The Most Critical CASB Use Cases in the Market Today: Govern Cloud Access by Device Type

Netskope

As enterprises adopt cloud services and seek out a cloud access security broker (CASB), the use cases they are pursuing are maturing. They are moving well beyond log-based discovery and looking to govern usage, secure data, and protect against cloud threats.

Netskope customers have deployed Netskope’s ALL-MODE architecture (with nearly three-quarters of them going beyond a single mode) to achieve their most critical use cases. We have noted 15 of these use cases in our recent e-book, The 15 Critical CASB Use Cases, and we’re highlighting them and more (and we want to hear from you too!) in this blog.

Here’s use case #2: Govern cloud access by device type.

Organizations are adopting cloud apps and suites in record numbers. The most popular, Office 365, has taken off like wildfire, for the first time topping the list for most-used apps in the enterprise, even inching ahead of Facebook, according to the latest Netskope Cloud Report.

However, one of the biggest things holding organizations back from adopting apps and suites like Office 365 in a wholesale way is governance issues, especially when it comes to the myriad device types accessing the suite. As an aside, when we here at Netskope deliver Cloud Risk Assessments to our customers and prospects, they are often surprised by the number of unique devices accessing their cloud services – the number is often at least 2-3x the number of users on the network.

When it comes to downloading sensitive business plans or non-public financials, many organizations are fine to have that content accessed or even downloaded by an authorized user on a managed device . IT knows it has a reasonable chance of protecting that content on those devices. However, what’s not acceptable is giving full access to a suite of productivity apps to a user on a BYOD or home device. Some of our largest organizations in the financial services, retail, healthcare, utility, and other vertical industries are using Netskope to segment access by device type, classification, or other attribute. One of the world’s largest retailers describes this as “swim lanes:” They provide users on unmanaged devices access to web-based email only while users on managed devices get access to the full suite. A third group, hourly workers accessing via corporate-provided iPads, are allowed to access to Yammer, and are beholden to a few activity and data policy constraints.

To achieve this use case, the enterprise must deploy in an inline mode as either a forward or reverse proxy. Those who need to cover sync clients use a thin app to steer cloud traffic in a forward proxy mode, while those who provide browser-based access can achieve their use case in a reverse proxy. Here are five critical functional requirements needed to achieve this use case:

  • Understand different authentication federation protocols across Office 365 and other suites

  • Be able to detect device, as well as device attributes such as classification (e.g., “managed” vs. “unmanaged”)

  • If sensitive data is part of the use case, detect sensitive data, e.g., “confidential”

  • Be aware of context, e.g., activities such as “upload” and “download”

  • Recognize and enforce differing policies between app instances (so they can enforce their corporate access policy on the corporate-sanctioned version of OneDrive while either bypassing, blocking, or blocking upload of sensitive data to personal OneDrive accounts)

Learn more about this and 14 additional most impactful use cases by downloading The 15 Critical CASB Use Cases.