Is CASB the answer to all your cloud security challenges?

Cloud Access Security Broker technology is a fast-growing market, and aims to help organisations apply security policies across the cloud. It's an answer to a long-standing problem, but which option is the best fit for your environment, and how do you avoid the common pitfalls?

What have the Romans ever done for us? Besides aqueducts, they also built some pretty impressive walls. The one they built around the strategically important port of Londinium in the late 2nd century still stands in parts, in what is now England's capital.

It was designed to repel invasion, probably from the Picts who overran Hadrian's wall in the 180s. It also helped control access to the city, and its treasures within.

Today such control has gone, and the wall is no more than an attractive relic, a tourist destination. This feeling of loss of control will be familiar to technology leaders.


In the pre-cloud, exclusively on-premise days, organisations had a perimeter which they could protect and control. Everything inside was theirs, everything outside was not. Enforce your security policies inside the perimeter, make sure nothing nasty hops over the wall: job done.

Today, corporate data and systems are hosted anywhere and everywhere. Often technology leaders don't even know where their data sits, or who else shares the servers on which their critical systems run.

How can security principles be applied to such a disparate system?

One answer is a Cloud Access Security Broker (CASB). This is a system which enforces an organisation's security policies across the cloud, sitting between the cloud provider and the corporation consuming its services. It's a concept which has been gaining traction in recent years, with the market set to be worth in the region of $7.5 billion by 2020 according to many estimates.

There are a wealth of CASB suppliers available today, with traditional security vendors like McAfee (following its January 2018 purchase of SkyHigh Networks) and Symantec, software behemoths like Microsoft and Oracle, and smaller, specialist outfits like Netskope and Okta all in the game.

Where to start with CASB

The first hurdle technology leaders must overcome when looking to implement their own CASB is understanding where to start.
Steve Riley, research director cloud security at Gartner, advises firms to begin with a detailed listing of use cases that are specific to a customer's exact needs.


"Think about how end-users will interact with cloud services and with what kinds of devices: CASBs can provide differentiated SaaS functionality when a device is managed vs. unmanaged," says Riley.

This could help where end users want to access sensitive corporate data from personal devices. A CASB solution could convert information into a more secure read-only format, which is preferable to the alternative of blocking it completely.

"Envision more scenarios about how people need to interact with data and the types of cloud services that are important for the business. From here, a proof of concept (POC) can be developed, and, therefore, acquisition becomes considerably easier," he adds.

CASB comes in several flavours

CASB solutions come in three principal flavours: API-only, proxy-only or multimode (both API and proxy).

API-based CASB defines a limited selection of sanctioned cloud-based applications which corporate users can access. This means, for instance, that the CASB provider will take over administration rights for its customers' Office 365 (O365) users. When a user logs in, the traffic is shunted out to the CASB provider who checks all the data before sending it through to O365.

"It's not on the network, the data goes to the application and we check it there. We'll look at all their files, and scan everything for malware," says André Stewart, vice president EMEA, Netskope.

Proxy-only CASB is where all traffic goes through the security provider's cloud first, where it's scanned and checked for compliance with corporate policies, before being sent out to the wider internet, or to whichever cloud applications it was originally intended.

"The difference is proxy-based CASB can deal with sanctioned and unsanctioned applications," says Stewart. "We see all the data, forwarded from any type of device to our cloud."

The third flavour, or religion as Stewart refers to them, is multimode, which offers end users both API and proxy options depending on the use case.


But is there a definitive 'best' flavour?

That depends on the use case, and the choice should be driven by an organisation's mix of cloud applications and connectivity. Proxy-based architecture is more holistic in the sense that it can deal with any application, not just those specifically singled out by IT. However, especially security-conscious organisations, or those in heavily regulated industries, will want cloud traffic restricted to applications they deem suitable - so again it's down to the use case.

What does CASB do?

CASB essentially tries to do four things: discover which cloud applications are used across the business, secure data, protect against threats, and ensure compliance with corporate policies.

Gartner refers to these as the 'four pillars' of CASB.

"The CASB market is crowded, with vendors seeking differentiation across the four pillars," says Riley. "Some execute well across all of them, while others choose to focus on fewer of them but still offer basic functionality in all four. When originally conceived, CASBs focused on either visibility or encryption. As products have matured, visibility remains an important use case, but additional use cases have arisen that are as important, if not more so, than visibility."

He adds that whilst no single CASB product would perfectly fit every use case, pure-play, stand-alone CASB platforms (not necessarily always from stand-alone CASB vendors) provide more features, cover more cloud services, and support a wider array of enterprise use cases.


"This agility is far outpacing the features being delivered by cloud service providers, as well as by other vendors that offer a subset of CASB features as an extension of their existing security technologies. Furthermore, platforms from leading CASB vendors were born in the cloud, designed for the cloud, and have a deeper understanding of users, devices, applications, transactions and sensitive data than CASB functions that are designed as extensions of traditional network security products and services."

What are the typical CASB use cases?

So once again vendor selection comes down to the use case. But what are these use cases? What are the most common reasons firms decide to deploy a CASB solution?

Typically end users come from two angles to try to solve the problem of cloud security. One is a traditional large enterprise either moving into the cloud, or recognising that half of its data is already there. The other is a cloud-first outfit, with very little infrastructure on premises. Generally CASB vendors see more of the former.

"The first group want to know where their data is," says Stewart, referring to the visibility or discovery use case, often driven by shadow IT.

"Businesses in that enterprise are spinning up new AWS instances, or adopting applications for HR for instance in the cloud, and IT is trying to figure out how big the adoption of cloud is within their firm."

Most IT leaders are surprised at how many cloud-based applications are used by employees when presented with an audit, and only one out of dozens of CIOs Computing spoke to about shadow IT felt they had a firm grip on it. Recent research conducted by Computing revealed that eight per cent of European-based firms described their use of public cloud services as completely ad hoc, and driven by individual users.

If anything, the situation worsens the larger the organisation. Typically, enterprises with over 50,000 employees find they're using between 3,000 and 5,000 cloud applications.

"It's not uncommon to find that just examining storage applications, most big firms are using Box, DropBox, WeTransfer and others. One firm we analysed was using over 40 different unsanctioned storage applications," says Stewart.

Some might feel that sounds pretty good. Consume lots of different services in small volumes to avoid those pesky enterprise licensing requirements. That's both short-sighted - if we know one thing about cloud providers it's that they're relentless when it comes to determining who's using what - and dangerous.

"Enterprises don't even know the terms and conditions signed by employees when they use these services, sometimes it means they don't even own their data anymore," Stewart warns.

So that's the discovery use case, the next is the idea of having some controls around the data being used. When an organisation finds out there are three different HR tools doing the same thing, they try to consolidate, block anything they deem risky, then coach users to use the sanctioned applications in that space.

"Then once they have sanctioned certain applications, say consolidating 40 storage applications to just Box, OneDrive and Dropbox - which is a typical decision - they then want to put some controls around the data in those storage services. These tend to be controls around who can access the service, with different access rights at different levels. Then you have more controls over which data can be shared publicly, which puts in DLP [Data Loss Prevention] rules around the data. Then they'll have malware, so they know their data in the cloud is clean and safe."
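The discovery and consolidation steps Stewart describes, as an added Python example that is not part of the original article or any vendor's product: it inventories cloud application use from constructed proxy log lines and lists the storage services that fall outside the sanctioned set. The log format, the catalogue contents and the function names are assumptions made for the illustration.

```python
import re

# Constructed catalogue (hostname suffix -> app, category); real CASBs ship far larger ones.
CATALOGUE = {
    "box.com": ("Box", "storage"),
    "dropbox.com": ("Dropbox", "storage"),
    "onedrive.live.com": ("OneDrive", "storage"),
    "wetransfer.com": ("WeTransfer", "storage"),
    "salesforce.com": ("Salesforce", "crm"),
}
# Storage trio from the article; Salesforce is assumed sanctioned for illustration.
SANCTIONED = {"Box", "OneDrive", "Dropbox", "Salesforce"}
# Constructed log format: timestamp user method host:port bytes_uploaded
SAMPLE_LOG = """\
2018-05-01T09:00:01Z alice CONNECT app.box.com:443 1200
2018-05-01T09:02:10Z bob CONNECT wetransfer.com:443 52428800
2018-05-01T09:03:44Z carol CONNECT www.dropbox.com:443 300
2018-05-01T09:05:00Z dave CONNECT eu.wetransfer.com:443 1048576
2018-05-01T09:06:30Z dave CONNECT login.salesforce.com:443 800
2018-05-01T09:07:12Z erin CONNECT notbox.com:443 10
truncated line without the expected fields
"""
LINE_RE = re.compile(r"^\S+ (\S+) \S+ ([A-Za-z0-9.-]+):\d+ (\d+)$")

def classify(host):
    """Match on a dot boundary so notbox.com is not counted as box.com."""
    host = host.lower().rstrip(".")
    for suffix, app in CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return None

def discover(log_text):
    """Aggregate distinct users and uploaded bytes per recognised cloud app."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        app = classify(m.group(2)) if m else None
        if app is None:
            continue  # malformed line or host not in the catalogue
        name, category = app
        entry = report.setdefault(name, {"category": category, "users": set(), "bytes": 0})
        entry["users"].add(m.group(1))
        entry["bytes"] += int(m.group(3))
    return report

def unsanctioned(report, category):
    """Unsanctioned apps in a category as (app, users, bytes), largest upload first."""
    hits = [(n, len(e["users"]), e["bytes"]) for n, e in report.items()
            if e["category"] == category and n not in SANCTIONED]
    return sorted(hits, key=lambda h: h[2], reverse=True)

if __name__ == "__main__":
    print(unsanctioned(discover(SAMPLE_LOG), "storage"))
```

Hosts that match nothing in the catalogue are skipped here; in a real audit they would go to a separate queue for categorisation rather than being dropped.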

Many organisations start to think about CASB when they move to O365 - with Microsoft Office being a traditionally on-premises suite which is now pushing some of its customers cloudwards.

"Companies may have been using things like Salesforce before, but for some reason didn't think their data was in the cloud. O365 underlines the fact they needed to move the security perimeter to cover data and applications, and not just think of it as a physical perimeter," says Stewart.

And having controls around devices also appeals, as firms continue to move towards employee-owned smartphone and tablet use even for core business processes.

GDPR is another factor pushing some firms towards CASB, with the facility to encrypt data before it goes out to the cloud reducing the perceived risk of personally identifiable information leaking out. No doubt the fines, with a maximum penalty of up to four per cent of the annual turnover of the parent company, are a significant factor here.

Finally, according to Stewart, data loss prevention is the remaining common use case.

"Being able to ensure confidential information is accessed by the right people, and not shared publicly by accident is key. We see paranoia from some firms who are worried about where their data might go. We can put the right filters in place and if data goes to the wrong place we can track it and do something about it," he says.

Even in the absence, or more likely, deliberate ignorance of a valid use case, many firms will be rounded up and herded towards CASB by their suppliers. Most of the large enterprise software providers are moving their existing customers over to cloud services, meaning the software upgrade cycle will end up in the cloud whether it wants to or not. Security teams will then find themselves looking for CASB features to deal with the new environment.


Common pitfalls

So you're sold on the concept, the business case has been approved and there's budget in the pot. The next stage is the purchase itself. As with many service negotiations, it's the licensing terms that you need to be wary of.

This is largely because the licensing models used by CASB vendors vary wildly in their complexity and detail. If possible, demand a simple licensing model. Gartner's Riley suggests a model based on two simple metrics: the number of cloud services and the number of users.

"CASB pricing is often based on a per-feature (or feature group), per each protected cloud service. If data loss prevention is a critical CASB use case, many vendors require purchasing it for each cloud service (once for Salesforce, again for Office 365 and once more for ServiceNow for instance). A better licensing model covers all required CASB features for the number of cloud services and users expected in the current budget cycle. As additional cloud applications come online, it won't be necessary to make trade-offs between what applications and data need individual CASB capabilities versus what the licensing scheme of the current budget cycle allows."


There are post-implementation pitfalls too, some potentially caused by encryption. If your CASB solution is set to encrypt data, then falls over, cloud application access may suddenly fail.

"Likewise, if the CASB mapping of cloud service functionality becomes out-of-date because of a cloud service update, the CASB may effectively break the cloud service. More importantly, the encryption or tokenisation of data will often affect the end-user functionality of the SaaS application—specifically, search, indexing, sorting, numeric operations at the field level and functions such as document preview in an EFSS [Enterprise File Synchronisation and Sharing], if an object-level attachment is encrypted. Because of these issues, external cloud data protection should be considered only when it is demanded by regulatory requirements," adds Riley.

Some organisations may even be discouraged from installing a CASB solution by their SaaS vendor. Microsoft, for instance, dislikes products like proxies, caches and WAN optimisers being placed in front of its services. Its fear is that those products will introduce latency or other issues, for which it will take the blame. But of course it's not the customer's job to make their suppliers happy, and organisations should treat such discouragement with the scorn it deserves.

Riley adds that organisations should resist the urge to govern everything at once after a CASB is deployed.

"CASB projects should not try to control and monitor all possible cloud applications from day one. Once a cloud usage visibility baseline is established, the best practice is to perform a risk-based prioritisation to determine which cloud services to phase monitoring and control into first."

He recommends that enterprises identify one or two cloud services that host the organisation's most sensitive information and start the project there, expanding to all cloud services over time.

"For example, many organisations start with a single cloud application of interest—typically Salesforce or Office 365. The project scope should include plans to activate DLP from the beginning for these critical services. Another way to scope the project will be to start by limiting access to managed devices only and handle unmanaged device scenarios in future phases. As other cloud services will be phased in over time, make sure the CASB contract anticipates and allows for this expansion."

Another common problem is that an enterprise will make an all-singing and all-dancing purchase, and then ask the system only to perform a few opening bars and a quick soft shoe shuffle.

"Ensure all features are being used. You can control data downloaded to unmanaged devices, look for anomalies in traffic that may indicate a rogue user or hijacked credentials as well as DLP. CASBs are toolkits of multiple options - sadly some customers just use a few options available," one experienced practitioner told Computing.

Finally, the best advice, which applies to any procurement not just CASB, is to ask vendors for references from customers of a similar size to your own organisation, and with similar requirements. An admission that none are available should be seen as cause for concern.

A CASB solution won't guarantee security any more than any other product, and no sane vendor would claim otherwise (much as insane vendors, or at least insane vendor marketing, do indeed exist). However, with core enterprise applications increasingly moving to the cloud, more organisations will find the need for something to apply governance across their progressively disparate estate.

The city walls aren't coming back any time soon, but that doesn't have to mean that the orderly streets and walkways of the corporate network are ripped up by rampaging Picts, or anyone else for that matter.

Finally, for anyone who'd like to know more about the benefits the Romans brought to provinces they occupied, this video should prove educational.

Stuart Sumner
