In 2018, shortly before leaving his job, an engineer who worked for a US Navy contractor transferred over 5,000 files to his Dropbox and emailed a few of the documents to himself. These documents contained sensitive information about company finances and intellectual property pertaining to product designs.
Incidents of data leakage like this have assumed more significance in the present hybrid workforce age. The proliferation of cloud applications used by employees has brought productivity, ease of use, and scalability to work. At the same time, however, it has also brought an increased risk of shadow IT, data exfiltration, and insider threats.
Simply put, you may not know which of the numerous SaaS applications your employees are using contain your organisation’s data. Considering the heightened risk, it’s essential that your organisation broadens its security approach with cloud protection capabilities. A cloud access security broker (CASB) can help you with precisely this.
Making a strong case for a CASB
Analyst firm Gartner first defined the phrase “cloud access security broker” in 2012. A CASB is a solution that sits between an organisation’s users and the various cloud services they access. Because of where it sits, a CASB can not only help an organisation authenticate and authorise users as they attempt to access cloud resources, but it can also enable the organisation to identify what flows in and out of the cloud.
Listed below are four key capabilities offered by a CASB:
- Visibility: While the cloud makes it easier for teams to collaborate, employees still use different unauthorised and unknown cloud applications, known as shadow applications, for better and quicker results. However, the use of shadow applications is a big issue for the IT team. A CASB helps IT security teams overcome the issue of shadow applications by providing visibility into cloud app usage, apps accessed from unmanaged devices, users accessing and modifying data on the cloud, and much more for holistic cloud security monitoring.
- Compliance: A CASB helps with meeting compliance requirements by ensuring the security of data, both in transit and in storage. It also safeguards organisations from data exfiltration by monitoring data leakage from the cloud. A CASB helps meet a variety of compliance standards, including the GDPR, CCPA, HIPAA, and LGPD.
- Data security: One of the core objectives of a CASB is to ensure data security. A CASB monitors access to data on the cloud and identifies unauthorised access to sensitive data. Security features such as data leakage prevention and access control minimise the possibilities of data leakage.
- Threat protection: A CASB provides security against both internal and external threats that organisations face. It learns behaviour patterns of users and develops a baseline. Whenever a deviation from the baseline is noticed, the CASB alerts the security team to remediate the threat.
Ensuring an effective security operations centre
An organisation’s security operations centre may be highly reliant on a security information and event management (SIEM) solution today. Within the next two years, you need to ensure that your SIEM solution either integrates seamlessly with an external CASB or has built-in CASB capabilities. There are five strong reasons for doing so: to address the high uptake of cloud applications, correlate events that happen in different parts of the network, prevent data leaks, provide visibility into shadow IT, and offer visibility into identity and access management (IAM).
Addressing the high uptake of cloud applications
Research suggests that the average employee uses 10 SaaS applications every day, and organisations on average use 254 applications. These applications could range from third-party analytics tools that ingest customer data sets to consumer versions of approved enterprise apps like Microsoft 365 or Google workspace. On top of that, they may use some of these applications on their own mobile devices.
If the risks posed by utilising all these tools were not enough, most organisations today use a multi-cloud environment with various PaaS and IaaS delivery models. This is why organisations need a CASB-enabled SIEM solution that gives visibility into the applications in use and how they are being used. With such a solution, organisations will know the level of risk posed by a particular application.
Correlating events that happen in different parts of the network
Cyberattacks have become sophisticated in recent times; there have been instances of living-off-the-land attacks, cloud malware with initial access in an on-premises server, cloud ransomware and disruptionware, and insider attacks. Organisations need the ability to see patterns and correlate seemingly unrelated events that happen in different parts of the network, and to group them together as a single security incident.
Preventing data leaks
With the advent of cloud apps, there is a substantial risk of both intended and unintended data leaks. For example, an employee in the marketing department may use an app called Font Candy to create vibrant typography. However, this app may be unsanctioned within the organisation, and the employee may have private contact details and classified information stored within it at risk of being leaked. In such a scenario, managing unauthorised uploads of sensitive data and preventing data leaks is crucial. With a CASB, one can enforce cloud security policies and controls to prevent data from being transferred over the internet.
Providing visibility into shadow IT
Nowadays, most organisations have a list of sanctioned cloud apps that employees can use if they wish. These applications could have become sanctioned after the organisation deemed them to be secure and effective for employee productivity. The sanctioned applications are either owned or controlled by the organisation. On the other hand, shadow applications fall outside the ownership or control of IT teams. Shadow applications may have vulnerabilities and loopholes that could be exploited by attackers. A CASB provides visibility into the usage stats of these applications and the identity of users who use these applications frequently.
Offering visibility into IAM
According to Erik Wahlstrom, research director at Gartner, “Organisations shouldn’t replace their IAM programs with CASBs, but rather intersect the two for increased governance and access control of cloud applications.” A CASB can provide better IAM through adaptive authentication and user-based risk analysis. By bringing this capability within SIEM, organisations will be able to see the risky behaviour of users in a single console and use playbooks and workflows to respond to these threats.
A CASB has become an integral part of any organisation’s defence strategy. It can help defend against the use of shadow applications and data exfiltration into the cloud. An effective CASB will integrate seamlessly with a SIEM solution, and will provide network visibility, data security, compliance management, and threat protection. CASBs can help improve the security posture of organisations.
(The author Ram Vaidyanathan, Product Manager, ManageEngine and the views expressed in this article are his own)