As employee use of cloud apps explodes – can CASBs help?

Rapid adoption of software as a service (SaaS) has changed the security paradigm for enterprise applications. Provisioning is no longer an activity performed solely by IT; instead, business managers are independently purchasing cloud apps and skipping security practices. This leaves enterprise data exposed, forcing IT/security teams into reactive mode as they try to manage risks with their existing security tools using ineffective “whack-a-mole” approaches.

Ultimately, as enterprises shift more workloads to the cloud, securing this environment becomes one of the most critical challenge facing security and IT decision makers. Shadow IT has further complicated the ability of enterprises to gain visibility and control of the applications employees use every day.

For that reason, enterprises are increasingly looking to cloud access security broker (CASB) vendors to fill the void. CASBs are designed to work with any and all SaaS applications by delivering add-on security capabilities and analytics that enable detection and response for cloud apps.

Last year for its CASB Magic Quadrant report, Gartner predicted that by 2020, 60 percent of large enterprises will use a CASB to govern cloud services, up from less than 10 percent today. The analyst firm also predicted that SaaS and IaaS will drive end-user CASB spending, from $150.7 million in 2015 to $713 million in 2020.

Co-author of the Magic Quadrant Steve Riley noted that, “CASBs are becoming as important to cloud as firewalls became to data centers. With your firewall: the whole purpose was to protect your data on your systems. In cloud it’s still your data, but it isn’t your system anymore. CASBs are the thing that helps you protect your data on somebody else’s systems.”

Gartner defines four equally important functional pillars that a CASB solution must deliver: visibility, compliance, data security, and threat protection. These four capabilities are mandatory to address the tenant security responsibilities listed above and are essential for cloud security success. The following four considerations should be taken into account when evaluating and deploying CASB solutions.

SaaS discovery and reputation

SaaS discovery represents one of the most important capabilities in the CASB toolbox because it catalogs all SaaS usage by employees. It’s quite common to have hundreds of applications on the list. Depending upon an application’s specific purpose, this implies there is likely widespread loss of visibility and control of sensitive data being uploaded by users. That’s enough to keep any CISO awake at night, and it certainly justifies CASB investment.  

By nature, assessing a SaaS vendor’s security capabilities (above) is inherently opaque and requires significant investigation and due diligence. Hence, security certifications for SaaS vendors carry a lot of weight, and reputation is also critical. As part of their service, CASB vendors should include a reputation service that evaluates the security maturity of an entire catalog of SaaS vendors. Risk scores must be provided so that IT security teams can make informed decisions about whether or not certain cloud apps should be trusted and used by employees. 

However, before you go exercising control, remember that consumerization trends have shown that heavy-handed approaches to security often backfire, so the most effective strategy is to “coach” employees to use more secure options. But if the risks of dubious cloud apps are ultimately unacceptable and user practices don’t adjust accordingly, application blocking can and should be used.

Identity and two-factor authentication

As soon as the cloud application count goes above one or two, having employees managing their own identities and passwords quickly become a tangle of security risks and poor user experience. So integration with Identity and Access Management (IAM) is mandatory for managing risk and optimizing user experience. Better yet, an integrated IAM with the CASB solution will accelerate deployment and increase the CASB’s value for organizations that have yet to roll it out. Of course, if you already have IAM, the CASB solution must be able to support multiple identity vendors. Risk-based authentication is effective at balancing user experience with security control. When risky behavior or activity is detected, a user request should be sent to re-authenticate using an additional second factor.

Data visibility, control, and loss prevention

Visibility of data flowing in and out of cloud applications is best enabled with Data Loss Prevention (DLP) practices and tools. DLP is not a new capability so enterprises with existing deployments should be able to extend their existing policies via Internet Content Adaptation Protocol (ICAP) into the CASB for additional enforcement and protection of both structured and unstructured data within cloud apps.

For many mid-sized organizations that don’t yet have DLP, an integrated CASB DLP option for configuring and enforcing policy is a great cost-effective option. Appropriate DLP controls are needed to enforce policies for preventing the most sensitive data entering a cloud app. Similar controls should also prevent or alert when users attempt offloading of sensitive data particularly into unmanaged devices.

The latter is the riskiest, and having an integrated Digital Rights Management (DRM) capability means that when a third party user or an internal user on an unmanaged device needs to view data, it can be done simply through web browser scripts that prevent saving, offloading and cutting and pasting of data. Finally, for the most security-conscious organizations, being able to enforce data-at-rest encryption using their own unique keys ensures that no other party, including the SaaS provider itself, can access cloud data.

Threat detection and response

Stolen credentials by attackers, and malicious insider usage are two major threats facing cloud applications. Two-factor authentication goes a long way to mitigate stolen credentials, but it’s not always used, nor is it foolproof. Advanced analytics, or more specifically User Entity and Behavior Analytics (UEBA), is a critical capability that identifies such types of potentially malicious activity so that immediate responses can be taken including locking the account, or requesting step-up authentication. 

Decision makers recognize that they really can’t prevent employees from accessing cloud applications, but CASB allows businesses to get their arms around Shadow IT as well as sanctioned cloud application usage by extending on-premises security policies to the cloud. Rather than fighting SaaS, CASB tools embrace SaaS in a way that doesn’t impair the user experience, but instead enhances it while allowing the enterprise to maintain a comprehensive and consistent security policy across all software environments.