Dark Reading is part of the Informa Tech Division of Informa PLC


6/7/2017
04:47 PM

Security in the Cloud: Pitfalls and Potential of CASB Systems

The transition to cloud has driven a demand for CASB systems, but today's systems lack the full breadth of functionality businesses need.

Security leaders moving to the cloud are worried about data protection. Many are considering cloud access security broker (CASB) systems to monitor security as they navigate the cloud security space.

Many organizations lack full understanding of the cloud services they use and their associated risks, interfering with compliance and protection, research shows. Meanwhile, more sensitive information is being stored with SaaS apps like Office 365, Box, Dropbox, Slack, and others.

CASB is an intermediary to give businesses "a single console approach to providing consistent security and policy management across the hundreds, and even thousands, of unique cloud services an enterprise is using," says Jim Reavis, CEO for the Cloud Security Alliance.

The need for CASB to provide visibility, compliance, data security, and threat protection has grown as IT functions move off-premise and security leaders need more granular visibility and policy management. By 2020, Gartner reports, 85% of large enterprises will use a CASB.

Understanding CASB

"The most common use case for CASBs today is to gain visibility of organizational cloud service usage -- how many cloud services, what are they used for, which departments are using them," says Reavis.

"That information is used to discover policy violations and organizational risks and allow enterprises to take corrective action," he continues. This may include automated remediation, detailed information for manual response, or integration with other security tools in the SOC.

Businesses can use CASB to understand where corporate data is going, detect suspicious activity, scan emails for malicious content and prevent the spread of malware, and stop a range of attacks.

CASB systems are also used for inline data protection, such as encryption or tokenization. This is more popular in regulated environments because it keeps cloud-based data under user control. While it has potential for the long term, says Reavis, this is challenging today because there aren't many technical standards for data protection APIs that cloud providers can use.

Two major deployment methods for CASB are API-based and proxy-based, he explains. API-based involves out-of-band deployment directly integrated with the cloud providers' API interfaces. Proxy-based CASB systems examine identified network traffic flows.

Both API- and proxy-based solutions have benefits and drawbacks. API products enable access by anyone from anywhere, but they don't eliminate access by cloud providers, says Willy Leichter, VP of product and content marketing for CipherCloud. These also depend on the quality and performance of APIs from cloud security providers.

API solutions may vary in quality or not be supported by the CASB vendor. Proxy-based systems may cause an outage for end users if a SaaS app alters its user interface.

Where today's systems fall short

While CASB systems are good for visibility, they don't help solve all the issues they highlight, says Tim Prendergast, founder and CEO at Evident.io. He likens the situation to a doctor telling a patient they have several problems but lacking the ability to fix them.

This poses a challenge to overworked security teams, which may question the benefit of buying a CASB system when they lack people to solve issues it highlights. Many may wonder whether they should have used the funds to hire more talent for assigning and solving problems.

"Data without action is kind of useless," says Prendergast. "Data has to be automatable so your team can solve the problem and move on to bigger projects."

The newness of the cloud has proven a constraint to the evolution of CASB, Reavis adds, because cloud providers still view one another as competition.

"CASBs have to take a lot of different competitive, incompatible cloud services and make a coherent picture for the enterprise," he explains. For API solutions, there is a practical challenge because APIs are inconsistent among different cloud providers.

"It will reflect tensions, competition, and lack of standards if they can't provide as rich of information as if everyone agreed on the same thing," says Reavis.

Predicting the future of CASB  

Reavis says the competitive dynamic among CASB providers is a "consequence of newness" and limits the consistency and richness of the service they can provide. However, consolidation is happening. Companies are being purchased and maintaining service with their buyers.

CASB systems will have a difficult time as teams and users become more distributed, says Prendergast. Providers may have to re-architect their systems to monitor traffic of employees logging in from different networks.

For businesses that need to protect sensitive data, CASB solutions should give deep integration with specific clouds, third-party tools, enterprise systems, and workflows, says Leichter. Tools promising advanced data protection should support complex environments and maintain the functionality of cloud applications.

David Waugh, VP of sales and marketing at ManagedMethods, warns that CASB customers and end users are experiencing "proxy fatigue" from going through a proxy. As CASB adoption increases, he expects API-based tools to be as prevalent as firewalls were in the last decade.

What to know before you buy

Security leaders weighing the pros and cons of CASB systems should think about their infrastructure before purchasing.

"In order for a CASB solution to be effective, businesses need to carefully consider what clouds are business-critical, what data is sensitive, and who needs to access it," says Leichter. "If data protection is applied poorly, it can be a blunt instrument that breaks important cloud functionality."

The need for CASB varies from business to business, Prendergast explains, and it's important to have realistic expectations. If you're hoping to better understand the web and SaaS services employees are using, CASB could be worth the cost.

"The reality is, there are ups and downs and pros and cons," he says. "Ask what you want to get out of it before you engage. If you're a startup or a large business, a lot of times CASB won't make sense ... There are probably 500 other security problems you should be solving before that."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
Comments
PatrickF934,
User Rank: Apprentice
6/16/2017 | 3:07:16 PM
Re: CASBs can, in fact, take action on the issues they highlight.
Thanks for your response to the article. I work with Tim at Evident.io, and while I understand your points, I want to clarify some things. Taking action is not sending the data off to a non-CASB product and throwing the issue over the wall. Sure, if you are a legacy man-in-the-middle approach to control you can attempt to take action, but architecturally this would fail when cloud services are accessed outside the networks behind the CASB solution. "Public Cloud" is exactly that... unconstrained access from anywhere in the world. This is where the CASB approach fails. No CASB player has full API coverage for public cloud and therefore cannot lay claim that they are true hybrid coverage solutions, much less process the environments in real time and mitigate risk across the overall attack surface. Integrations with other point products are a referral network, and not core CASB remediation capability.
nets651,
User Rank: Apprentice
6/8/2017 | 10:32:43 AM
CASBs can, in fact, take action on the issues they highlight.
The comment by the gentleman from Evident.io is plainly inaccurate. Multi-mode CASBs have gone far beyond Discovery for many years and can take a multitude of actions on anomalies, threats detected, DLP violations, etc., both inline and out-of-band, including access control, alerting, quarantine, blocking, coaching, redirecting, encrypting/tokenizing and more. These actions can be taken across all modes, from out-of-band APIs to reverse proxy or full forward proxy. They can be integrated with existing DLP, UBA, Threat Detection and IR solutions for end-to-end closed-loop remediation.