The cloud access security broker (CASB) market is gaining a lot of momentum as more organizations look for a solution to help them with cloud service visibility, security, and compliance. Gartner estimates that by 2020, 85% of large enterprises will use a CASB solution for their cloud services, which is up from fewer than 5% in 2015. Customers today have a variety of options when it comes to choosing a CASB vendor and the selection process can be confusing given the variety of vendor capabilities. Just in time for the holidays, Gartner is helping customers maneuver the CASB landscape by authoring a research paper titled “How to Evaluate and Operate a Cloud Access Security Broker”.
I would like to use this opportunity to share some of the highlights of Gartner’s paper and provide a Netskope perspective on the “access centric” piece of the Gartner CASB framework. I will touch on the “threat centric” piece in a future blog post.
In this paper, Gartner uses their Adaptive Security Architecture to help IT security leaders develop a CASB strategy that is based on a continuous and adaptive approach to cloud security and governance. Here is a synopsis of each of Gartner’s best practices and Netskope’s commentary on each of these. You can get the full Gartner paper here.
Achieve Cloud Service Visibility and Perform a Risk and Compliance Assessment
To understand the risks associated with the use of cloud services, enterprises need visibility into what cloud services are already in use (and by which people); the sensitivity of the data being handled; which devices are used to access that data; and from where it’s accessed. In almost all cases, even when enterprises feel they have a good understanding of cloud services use, unsanctioned (also referred to as “shadow IT” or “citizen IT”) usage is taking place.
Gartner presents what is often a critical starting point to assessing risk with cloud usage: The need to see what is going on in your environment. Although Gartner states that the capability of discovery itself is becoming a commodity, Netskope believes there is an opportunity to expand the scope of discovery to make sure that apps, data, users, devices, and location also cover unsanctioned cloud usage. Understanding what activities are occurring in your environment (e.g. sensitive data being uploaded to unsanctioned cloud apps) is a key component of assessing your risk. Many CASB vendors can help you assess risk at the activity level for sanctioned cloud apps, and can only see activities for the sanctioned apps they manage. Only Netskope allows you to see risky activities across both sanctioned and unsanctioned cloud apps.
Use the CASB to Select Appropriate Cloud Services
Enterprises need to continue to understand and verify the compliance and security posture of this cloud service. Leading CASBs have genuine intellectual property with their cloud service assurance databases. A well-designed reporting tool into this database will enable organizations to specify a template of the features and options that cloud services must have before they can even be considered for use by an organization.
Assessing the risk of the cloud app itself is absolutely a critical best practice. Netskope has a dedicated team that researches tens of thousands of cloud apps and assigns an enterprise-readiness score (Cloud Confidence Index) to each. This is based on objective criteria taking in account the Cloud Security Alliance (CSA) Cloud Controls Matrix in addition to our own research. There are two key use cases that this addresses. The first is tying this to the discovery of cloud apps running in your environment and measuring the enterprise-readiness of each of the discovered app so you can assess risk. The other use case is for vendor assurance or vetting new cloud apps that you are looking to bring into your environment. Netskope can be your outsourced due-diligence team and you can use our service as a “consumer reports for your cloud apps”.
Plan for Adaptive Access
To manage risk, enterprises are looking to CASB providers for the ability to apply real-time context to the decision as to whether a cloud service should be accessed — for example, restricting access based on the location, time of day or whether the device is enterprise-managed.
This best practice is critical. Context is key when it comes to determining whether a cloud service should be accessed. Without context, you are forced to take a sledgehammer approach to cloud usage policies and perform an allow vs. block at a coarse-grained level. Understanding who the user is, what device they are connecting from, whether it is managed or unmanaged, what activity they are performing, and what data they are working with will help you be laser focused in putting policies in place. The net-result is you don’t have to perform wide-sweeping block policies that impact users performing real work. You can target specific cases that pose a risk and minimize the sacrificial lambs.
Treat the Encryption and Tokenization of Data with Care
Several CASB solutions support the optional encryption and/or tokenization of data (at the field- or the file-content/object level), so that enterprises can meet the legal and regulatory requirements of their industries or countries. Implemented properly, data protection using encryption/tokenization, while the enterprise maintains control of the key/tokenization dictionary, can be a powerful way to protect sensitive data in the cloud. It can also prevent the cloud service provider from seeing it, if necessary, to satisfy compliance policy requirements. However, when implemented as an in-line proxy, this may create a single point of failure for the cloud service being accessed. If the CASB solution is down, access may not be possible, or, if accessible, the data may be unintelligible. Likewise, if the CASB mapping of the cloud service functionality is incorrect, due to a cloud service update, the CASB may effectively break the cloud service. More importantly, the encryption and or tokenization of data will often affect the end-user functionality of the SaaS application — specifically, search, indexing, sorting, numeric operations at the field level and functions such as document preview in an EFSS, if an object-level attachment is encrypted. Because of these issues, external cloud data protection should only be considered only when it is demanded by regulatory requirements.
