Traditional security tools don't measure up to the unique challenges of securing Software as a Service (SaaS), mainly because they aren't comprehensive or scalable. That's why a Cloud Access Security Broker (CASB) is needed. CASBs are designed to work with any SaaS application, delivering the add-on security capabilities and analytics required to enable detection and response for cloud apps.
Over the last few months, I've had the opportunity to sit in on beta testing with Masergy customers. The initial report from the SaaS discovery tool is always a big eye-opener for the customer security team. SaaS discovery represents one of the most important capabilities in the CASB toolbox because it catalogs all SaaS usage by employees.
It's quite common to have hundreds of applications on the list. Depending on what those applications are used for, this usually implies widespread loss of visibility and control over sensitive data being uploaded by users. That's enough to keep any CISO awake at night, and it certainly justifies CASB investment.
The SaaS model itself is not a security problem. On the contrary, mature SaaS vendors likely have the economies of scale to afford the proper security implementation that many mid-sized enterprises have to skimp on. But much like Infrastructure as a Service (IaaS) and Platform as a Service (PaaS), SaaS relies on a shared security model with responsibilities assigned to both parties.
Summary of SaaS tenant security risks
- Assessing SaaS vendor inherent security risks that are neither readily measurable nor apparent.
- Restricting sensitive data from being uploaded into cloud apps, sanctioned or unsanctioned, and shared into insecure environments.
- Enabling quick detection of stolen credentials and malicious insider usage, and responding to incidents before serious damage is done.
- Extending protection to mobile devices where agents or management is impractical.
- Preventing cloud apps from turning into malware conduits.
- Regulating identities and enforcing appropriate authentication to streamline user experience and productivity while managing tasks.
Shared security models for cloud
Gartner defines four equally important functional pillars that a CASB solution must deliver: visibility, compliance, data security, and threat protection. These four capabilities are mandatory to address the tenant security responsibilities listed above and are essential for cloud security success. The following four considerations should be taken into account when evaluating and deploying CASB solutions:
SaaS discovery and reputation
Assessing a SaaS vendor's security capabilities is inherently opaque and requires significant investigation and due diligence. Hence, security certifications for SaaS vendors carry a lot of weight, and reputation is also critical. As part of their service, leading CASB vendors include a reputation service that evaluates the security maturity of an entire catalog of SaaS vendors. Risk scores must be provided so that IT security teams can make informed decisions about whether or not certain cloud apps should be trusted and used by employees.
However, before you go exercising control, take note that consumerization trends have shown that heavy-handed approaches to security often backfire, so the most effective strategy is to "coach" employees to use more secure options. But if the risks of dubious cloud apps are ultimately unacceptable and user practices don't adjust accordingly, application blocking can and should be used.
Identity and two-factor authentication
As soon as the cloud application count goes above one or two, having employees manage their own identities and passwords quickly becomes a tangle of security risks and poor user experience. So integration with Identity and Access Management (IAM) is mandatory for managing risk and optimizing user experience. Better yet, an IAM integrated with the CASB solution will accelerate deployment and increase the CASB's value for organizations that have yet to roll one out. Of course, if you already have IAM, the CASB solution must be able to support multiple identity vendors. Risk-based authentication is effective at balancing user experience with security control. When risky behavior or activity is detected, the user should be asked to re-authenticate using an additional second factor.
Data visibility, control, and loss prevention
Visibility of data flowing in and out of cloud applications is best enabled with Data Loss Prevention (DLP) practices and tools. DLP is not a new capability, so enterprises with existing deployments should be able to extend their existing policies via the Internet Content Adaptation Protocol (ICAP) into the CASB for additional enforcement and protection of both structured and unstructured data within cloud apps. For many mid-sized organizations that don't yet have DLP, an integrated CASB DLP option for configuring and enforcing policy is a cost-effective choice. Appropriate DLP controls are needed to enforce policies that prevent the most sensitive data from entering a cloud app. Similar controls should also prevent, or alert on, attempts by users to offload sensitive data, particularly onto unmanaged devices.
The latter is the riskiest, and having an integrated Digital Rights Management (DRM) capability means that when a third party user or an internal user on an unmanaged device needs to view data, it can be done simply through web browser scripts that prevent saving, offloading and cutting and pasting of data. Finally, for the most security-conscious organizations, being able to enforce data-at-rest encryption using their own unique keys ensures that no other party, including the SaaS provider itself, can access cloud data.
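The upload and offload rules described above, as an added example that is not part of the original article or of any vendor's product: a small DLP decision function over constructed transfer events. The sanctioned-app list, the PAN/SSN classifiers and the policy matrix (block uploads of card numbers anywhere, block any sensitive upload to an unsanctioned app, block offloads to unmanaged devices and only alert on managed ones) are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Assumed tenant allow-list of sanctioned apps (constructed for the example).
SANCTIONED_APPS = {"crm.example", "docs.example"}

# Simple classifiers for the "most sensitive" data; real DLP uses far richer fingerprints.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on card-number-shaped digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(content: str) -> set:
    """Return the set of sensitivity labels found in the transferred content."""
    labels = set()
    for m in CARD_RE.finditer(content):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.add("PAN")
    if SSN_RE.search(content):
        labels.add("SSN")
    return labels

@dataclass
class Transfer:
    user: str
    app: str
    direction: str        # "upload" into the app or "download" out of it
    device_managed: bool  # whether the endpoint is under management
    content: str

def dlp_decision(t: Transfer) -> str:
    """Return 'allow', 'alert' or 'block' under the assumed policy matrix."""
    labels = classify(t.content)
    if not labels:
        return "allow"
    if t.direction == "upload":
        # Nothing sensitive enters an unsanctioned app; a sanctioned app may hold SSNs
        # under alerting, but card numbers are kept out of cloud apps entirely.
        if t.app not in SANCTIONED_APPS or "PAN" in labels:
            return "block"
        return "alert"
    # Offloading sensitive data: block to unmanaged devices, alert on managed ones.
    return "alert" if t.device_managed else "block"
```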
Threat detection and response
Credentials stolen by attackers and malicious insider usage are two major threats facing cloud applications. Two-factor authentication goes a long way toward mitigating stolen credentials, but it's not always used, nor is it foolproof. Advanced analytics, or more specifically User and Entity Behavior Analytics (UEBA), is a critical capability that identifies these types of potentially malicious activity so that immediate responses can be taken, including locking the account or requesting step-up authentication.
The nature of this technology requires advanced security monitoring and incident response. Only the largest enterprises can afford to build a Security Operations Center (SOC). A lot of data can be pulled out of a cloud app from 11:00 pm to 6:00 am when your team is sleeping. Security expertise and 24/7 monitoring are mandatory to ensure that the CASB solution is configured correctly and that incidents are quickly identified, and appropriate responses are executed.
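The detection-and-response loop described in this section and the risk-based step-up rule from the identity section, as an added example that is not code from the original article or any CASB product: a minimal UEBA-style pass over a constructed SaaS audit log that flags bulk downloads in the 11:00 pm to 6:00 am window and logins from a country not in the user's baseline, then picks a response. The log format, the per-user country baseline and the 500 MB threshold are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample SaaS audit log; the format (timestamp,user,action,bytes,country) is assumed.
SAMPLE_LOG = """\
2018-09-10T14:05:00,alice,download,1200000,US
2018-09-10T23:40:00,alice,download,400000000,US
2018-09-11T02:15:00,alice,download,350000000,US
2018-09-10T09:00:00,bob,login,0,US
2018-09-10T09:12:00,bob,login,0,RU
2018-09-10T10:00:00,carol,download,50000,US
"""

# Assumed per-user baseline of countries seen during normal activity.
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}
BULK_BYTES = 500_000_000  # assumed threshold: 500 MB pulled out while the team is asleep

@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    size: int
    country: str

def parse_log(text: str) -> list:
    """Parse the assumed CSV-style audit log into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, size, country = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), user, action, int(size), country))
    return events

def is_off_hours(ts: datetime) -> bool:
    """23:00 to 06:00, the window the article calls out."""
    return ts.hour >= 23 or ts.hour < 6

def assess(events: list, known: dict) -> dict:
    """Return the response per user: 'lock_account', 'step_up_auth' or 'none'."""
    off_hours_bytes = defaultdict(int)
    new_country = set()
    for ev in events:
        if ev.action == "download" and is_off_hours(ev.ts):
            off_hours_bytes[ev.user] += ev.size
        if ev.action == "login" and ev.country not in known.get(ev.user, set()):
            new_country.add(ev.user)
    actions = {}
    for user in {ev.user for ev in events}:
        if off_hours_bytes[user] >= BULK_BYTES:
            actions[user] = "lock_account"   # likely credential theft or insider exfiltration
        elif user in new_country:
            actions[user] = "step_up_auth"   # risky but not conclusive: ask for a second factor
        else:
            actions[user] = "none"
    return actions
```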
When you spend the money on CASB, be sure to account for a managed service if you don't have your own SOC. Also, it's completely reasonable to push the costs of managed CASB back to the business units that are procuring SaaS. The cost of security should be tied to SaaS adoption: you can’t have one without the other.