. For example, the CASB allows you to set and enforce security policies to allow users to access only certain categories of data based on their privileges. Most CASB solutions are equipped with DLP and are also integrated with corporate data protection solutions.
Cloud Compliance: The CASB can be of great help when you need to demonstrate that you are enforcing the right control policies on cloud services. Through its global vision, automatic remediation, policy creation and enforcement, and reporting capabilities, the CASB enables you to be compliant with data management, privacy and retention regulations.
Including the GDPR, General Data Protection Regulation (GDPR), and standards and regulations such as the HIPAA, Health Portability and Accountability Act.
Four things to consider before choosing your CASB
1) Define your goals before choosing your CASB
One of the most recurring problems when companies have to choose their reference tools is that every organization must have a clear understanding of the objectives to which this type of tools must serve. A Cloud Access Security Broker, in fact, is not the panacea for everything and does not solve anything. So first you need to understand what you want to accomplish.
A cloud access security broker such as, for example, Palerra, Elastica, Skyhigh Networks or Netskope, usually requires an independent set of security policies between the enterprise and the cloud provider such as AWS (Amazon Web Services) or GCP (Google Cloud Platform).
Sometimes the goal may be to bring out all those operations associated with shadow IT or even just to identify weaknesses in services or inefficiencies in security policies. In other cases, the CASB can play a role that goes far beyond monitoring and management, allowing the various business units to realize how and how much cloud services are used, thus optimizing the associated spending budgets.
2) Review settings and requirements of your systems
Cloud Access Security Brokers offer a wide range of features including offering detailed analysis to system administrators with respect to cloud services. In fact, CASBs carry out various activities: they make it possible to use packaged models, customize policies, integrate machine learning solutions to monitor behavior and bring out risky activities. Not only that: CASBs generate logs, send alerts and create timely reporting that helps IT managers when, in some cases, they are even able to implement reactive actions to increase security policies. A Cloud Access Security Broker can also be integrated with existing IT platforms according to LDAP (Lightweight Directory Access Protocol) as well as with identity and access management tools, help desk systems or trouble ticketing systems as well as other types of security tools such as single sign-on.
Reviewing the setting characteristics of the CASB ensures that these are based on the real business needs and can intercept precisely those gaps that require additional security measures.
3) Evaluate the scope of active cloud services
Organizations can tailor a CASB to suit specific cloud services or entire platforms. These service-specific tools can do their job reliably, but only for what they are supposed to do.
For example, if your cloud business development software runs on AWS, you might need one tool for AWS and another for your cloud software repository such as GitHub.
Furthermore, if a company changes its cloud platform, it may be necessary to invest in another CASB. This means that a company must budget multiple CASB tools in case it becomes necessary to diversify the activities on the cloud.
Locally hosted CASBs require updates, but in some cases, updates can be truly disruptive. Companies that implement an in-house Cloud Access Security Broker, on the other hand, will have to integrate the platform with some patch management tools as well as with change management tools.
When CASBs are released by third parties, however, users must take into consideration the possibility of having disruptions or service interruptions that can occur with any other type of software as a service. Vendor must align with SLAs that meet business security and compliance requirements.
4) Consider multiple CASB operating models
Companies can issue a CASB on different levels. Each level can offer unique benefits and capabilities so it is very important to understand where the tool is able to operate most effectively.
Implementing a CASB locally is one of the most frequent reference models because it allows you to monitor network traffic, manage identities and access for groups, devices or geographical areas or integrate local encryption to prevent unauthorized access. However, releasing a local Cloud Access Security Broker requires it resources to manage and support one more system to control.
CASBs are quite simple to manage, but defining an encrypted control can impact the application performance associated with cloud data processing. For example, if a CABS encrypts financial data, an app responsible for managing a financial process in the cloud may not be able to decrypt this data.
Threats that CASB can monitor
CSA’s study “The Treacherous 12: Cloud Computing Top Threats 2016” helps to understand the risks associated with the adoption of public Cloud services, focusing on 12 main security threats that must be managed to ensure system stability and correct management of related data.
Nine of the twelve threats identified by the research can be mitigated and constantly monitored thanks to the adoption of CASB systems:
Data breach: the CASB allows the detection of data breaches, monitoring privileged users, security policies for data encryption and the movement of sensitive information, preventing or limiting the impact caused by abnormal behavior or access unauthorized.
Security of the programming interfaces of an application or API [4] (Insecure APIs): the CASB is able to detect anomalous API calls and alerts the user and the service administrator by assigning a risk score to external APIs and applications based on such activities.
Security of access credentials (Weak ID, Credential and Access Management): CABS helps to improve the security in the use of access credentials, monitoring the security policies related to password expiration and detecting any user access patterns and compliance of the use of encryption keys.
System and Application Vulnerability: CASB supports system security by continuously monitoring configuration changes or changes in the access model.
Theft of user credentials to carry out illegal actions (Account Hijacking): by monitoring users, privileged accounts, service accounts and API access keys, CABS can detect account hijacking threats thanks to machine learning techniques and behavior analysis.
Compromise of the Cloud provider’s ICT infrastructure (Shared Technology Issues): The CASB reduces the risks of compromising the services used by monitoring the infrastructure and application resources, often shared, and ensuring their proper segregation.
Abuse of Cloud services (Abuse & Nefarious Use of Cloud Services): CASB helps reduce the risks of abuse of Cloud services, monitoring workloads at Infrastructure as a Service (IaaS) level and access models in SaaS services to detect abnormal executions of compute instances and abnormal user access patterns.
Targeted and continuous attacks (Advanced Persistent Threats): The CASB is able to detect anomalies of incoming and outgoing data (data exfiltration [6]), helping to discover if a network has been the subject of an APT attack by blocking its point of access
Unfaithful users or suppliers (Malicious Insider): The CASB can monitor the excessive use of user privileges that deviate from compliance guidelines by detecting malicious user activity through user behavior analysis tools (UEBA – User Behavior Analytics).
Conclusions
Companies that want to leverage Public Cloud services for mission-critical applications and sensitive data will have to review data security governance requirements under a different lens. The increase in the maturity of public cloud solutions and the massive push towards labor mobility (e.g. BYOD, smart working, etc.) introduce a series of variables that are not easily controllable with the current systems used by companies.
The adoption of CASB systems as security checkpoints for Cloud services increases visibility on accesses and transactions made to systems, applications and data, guaranteeing direct control over the corporate security policy.
The combination of the CASB functions, tightly integrated with the Cloud provider and the corporate security policies, can address the main security governance requirements of the services.