What are CASB Solutions?
Answer: The CASB Cloud Access Security Broker provides you with visibility, data security with Data Loss Prevention (DLP), and threat protection for your IT infrastructure, so you can safely deploy and use cloud applications
The cloud allows companies to be more agile, collaborative, and more cost-efficient, but these great benefits also come with increased security challenges.
- How do you find out what cloud applications are being used in your company, and if they are safe and secure?
- How do you ensure that confidential and sensitive documents are not being shared inappropriately?
- How do you adhere to the many critical compliance regulations?
- How do you protect against internal and external malicious activity?
Cloud Access Security Brokers (CASBs) address all of these fundamental questions, so your IT Infrastructure can be safe and secure when using the cloud.
Cloud Access Security Broker (CASB)
A CASB is a software tool or cloud service that sits between a companies on-premises or remote IT infrastructure and a cloud provider's infrastructure, performing the role as a mediator to examine cloud traffic and extend the reach of their security policies.
CASB does this by interposing themselves between end users - whether they are using desktops on the corporate network, on mobile devices, or by working remotely using unknown networks - or by harnessing the power of the cloud provider's application API.
CASB helps an IT Security team:
- Identify and evaluate all the cloud applications in use (Shadow IT)
- Enforce cloud application management security policies in existing web proxies or firewalls
- Create and enforce granular security policies to govern the handling of sensitive information, including compliance-related content
- Encrypt or tokenize sensitive content to enforce privacy
- Detect and block unusual user account behaviour which is indicative of the malicious user activity
- Integrate cloud visibility and protection controls with your existing security solutions
Cloud Service Models
A Cloud Access Security Broker Examines Three Categories of Cloud Apps:
- IaaS - Infrastructure as a Service Examples include: GCP, AWS and Azure. The IaaS provider hosts hardware, software, servers, storage, and other cloud-based IT infrastructure components enabling companies to deploy their business applications and data in the cloud.
- SaaS – Software as a Service Examples include: Microsoft Office 365, Box, Dropbox, and more. The SaaS provider hosts software applications and makes them available via subscription over the internet. SaaS is a popular model for many business enablement applications including messaging, email, file sharing, CRM, HRM, and many more.
- PaaS – Platform as a Service PaaS provides hardware and software environments which can host applications and data. PaaS services can include web service integration, collaboration for DevOps, database integration while offering information security. PaaS environments include vendors like AWS, Azure, Google, IBM, Salesforce.com, Red Hat.
Nine Reasons to use a CASB Solution
- Uncover and rate cloud apps for risks CIOs think they have only about 30-40 cloud applications on their network when in reality the average company has over 1,000. They need to be able to identify these applications, rate them according to their security risk, and select those that conform to the companies risk tolerance.
- Classify data Compliance Officers need to know what types of compliance-related data (PII, PCI, PHI, GDPR-related, etc.) is being stored and shared in the cloud, and whether this data is exposed or at risk. Other data types such as company legal documents, engineering designs, application source code, and other intellectual property, need to be identified and protected.
- Identify data exposures Security Administrators and Compliance officers need to identify the rules to govern data exposure by data classifications to control accidental sharing in the cloud—either inadvertently due to user error, due to malicious use or hacker activity.
- Extend on-prem DLP to the cloud Companies with on-premises DLP often want to extend their coverage to the cloud in a seamless way which provides consistent dictionaries, security policies workflows, and unifies security reporting.
- Identify risky users CIOs, IT Security Directors, and Data Privacy Officers all need to identify risky user behaviour, including but not limited to sensitive file oversharing, data exfiltration, data destruction, and the use of unsafe cloud apps. They all need to respond to security incidents quickly, discover the impact of and the extent of the credential compromise, malware infection, brute force attacks, or other security issues, and automate security precautions wherever possible.
- Develop a cloud governance program Companies need to protect their intellectual property (IP), stay competitive in the marketplace, and maintain regulatory compliance. They need to do this by applying DLP, data security, encryption, and access controls to their SaaS, PaaS, and IaaS cloud resources, perhaps creating a Cloud Center of Excellence.
