
6/7/2017
04:47 PM

Security in the Cloud: Pitfalls and Potential of CASB Systems

The transition to cloud has driven a demand for CASB systems, but today's systems lack the full breadth of functionality businesses need.

Security leaders moving to the cloud are worried about data protection. Many are considering cloud access security broker (CASB) systems to monitor security as they navigate the cloud security space.

Research shows that many organizations lack a full understanding of the cloud services they use and the associated risks, which interferes with compliance and protection. Meanwhile, more sensitive information is being stored in SaaS apps like Office 365, Box, Dropbox, Slack, and others.

CASB is an intermediary to give businesses "a single console approach to providing consistent security and policy management across the hundreds, and even thousands, of unique cloud services an enterprise is using," says Jim Reavis, CEO for the Cloud Security Alliance.

The need for CASB to provide visibility, compliance, data security, and threat protection has grown as IT functions move off-premise and security leaders need more granular visibility and policy management. By 2020, Gartner reports, 85% of large enterprises will use a CASB.

Understanding CASB

"The most common use case for CASBs today is to gain visibility of organizational cloud service usage -- how many cloud services, what are they used for, which departments are using them," says Reavis.

"That information is used to discover policy violations and organizational risks and allow enterprises to take corrective action," he continues. This may include automated remediation, detailed information for manual response, or integration with other security tools in the SOC.

Businesses can use CASB to understand where corporate data is going, detect suspicious activity, scan emails for malicious content and prevent the spread of malware, and stop a range of attacks.

CASB systems are also used for inline data protection, such as encryption or tokenization. This is more popular in regulated environments because it keeps cloud-based data under user control. While it has potential for the long term, says Reavis, this is challenging today because there aren't many technical standards for data protection APIs that cloud providers can use.

Two major deployment methods for CASB are API-based and proxy-based, he explains. API-based involves out-of-band deployment directly integrated with the cloud providers' API interfaces. Proxy-based CASB systems examine identified network traffic flows.

Both API- and proxy-based solutions have benefits and drawbacks. API products enable access by anyone from anywhere, but they don't eliminate access by cloud providers, says Willy Leichter, VP of product and content marketing for CipherCloud. These also depend on the quality and performance of APIs from cloud security providers.

API solutions may vary in quality or not be supported by the CASB vendor. Proxy-based systems may cause an outage for end users if a SaaS app alters its user interface.

Where today's systems fall short

While CASB systems are good for visibility, they don't help solve all the issues they highlight, says Tim Prendergast, founder and CEO at Evident.io. He likens the situation to a doctor telling a patient they have several problems but lacking the ability to fix them.

This poses a challenge to overworked security teams, which may question the benefit of buying a CASB system when they lack people to solve issues it highlights. Many may wonder whether they should have used the funds to hire more talent for assigning and solving problems.

"Data without action is kind of useless," says Prendergast. "Data has to be automatable so your team can solve the problem and move on to bigger projects."

The newness of the cloud has proven a constraint to the evolution of CASB, Reavis adds, because cloud providers still view one another as competition.

"CASBs have to take a lot of different competitive, incompatible cloud services and make a coherent picture for the enterprise," he explains. For API solutions, there is a practical challenge because APIs are inconsistent among different cloud providers.

"It will reflect tensions, competition, and lack of standards if they can't provide as rich of information as if everyone agreed on the same thing," says Reavis.

Predicting the future of CASB

Reavis says the competitive dynamic among CASB providers is a "consequence of newness" and limits the consistency and richness of the service they can provide. However, consolidation is happening. Companies are being purchased and maintaining service with their buyers.

CASB systems will have a difficult time as teams and users become more distributed, says Prendergast. Providers may have to re-architect their systems to monitor traffic of employees logging in from different networks.

For businesses that need to protect sensitive data, CASB solutions should give deep integration with specific clouds, third-party tools, enterprise systems, and workflows, says Leichter. Tools promising advanced data protection should support complex environments and maintain the functionality of cloud applications.

David Waugh, VP of sales and marketing at ManagedMethods, warns of "proxy fatigue" among CASB customers and end users who have to go through a proxy. As CASB adoption increases, he expects API-based tools to be as prevalent as firewalls were in the last decade.

What to know before you buy

Security leaders weighing the pros and cons of CASB systems should think about their infrastructure before purchasing.

"In order for a CASB solution to be effective, businesses need to carefully consider what clouds are business-critical, what data is sensitive, and who needs to access it," says Leichter. "If data protection is applied poorly, it can be a blunt instrument that breaks important cloud functionality."

The need for CASB varies from business to business, Prendergast explains, and it's important to have realistic expectations. If you're hoping to better understand the web and SaaS services employees are using, CASB could be worth the cost.

"The reality is, there are ups and downs and pros and cons," he says. "Ask what you want to get out of it before you engage. If you're a startup or a large business, a lot of times CASB won't make sense ... There are probably 500 other security problems you should be solving before that."


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Comments
PatrickF934,
User Rank: Apprentice
6/16/2017 | 3:07:16 PM
Re: CASBs can, in fact, take action on the issues they highlight.
Thanks for your response to the article. I work with Tim at Evident.io, and while I understand your points, I want to clarify some things. Taking action is not sending the data off to a non-CASB product and throwing the issue over the wall. Sure, if you are a legacy man-in-the-middle approach to control you can attempt to take action, but architecturally this would fail when cloud services are accessed outside the networks behind the CASB solution. "Public Cloud" is exactly that... unconstrained access from anywhere in the world. This is where the CASB approach fails. No CASB player has full API coverage for public cloud and therefore cannot lay claim that they are true hybrid coverage solutions, much less process the environments in real time and mitigate risk across the overall attack surface. Integrations with other point products are a referral network, and not core CASB remediation capability.
nets651,
User Rank: Apprentice
6/8/2017 | 10:32:43 AM
CASBs can, in fact, take action on the issues they highlight.
The comment by the gentleman from Evident.io is plainly inaccurate. Multi-mode CASBs have gone far beyond Discovery for many years and can take a multitude of actions on anomalies, threats detected, DLP violations, etc., both inline and out-of-band, including access control, alerting, quarantine, blocking, coaching, redirecting, encrypting/tokenizing and more. These actions can be taken across all modes, from out-of-band APIs to reverse proxy or full forward proxy. They can be integrated with existing DLP, UBA, Threat Detection and IR solutions for end-to-end closed-loop remediation.