Cloud Security 101 – Do you already CASB?

“Hey, Mike, where can I find our current project calculation? Our client keeps asking questions … ”
“It’s in our team’s Box folder like all the previous versions. Wait a second, I’ll share the link with you!”
“Great! Maybe you can share that file directly with them? And please, add their purchasing department as well. You’ll find the contact in Salesforce.”

Does this conversation sound familiar? You or the organization you work for have probably already had your share of experience with clashing IT concepts: while many people long praised on-premise components and considered the cloud “evil”, things have changed fundamentally over the last two decades. Online services have become a vital part of both private and enterprise IT, blurring the border between what happens in your own, fully controlled environment and what is handled by somewhat anonymous data centers located all over the globe. On the one hand, cloud services increase people’s mobility, since the data and business processes they need are just a few clicks away. On the other hand, this also poses new risks and threats to data handling: suddenly, you have to trust not one but many different cloud providers when sharing your data or collaborating via online services.

But don’t worry – hope, and more importantly your data, is not necessarily lost in the wide space of cloud providers. With Cloud Access Security Broker (CASB) products on the rise, there are several IT security solutions that aim to secure the business processes, data usage, and collaboration tasks that happen in the cloud.

Unfortunately, there is no clear-cut, sharp definition of the functional scope of CASB products, as they often port well-established security controls and approaches to the unfamiliar terrain called the cloud and combine them in different ways.

What are the actual use cases?

One of the most popular CASB use cases is shadow IT discovery and cloud service sanctioning, which provides a general overview of the usage of online services within an organization. CASB products observe cloud-service-related network traffic to identify shadow IT usage with different levels of granularity: while some products only provide aggregated traffic metrics (e.g., total upload/download in GB), others operate on an in-app activity level and are thus able to identify individual user actions within a cloud service, such as sharing a file or downloading a single document. After identifying a distinct cloud service, CASB products often leverage proprietary catalog information with metadata about cloud services and their providers (e.g., the service’s location and the vendor’s certifications) to provide a risk indication and to determine whether data are processed in a compliant manner. Eventually, they enable sanctioning of compliant services while blocking or otherwise controlling non-compliant ones.

Another use case, which especially targets cloud storage providers, focuses on data protection and encryption. Here, all data that leave your premises are secured/encrypted before being uploaded to the cloud, thus protecting them from unwanted access by third parties as well as by the cloud service provider itself. Not only is file encryption widely used; format-preserving encryption of individual fields can also be observed within cloud services such as Salesforce.

Some CASB products dive even deeper into your cloud-processed data. By adapting typical DLP measures, they provide data inspection, classification, and subsequently appropriate data security controls that limit the risk of data leakage. Some solutions even include DRM measures such as document watermarking when data are accessed from the cloud.

Finally, all of the use cases above can be connected to individual users. By applying a user-centric view, some CASB products detect and alert on user behavior anomalies such as excessive cloud usage or unwanted data movement.
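To make the log-based shadow IT discovery described above and the user-centric anomaly view concrete, here is an added example (not code from the original post or from any CASB vendor) that parses a few constructed proxy log lines, aggregates upload/download per cloud service, attaches a risk indication and a sanctioning action from a constructed catalog, and flags users with excessive uploads. The log format, catalog fields, and 1 GB threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample proxy log: timestamp, user, destination host, bytes sent, bytes received.
PROXY_LOG = """\
2017-06-01T09:12:01Z alice box.com 52428800 1048576
2017-06-01T09:15:42Z bob dropbox.com 209715200 4194304
2017-06-01T10:01:13Z alice wetransfer.com 3221225472 65536
2017-06-01T10:30:00Z carol salesforce.com 1048576 20971520
2017-06-01T11:05:09Z bob pastebin.com 2097152 8192
"""
# Constructed catalog standing in for a vendor's proprietary service metadata.
CATALOG = {
    "box.com": {"sanctioned": True, "region": "US"},
    "dropbox.com": {"sanctioned": True, "region": "US"},
    "salesforce.com": {"sanctioned": True, "region": "US"},
    "wetransfer.com": {"sanctioned": False, "region": "NL"},
}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")

def parse(log):
    # Yield (user, host, bytes_sent, bytes_received); malformed lines are skipped.
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            _ts, user, host, sent, recv = m.groups()
            yield user, host, int(sent), int(recv)

def discover(log):
    """Aggregate upload/download per service, then attach risk and sanctioning action."""
    usage = defaultdict(lambda: {"up": 0, "down": 0, "users": set()})
    for user, host, sent, recv in parse(log):
        usage[host]["up"] += sent
        usage[host]["down"] += recv
        usage[host]["users"].add(user)
    report = {}
    for host, u in usage.items():
        meta = CATALOG.get(host)
        if meta is None:            # unknown service: treat as shadow IT until reviewed
            risk, action = "unknown", "block"
        elif not meta["sanctioned"]:
            risk, action = "high", "block"
        else:
            risk, action = "low", "allow"
        report[host] = {"up_gb": round(u["up"] / 2**30, 3), "down_gb": round(u["down"] / 2**30, 3),
                        "users": sorted(u["users"]), "risk": risk, "action": action}
    return report

def excessive_uploaders(log, threshold_bytes=2**30):
    """User-centric view: users whose total upload in the log exceeds the threshold (1 GB default)."""
    per_user = defaultdict(int)
    for user, _host, sent, _recv in parse(log):
        per_user[user] += sent
    return sorted(u for u, total in per_user.items() if total > threshold_bytes)
```

In a real deployment the catalog lookup would be the vendor's risk database and the thresholds would be tuned per organization; the structure of the pass (parse, aggregate, enrich, decide) is what a log-parser CASB does.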

The four areas introduced above represent the major capabilities of CASB products. Still, there are various additional use cases implemented, ranging from web filtering and threat protection (e.g., online anti-virus scanning) to IaaS controls.

And which cloud services do they cover?

That depends heavily on the use cases and on the deployment model (see next section). CASB products that aim for general shadow IT discovery usually come with a broad cloud service catalog covering a mid-range five-figure number of cloud services and their respective reputations. More specialized CASBs focusing on data protection and DLP often have lower coverage, targeting only a handful to a few dozen cloud services. Finally, there are highly specialized CASB solutions that only handle certain niches, such as data encryption in Salesforce.

Since most CASBs combine several use cases into a single solution, they usually have a broad and current coverage of cloud services. In particular, enterprise-relevant services, such as Office 365, Box, Dropbox, Salesforce, and ServiceNow, are broadly covered.

How do they integrate into my infrastructure?

There are several deployment options for CASB products that, again, depend heavily on the use cases addressed: while some products only consume log data from proxies to gain cloud visibility in a read-only manner, others act as inline proxies, enabling real-time data control measures. In on-premise environments, CASBs commonly deploy forward proxy components, while on the Internet many vendors operate reverse proxy components to secure selected cloud services. Like any other proxy infrastructure, CASB-related proxies struggle with end-to-end encrypted traffic, such as SSL connections with pinned certificates. For example, the Dropbox endpoint agent only permits secure connections to the Dropbox backend. In response, a small number of solutions additionally provide endpoint agents in order to control cloud traffic. With them, communication can explicitly be forwarded to CASB proxies, and data can be intercepted and handled before being handed to the respective local cloud service agents.

A notable trend is the direct integration of CASB solutions with cloud services through their respective APIs, which removes the need for any inline component. However, this also poses continuous challenges to CASB vendors: cloud service providers are constantly improving and broadening their APIs, leaving the CASB provider strongly dependent on the service provider. Additionally, unlike inline proxies, API connections are mostly reactive, so in most cases the CASB is informed only after the data have been processed. Still, some cloud service providers, especially the big players on the market, are starting to include real-time data controls, giving CASBs a chance to intercept the current data action before it is finished.

Most CASB solutions provide a SaaS-based backend themselves, orchestrating their individual components such as proxies and endpoint agents. Just like any other IT security solution, the deployment modules introduced above are often available as a physical or virtual appliance or as a software installation.

Let’s sum up

Focusing on various use cases and covering a large number of cloud services, CASB solutions enable secure handling of your data on cloud platforms outside of your control. Since the functional range on the CASB market is huge, it makes sense to break down the group of CASB products based on their capabilities and your specific use cases. Are you looking for a solution that stores only encrypted files with a small set of cloud storage providers? Then you should probably look at solutions with an inline component that is highly specialized in file and data cryptography. If it’s just a matter of gaining visibility of shadow IT, you may consider CASBs with log parsers that process your existing proxy logs. Collaboration actions and advanced DLP functions, again, are usually covered through API integrations. But remember, many solutions combine several different techniques, so consider how your use cases are likely to evolve.

In a nutshell, start by evaluating your infrastructural requirements and determining your use cases before you go hunting for CASB solutions. Then you have a chance to identify the solution that is appropriate for you. But always keep in mind: eventually, you may only shift your trust from the affected cloud services to a single Cloud Access Security Broker, which in most cases is yet another cloud service. Therefore, keep your eyes open for CASB solutions that give you as much control as possible.

Also, our “Technology Scouting and Evaluation” service is there to help you. After assessing a broad range of CASB products in mid-2017, our team is currently evaluating recent changes on the CASB market. So stay tuned, we will share our findings with you shortly.

Who we are
The “Technology Scouting & Evaluation” (TSE) service identifies and evaluates promising IT security solutions. With this service, DCSO supports companies in staying ahead of a dynamic and ever-changing market. The centralized and unbiased evaluation process is supplemented with the experience of all community members.