Tactical Ten: Cloud Access Security Brokers


What Is It? CASB, usually pronounced “KAZ-BEE” in a style reminiscent of the 1982 hit by The Clash, “Rock the Casbah”, is a technology that arrived not long after the rise of cloud computing, showing yet again that security is usually a thought behind the functionality we desire. “Can we do this?” “Yes, we can, and here’s how we do it.” “Cool. So, how do we secure it?” Blank stares follow.

A CASB mostly sits between you and your chosen cloud, either public or private, and is deployed as an on-premises, cloud-based (SaaS), or hybrid enforcement point. Its role is to interject your security policies on-the-fly as the resources are accessed to make sure that nothing nefarious happens (there is that word again). Rather than being a one-trick pony, a CASB can enforce a large number of security policies, which can include single sign-on (SSO), authorisation, encryption, logging and alerting, malware detection and prevention, device profiling, and even mapping credentials to resources. There are many other uses, but let’s not get ahead of ourselves here!

Another term you may hear when dealing with CASB is “Tokenisation”, which is switching something sensitive, such as your data, for something that is not — the token. This token maps to the data through a tokenisation system, kind of like how you would check your coat at a fancy restaurant and the clerk gives you a number. The token itself is practically useless for working out what data it maps to; only the tokenisation system knows. The tokenisation system should be protected with the same best practices and to the same level as the rest of the data — you don’t want it to become the weak link! When the tokenisation system gets the right token, it can “detokenize” the data for access. An analogy is going to the post office with a delivery notice to get your online purchases.
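The coat-check idea above as a small Python sketch. This is an added example, not code from any CASB product: the `TokenVault` class, the caller names and the card number are constructed for illustration. It shows that the token is random, that the same value gets the same token back, and that holding a token is not enough to detokenise.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Toy tokenisation system (hypothetical): only the vault maps token to data."""

    def __init__(self, authorised):
        self._authorised = set(authorised)         # callers allowed to detokenise
        self._index_key = secrets.token_bytes(32)  # keys the duplicate-lookup index
        self._by_token = {}                        # token -> sensitive value
        self._by_index = {}                        # HMAC(value) -> token
        self.audit = []                            # (caller, action) records

    def tokenise(self, caller, value):
        idx = hmac.new(self._index_key, value.encode(), hashlib.sha256).digest()
        token = self._by_index.get(idx)
        if token is None:
            # Random token: nothing about the value can be derived from it.
            token = "tok_" + secrets.token_urlsafe(16)
            self._by_index[idx] = token
            self._by_token[token] = value
        self.audit.append((caller, "tokenise"))
        return token

    def detokenise(self, caller, token):
        if caller not in self._authorised:
            self.audit.append((caller, "denied"))
            raise PermissionError(f"{caller} may not detokenise")
        if token not in self._by_token:
            self.audit.append((caller, "unknown-token"))
            raise KeyError("unknown token")
        self.audit.append((caller, "detokenise"))
        return self._by_token[token]


def demo():
    vault = TokenVault(authorised={"billing"})
    card = "4111 1111 1111 1111"  # constructed test value
    token = vault.tokenise("crm-upload", card)
    repeat = vault.tokenise("crm-upload", card)   # same value, same token
    try:
        vault.detokenise("cloud-app", token)      # holds the token, not the right
        denied = False
    except PermissionError:
        denied = True
    clear = vault.detokenise("billing", token)
    return token, repeat, denied, clear, vault.audit
```

The vault's mapping and index key are the sensitive part here, which is why the tokenisation system needs the same protection as the data it stands in for.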

According to Gartner, by 2020, up to 60% of large enterprises will use a CASB solution to govern cloud services, whereas presently, less than 10% do. If you’re not talking about CASB now, you probably will be very soon. And more than just the large enterprises may benefit. Smaller businesses, without the expensive security budgets, can benefit from the flexible options out in the market right now.

Where Do I Start? The obvious question is to ask yourself if you need CASB, but first, ask yourself if you have any cloud services now or will soon. Odds are you do, and you will. With the rise of AWS, Azure, and an endless number of private clouds available, CASB should be on the radar. Not just on the radar, but closing into the centre fast. Rare is the organisation that is entirely in-house these days to exercise nearly full control. Even using a colocation datacentre allows a fair degree of control, just like in-house, but moving to the cloud presents unique challenges.

Many organisations I have spoken with over the past five years or more have adopted a cloud-first strategy and endeavour to have any new systems as cloud-based while migrating existing systems to the cloud at the same time. CASB, as you can understand, is a critical safeguard of this mass exodus of locally-controlled systems and data.

Let’s just say that you have all your systems in-house and something terrible happens. You can quickly run to the server room and pull a cable out of a router or firewall. Maybe the Internet or email goes down for a bit while you get it sorted out, but you’re in control. Now, let’s imagine you are fully cloud-based, and you get breached. Someone evil has access to your cloud. You run to the same server room and pull the cable. Only now the bad guys still have access, and you don’t. You’ve effectively turned yourself into an island, and the guy getting voted off the island at Tribal Council and getting their torch extinguished is the one holding the blue copper cable (or fibre). Thanks, Survivor!

If you answered yes to anything cloud about your business, you need CASB as part of your Cyber Security Strategy. In terms of the vendors to start with, you have a few options. According to either Gartner or Forrester, there are a few leaders, but you should always consider the challengers and others because they may offer something specific that you need. Get the right people involved and do your homework.

How Do I Make It Work? There are a few ways to implement CASB, but it sits between you and your cloud of choice. Its role is two-fold, but the functions are not mutually inclusive. You can perform security or management or, as I recommend, both. Security, in general, is the prevention of risk relating to your cloud computing. Management is the mitigation of risk. There is probably little point in implementing security without some means of managing it. If we focus too much on the “Before” of a breach, we’re in trouble. We will flounder when it comes to the “During” and “After” of same. Also, the more you know about what is happening and has happened, the better positioned you will be from here on out.

Whether security or management or both, there are four key functionalities to consider. These include Visibility, Data Security, Threat Protection, and Compliance. Visibility is important because it allows you to keep an eye on both sanctioned and unsanctioned activities. What is an example of “sanctioned”? Your use of cloud services, such as Office 365. What are “unsanctioned”? Think, Shadow IT. If you’re using the cloud, you can bet others are using it too beyond your knowledge and control.

Data security is the obvious one. Cloud computing presents a unique challenge. While the data is yours, the systems that store and process it are probably not. Threat protection permits you to control devices, users, and even application versions, and can watch for anomalies through user behaviour and other types of analytics. Programs have their nuances, even malware. Compliance is a far greater concern, especially with more and more regulations on who can do what, with what, and how. Think about the General Data Protection Regulation (GDPR) or Mandatory Data Breach Notification here in Australia.

CASB for security resides in line with your data path and can consist of an agentless deployment or agent-based deployment. An agent-based CASB deployment requires proxy agents on each endpoint, including in the cloud itself and on the endpoints in your enterprise. These can be difficult to deploy and are best suited where the assets are corporate-owned and managed. Think, for example, of installing endpoint protection clients. Agentless, on the other hand, can cover all devices, whether company-owned or not, and is much quicker to deploy. Many of us operate in a BYOD capacity with our mobile devices, and just as many would object to having a third party exercise control over them.

Agentless deployments only concern themselves with corporate data, ignoring personal data unless otherwise configured. Agent-based CASB, however, will concern itself with both corporate and personal data. You must ask the right questions as to which solutions suit your enterprise best, but odds are an agentless solution may be your preferred choice; just don’t ignore an agent-based deployment until you know for sure. Even consider Hybrid if that suits you better.

CASB for management is more of an after-the-fact environment: it can use APIs to inspect data in the cloud for events, and it can yield a wealth of information to allow you to stay on top of things. You could, for example, feed data from proxy, gateway, or firewall logs into CASB for analysis of cloud-based activity such as access, application usage, and so on.
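A sketch of the kind of analysis described above: proxy log lines are checked against a list of sanctioned services to surface Shadow IT usage. This is an added example, not output or code from a CASB product; the log format, the `.example` domains, the user names and the 10 MiB threshold are all constructed assumptions.

```python
from collections import defaultdict

# Assumed allowlist of sanctioned cloud services (constructed domains).
SANCTIONED = {"office365.example", "sharepoint.example"}

# Constructed proxy log lines: timestamp user method host bytes_out
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice POST mail.office365.example 18234
2024-05-01T09:02:13Z bob POST files.shadowshare.example 52428800
2024-05-01T09:05:40Z bob POST files.shadowshare.example 73400320
2024-05-01T09:07:02Z carol GET notes.pastebox.example 512
malformed line
2024-05-01T09:09:55Z alice PUT docs.sharepoint.example 40960
"""


def is_sanctioned(host):
    # Match the domain itself or a true subdomain, so a look-alike such as
    # "notoffice365.example" is not treated as sanctioned.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SANCTIONED)


def parse(line):
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None  # count as skipped rather than guessing at fields
    _ts, user, _method, host, nbytes = parts
    return user, host, int(nbytes)


def unsanctioned_uploads(log_text, threshold_bytes=10 * 1024 * 1024):
    """Return (bytes per (user, host), pairs over threshold, skipped lines)."""
    totals = defaultdict(int)
    skipped = 0
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            skipped += 1
            continue
        user, host, nbytes = rec
        if not is_sanctioned(host):
            totals[(user, host)] += nbytes
    alerts = sorted(k for k, v in totals.items() if v >= threshold_bytes)
    return dict(totals), alerts, skipped


if __name__ == "__main__":
    print(unsanctioned_uploads(SAMPLE_LOG))
```

Reporting the skipped-line count matters in practice: a parser that silently drops lines it cannot read leaves a blind spot in exactly the visibility the CASB is meant to provide.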

An API-only CASB can offer management-only via APIs from some of the significant cloud-based services available and can give you value through some degree of visibility. I’m more inclined to use a multi-mode CASB for both security and management. Newer offerings even include a degree of zero-day protection against known and unknown threats. They may effectively knock down the risk before it ever reaches you or you ever become aware. You know, those things that go “bump” in the night?

The Bogeyman notwithstanding, you need to have a good understanding of your cloud computing environment and needs to know what solution works best for you. You may lean towards a multi-mode, agentless CASB deployment, or you may find an agent-based solution suits your environment better. Ask the questions, get the answers, and make an informed decision.

Pitfalls? The most apparent trap is having a cloud-first strategy that lacks adequate security controls. The data is leaving your premises, and it can be a long way with a lot of stops in the middle before it gets back to your controlled space. Like any road trip with many stops, you must secure your data. The creatures that inhabit those spooky roadside rest areas exist in a virtualised sense as well. That end-to-end control must be maintained.

You should also carefully consider the type of deployment you are using because if you choose one over the other without considering your data, applications, users, and workspaces, you may find you’re leaving gaps. Imagine, for example, an agent-based CASB deployment, but you cannot take your computer on the road, so productivity could take a hit while you are away. There are many scenarios, so ensure you choose the one that suits your workforce style the best.

Base your CASB implementation on use cases over technical architecture. Function before fashion!

Ghosts in The Machine? Like any other environment, you must secure the endpoints. Let’s say you have CASB fully deployed, but a lax security policy allows a malicious entity to gain access to the cloud using a “trusted” system. Yes, there are ways to mitigate this very possibility, but it illustrates that no single strategy can stand alone. CASB, in and of itself, is not a silver bullet but is much more effective when combined with several strategies. What strategies, you may ask? Perhaps revising the previous 37 articles on the ASD mitigation strategies is an excellent place to start.

Anything Missing? Be sure that whichever CASB solution you select aligns with both your internal infrastructure and your selected cloud services. For the most part, the available solutions play nice with each other, but it never hurts to be sure. When having the conversation with your CASB service providers and experts, be sure to disclose these. Odds are they’ll ask first, but be prepared to cover all bases.

Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through Shutterstock.