- Ensure compliance & data privacy Compliance Officers may want to continuously monitor how the data is being accessed and shared by the company and individual teams, to make sure they meet compliance requirements.
- Monitor cloud usage & detect threats Security managers need to continually monitor data usage for possible security policy violations, data leakage, malware attacks, and user access to unauthorised websites that could pose a risk to cloud accounts and data.
- Post-incident response If user accounts are being compromised, files being infected with malware, or company data being mishandled from cloud accounts, IT teams need the ability to initiate a post-event investigation on the security issue, and to provide an audit trail detailing what company documents were moved to where and by what credentials.
Compliance and Data Privacy
CASBs should assist with data privacy and compliance with regulations and standards, as well as identify cloud usage and the risks of specific cloud services.
What compliance issues should companies consider?
- Personally Identifiable Information (PII) Basic information like names, addresses, and phone numbers of customers are subject to data privacy regulations, such as the EU’s General Data Protection Regulation (GPDR).
- Personal Health Information (PHI) Perhaps no other type of data is as regulated, as patient and medical record information. Since recent cyber-crime reports indicate that this type of data is a prized target for hackers, with records fetching over £250 each on the black market. Regulations like HIPAA and HITECH in the United States and their equivalents around the globe give companies specific guidance on how sensitive data should be treated at all times.
- Payment Card Details Or Personal Financial Data Compliance mandates such as PCI DSS and Gramm-Leach-Bliley require financial institutions, as well as those storing or processing credit and debit cards, to take specific steps to protect the security and confidentiality of their customers’ financial information, regardless of whether it is kept on-premises or in the cloud.
- General Data Protection Regulation (GPDR) The European Union, General Data Protection Regulation requirement has significant implications for companies using cloud applications. GDPR requirements are concerned with location, access, protection, handling, security, and encryption for personal data. Companies will need to monitor and control the cloud applications and services where employees may be sending personal data on EU residents, and the personal data they store in these cloud applications and services will need to carefully monitored and protected. These compliance requirements apply to any company no matter where they are located if they process personal data on EU residents.
- Other Regulated Data Types Many other industries have their compliance measures. Educational institutions need to adhere to the guidelines specified in the Family Educational Rights and Privacy Act (FERPA). Manufacturers of defence-related products need to adhere to the data security measures defined in the International Traffic in Arms Regulations (ITAR). Agencies and law enforcement groups dealing with data such as fingerprints and biometrics must follow the security guidelines specified by the Criminal Justice Information Service (CJIS). Finally, many institutions specify their internal security guidelines that all of their units must comply with, for both on-premises and the cloud.
Given the strict nature of compliance requirements and the penalties for exposing sensitive data, enterprises and companies need to ensure that they meet specific requirements in the cloud. CASB solutions are playing a critical role in helping compliance and security professionals to ensure:
- Cloud apps and services have the appropriate security certifications.
- Certain clouds are blocked from receiving specific types of regulated data.
- Regulated data that does legitimately need to be placed in the cloud is secured per compliance guidelines.
Take Action with three steps!
- Ensure cloud applications meet compliance security requirements Audit all cloud app use in the company. Use CASB Audit intelligence on sanctioned and unsanctioned (Shadow IT) cloud apps in use to make sure they comply with any external or internal data security requirements. Restrict access to those cloud applications that cannot be brought into compliance.
- Identify regulated content in cloud apps Use CASB to identify and monitor any regulated content that may be stored in or shared with a cloud application or service by the company. Decide what type of regulated content (if any) should be allowed in the cloud. Establish requirements for how that data should be protected.
- Enforce the right security policies to protect regulated data Centrally define and enforce CASB security policies to protect regulated data and to control how it is (or is prevented from being) stored and processed in cloud apps and services per the requirements in the appropriate compliance regulation such as GDPR, HIPAA, PCI DSS, etc.
The CASB Solutions information shown above is mostly generic in nature and based on best-practice, therefore to get a better understanding on what we can do for your business, all we ask is that you contact us, to discuss your cybersecurity and CASB needs, to protect your IT systems and data. Cyberteam Security Professionals are Symantec CloudSOC R2 trained and certified.
Click here to contact us