As organizations put more of their information on the cloud and conduct more of their business there, they’re discovering that the process of tracking their data is becoming more complicated — and occasionally out of their hands.
While they’re able to monitor data being transferred within the company, they’re not always able to see exchanges from one app to another — for example, when an employee shares company information stored on Box.com to a personal email.
“All of our existing network security infrastructure becomes blind to data transfers that happen in the cloud,” said Srini Gurrapu, McAfee’s chief cloud evangelist, speaking at CDW’s Managing Risk SummIT in Boston.
Cloud access security brokers provide a new security avenue for companies that want to store information in the cloud, giving them ways to track east-west traffic, to monitor shadow IT and to kick suspicious users off their networks.
CASBs create visibility in areas of the network that companies weren’t previously able to see, said Eric Andrews, vice president of cloud security for Symantec. “And not only can I discover risky apps, I can do something about them,” he added.
The average corporate network contains about 2,000 cloud-based apps, Gurrapu said, everything from Office365 to employees’ personal Google Suite accounts. “The cloud means easy sharing,” he said. “That’s a major, major security risk.”
How CASBs Create a Secure Environment
Among the functions that CASBs can provide:
- The ability to see information flowing from cloud to cloud, and the ability to stop it if the activity looks suspicious. For example, a company can keep data encrypted even after it’s been downloaded, “and make sure the user has to phone home in order to gain control to that content. They can’t open it without authorization,” Andrews said.
- More sophisticated user authorization. Most companies use a simple sign-on procedure; once you’re in, you’re in, Andrews said. But what if someone who is legitimately logged in begins behaving suspiciously? “You want to be able to do things on the fly. You want adaptive authorization,” he said. “As the threat elevates on that user, I can push back to get that user off the system and make them re-verify.”
- Coordination among cloud services and on-premises technology. If an organization already has data-loss prevention technology in place, it should be able to coordinate with the cloud service provider to create one monitoring system, Andrews said. CASBs help to integrate the technologies so that the organization has one system with one set of policies. “This is all happening on the back end,” he said. “I don’t have to build new filters every time I find a risky app.”
CASB Challenges Still Exist for Businesses
CASBs have a few hurdles still to overcome: no industrywide standards exist for them yet, though Gurrapu said that’s being worked on. And they’re not effective for situations that involve money transfers.
“The industry is struggling a little in terms of coming up with new best practices,” Andrews said. “This whole migration to cloud is putting a strain on organizations from a people and process standpoint.”
But the hope — and the early experience — is that CASBs create an environment where more risk is spotted earlier, and resolved more quickly.
“It’s an automated watchdog looking over the shoulders of your users,” Andrews said.
Check out our event page for more articles and videos from the Managing Risk SummIT.