This methodology was predicated on the fact that we need to assure our employees, customers, and shareholders that we were able to provide adequate Confidentiality, Integrity, and Availability (The CIA-Triad) for the sensitive data/intellectual property residing in physical data centers.
We have installed Firewalls, Intrusion Prevention, AntiMalware, Data Loss Prevention, Secure Email, VPN, etc... All with the intent on providing a stack of security capabilities to protect data withing our corporate network. Within our corporate data centers.
Simultaneously, our lines of business are becoming more agile, more complex, and more attune to services available "in the cloud". Shadow IT is the new trend. Lines of Business can and are spinning up new services at an aggressive rate to keep up with their online competition. Our ability to manage them "technically" as opposed to by policy has been almost non-existent.
We as Security Experts, are scrambling to augment our "bricks and mortar" based Defense in Depth strategy with Cloud Services, but the path is not presently clear.
Very recently, a niche market has developed to fill this void. Several vendors identifying themselves as Cloud Access Security Brokers (CASBs) have defined a strategy to mitigate this problem. CASBs are either on-premise, or cloud-based (or both) security policy enforcement points. Placed between your end users and the various cloud service providers, they can inspect traffic, manage and enforce policy, alert on anomalous behavior, and in most cases provide some level of DLP enforcement.
Either leveraging existing Single Sign On providers, or corporate Active directory services, these Cloud Access Security Brokers can identify individuals' access into Cloud Service Providers that are affiliated with the broker. Currently these number in the hundreds if not thousands. For "Sanctioned" Cloud Applications (those services for which your enterprise has procured directly) end user access can be strictly enforced by context:
- Who you are (Role based access)
- Where you are coming from (corporate network, public Internet, wifi, geographic region)
- What device you are using (Corporate laptop, Home PC, Tablet or phone)
- What time of day you're working (Are you authorised to work during this time?)
This Context Awareness also allows the CASB providers to employ heuristic analysis on Cloud bound traffic, to do some form of anomaly detection to identify malicious or erroneous traffic. This is an area that they are all investing heavily in today.
Most of the Cloud Access Security Brokers provide granular encryption, but only three provide Tokenization of your Corporate Data in the Cloud. This can be as coarse as entire records or documents, or as fine grained as a field in a form. Adallom has also leveraged the Right's Management functionality of Checkpoint's Capsule to secure data in the cloud, while allowing trusted collaboration.
For more on Tokenization vs encryption, please see my articles: Tokenization as a companion to Encryption and Toronto based PCI Compliance upstart Blueline brings holistic solution to Voice-Web-POS
One of the strengths of some of the Cloud Access Security Brokers is the ability to identify and report on employee access to "Shadow IT" cloud services. "Shadow IT" are described as services that the corporation has not subscribed to as a whole, or has not specifically provisioned for the user in question. These typically include Cloud Storage facilities like Box or Dropbox. Again, if the CASB has an affiliation with the cloud service provider, these can be managed by policy, otherwise they can be flagged and alerted on to your security operations team for manual remediation.
Several of these CASBs provide on-premise inspection and policy gateways to augment your corporate network controls and provide definitive logical access control to the cloud services from within the corporate network. These on-premise gateways complement the cloud based CASB services and provide for a hybrid view of data movement.
Since their emergence in 2012, CASBs have grown in importance and today are the primary technical means of giving organizations more control over SaaS security. This technology will become an essential component of SaaS deployments by 2017.
By 2016, 25% of enterprises will secure access to cloud-based services using a CASB platform, up from less than 1% in 2012, reducing the cost of securing access by 30%.
Gartner has defined the four pillars of CASB as:
As of this time, there are about twelve companies playing in this space. I would like to highlight the leaders at the moment.
(In alphabetical order, and in their own words. ie: pilfered from their websites.)
