09 March 2017
Blogs by author: Global Services, We’re a leading global business communications provider
More organisations are aware of productivity-boosting cloud applications, but few know how to use these securely. That’s where Cloud Access Security Brokers can help.
Clouds. Visibility, nil.
As organisations seek to benefit from the flexibility, convenience and cost-efficiency of the cloud, security is expanding out of the data centre. This leaves security decision-makers without visibility or control of cloud applications used in their organisation.
Security decision-makers currently have no insight into what’s happening in cloud applications. This means they must choose either to allow cloud applications they can’t control, or to block them outright, at the cost of employees’ ability to collaborate.
A risk of data loss.
Without cloud visibility, companies can’t answer questions like: “What cloud applications are being used by employees in the organisation?” Or: “How securely is data being stored within these applications?”
Controlling what sensitive information is allowed to be stored in the cloud, and who can access it, is fundamental to secure collaboration inside the organisation and with partners. Currently, organisations can’t extend data-loss prevention (DLP) capabilities into their cloud environments, so they’re at risk of data leaks.
Equally, organisations face difficulties with bring your own device (BYOD) and remote users, who require reliable, global access to corporate cloud applications, but work outside of the traditional security macro-perimeter.
Key challenges with cloud security.
Some of the main issues that organisations face when it comes to cloud security are:
- Visibility: organisations can’t ‘see’ sanctioned and unsanctioned cloud applications, so they have no visibility of the cloud applications used by employees within the organisation (or the risk associated with them).
- Threats: whether from compromised accounts, insider threats and/or malware attempting to move data to and from the cloud, organisations are constantly at risk from cyber criminals.
- Compliance: data-leak prevention solutions in data centres can’t protect organisations against data exfiltration by remote or BYOD users.
- Collaboration: organisations have no visibility of who files are shared with or who has access to them, and they can’t apply policy around secure collaboration.
- Data security: there’s no way to consistently apply encryption across sanctioned applications, or control access to sensitive data from unmanaged devices.
- Inconsistent security policy: organisations can’t consistently apply policy across all cloud applications users are collaborating with.
What do Cloud Access Security Brokers (CASBs) provide?
Visibility: CASBs allow organisations to see which cloud applications are being used, the data transferred to and from them, and who the data’s shared with.
Risk assessment: with visibility achieved, CASB solutions provide a breakdown of the risks associated with each cloud application detected. Organisations can then define their sanctioned cloud applications based on dozens of factors, for example implementation of encryption for data at rest, last known data breach and legal agreements.
DLP: using either the API model or proxy approach, CASBs provide DLP functionality, so organisations can detect sensitive information being stored or transferred to the cloud. They can then quarantine, delete or encrypt it.
Threat protection: CASBs can identify suspicious behaviour, such as simultaneous logins from multiple geographic areas and large data exfiltration attempts, in addition to malware scanning data in the cloud.
Access control: using a CASB, it’s possible to control the devices and locations users can log in from, and the applications they can log in to. Authentication to Software-as-a-Service (SaaS) applications can be stepped up when required, or users can be redirected to sanctioned applications as dictated by company policy.
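The two behaviours named under threat protection above, simultaneous logins from distant locations and large data exfiltration, can be expressed as simple rules over login and download events. The following is an added illustration, not code from the original post or from any CASB vendor; the events, the coordinates and the thresholds (1,000 km/h between logins, 1 GB downloaded per user per hour) are constructed assumptions.

```python
"""Added example: two CASB-style threat-protection checks (impossible travel
and download-volume exfiltration) run over constructed events. Illustrative
only; not any vendor's detection logic. Thresholds are assumptions."""
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events:
# (user, ISO-8601 UTC timestamp, city, latitude, longitude, bytes downloaded)
EVENTS = [
    ("alice", "2017-03-09T08:00:00", "London",   51.5074,  -0.1278,   2_000_000),
    ("alice", "2017-03-09T08:40:00", "New York", 40.7128, -73.9352,     500_000),
    ("bob",   "2017-03-09T09:00:00", "Leeds",    53.8008,  -1.5491, 900_000_000),
    ("bob",   "2017-03-09T09:30:00", "Leeds",    53.8008,  -1.5491, 700_000_000),
    ("carol", "2017-03-09T10:00:00", "Paris",    48.8566,   2.3522,      10_000),
    ("carol", "2017-03-09T16:00:00", "Berlin",   52.5200,  13.4050,      20_000),
]

MAX_SPEED_KMH = 1000          # assumed: faster than this between logins is "impossible travel"
EXFIL_BYTES = 1_000_000_000   # assumed: more than 1 GB per user inside the window is suspicious
EXFIL_WINDOW = timedelta(hours=1)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse(ts):
    return datetime.fromisoformat(ts)


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, from_city, to_city, speed_kmh) for consecutive logins of the
    same user that would require travelling faster than max_speed_kmh."""
    by_user = defaultdict(list)
    for user, ts, city, lat, lon, _ in sorted(events, key=lambda e: (e[0], e[1])):
        by_user[user].append((parse(ts), city, lat, lon))
    alerts = []
    for user, logins in by_user.items():
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(logins, logins[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            dist = haversine_km(la1, lo1, la2, lo2)
            if hours <= 0:
                # Same timestamp from two different places is also impossible.
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_speed_kmh:
                alerts.append((user, c1, c2, round(speed)))
    return alerts


def exfiltration(events, limit=EXFIL_BYTES, window=EXFIL_WINDOW):
    """Return (user, bytes) for users whose downloads within any sliding window
    of length `window` exceed `limit`."""
    by_user = defaultdict(list)
    for user, ts, _, _, _, nbytes in events:
        by_user[user].append((parse(ts), nbytes))
    alerts = []
    for user, downloads in by_user.items():
        downloads.sort()
        start, total, worst = 0, 0, 0
        for t, nbytes in downloads:
            total += nbytes
            # Drop downloads that fell out of the window ending at t.
            while downloads[start][0] < t - window:
                total -= downloads[start][1]
                start += 1
            worst = max(worst, total)
        if worst > limit:
            alerts.append((user, worst))
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(EVENTS):
        print("impossible travel:", a)
    for a in exfiltration(EVENTS):
        print("possible exfiltration:", a)
```

Run as a script it reports alice's London-to-New York login pair (roughly 5,570 km in 40 minutes) and bob's 1.6 GB downloaded within half an hour; carol's Paris-to-Berlin trip over six hours stays under the speed threshold. In a real CASB the geolocation comes from the client IP and the thresholds are tuned per organisation, so treat both constants as starting points rather than fixed values.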
A CASB secures access to the cloud in many ways.
API connectors utilise the API functionality provided by SaaS providers such as Dropbox, Microsoft Office and Box View. They control and secure the data stored within your SaaS application.
Whenever an action’s performed in your cloud application, your CASB solution is notified and decides how to react. The benefit of the API connector approach is that it doesn’t require any footprint on user devices — the CASB solution interacts with SaaS applications from the cloud.
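As an added example of the API-connector model, and of the DLP reactions (quarantine, delete or encrypt) described earlier on this page: the handler below receives constructed file events of the kind a storage API might deliver, classifies uploaded content, and decides how to react when a sensitive file is shared outside the organisation. The event shape, the two detection rules (a Luhn-checked card-number pattern and a "CONFIDENTIAL" marker), and the action names are assumptions for illustration, not any SaaS provider's or CASB's real API.

```python
"""Added example: a policy handler in the style of a CASB API connector,
reacting to constructed file events from a SaaS storage application. The
event format, detection rules and action names are assumptions; the
actions stand for API calls a real connector would make."""
import re

# Constructed events a storage API might notify the CASB about, in order.
EVENTS = [
    {"type": "file.uploaded", "file_id": "f1", "owner": "alice@corp.example",
     "content": "Q1 forecast, internal only, no card data."},
    {"type": "file.uploaded", "file_id": "f2", "owner": "bob@corp.example",
     "content": "Refund to card 4111 1111 1111 1111, exp 12/19."},
    {"type": "file.uploaded", "file_id": "f3", "owner": "carol@corp.example",
     "content": "CONFIDENTIAL: merger term sheet draft."},
    {"type": "file.shared", "file_id": "f3", "owner": "carol@corp.example",
     "shared_with": "advisor@outside.example"},
    {"type": "file.shared", "file_id": "f1", "owner": "alice@corp.example",
     "shared_with": "dave@corp.example"},
]

INTERNAL_DOMAIN = "corp.example"          # assumed: anything else counts as external
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # 13-16 digits with optional separators


def luhn_ok(digits):
    """Luhn checksum; cuts false positives on arbitrary 13-16 digit runs."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def classify(content):
    """Return a sensitivity label for file content under the constructed rules."""
    for m in CARD_RE.finditer(content):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            return "PCI"
    if "CONFIDENTIAL" in content.upper():
        return "CONFIDENTIAL"
    return "PUBLIC"


# Reaction per (label, event type); anything not listed is allowed.
POLICY = {
    ("PCI", "file.uploaded"): "quarantine",
    ("CONFIDENTIAL", "file.uploaded"): "encrypt",
    ("PCI", "file.shared"): "revoke",
    ("CONFIDENTIAL", "file.shared"): "revoke",
}


def handle_events(events, internal_domain=INTERNAL_DOMAIN):
    """Process events in order; return a list of (file_id, action) decisions."""
    labels = {}      # file_id -> label, remembered from the upload event
    decisions = []
    for ev in events:
        if ev["type"] == "file.uploaded":
            label = classify(ev["content"])
            labels[ev["file_id"]] = label
            action = POLICY.get((label, "file.uploaded"), "allow")
        elif ev["type"] == "file.shared":
            label = labels.get(ev["file_id"], "UNKNOWN")
            external = not ev["shared_with"].endswith("@" + internal_domain)
            # Internal sharing is allowed; external sharing is checked against policy.
            action = POLICY.get((label, "file.shared"), "allow") if external else "allow"
        else:
            action = "ignore"
        decisions.append((ev["file_id"], action))
    return decisions


if __name__ == "__main__":
    for file_id, action in handle_events(EVENTS):
        print(f"{file_id}: {action}")
```

Note that the share decision depends on the label recorded at upload time: a connector that only sees share events, with no classification of the content, can tell you who a file was shared with but not whether that sharing matters. The catch-all `"UNKNOWN"` label is where a real deployment would trigger a scan of files that predate the connector.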
API connectors provide visibility and control for sanctioned SaaS applications, but how do you gain visibility and control for unsanctioned cloud applications?
CASBs use forward proxies to ensure all cloud application traffic goes through the CASB solution. This is achieved through:
- on-premises appliances (virtual or physical) to route traffic from the premises to the cloud
- client-side software or PAC files
- domain name system (DNS) redirection.
While forward proxies provide control, they also increase friction by requiring additional configuration by users, either through proxy configuration or client installations.
Reverse proxies redirect users trying to access sanctioned SaaS applications through the CASB service, regardless of where they try to access it from.
This is achieved by setting the CASB solution as the designated authentication source for the given SaaS application. The CASB then forwards the authentication request to the identity and access management (IAM) system and, crucially, routes all subsequent traffic through itself as well, allowing it to inspect traffic to and from the sanctioned SaaS application.
In order to gain visibility of cloud usage throughout the organisation, proxy and firewall logs can be submitted to the CASB solution to provide a comprehensive analysis of cloud activity in the organisation.
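An added example of the log-submission step, written here to illustrate the idea rather than taken from the post or from any CASB product: it parses constructed proxy log lines, maps each destination host onto a small constructed application catalogue by DNS suffix, and aggregates usage per application so that unsanctioned, high-risk applications stand out. The log format, host names, risk scores and sanctioned flags are placeholders, not assessments of any real product.

```python
"""Added example: discovering cloud application usage from proxy logs. The
log lines, the catalogue and its risk ratings are constructed for
illustration and are not any CASB's real catalogue or format."""

# Constructed proxy log lines:
# timestamp user client-ip method host bytes-sent bytes-received
PROXY_LOG = """\
2017-03-09T09:01:12Z alice 10.1.1.5 POST api.dropboxapi.com 524288 1200
2017-03-09T09:02:40Z alice 10.1.1.5 GET www.dropbox.com 800 20480
2017-03-09T09:05:03Z bob 10.1.1.9 POST upload.filedrop.example 83886080 900
2017-03-09T09:06:30Z carol 10.1.1.12 GET outlook.office365.com 1500 65536
2017-03-09T09:07:10Z bob 10.1.1.9 POST api.box.com 1048576 700
2017-03-09T09:09:55Z dave 10.1.1.20 GET news.example 600 40000
"""

# Constructed catalogue: host suffix -> (application, risk 1-5 (5 = worst), sanctioned?)
# The scores are arbitrary placeholders, not assessments of the products named.
CATALOGUE = {
    "dropbox.com": ("Dropbox", 3, True),
    "dropboxapi.com": ("Dropbox", 3, True),
    "box.com": ("Box", 2, True),
    "office365.com": ("Office 365", 1, True),
    "filedrop.example": ("FileDrop (constructed)", 5, False),
}


def lookup(host, catalogue=CATALOGUE):
    """Match a host against catalogue entries by DNS suffix; longest suffix wins.
    Matching on '.' + suffix avoids treating 'evil-dropbox.com' as Dropbox."""
    best = None
    for suffix, entry in catalogue.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, entry)
    return best[1] if best else None


def analyse(log_text, catalogue=CATALOGUE):
    """Aggregate per-application usage: users, bytes uploaded, risk, sanction status."""
    report = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, method, host, sent, received = line.split()
        entry = lookup(host, catalogue)
        if entry is None:
            continue  # not a catalogued cloud application; a real CASB would classify it
        app, risk, sanctioned = entry
        rec = report.setdefault(app, {"users": set(), "upload_bytes": 0,
                                      "risk": risk, "sanctioned": sanctioned})
        rec["users"].add(user)
        rec["upload_bytes"] += int(sent)
    return report


def unsanctioned_high_risk(report, min_risk=4):
    """Applications to review: unsanctioned and rated at or above min_risk."""
    return sorted(app for app, rec in report.items()
                  if not rec["sanctioned"] and rec["risk"] >= min_risk)


if __name__ == "__main__":
    rep = analyse(PROXY_LOG)
    for app, rec in sorted(rep.items()):
        print(f"{app:24} users={len(rec['users'])} upload_bytes={rec['upload_bytes']} "
              f"risk={rec['risk']} sanctioned={rec['sanctioned']}")
    print("review:", unsanctioned_high_risk(rep))
```

The useful signal here is bytes sent rather than received: a user pushing 80 MB to an uncatalogued or unsanctioned file-sharing host is the case the visibility bullet points above are about. Firewall logs carry less (often only IP and port), so they give a coarser picture unless the CASB resolves destinations back to applications itself.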
To find out more about why balancing effective cloud usage and security should be a top priority in your organisation, and how to keep your data secure, take a look at our managed cloud security service.