6/7/2017
04:47 PM

Security in the Cloud: Pitfalls and Potential of CASB Systems

The transition to cloud has driven a demand for CASB systems, but today's systems lack the full breadth of functionality businesses need.

Security leaders moving to the cloud are worried about data protection. Many are considering cloud access security broker (CASB) systems to monitor security as they navigate the cloud security space.

Many organizations lack a full understanding of the cloud services they use and their associated risks, which interferes with compliance and protection, research shows. Meanwhile, more sensitive information is being stored with SaaS apps like Office 365, Box, Dropbox, Slack, and others.

CASB is an intermediary to give businesses "a single console approach to providing consistent security and policy management across the hundreds, and even thousands, of unique cloud services an enterprise is using," says Jim Reavis, CEO for the Cloud Security Alliance.

The need for CASB to provide visibility, compliance, data security, and threat protection has grown as IT functions move off-premise and security leaders need more granular visibility and policy management. By 2020, Gartner reports, 85% of large enterprises will use a CASB.

Understanding CASB

"The most common use case for CASBs today is to gain visibility of organizational cloud service usage -- how many cloud services, what are they used for, which departments are using them," says Reavis.

"That information is used to discover policy violations and organizational risks and allow enterprises to take corrective action," he continues. This may include automated remediation, detailed information for manual response, or integration with other security tools in the SOC.

Businesses can use CASB to understand where corporate data is going, detect suspicious activity, scan emails for malicious content and prevent the spread of malware, and stop a range of attacks.

CASB systems are also used for inline data protection, such as encryption or tokenization. This is more popular in regulated environments because it keeps cloud-based data under user control. While it has potential for the long term, says Reavis, this is challenging today because there aren't many technical standards for data protection APIs that cloud providers can use.

The two major deployment methods for CASB are API-based and proxy-based, he explains. An API-based CASB is deployed out-of-band and integrates directly with the cloud providers' APIs. Proxy-based CASB systems examine identified network traffic flows.

Both API- and proxy-based solutions have benefits and drawbacks. API products enable access by anyone from anywhere, but they don't eliminate access by cloud providers, says Willy Leichter, VP of product and content marketing for CipherCloud. These also depend on the quality and performance of APIs from cloud security providers.

API solutions may vary in quality or not be supported by the CASB vendor. Proxy-based systems may cause an outage for end users if a SaaS app alters its user interface.

Where today's systems fall short

While CASB systems are good for visibility, they don't help solve all the issues they highlight, says Tim Prendergast, founder and CEO at Evident.io. He likens the situation to a doctor telling a patient they have several problems but lacking the ability to fix them.

This poses a challenge to overworked security teams, which may question the benefit of buying a CASB system when they lack people to solve issues it highlights. Many may wonder whether they should have used the funds to hire more talent for assigning and solving problems.

"Data without action is kind of useless," says Prendergast. "Data has to be automatable so your team can solve the problem and move on to bigger projects."

The newness of the cloud has proven a constraint to the evolution of CASB, Reavis adds, because cloud providers still view one another as competition.

"CASBs have to take a lot of different competitive, incompatible cloud services and make a coherent picture for the enterprise," he explains. For API solutions, there is a practical challenge because APIs are inconsistent among different cloud providers.

"It will reflect tensions, competition, and lack of standards if they can't provide as rich of information as if everyone agreed on the same thing," says Reavis.

Predicting the future of CASB

Reavis says the competitive dynamic among CASB providers is a "consequence of newness" and limits the consistency and richness of the service they can provide. However, consolidation is happening. Companies are being purchased and maintaining service with their buyers.

CASB systems will have a difficult time as teams and users become more distributed, says Prendergast. Providers may have to re-architect their systems to monitor traffic of employees logging in from different networks.

For businesses that need to protect sensitive data, CASB solutions should give deep integration with specific clouds, third-party tools, enterprise systems, and workflows, says Leichter. Tools promising advanced data protection should support complex environments and maintain the functionality of cloud applications.

David Waugh, VP of sales and marketing at ManagedMethods, warns of "proxy fatigue" among CASB customers and end users from going through a proxy. As CASB adoption increases, he expects API-based tools to be as prevalent as firewalls were in the last decade.

What to know before you buy

Security leaders weighing the pros and cons of CASB systems should think about their infrastructure before purchasing.

"In order for a CASB solution to be effective, businesses need to carefully consider what clouds are business-critical, what data is sensitive, and who needs to access it," says Leichter. "If data protection is applied poorly, it can be a blunt instrument that breaks important cloud functionality."

The need for CASB varies from business to business, Prendergast explains, and it's important to have realistic expectations. If you're hoping to better understand the web and SaaS services employees are using, CASB could be worth the cost.

"The reality is, there are ups and downs and pros and cons," he says. "Ask what you want to get out of it before you engage. If you're a startup or a large business, a lot of times CASB won't make sense ... There are probably 500 other security problems you should be solving before that."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
PatrickF934,
User Rank: Apprentice
6/16/2017 | 3:07:16 PM
Re: CASBs can, in fact, take action on the issues they highlight.
Thanks for your response to the article. I work with Tim at Evident.io, and while I understand your points, I want to clarify some things. Taking action is not sending the data off to a non-CASB product and throwing the issue over the wall.  Sure, if you are a legacy man-in-the-middle approach to control you can attempt to take action, but architecturally this would fail when cloud services are accessed outside the networks behind the CASB solution. "Public Cloud" is exactly that... unconstrained access from anywhere in the world. This is where the CASB approach fails. No CASB player has full API coverage for public cloud and therefore cannot lay claim that they are true hybrid coverage solutions, much less process the environments in real time and mitigate risk across the overall attack surface. Integrations with other point products is a referral network, and not core CASB remediation capability.
nets651,
User Rank: Apprentice
6/8/2017 | 10:32:43 AM
CASBs can, in fact, take action on the issues they highlight.
The comment by the gentleman from Evident.Io is plainly inaccurate. Multi-mode CASBs have gone far beyond Discovery for many years and can take a multitude of actions on anomalies, threats detected, DLP violations etc... both inline and out-of-band, including access control, alerting, quarantine, blocking, coaching, redirecting, encrypting/tokenizing and more. These actions can be taken across all modes, from out-of-band APIs to reverse proxy or full forward proxy.  They can be integrated with existing DLP, UBA, Threat Detection and IR solutions for end-to-end closed-loop remediation. 