Cloud Security: Creating Borders in Borderless Environments
The Cloud has fundamentally changed the IT consumption model and enabled businesses to rethink their go-to-market strategies to become nimbler and more innovative at a lower entry point. Because of this transformation, Cloud has become the biggest change in IT since the introduction of the desktop computer. With change comes new benefits and challenges.
Traditional security methods were built around a centralized data model and limited device access. While these traditional tools still have value, they leave gaping holes in a borderless environment. As a result, the Cloud Access Security Broker (CASB) market has emerged to help enable a centralized view, control, and protection over all data and access devices regardless of location. A CASB is sometimes also referred to as a Cloud Security Gateway (CSG). In its simplest form, a CASB is software that sits between the cloud provider and the cloud consumer to extend and enforce corporate security policy, governance, and compliance into the cloud.
We hear about cloud data breaches almost daily. There are two trends with these breaches: they tend to be self-inflicted, and they are getting more costly.
Gartner estimates that through 2023, at least 99% of cloud security failures will be the customer’s fault.
According to the Ponemon Institute, the average cost of a data breach is now $3.8 million.
There are two general methodologies corporations have traditionally used to address IT security:
Protect the heart of what matters: the data
Protect the devices and highways that access the data: endpoints, networks, etc.
The concepts behind CASB are designed to integrate with these methodologies and technologies while restoring the centralized command and control that traditional security solutions lose in a Cloud environment.
CASB is a relatively young and emerging market, and therefore in some respects it has become a catch-all for cloud-based security solutions. Many providers claim to be part of the CASB market since it is the latest cloud security buzzword. However, most true CASB solutions address many of the same security and compliance gaps in a cloud environment.
Let’s take a closer look at the benefits of the CASB model.
Visibility: A CASB can provide the ability to see traffic to, from, and between cloud services, users, and endpoints anywhere. Just as importantly, it can help identify Shadow IT services so IT can bring them under corporate security, governance and compliance requirements.
Data Security: Data discovery and classification are at the core of CASB security. A centralized and unified policy engine drives the access, sharing, collaboration, DLP, tokenization, logging, alerting, profiling and remediation rules that are applied to implement and enforce corporate policy. Encryption of structured and unstructured data at rest, monitoring of data in transit, and information rights management have also been incorporated into many solutions. Many solutions also leverage anti-malware and endpoint detection and response (EDR) solutions.
Threat Protection: Behavior analytics, user activity monitoring and machine learning are at the heart of many solutions. By learning what “normal” behavior looks like and how it is normally responded to, CASBs can detect deviations and take corrective action.
Compliance: Through the above benefits of visibility, control and reporting, an organization can produce the information it needs to report on and abide by various compliance and governance requirements. In addition, the ability to monitor and manage the security posture of the cloud control plane in many SaaS environments provides continuous security controls and compliance.
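To make the Data Security benefit concrete, here is an added illustration (not code from the original article, and not any vendor's product) of the kind of centralized policy engine described above: documents are classified by content, and a sharing request is then allowed, encrypted, or blocked according to a label-by-recipient policy table. The sensitivity labels, the policy table, the regular expressions, the corporate domain example.com and all sample documents are constructed assumptions; the card-number check uses the standard Luhn checksum so that arbitrary digit runs are not mislabeled.

```python
"""Minimal CASB-style data classification and sharing-policy engine.

Added illustration, not code from the original article or from any CASB
vendor. Labels, policy rules, patterns and sample records are constructed.
"""
import re
from dataclasses import dataclass

# Candidate 13-16 digit runs (spaces or dashes allowed between digits).
# Each candidate is confirmed with the Luhn checksum before it is treated
# as payment card data.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# Constructed pattern for a 9-digit national ID written as 123-45-6789.
NATIONAL_ID_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> str:
    """Map a document body to a sensitivity label (constructed scheme)."""
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return "RESTRICTED"      # verified payment card number present
    if NATIONAL_ID_RE.search(text):
        return "CONFIDENTIAL"        # national ID pattern present
    return "INTERNAL"


@dataclass
class ShareRequest:
    doc_id: str
    body: str
    recipient: str                   # e-mail address of the share target
    corp_domain: str = "example.com" # assumed corporate domain

    def is_external(self) -> bool:
        return not self.recipient.lower().endswith("@" + self.corp_domain)


# Policy table: (label, recipient is external?) -> action. Constructed.
POLICY = {
    ("RESTRICTED", True): "block",
    ("RESTRICTED", False): "encrypt",
    ("CONFIDENTIAL", True): "block",
    ("CONFIDENTIAL", False): "allow",
    ("INTERNAL", True): "allow_and_log",
    ("INTERNAL", False): "allow",
}


def evaluate(req: ShareRequest) -> dict:
    """Classify the document and return the decision plus an audit record."""
    label = classify(req.body)
    external = req.is_external()
    action = POLICY[(label, external)]
    return {
        "doc_id": req.doc_id,
        "label": label,
        "external": external,
        "action": action,
        "alert": action == "block",  # blocked shares raise an alert
    }


if __name__ == "__main__":
    # Constructed sample share requests; 4111 1111 1111 1111 is the
    # well-known Luhn-valid test card number.
    samples = [
        ShareRequest("d1", "Invoice paid with card 4111 1111 1111 1111", "partner@other.org"),
        ShareRequest("d2", "Invoice paid with card 4111 1111 1111 1111", "bob@example.com"),
        ShareRequest("d3", "Applicant ID 123-45-6789 attached", "recruiter@agency.example"),
        ShareRequest("d4", "Lunch menu for Friday", "partner@other.org"),
    ]
    for r in samples:
        print(evaluate(r))
```

The policy table is deliberately data rather than code: when the compliance team changes what may leave the company, the rule changes without touching the classifier, and every decision is returned as an audit record the logging and alerting rules can consume.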
Some products address only a subset of these benefits, and more comprehensive CASB solutions may consist of multiple products or modules to realize all of them.
There are three general CASB deployment methods (log collection, API, and proxy); each provides coverage for different users, access scenarios, and functionality.
Log collection: Event logs are collected from infrastructure components such as firewalls, secure web gateways, and SIEMs. Log collection is sometimes leveraged for anomaly detection, performance and configuration issues, and root cause analysis. Because events are analyzed after the fact, log collection is reactive rather than real time.
API: IaaS and SaaS providers may allow direct integration through APIs to provide functionality such as data and user visibility and enforcement. API is generally considered the preferred method for a specific cloud resource since it integrates the security model directly into that cloud resource, minimizes any performance impact, has visibility into all traffic to that resource, scales better than the proxy method, and secures all traffic to the cloud resource. The challenge with API is that it is specific to the cloud resource it is tied to, and it neither sees nor secures traffic to other services.
Forward Proxy: deployment between the endpoint and the cloud service where the user is directed to the CASB proxy
Reverse Proxy: deployment between the endpoint and the cloud service where the cloud service routes traffic to the CASB proxy
Both forward and reverse proxy solutions are in-line and can take security action in real time. However, proxy solutions can impact performance since traffic is forced through a common interface; they may miss traffic from users for whom the proxy is not configured or from endpoints that do not support proxies, and they may not capture some cloud-to-cloud traffic.
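As an added illustration of the log-collection deployment method and of the Shadow IT visibility it provides (this is not code from the original article or from any CASB vendor), the script below parses secure-web-gateway access records, aggregates users and uploaded bytes per cloud host, and reports the cloud services that are in use but not on the sanctioned list. The log line format, the sanctioned-service list, the cloud-app catalogue and every log line are constructed assumptions; a real deployment would read the gateway's or firewall's own export format and a vendor-maintained app catalogue.

```python
"""Shadow IT discovery over secure-web-gateway logs, CASB log-collection style.

Added illustration, not code from the article or any vendor. The log format,
the sanctioned-service list, the app catalogue and the log lines are all
constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed: cloud services IT has reviewed and approved.
SANCTIONED = {"mail.example-saas.com", "drive.example-saas.com"}
# Constructed: registrable domains of known cloud apps and their category.
KNOWN_CLOUD_APPS = {
    "example-saas.com": "collaboration",
    "pastebin-like.example": "file sharing",
    "chat-app.example": "messaging",
}

# Constructed gateway format: timestamp user method url status bytes_sent bytes_received
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>GET|POST|PUT) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<sent>\d+) (?P<recv>\d+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed record, or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    rec["sent"] = int(rec["sent"])
    rec["recv"] = int(rec["recv"])
    return rec


def registrable(host: str) -> str:
    """Crude registrable-domain cut (last two labels); enough for the sample."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def discover(lines):
    """Aggregate per cloud host: users seen, bytes uploaded, sanctioned or not."""
    agg = defaultdict(lambda: {"users": set(), "uploaded": 0, "requests": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                       # skip malformed lines, keep going
        a = agg[rec["host"]]
        a["users"].add(rec["user"])
        a["requests"] += 1
        if rec["method"] in ("POST", "PUT"):
            a["uploaded"] += rec["sent"]   # client-to-cloud bytes only
    report = []
    for host, a in agg.items():
        category = KNOWN_CLOUD_APPS.get(registrable(host))
        if category is None:
            continue                       # not a cloud app in the catalogue
        report.append({
            "host": host,
            "category": category,
            "sanctioned": host in SANCTIONED,
            "users": sorted(a["users"]),
            "requests": a["requests"],
            "uploaded_bytes": a["uploaded"],
        })
    # Unsanctioned services first, highest upload volume first within a group.
    return sorted(report, key=lambda r: (r["sanctioned"], -r["uploaded_bytes"]))


def shadow_it(lines):
    """Only the cloud services in use that IT has not sanctioned."""
    return [r for r in discover(lines) if not r["sanctioned"]]


# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
2024-05-01T09:01:02Z alice GET https://mail.example-saas.com/inbox 200 512 20480
2024-05-01T09:03:10Z bob POST https://drive.example-saas.com/upload 201 1048576 300
2024-05-01T09:05:44Z bob POST https://share.pastebin-like.example/new 200 5242880 210
2024-05-01T09:06:01Z carol PUT https://share.pastebin-like.example/f/1 200 2097152 180
2024-05-01T09:07:30Z alice GET https://www.chat-app.example/ 200 300 4096
this line is malformed and is skipped
""".splitlines()

if __name__ == "__main__":
    for row in shadow_it(SAMPLE_LOG):
        print(row)
```

The output is a prioritized list: the unsanctioned file-sharing host with several megabytes uploaded by two users sorts above the messaging site that was merely browsed. That ordering is the point of the visibility benefit, since it tells IT which Shadow IT service to bring under policy first. It is also a reminder of the method's limits stated above: the report is built from yesterday's logs, so the uploads it surfaces have already happened.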
CASB is still an emerging market. Gartner expects CASB to be deployed in more than 60% of enterprise organizations by 2022, up from less than 20% today. As more IaaS, SaaS, and PaaS providers make APIs available, scalability and controls will continue to improve, management overhead will be reduced, and the end user experience will become seamless.
It is the transformation to a new IT consumption model that drove the creation of PTP. Our mission is to help dynamic and fast paced companies realize their potential by leveraging the latest technologies that enable infinite innovation and maximize the end user experience.