Adallom delivers an extensible platform to secure and govern cloud applications. In addition to discovering almost 13,000 cloud services in use, Adallom offers comprehensive controls for data sharing, data security, DLP, eDiscovery and access control. The Adallom platform also integrates with existing on-premises solutions such as SIEMs, MDMs, NACs and DLPs. Adallom has identified new malware attacks in the wild, including a Zeus variant attacking Salesforce, and an identity token hijacking vulnerability affecting Office 365. On April 21st, Adallom announced an HP partnership where its platform will be resold on the HP price list, and offered with the HP Enterprise Security Products and Enterprise Security Services portfolio. https://www.adallom.com
Bitglass the Total Data Protection company, is a Cloud Access Security Broker, founded in 2013, that delivers innovative technologies that transcend the network perimeter to deliver total data protection for the enterprise - in the cloud, on mobile devices and anywhere on the internet. Bitglass delivers the security, visibility, and control that IT needs to enable mobile and cloud in the workplace, while respecting user privacy.
CipherCloud is a cloud security software suite that encrypts data during the upload process, and decrypts during download. The encryption keys used for this process remain within your business network; thus, unauthorized users accessing data in the cloud will only see indecipherable text.
CipherCloud also comes with built-in malware detection and data loss prevention. There are specific builds for commonly used cloud applications such as Salesforce, Office 365, Gmail and Box, as well as a variant that can be configured to work with any cloud-based applications your business uses.
Netskope is a leader in cloud app analytics and policy enforcement. Netskope aims to eliminate the catch-22 between being agile and being secure and compliant by providing visibility, enforcing sophisticated policies, and protecting data in cloud apps.
Netskope is a service that discovers and monitors cloud apps and shadow IT used on your network. Netskope monitors users, sessions, shared and downloaded content as well as the shared content details, and provides detailed analytics based on this information.
Perspecsys' AppProtex Cloud Data Protection Platform provides a flexible cloud data control platform that enables organizations to identify and monitor cloud usage and then encrypt or tokenize data that it does not want to put in the cloud “in the clear”. The Platform intercepts sensitive data while it is still on-premise and replaces it with a random tokenized or encrypted value, rendering it meaningless should anyone outside of the company access the data while it is being processed or stored in the cloud.
Skyhigh Networks enables organizations to adopt cloud services with appropriate security, compliance, and governance. Skyhigh supports the entire cloud adoption lifecycle, providing unparalleled visibility, analytics, and policy-based control. Specifically, Skyhigh shines a light on Shadow IT by giving a comprehensive view into an organization’s use and risk of all cloud services. Skyhigh analyzes the use of all cloud services to identify anomalous behavior indicative of security breaches, compromised accounts or insider threats. Finally, Skyhigh enforces the organization's policies on the use of over 12,000 cloud services by providing contextual access control, structured and unstructured data encryption and tokenization, data loss prevention, and detailed cloud activity monitoring for forensic and compliance purposes.
While conducting this review of the CASB market, I looked at a number of Security Controls that I would expect a mature Access Broker to provide. I've laid this out in accordance with Gartner's four pillars:
Visibility, Data Security, Compliance and Threat Prevention.
If you think I have omitted your favorite Cloud Access Security Broker, or have mis-represented a control above, please have them forward details to me including their position on each of the items in the above controls list. After validating each, I will gladly amend the list.
Although the CASB market space is still in it's infancy, the main players have done a good job defining - and meeting - most of the requirements of an off-premise security service.
I'm interested to see what happens to this space over the next three years. My money is on convergence of CASB, SSO, and Mobile Security providers.
Standing at the Crossroads: Employee Use of Cloud Storage.
Gartner: The Growing Importance of Cloud Access Security Brokers
Gartner: Emerging Technology Analysis: Cloud Access Security Brokers
Bitglass: The Definitive Guide to Cloud Access Security Brokers
CipherCloud looks to stay at the head of the cloud security class
Ciphercloud: 10 Minute Guide to Cloud Encryption Gateways
Ciphercloud: Cloud Adoption & Risk Report in North America & Europe – 2014 Trends
NetworkWorld: How the cloud is changing the security game
Adallom: The Case For A Cloud Access Security Broker
Adallom: Cloud Risk Report Nov 2014
Check Point Capsule and Adallom Integration
HP - Adallom: Proven Cloud Access Security Protection Platform
Adallom : to Offer Comprehensive Cloud Security Solution for Businesses With HP
PingOne - Skyhigh: PingOne & Skyhigh Cloud Security Manager
ManagedMethods: Role of Enterprise Cloud Access Security Broker
Standing at the Crossroads: Employee Use of Cloud Storage.
Cloud Computing: Security Threats and Tools
SC Magazine: Most cloud applications in use are not sanctioned