CASBs originally focused on discovering shadow IT – unknown services used by individuals or business units outside those permitted by the IT department – but as organizations realized that the solution to this problem lay in controlled enablement rather than removal of these services, CASBs began to offer feature sets across four pillars: Data Security, Compliance, Threat Protection, and the core capability of Visibility.
Many organizations are already accelerating formal adoption of cloud computing across a wide range of business units. This may be leading to an increasing number of employees managing their own security credentials on IaaS (Infrastructure as a Service), PaaS (Platform as a Service), SaaS (Software as a Service), and now FaaS (Functions as a Service) resources. In this environment, CASBs can help bridge the security gaps created by this erosion of centralized identity and access management (IAM) and improve control over use of these services, presenting an appropriate barrier and yet not impeding the natural conduct of business by employees both on-premises and in the field.
This consolidation of cloud access controls helps where it is known which cloud services are being used, but it does not help with shadow IT. Such services may be used to work around perceived or actual deficiencies in an organization’s official IT stack, or they may simply reflect user preference. Rather than activity that must be stamped out, their use may actually be critical for productivity, efficiency, employee satisfaction, and even innovation. It is unlikely, however, to be in line with the organization’s security policies or other IT requirements (support, reliability, availability, etc.), and such services can also be a vector for malware that could lead to a catastrophic data breach.
A CASB can help bring an organization’s shadow IT into the light, not only enabling support for necessary work practices while ensuring they do not compromise the mission, but also illuminating true cloud expenditure that permits improvements in cost controls.
Many organizations are already migrating IT resources away from their own data centers and into multiple clouds, including those offered by Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and the breadth of online applications available across the SaaS vendor market. Employees are already sharing sensitive data through these services – Office 365, Salesforce, Amazon S3, Workday, et al. – many of which assert some version of a shared responsibility model that places liability for data security on the customer.
Concerns about the security of the cloud itself are largely misplaced, however. The infrastructure of most CSPs, especially those whose services have become mainstream, is undeniably highly secure. Concerns should instead focus on correct configuration of the security controls offered by the CSP, and on identifying required controls that are not available. A recent report found that, due solely to such misconfigurations or missing configurations, over 1.5 billion files were exposed in cloud and cloud-related services such as S3, rsync, SMB, FTP, NAS drives, and web servers (Digital Shadows, 2018). It is anticipated that, through 2023, at least 99% of cloud security failures will be due to mistakes made by cloud service consumers rather than by CSPs (Gartner, 2018). Some CASBs now offer cloud security posture management (CSPM) capabilities to assess and reduce configuration risk in IaaS, PaaS, and SaaS offerings; through additional controls such as encryption, a CASB can also provide an organization with further insurance so that, even if misconfigurations are present, sensitive data cannot be compromised. Such insurance proves particularly necessary when adequate data protection is not offered by a particular cloud service, or when protection is required against the CSP itself.
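The kind of configuration check a CSPM capability performs can be illustrated with a small policy evaluator. The code below is an added example written for this paper, not any CASB vendor's code: it takes a constructed inventory of storage buckets, each described by a document in the shape of an AWS S3 bucket policy plus a flag for whether the bucket's public access block is enabled, and rates each bucket's exposure to anonymous readers. The bucket names, account id and source IP range are placeholders, and the rule that an enabled public access block neutralises a public policy is a stated simplification.

```python
"""Toy CSPM-style check for cloud storage exposure (added illustration)."""
from fnmatch import fnmatch

# Constructed inventory of four buckets: policy document + public-access-block state.
SAMPLE_BUCKETS = {
    "finance-reports": {                      # scoped to one IAM role: no finding
        "public_access_block": True,
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::000000000000:role/Analyst"},
             "Action": ["s3:GetObject"],
             "Resource": "arn:aws:s3:::finance-reports/*"}]},
    },
    "marketing-assets": {                     # anonymous read, no block: exposed
        "public_access_block": False,
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::marketing-assets/*"}]},
    },
    "backups": {                              # anonymous, but narrowed by source IP
        "public_access_block": False,
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:*"],
             "Resource": "arn:aws:s3:::backups/*",
             "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]},
    },
    "old-website": {                          # public grant left behind, but blocked
        "public_access_block": True,
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:Get*",
             "Resource": "arn:aws:s3:::old-website/*"}]},
    },
}

READ_ACTION = "s3:getobject"   # the permission that exposes object contents


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """'*' and {'AWS': '*'} both mean any caller, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_public_read(statement):
    if statement.get("Effect") != "Allow":
        return False
    if not _principal_is_anonymous(statement.get("Principal")):
        return False
    # Action values may be wildcards ("s3:*", "s3:Get*"); match case-insensitively.
    actions = _as_list(statement.get("Action", []))
    return any(fnmatch(READ_ACTION, a.lower()) for a in actions)


def assess_bucket(record):
    """Severity of anonymous-read exposure for one bucket, or None if there is none.

    Simplifying assumption: an enabled public access block neutralises a public
    policy, so a leftover grant is only a LOW-severity hygiene finding.
    """
    statements = record["policy"].get("Statement", [])
    public = [s for s in statements if _grants_public_read(s)]
    if not public:
        return None
    if record["public_access_block"]:
        return "LOW"
    if all(s.get("Condition") for s in public):
        return "MEDIUM"   # still anonymous, but every grant carries a condition
    return "HIGH"


def run_assessment(buckets):
    """Map bucket name -> severity for every bucket with a finding."""
    findings = {}
    for name, record in buckets.items():
        severity = assess_bucket(record)
        if severity:
            findings[name] = severity
    return findings


if __name__ == "__main__":
    for name, severity in sorted(run_assessment(SAMPLE_BUCKETS).items()):
        print(f"{severity:6} {name}")
```

A real assessment would also read bucket ACLs, account-level settings and object-level grants, and would do so continuously rather than once, since a single later policy change is all it takes to recreate the exposure.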
Most CASBs evolved from one of two initial postures in relation to data security: a focus on data loss prevention (DLP) and threat detection, or the provision of encryption or tokenization to address privacy and data residency. While these starting positions subsequently expanded to provide coverage across all of these features, there has been a shift away from offering robust data-centric security and key management. For most CASBs nowadays, data security primarily means DLP, which uses a variety of mechanisms to detect sensitive data within sanctioned cloud services or as it is uploaded to cloud services – sanctioned or shadow – and then blocks, deletes, places in legal hold, or quarantines content flagged as a potential policy violation. This typically supports both on-premises and remote cloud service users, whether from mobile applications, web browsers, or desktop sync clients. But in environments that make data sharing within and across cloud services increasingly easy, DLP can only go so far before a breach occurs. Any organization that uses the cloud to store data should realize that a CASB may not be able to detect how or with whom that data is shared from the cloud, or even who shared it.
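To make the DLP workflow just described concrete, the following added example (written for this paper, not taken from any CASB product) scans the text of an upload with a few pattern detectors, then applies a small policy table that maps what was found and where it is going – a sanctioned service or a shadow one – to one of the enforcement actions mentioned above. The detectors, thresholds, policy rules and the sample upload are all constructed; a production engine would add fingerprinting, exact data matching, OCR and classification labels, and far more nuanced rules.

```python
"""Toy DLP content scan with a CASB-style policy decision (added illustration)."""
import re

# Runs of 13-19 digits, optionally separated by spaces or dashes (card-number shape).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")            # US SSN shape
MARKER_RE = re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE)  # classification marker


def luhn_ok(digits):
    """Luhn checksum; keeps random digit runs (order numbers, ids) out of card hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(text):
    """Return {detector: hit count}, omitting detectors with no hits."""
    cards = [m.group() for m in CARD_RE.finditer(text)]
    cards = [c for c in cards if luhn_ok(re.sub(r"[ -]", "", c))]
    hits = {
        "payment_card": len(cards),
        "ssn": len(SSN_RE.findall(text)),
        "confidential_marker": len(MARKER_RE.findall(text)),
    }
    return {k: v for k, v in hits.items() if v}


# (detector, minimum hits, destination class, action) - constructed policy.
POLICY = [
    ("payment_card", 1, "shadow", "block"),
    ("payment_card", 1, "sanctioned", "quarantine"),
    ("ssn", 1, "shadow", "block"),
    ("ssn", 5, "sanctioned", "quarantine"),
    ("confidential_marker", 1, "shadow", "block"),
    ("confidential_marker", 1, "sanctioned", "legal_hold"),
]
# When several rules fire, the most restrictive action wins.
ACTION_RANK = {"allow": 0, "legal_hold": 1, "quarantine": 2, "block": 3}


def decide(hits, destination):
    """destination is 'sanctioned' or 'shadow'; returns the action to enforce."""
    action = "allow"
    for detector, minimum, dest, rule_action in POLICY:
        if dest == destination and hits.get(detector, 0) >= minimum:
            if ACTION_RANK[rule_action] > ACTION_RANK[action]:
                action = rule_action
    return action


def inspect_upload(text, destination):
    """Scan an upload and decide what to do with it: (hits, action)."""
    hits = scan(text)
    return hits, decide(hits, destination)


# Constructed upload: one Luhn-valid card, one random digit run, two SSN-shaped values.
SAMPLE_UPLOAD = """Q3 customer export (CONFIDENTIAL - internal only)
Jane Doe, card 4111 1111 1111 1111, SSN 123-45-6789
John Roe, card 1234 5678 9012 3456, SSN 987-65-4321
"""

if __name__ == "__main__":
    for dest in ("sanctioned", "shadow"):
        print(dest, inspect_upload(SAMPLE_UPLOAD, dest))
```

The Luhn filter is the detail worth noticing: without it, the second "card" in the sample would be a false positive, and false positives are what make users route around DLP controls in the first place.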
Strong data-centric protection mechanisms can address this breach risk, but while many CASBs advertise the capability to encrypt or tokenize data destined for the cloud, these features now tend to be restricted to only a small number of mainstream services, such as Salesforce and ServiceNow. CASBs that began adding these features – driven as much to satisfy analyst ratings as to achieve or maintain competitive parity – discovered that cryptography is a challenging technical domain. Considerable subject matter expertise is required to implement and maintain cryptographic systems, and this expertise does not typically fall within the scope of CASB core competencies. As a result, some CASBs have withdrawn or no longer actively market these features, and some obfuscate their lack of capability or restricted applicability via generalized claims of “data security” that only address DLP, adaptive access control (AAC), and the like.
Additionally, while the enactment of the Clarifying Lawful Overseas Use of Data (CLOUD) Act in the U.S. and the growing understanding of the EU’s General Data Protection Regulation (GDPR) strongly suggest that encryption and key management are becoming critical capabilities (Gartner, 2019), there has been some hesitancy in their adoption, as encryption and tokenization applied outside a SaaS application can affect its functionality as well as that of integrated third-party services. Continuing innovations in applied cryptography available via some vendors such as OpenText Voltage, however, have minimized these impacts on functionality, such that it is now worth assessing any that might remain in relation to the cost and risk of delegating field- and file-level data protection to the CSP, or of not applying it at all.
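The functionality trade-off referred to above can be seen directly with a small model of a broker that tokenizes one field before it reaches a SaaS application. This is an added example written for this paper; the deterministic HMAC-derived token scheme is a toy stand-in for a vendor's format-preserving encryption or tokenization product and should not be taken as how any such product works, and the key, the customer records and the in-memory "SaaS" store are all constructed. Tokens keep the field's length and last four digits so the application still accepts the value, and they are deterministic so that exact-match lookups still work after the broker rewrites the query; a prefix search on the protected field, by contrast, no longer returns what the application's users expect.

```python
"""Field-level tokenization in front of a SaaS app, and its effect on queries
(added illustration; toy scheme, not a product's)."""
import hashlib
import hmac

DEMO_KEY = b"constructed-demo-key-not-for-real-use"   # real deployments: KMS/HSM-managed


class SaasApp:
    """Stand-in for a cloud application that stores whatever it is given."""

    def __init__(self):
        self.records = []

    def store(self, record):
        self.records.append(dict(record))

    def query_exact(self, field, value):
        return [r for r in self.records if r[field] == value]

    def query_prefix(self, field, prefix):
        return [r for r in self.records if r[field].startswith(prefix)]


class TokenizingBroker:
    """Sits between users and the app: protects one field on the way in,
    restores it on the way out, and rewrites exact-match queries."""

    def __init__(self, app, field, key=DEMO_KEY):
        self.app, self.field, self.key = app, field, key
        self.vault = {}   # token -> plaintext; stays inside the organization

    def _token(self, value):
        # Deterministic: same plaintext -> same token. Length and last four digits
        # are preserved so the app's field validation still passes.
        digest = hmac.new(self.key, value.encode(), hashlib.sha256).digest()
        body = "".join(str(b % 10) for b in digest)[: len(value) - 4]
        return body + value[-4:]

    def tokenize(self, value):
        token = self._token(value)
        self.vault[token] = value
        return token

    def detokenize(self, record):
        out = dict(record)
        out[self.field] = self.vault.get(out[self.field], out[self.field])
        return out

    def upload(self, record):
        protected = dict(record)
        protected[self.field] = self.tokenize(record[self.field])
        self.app.store(protected)

    def find_exact(self, value):
        # Survives tokenization: rewrite the query value into its token.
        rows = self.app.query_exact(self.field, self._token(value))
        return [self.detokenize(r) for r in rows]

    def find_prefix(self, prefix):
        # Does not survive: the app only sees token bodies, so a plaintext
        # prefix matches nothing useful (a chance hit is still possible).
        rows = self.app.query_prefix(self.field, prefix)
        return [self.detokenize(r) for r in rows]


# Constructed customer records; two accounts share the prefix 4111.
CUSTOMERS = [
    {"name": "Jane Doe", "account": "4111111111111111"},
    {"name": "John Roe", "account": "4111222233334444"},
    {"name": "Ann Poe", "account": "5500000000000004"},
]


def build_demo():
    app = SaasApp()
    broker = TokenizingBroker(app, "account")
    for customer in CUSTOMERS:
        broker.upload(customer)
    return app, broker


if __name__ == "__main__":
    app, broker = build_demo()
    print("stored in SaaS:", [r["account"] for r in app.records])
    print("exact match:", broker.find_exact("4111111111111111"))
    print("prefix 4111:", broker.find_prefix("4111"))
```

Deterministic tokens are what make the exact-match query work, and they are also what leak equality between records to the CSP; sorting, range queries and the application's own reports over the protected field break in the same way as the prefix search. Assessing which of these an integration actually needs is the assessment the paragraph above recommends.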
The advent of stricter privacy laws in many industries and regions may also be impacting operations. Regional regulations like the GDPR, the California Consumer Privacy Act (CCPA), the Brazilian General Data Protection Law (LGPD), and the India Personal Data Protection Bill, as well as industry regulations like those imposed by PCI DSS, SOX, HIPAA, HITECH, FINRA, and FFIEC, are creating an array of compliance requirements whose complexity pushes many organizations toward the most conservative global position: ensuring that the sensitive data of the business and its customers is always protected, wherever it goes, and to the strongest degree possible.
A CASB with strong data privacy controls across multiple applications can help achieve this; and through policy awareness and data classification functionality, CASBs can help to ensure compliance with data residency laws and to benchmark security configurations against constantly evolving regulatory requirements.
Threat Detection and Prevention
A CASB can defend the organization against the ever-expanding arsenal of malware, including its introduction and propagation through cloud storage services and their associated sync clients and applications. A CASB may use advanced threat intelligence sources to scan for and remediate threats in real time across internal and external resources; identify compromised user accounts through the detection and prevention of unauthorized access to cloud services and data; and combine static and dynamic analyses with machine learning and UEBA (User and Entity Behavior Analytics) capabilities to identify anomalous activities, ransomware, data exfiltration, and so on.
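The simplest form of the behavioural analytics mentioned above compares each user's latest activity with a baseline built from that user's own history. The example below is added for this paper and is not a CASB product's analytics engine: it reads a constructed per-user daily activity summary (the country the user's sessions came from and the number of files downloaded), and flags a user whose latest day shows a download volume far above their median or a session from a country not seen in their baseline. The spike ratio, the minimum history length and the sample rows are all constructed choices.

```python
"""Toy UEBA-style anomaly check over per-user cloud activity (added illustration)."""
from statistics import median

# Constructed daily summary: date, user, country of sessions, files downloaded.
SAMPLE_ACTIVITY = """\
# date       user  country downloads   (constructed)
2024-03-04 alice US 11
2024-03-05 alice US 9
2024-03-06 alice US 12
2024-03-07 alice US 10
2024-03-08 alice US 135
2024-03-04 bob US 8
2024-03-05 bob US 7
2024-03-06 bob US 9
2024-03-07 bob US 8
2024-03-08 bob DE 8
2024-03-04 carol US 40
2024-03-05 carol US 38
2024-03-06 carol US 45
2024-03-07 carol US 41
2024-03-08 carol US 44
"""


def parse_activity(text):
    """Parse the whitespace-separated summary into a list of row dicts."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, user, country, downloads = line.split()
        rows.append({"date": date, "user": user,
                     "country": country, "downloads": int(downloads)})
    return rows


def detect_anomalies(rows, spike_ratio=5.0, min_baseline_days=3):
    """Return {user: [reasons]} for users whose latest day deviates from baseline.

    The baseline is every earlier day for that user; the latest day is the one
    under review. Users with too little history are skipped rather than guessed at.
    """
    by_user = {}
    for row in rows:
        by_user.setdefault(row["user"], []).append(row)

    findings = {}
    for user, days in by_user.items():
        days.sort(key=lambda r: r["date"])
        *baseline, latest = days
        if len(baseline) < min_baseline_days:
            continue
        reasons = []
        typical = median(r["downloads"] for r in baseline)
        if latest["downloads"] > spike_ratio * typical:
            reasons.append("download_spike")
        if latest["country"] not in {r["country"] for r in baseline}:
            reasons.append("new_location")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in detect_anomalies(parse_activity(SAMPLE_ACTIVITY)).items():
        print(f"{user}: {', '.join(reasons)}")
```

Carol, whose volume is high every day, is not flagged, which is the point of a per-user baseline over a global threshold; a real engine would add more signals (time of day, device, share targets, failed logins) and weigh them together rather than treating each one as a separate alert.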