Cloud Access Security Brokers (CASB): the new Eldorado of security?
The small world of security regularly races after new technical solutions. Some are hits; some are flops. Even if the subject is not new (Gartner was already talking about it in 2012), I sense a growing interest in Cloud Access Security Brokers. The reason: the increasingly massive use of cloud applications in companies. What security needs do these technologies address, and what are the use cases?
Definition of CASB
To quote Gartner's definition, Cloud Access Security Brokers (CASBs) are concentration points, deployed on-premises or in the cloud, placed between users and the cloud services they use in order to enforce the company's security policies. These CASBs must (in theory) cover subjects as diverse as authentication, access authorization, SSO, tokenization, encryption, etc.
The functions of the CASB
CASBs can address five families of issues:
Application visibility: CASBs are platforms capable of showing "who" uses cloud applications and "how". Without necessarily needing a SIEM, CASBs offer an overview of cloud application usage in the form of dashboards and can also send alerts. These reports let decision makers follow usage trends internally and can help them detect deviant behaviour or threats. This need for visibility is typically part of the fight against shadow IT.
User identity: identity is a key challenge for companies using cloud applications. It is not uncommon to have specific accounts dedicated to the cloud, which poses a recurring account management problem (creation, deletion, passwords, etc.). Here a CASB can play an important role: it can provide a single authentication system for all cloud applications by authenticating users against the internal directories and then relying on a third-party Cloud Identity Provider.
Application access control: the access control component defines who has access to which cloud applications, under what conditions and in what context. A CASB must be able to set a policy per application, or per specific function of a given application. These policies can be based on: membership of a group, a device type or OS, or a geographic location.
Data protection: when cloud applications are accessed, the CASB should protect the company against any leakage of sensitive data by identifying and categorising the data. The CASB then lets administrators create security policies adapted to the sensitivity or risk of the data. This is similar to the functionality of a DLP, but limited to cloud applications.
Data encryption: to store confidential information in the cloud, nothing beats encrypting it.
This is one of the first applications of CASBs, and perhaps the best known, but also one of the most complex. Wanting to encrypt data to be stored in the cloud requires distinguishing the most sensitive data, which must be encrypted, from data that can be stored in the clear. Here the security aspect meets the business aspect, which is not the least of the challenges.
In addition to key management, storing encrypted data in the cloud raises a major question: that of full-text search over the information. CASBs will have to substitute for all or part of the search functions of the cloud applications.
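As an added illustration of the access control policies described above (example code written for this page, not from any CASB product), the policy below is set per application and per function, and each rule carries conditions on group membership, device OS and country; the "crm" application, its "export" function and the group and country values are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One policy line: the conditions say when it applies, the action says what happens."""
    app: str
    function: str = "*"                 # "*" = the whole application
    groups: frozenset = frozenset()     # empty set = no condition on that attribute
    device_os: frozenset = frozenset()
    countries: frozenset = frozenset()
    action: str = "allow"               # "allow" or "deny"


@dataclass(frozen=True)
class Context:
    """What the CASB knows about the request: who, from which device, from where."""
    user_groups: frozenset
    device_os: str
    country: str


def rule_applies(rule: Rule, app: str, function: str, ctx: Context) -> bool:
    if rule.app != app or rule.function not in ("*", function):
        return False
    if rule.groups and not (rule.groups & ctx.user_groups):
        return False
    if rule.device_os and ctx.device_os not in rule.device_os:
        return False
    if rule.countries and ctx.country not in rule.countries:
        return False
    return True


def decide(policy: list, app: str, function: str, ctx: Context) -> str:
    """Deny beats allow; a request matching no rule at all is denied (default deny)."""
    hits = [r for r in policy if rule_applies(r, app, function, ctx)]
    if any(r.action == "deny" for r in hits):
        return "deny"
    return "allow" if hits else "deny"


# Constructed sample policy for a hypothetical CRM application:
# sales staff may use it from FR or DE, but exporting from a phone is refused.
POLICY = [
    Rule("crm", groups=frozenset({"sales"}), countries=frozenset({"FR", "DE"})),
    Rule("crm", "export", device_os=frozenset({"iOS", "Android"}), action="deny"),
]
```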
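To show the search problem raised above, here is an added example (not code from the article or from any vendor) of a CASB-style proxy that tokenizes sensitive fields before they reach the cloud application and keeps a keyed blind index so that an equality search can still be answered by the cloud side, with the proxy substituting for the application's own search. The field names, the CloudApp stand-in and the sample records are constructed assumptions.

```python
import hashlib
import hmac
import secrets


class TokenizingProxy:
    """Sits between users and the cloud app; the vault and the key never leave the company."""

    def __init__(self, index_key: bytes, sensitive_fields):
        self.index_key = index_key
        self.sensitive = set(sensitive_fields)
        self.vault = {}  # token -> clear value, kept on-premises

    def _blind(self, value: str) -> str:
        # Keyed digest: the cloud side cannot rebuild values by hashing guesses.
        norm = " ".join(value.split()).lower().encode()
        return hmac.new(self.index_key, norm, hashlib.sha256).hexdigest()

    def outbound(self, record: dict) -> dict:
        """Towards the cloud: replace each sensitive value with a random token."""
        out = {}
        for field, value in record.items():
            if field in self.sensitive:
                token = "tok_" + secrets.token_hex(16)
                self.vault[token] = value
                out[field] = token
                out[field + "_idx"] = self._blind(value)  # keeps equality search possible
            else:
                out[field] = value
        return out

    def inbound(self, record: dict) -> dict:
        """Back from the cloud: swap tokens for clear values and drop the index columns."""
        return {f: self.vault.get(v, v) for f, v in record.items() if not f.endswith("_idx")}

    def search(self, cloud, field: str, value: str) -> list:
        """Replaces the app's own search on a tokenized field, as the article describes."""
        return [self.inbound(r) for r in cloud.find(field + "_idx", self._blind(value))]


class CloudApp:
    """Stand-in SaaS application: it only ever stores what the proxy sends it."""

    def __init__(self):
        self.rows = []

    def store(self, record: dict):
        self.rows.append(record)

    def find(self, field: str, value: str) -> list:
        return [r for r in self.rows if r.get(field) == value]
```

Only equality search on whole normalised values is recovered this way; substring or ranked full-text search over tokenized fields is exactly what the proxy has to reimplement itself.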
These features seem attractive, but what type of architecture can address all these needs? To my mind, a complete solution should offer four types of deployment:
In the cloud: interesting for testing some features, for discovery or log analysis, and for identity and access management, but in my opinion less suited to data encryption;
At the Internet access point: placed inline on the Internet traffic before it leaves the company, the CASB makes sense for cryptographic or data protection operations, but also for identity management;
On the workstation: protecting information in the cloud is good, but being able to do so on the workstation is better! Indeed, any file downloaded from the cloud onto a device and not secured on the terminal can be a source of data leakage for the company. The ability to control the data on the workstation, whatever it may be, is indispensable!
On the network: unfortunately, not enough CASBs offer network access control, and installing on the network may be the only way to identify unauthorised exit points: unsecured Wi-Fi access, unofficial Internet access, etc.
Protect data in the cloud
Some vendors may have a different definition of CASB, because the market is not really structured yet. Similarly, vendors tend to highlight specific features based on their expertise (sometimes because they do not have the functions mentioned in this article!).
I think CASBs could quickly become critical solutions for companies, through their ability to meet the security needs of the various business lines that are turning massively to cloud applications.
You will find plenty of white papers and case studies from the vendors to form your own opinion on the relevance, if any, of these solutions, which could become widespread in the coming months.
Finally, some vendor names: Bitglass, PerspecSys, CipherCloud, Elastica, Adallom and many others. The list is not exhaustive; I apologise to those I have not mentioned.