Policy enforcement
CASBs give organizations a way to extend and enforce their activity and data security policies to the cloud, said John Krull, CIO at Seattle Public Schools. Organizations that are moving to the cloud need to ensure that internal business rules, policies and procedures are applied to cloud resources. This applies to both files and applications.
Before cloud storage and software as a service (SaaS) were common, access to data files and applications could be controlled onsite by IT. But with data increasingly becoming resident in the cloud, traditional methods for managing access and enforcing policies no longer work, Krull said. A CASB offers a central mechanism for applying policies and actions to cloud resources even as users access those resources.
But there are other uses as well, he said. While not all CASB vendors provide the same services, most provide visibility into what you’re doing in the cloud, some level of compliance controls, data loss protection and threat mitigation capabilities.
“Combined, they provide the ability to manage who has access to what data, enforce rules around use of the data, ensure integrity of the data, and provide threat assessment and response,” Krull said. CASBs have the automation capabilities to actually train the users on document security and to assess their data sharing practices. “When applied systemically and with governance controls, it can help users follow best practices,” he added.
Allan Edwards
Eastern Michigan University in Ypsilanti, Mich., has been using Cisco CloudLock’s cloud-hosted CASB for about 18 months. The primary goal is to protect against loss and exposure of sensitive data in the cloud, according to Allan Edwards, senior information security analyst at EMU.
Before signing up for the technology, the university did a proof-of-concept run with CloudLock and discovered all sorts of sensitive EMU data stored on Google Drive accounts. The university now uses the CASB service to uncover instances where people might be storing sensitive information in the cloud and gets them to remove it. “We send users notifications automatically when there is a high likelihood of a Social Security number or a credit card number in their Google Drive and ask them to remove that data,” Edwards said.
The CASB service has helped the university’s threat intelligence team discover some unauthorized account usage that it was able to lock down. “The big challenge is deciding what is noise and what is signal when setting up rules” for alerts on sensitive data and potentially dangerous user activity in the cloud, he added.
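The sensitive-data scan and automatic user notices Edwards describes, together with the signal-versus-noise tuning he mentions, as an added example (not CloudLock's code or EMU's rules): loose patterns alone flag every SSN- or card-shaped string, while a Luhn checksum and SSA range checks drop the noise. `SAMPLE_DOCS` and all function names are constructed for illustration.

```python
import re

# Constructed sample files standing in for documents a CASB would scan in
# users' cloud drives. The numbers are synthetic (4111 1111 1111 1111 is a
# well-known test card number); nothing here is real data.
SAMPLE_DOCS = {
    "hr/enrollment.txt": "Emergency contact SSN 123-45-6789 on file.",
    "finance/vendor.txt": "Card on file: 4111 1111 1111 1111 exp 12/27",
    "it/inventory.txt": "Asset tag 000-12-3456; serial 1234 5678 1234 5678",
}

# Loose patterns: an SSN-shaped triplet, and any 13-19 digit run with optional
# space/hyphen separators, neither embedded in a longer number.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: real card numbers pass it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject area/group/serial values that are never issued."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0

def scan_text(path: str, text: str, strict: bool = True) -> list:
    """Findings for one file as (path, kind, match); strict applies the filters."""
    found = []
    for m in SSN_RE.finditer(text):
        if not strict or ssn_plausible(*m.groups()):
            found.append((path, "ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        if not strict or luhn_ok(re.sub(r"\D", "", m.group(0))):
            found.append((path, "card", m.group(0)))
    return found

def scan_drive(docs: dict, strict: bool = True) -> list:
    """Scan every file; returns the list a notification job would iterate over."""
    return [f for path, text in docs.items() for f in scan_text(path, text, strict)]

def notification(path: str, kind: str) -> str:
    """Text of the automatic notice asking the file owner to remove the data."""
    return f"{path}: likely {kind.upper()} found; please remove it from your drive."
```

Run `scan_drive(SAMPLE_DOCS, strict=False)` and then with `strict=True` to see the alert count halve: the invalid area number and the digit run that fails Luhn are the "noise" a loose rule would have sent to users.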
Many CSA members use CASBs for data protection, primarily through data masking, tokenization or encryption, according to Reavis. Some CASB products and services currently allow organizations to encrypt or to tokenize data before it is stored in the cloud and to decrypt it on the way back. The feature is designed to help companies in regulated industries comply with security and privacy requirements, such as those associated with the Payment Card Industry Data Security Standard.
“We see this as an area with a big promise of growth, but it is somewhat hampered by a lack of conformity on the part of cloud providers and a standard set of data protection APIs,” Reavis said.
More enterprises are also beginning to use CASBs or similar intermediary security technologies to provide some level of security policy management for custom identity-as-a-service platforms, according to Reavis. “I believe this will be a large trend as companies increase their cloud adoption and mature their understanding and management of clouds.”