Netskope TakeEncryption is a key part of any cloud security strategy. Netskope provides strong encryption capabilities to enhance security and confidentiality of content exposed to the cloud. Files can be selectively encrypted in flight to avoid indexes for sensitive data, augmenting the confidentiality capabilities of providers that already offer encryption, or bulk processed to bring encryption to services that don’t offer it natively. Gartner’s warnings around cloud encryption are absolutely correct. It is important to understand the trade-offs that come with it and the specific use cases where it makes sense along with the use cases where maybe not be applicable.
Continuously Verify Secure and Compliant Sensitive Data Usage
Most enterprises have a blind spot when sensitive data is stored in cloud services. The CASB platform should provide for continuous sensitive data monitoring — sometimes referred to as “cloud DLP” — through APIs or via in-line inspection. Here, the CASB solution should provide an understanding and a mapping of sensitive information flows — who, what, when where and why — even if no action is taken.
Cloud DLP is a critical part of any cloud security strategy and Gartner accurately points out that context needs to be applied to DLP so you can map to a cloud security policy to handle sensitive data leakage. Netskope offers the most powerful cloud DLP out of any CASB vendor. More than 3,000 data identifiers, 500 file types, out of the box compliance profiles such as PCI, PHI, and PII, and advanced features such as proximity, fingerprinting, and exact match make up a powerful DLP engine. Extend that DLP engine with integration to on-premises data loss prevention software offerings along with the ability to point our DLP engine in context to both sanctioned and unsanctioned sets our “noise-cancelling” cloud DLP solution apart from the CASB pack.
Continuously Verify Secure and Complaint Usage
In addition to sensitive data monitoring, we believe that all cloud activities (actions and transactions) should be continuously monitored, logged and analyzed, and ideally, they should provide the alternative to real time, cloud service, transactional (actions within the cloud service) decision making on a per user, application, device or transaction basis. This is a more granular form of adaptive access, based on context — for example, downloading customer records from Salesforce. At a minimum, this action would be logged. If the context of the action violates policy — for example, downloading customer records onto an unmanaged device — then the action could be blocked or a warning message could be displayed to the user before allowing the process to proceed. Alternatively, a step-up authentication method, such as an out-of-band text message, could be triggered if anyone suspects the account has been compromised.
Enterprises should favor CASB vendors that provide embedded user and entity behavior analytics (UEBA) capable of baselining the actions of specific users, groups, devices, apps and roles, and using this context to detect anomalous behaviors that might indicate an insider threat, data exfiltration activity or someone using compromised credentials. For example, if a user is downloading an abnormally large amount of customer data, as compared with what is normal for him or her (or for his or her peers), an event could be generated, or the requested download could be blocked.
There is an obvious theme that is bubbling to the top and that is the importance context plays when getting visibility into cloud usage. Context is also important when it comes to behavior analysis and determining when activities are abnormal. Netskope leverages our unique capability to see activity-level details across sanctioned and unsanctioned cloud apps and uses context and anomaly detection algorithms to determine when an activity is outside of the norm.
Investigate and Respond to Exceptions
Exceptions will be flagged in the access and use of cloud services that must be investigated. Because the core of any enterprise CASB strategy (and of the framework) is based on continuous visibility, this data must be available to a security analyst to investigate incidents that have been flagged, including in existing tools, such as security information and event management (SIEM). In some cases, no action will be needed. In other cases, adjustments to policies may be required — for example, providing a given user or group more or less access. Leading CASBs are becoming increasingly sophisticated, enabling the exception response to be automated and making the data or process owners (and not IT) the primary escalation and action point for workflow.
The need for continuous visibility drives the requirement to have a system in place to manage exception on an ongoing basis. External SIEM tools are a key extension to CASB and Netskope specifically provides integration with a variety of 3rd party SIEM platforms. What is more is that Netskope leverages a REST API to make available all the rich contextual data involving apps, users, devices, location, data, and activities directly to the SIEM so activities can be correlated and exceptions can be properly managed.
In addition to managing exceptions, the rich amount of cloud services usage data can be analyzed and used to better manage cloud use. For example, to enable an operations or security analyst to visualize overall usage and activities, as described previously, business unit application owners should also be able to view this data and make intelligence-driven decisions as to access and licensing. Ideally, the CASB platform provides visualization capabilities to visualize and understand trending, as well as highlighting over-licensing or under-licensing situations. In addition to the native management console, the event data stream should be exportable to enterprise SIEM systems for analysis and compliance reporting. If policy changes are considered, the CASB solution should provide the ability to proactively model the impact and risk of making the change before the change is implemented.
This is a great way to close on the best practices for cloud services access. A CASB is only as useful as the data you are able to get out of it. Netskope provides a risk dashboard to help customers visualize their risk based on apps discovered, use activity, compromised credentials and a number of criteria. Netskope also provides an app analytics facility where you can slide and dice data to get the answers you are looking for along with custom reports that are generated from ad-hoc queries. This is extremely powerful enabling you to get answers to questions like “show me download activity for users that are about to leave the company.
The CASB market is gaining momentum and 2016 just might be the year of the CASB. If you are evaluating CASB, I highly recommend taking a look at the Gartner paper, “How to Evaluate and Operate a Cloud Access Security Broker” and obviously take a look at Netskope.