Cloud brokers

by Mark Rowe

It’s no secret that cloud apps like Office 365, Salesforce and Box are the future of enterprise computing, yet security concerns continue to plague public cloud adoption. Many organisations are eager to migrate to the cloud, but need robust visibility and control capabilities in order to keep sensitive corporate data safe, writes Eduard Meelhuysen, pictured, Head of EMEA at the data protection product company Bitglass.

To secure cloud apps, organisations need a comprehensive security solution that offers visibility, data security, threat protection, and compliance. Cloud Access Security Brokers (CASBs) are a data-centric solution for securing SaaS apps end-to-end, from cloud to device. By intermediating or “proxying” traffic between cloud apps and end-user devices, CASBs can offer IT administrators granular access control and deep visibility over corporate data – critical functionality for organisations moving from internal, premises-based apps to the cloud.

Cloud app vendors like Google and Microsoft are motivated to secure their infrastructure and to protect against threats to their applications. Denial of service attacks, malware outbreaks, and large data breaches are the types of security events that land cloud app vendors on the front page of the Wall Street Journal, and have a severe negative impact on their businesses. Control over access and downloaded data, however, is the enterprise’s responsibility. Theft of user credentials, regulatory compliance failure, and data leakage due to improper controls all rest on IT. IT must have a security solution in place to protect corporate data from these types of risks that fall outside of the control of the SaaS application provider.

Balancing IT and employee

Years ago, when BYOD was less prevalent, employees simply accepted a poor user experience as a necessary evil. Today, employees are quick to reject IT solutions that reduce productivity or impinge on their privacy. Enterprises must adopt user-friendly solutions that enable a more productive, mobile workforce. Finding a CASB that meets these key requirements will help to prevent employees from “going rogue” and working around IT. The solution needs to take into consideration:

– Usability: Consumer apps have set a high bar for user experience, which in turn has created the expectation that cloud apps in the enterprise will match that experience and enhance, not hinder, productivity.
– Privacy: Employees have not only an expectation, but a right to privacy. Gone are the days when it was acceptable for IT to capture personal traffic in the security dragnet.
– Mobility: Employees want to have the latest devices and access corporate data without restrictions—even if those devices aren’t managed by their employer.

Components

While enabling mobility is often a boon to productivity, cloud apps also make data access much easier, which can pose a threat to security. A complete CASB must close the gap by protecting data-at-rest and data-in-motion across all devices. Cloud, mobile, discovery, and identity are the core components of a CASB which, together, provide total data protection.

Cloud

A deep understanding of how employees are using cloud apps is key to identifying risky or malicious activity. By tracking user activities, CASBs can generate a baseline behavioural profile and alert on deviations from it, so that IT can take immediate action. Visibility also helps IT build security policies that minimise the risk of data loss without impeding employee workflows.
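The baseline-and-deviation approach described above, as an added example that is not code from the article or from Bitglass: it builds a per-user profile of daily download counts from constructed activity records, then flags a day whose count sits far outside that profile. The records, the thresholds and the function names are assumptions made for the illustration.

```python
"""Per-user activity baseline with deviation alerts (added example, constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (user, day, number of files downloaded from a cloud app that day).
# Days d01-d07 are the learning period; d08 is the day being evaluated.
ACTIVITY = [
    ("alice", "d01", 12), ("alice", "d02", 9),  ("alice", "d03", 11), ("alice", "d04", 10),
    ("alice", "d05", 8),  ("alice", "d06", 13), ("alice", "d07", 10), ("alice", "d08", 140),
    ("bob", "d01", 40),   ("bob", "d02", 38),   ("bob", "d03", 45),   ("bob", "d04", 41),
    ("bob", "d05", 39),   ("bob", "d06", 44),   ("bob", "d07", 42),   ("bob", "d08", 47),
]


def build_baselines(events, history_days=7):
    """Return {user: (mean, stdev)} from each user's first history_days days of activity."""
    per_user = defaultdict(list)
    for user, _day, count in sorted(events, key=lambda e: (e[0], e[1])):
        if len(per_user[user]) < history_days:
            per_user[user].append(count)
    return {user: (mean(counts), pstdev(counts)) for user, counts in per_user.items()}


def detect_deviations(events, baselines, z_threshold=3.0, min_delta=20):
    """Alert when a day's count is both z_threshold standard deviations above the
    user's mean and at least min_delta above it (the absolute floor stops a very
    flat baseline from turning a small change into a huge z-score)."""
    alerts = []
    for user, day, count in events:
        mu, sigma = baselines[user]
        z = (count - mu) / sigma if sigma > 0 else float("inf")
        if count - mu >= min_delta and z >= z_threshold:
            alerts.append({"user": user, "day": day, "count": count,
                           "baseline": round(mu, 1), "z": round(z, 1)})
    return alerts


if __name__ == "__main__":
    for alert in detect_deviations(ACTIVITY, build_baselines(ACTIVITY)):
        print(alert)
```

With the constructed data only alice's day d08 (140 downloads against a baseline of about 10 a day) produces an alert; bob's d08 is higher than his mean but well inside his normal range, which is the point of keeping both a relative and an absolute threshold.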

CASBs protect corporate data both in the cloud and on any device in real time. API integration into cloud apps is used to scan and protect data-at-rest, and proxies are used for inline, real-time protection of data being accessed from both managed and unmanaged devices. Using built-in APIs, CASBs are able to scan and identify sensitive content stored in apps like Office 365 and Google Apps, and apply granular access controls to that data. With traditional solutions, access control capabilities are limited and IT is forced to simply allow or block access. With a CASB, IT administrators have more flexibility, extending access with context- and content-aware controls.

Mobile

Data must be protected at rest in the cloud, at rest on mobile devices, and in transit—making cloud and mobile inseparable components of a complete security solution. The CASB data-centric approach to security ensures that corporate information stays protected on any device, anywhere.

When organisations focus entirely on securing devices instead of securing data, there is a real threat of data leakage. An employee can, for example, download a file with sensitive customer information to a managed device, move that file over to an unmanaged device, and perhaps upload that file to an unsanctioned cloud application. If the device were secured without other data-centric protections, IT would lose visibility and control over that file. With a CASB, a content-aware DLP engine can encrypt, DRM, and watermark data in real time, ensuring that sensitive information stays protected across both managed and unmanaged devices.
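The content- and context-aware decision described in the Cloud section and the DLP scenario above, as one added example that is not code from the article or from Bitglass: a small classifier labels file content (a Luhn-checked card-number pattern and a confidentiality marker), and a policy maps the labels plus the request context (managed or unmanaged device, sanctioned or unsanctioned app, view/download/upload) onto allow, watermark, encrypt or block. The patterns, the sanctioned-app list, the action names and the sample content are all assumptions made for the illustration.

```python
"""Content- and context-aware access decision (added example, constructed data)."""
import re
from dataclasses import dataclass

# Constructed pattern: 13-16 digits, optionally separated by spaces or hyphens.
CARD_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")
CONFIDENTIAL_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")
# Assumption: the organisation's approved cloud apps; anything else is treated as shadow IT.
SANCTIONED_APPS = {"office365", "salesforce", "box"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(content: str) -> set:
    """Return the set of sensitivity labels found in the content."""
    labels = set()
    for match in CARD_CANDIDATE_RE.finditer(content):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            labels.add("card_number")
            break
    upper = content.upper()
    if any(marker in upper for marker in CONFIDENTIAL_MARKERS):
        labels.add("confidential")
    return labels


@dataclass
class AccessRequest:
    user: str
    app: str             # cloud app the file lives in, or is being sent to
    action: str          # "view", "download" or "upload"
    managed_device: bool
    content: str


def decide(req: AccessRequest) -> str:
    """Map content labels plus device/app context onto a CASB-style action."""
    labels = classify(req.content)
    if not labels:
        return "allow"                  # nothing sensitive: no friction for the user
    if req.app not in SANCTIONED_APPS:
        return "block"                  # sensitive data heading to an unsanctioned app
    if req.managed_device:
        return "allow_watermark"        # traceable copy on a trusted device
    if req.action == "download":
        return "allow_encrypted"        # DRM-protected download on an unmanaged device
    return "allow_view_only"            # unmanaged device may view but not take a copy


if __name__ == "__main__":
    sample = "Customer card 4111 1111 1111 1111, CONFIDENTIAL"
    for managed in (True, False):
        req = AccessRequest("alice", "office365", "download", managed, sample)
        print(managed, decide(req))
```

The Luhn check matters in practice: a numeric order list such as `1234 5678 9012 3456` matches the digit pattern but fails the checksum, so it is not labelled and the request is allowed without friction.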

Another risk faced by organisations when it comes to enabling secure mobile and BYOD is the threat of lost and stolen devices. CASBs are capable of enforcing a wide array of device security policies on any device, functionality that has historically only been possible on managed devices. CASBs can require use of a PIN or passcode for added security and can even selectively wipe just corporate data from any mobile device.

Discovery

Data leaving the corporate network and heading to high-risk destinations is a major concern for enterprises. High-risk destinations take many forms—malware command and control sites, anonymizers like Tor, “shadow IT” cloud applications, and more. Each of these destinations represents a risk of sensitive data exfiltration and must be identified in a timely fashion. CASBs offer discovery services that analyse proxy or firewall logs to identify risky traffic between the network and high-risk destinations. Destinations associated with known malicious activity can be identified in order to remediate high-risk endpoints and users.
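The discovery analysis described above, as an added example that is not code from the article or from Bitglass: it parses constructed proxy log lines, matches each destination against constructed lists of command-and-control hosts, anonymizers and unsanctioned cloud apps, and totals the bytes sent per category and per user so that the riskiest endpoints and users can be remediated first. The log format, the host lists (all under reserved `.test` and `.example` names) and the function names are assumptions; a real deployment would take the lists from threat-intelligence feeds and an application catalogue.

```python
"""Discovery over constructed proxy log lines (added example, not from the article)."""
import re
from collections import defaultdict

# Constructed risk lists keyed by category (placeholder hostnames, not real indicators).
RISK_LISTS = {
    "c2": {"update.c2-beacon.test"},
    "anonymizer": {"exit-node.tor-anon.test", "proxy.anon-relay.test"},
    "shadow_it": {"filedrop.unsanctioned.test", "paste.unsanctioned.test"},
}

# Constructed log format: timestamp user src_ip dest_host dest_port bytes_out
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) (?P<bytes>\d+)$"
)

SAMPLE_LOG = """\
2024-03-01T09:00:01Z alice 10.0.0.5 sharepoint.example.com 443 20480
2024-03-01T09:02:11Z alice 10.0.0.5 filedrop.unsanctioned.test 443 5242880
2024-03-01T09:05:30Z bob 10.0.0.9 exit-node.tor-anon.test 9001 1048576
2024-03-01T09:07:45Z carol 10.0.0.12 update.c2-beacon.test 443 4096
2024-03-01T09:08:00Z carol 10.0.0.12 mail.example.com 443 8192
2024-03-01T09:09:15Z alice 10.0.0.5 filedrop.unsanctioned.test 443 3145728
this line is malformed and must be skipped rather than crash the run
"""


def categorise(host: str):
    """Return the risk category for a destination host, or None if it is not listed."""
    for category, hosts in RISK_LISTS.items():
        if host in hosts:
            return category
    return None


def parse_log(text: str):
    """Yield parsed records, silently skipping lines that do not match the format."""
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            rec = match.groupdict()
            rec["port"] = int(rec["port"])
            rec["bytes"] = int(rec["bytes"])
            yield rec


def discover(text: str):
    """Return (findings, bytes_by_category): one finding per connection to a risky host."""
    findings, totals = [], defaultdict(int)
    for rec in parse_log(text):
        category = categorise(rec["dst"])
        if category is None:
            continue
        findings.append({**rec, "category": category})
        totals[category] += rec["bytes"]
    return findings, dict(totals)


def top_users(findings):
    """Rank users by bytes sent to high-risk destinations, to prioritise remediation."""
    by_user = defaultdict(int)
    for finding in findings:
        by_user[finding["user"]] += finding["bytes"]
    return sorted(by_user.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    found, by_category = discover(SAMPLE_LOG)
    for finding in found:
        print(finding["user"], finding["dst"], finding["category"], finding["bytes"])
    print(by_category)
    print(top_users(found))
```

Byte volume is the ranking key here because the concern in the text is exfiltration; a single small beacon to a command-and-control host (carol's 4096 bytes) still appears as a finding in its own category, so it is not drowned out by the larger shadow IT uploads.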

Identity

In many organisations, individual accounts are created within each cloud app, without a centralized identity system—a practice that can make provisioning new accounts and securely authenticating users more difficult. A complete CASB features an integrated identity management solution or works with an existing identity management infrastructure to enable secure authentication across all cloud apps. Secure authentication, often necessary to achieve regulatory compliance, can drastically reduce the attack surface that hackers can use to access corporate data.

To summarise, in a world of cloud applications and mobile devices, IT must secure corporate data on any device, anywhere. Existing security technologies, developed only to secure data on the network, are not suited to solving this task. The Bitglass Cloud Access Security Broker solution transcends the network perimeter to deliver total data protection for the enterprise—in the cloud, on mobile devices and anywhere on the internet.
