Rock the CASBah

What is it?

Cloud Access Security Brokers (also known as CASB), is usually pronounced “KAZ-BEE” in a style reminiscent of the 1982 hit by The Clash. “Rock the CASBah”, is a technology that arrived not long after the rise of Cloud Computing showing yet again that security is usually a thought behind the functionality we desire.  “Can we do this?”  “Yes, we can, and here’s how we do it.”  “Cool.  So, how do we secure it?”  Blank stares follow.

A CASB essentially sits between you and your chosen cloud, either public or private, and are either on-premises, cloud-based (SaaS), or hybrid enforcement points.  Their role is to interject your security policies on-the-fly as the resources are accessed to make sure that nothing nefarious happens (there is that word again).  Rather than being a one-trick pony, a CASB can enforce a broad number of security policies which can include single sign-on (SSO), authorisation, encryption, logging and alerting, malware detection and prevention, device profiling, and even mapping credentials to resources.  There are many other uses, but let’s not get ahead of ourselves here!

Another term you may hear when dealing with CASB is “Tokenisation” which is basically switching something sensitive, such as your data, for something that is not – the token.  This token maps to the data through a tokenisation system kind of like how you would check your coat at a fancy restaurant and the clerk gives you a number.  The token itself is practically useless to try to understand what data it is mapped to; only the tokenisation system knows.  The tokenisation system should be protected with the best practices and level applied to the rest of the data – you don’t want it to become the weak link!  When the tokenisation system gets the right token, it can “detokenize” the data for access, kind of like going to the post office with a delivery notice to get your online purchases.

According to Gartner, by 2020 up to 60% of large enterprises will use a CASB solution to govern cloud services whereas presently less than 10% do.  If you’re not talking about CASB now, you probably will be very soon.  Not only is it more than just the large enterprises that may benefit, but smaller businesses, without the exorbitant security budgets, can also benefit from the flexible options available in the market right now.

Where do I start?

The obvious question is to ask yourself if you need CASB, but first, ask yourself if you have any cloud services now or will soon.  Odds are you do, and you will.  With the rise of AWS, Azure and the like as well as the endless number of private clouds available, CASB should be on your radar and closing into the centre fast.  Rare is the organisation that is completely in-house these days to exercise nearly full control.  Even using a colocation datacentre allows a fair degree of control, just like in-house, but moving to the cloud presents unique challenges.

Many organisations I have spoken with over the past five years or more have adopted a cloud-first strategy and endeavour to have any new systems as cloud-based while migrating existing systems to the cloud at the same time.  CASB, as you can understand, is a critical safeguard of this mass exodus of locally-controlled systems and data.

Let’s just say that you have all your systems in-house and something bad happens.  You can quickly run to the server room and pull a cable out of a router or firewall.  Maybe the Internet or Email goes down for a bit while you get it sorted out, but you’re in control.  Now, let’s imagine you are fully-cloud based and you’re breached.  Someone nefarious has access to your cloud.  You run to the same server room and pull the cable.  Only now the bad guys still have access and you don’t.  You’ve effectively turned yourself into an island and the guy getting voted off the island at Tribal Council and getting their torch extinguished is the one holding the blue copper cable (or fibre).  Thanks, Survivor!

If you answered yes to anything cloud in relation to your business, you need CASB as part of your Cyber Security Strategy.  In terms of vendors, you should start with, you have a few options. According to either Gartner or Forrester, there are a few leaders, but you should always consider the challenges and others because they may offer something specific that you really need.  Get the right people involved and do your homework.

How do I make it work?

There are a few ways to implement CASB, but it essentially sits between you and your cloud of choice.  Its role is two-fold, but the roles are not mutually inclusive.  You can perform security or management or, as I recommend, both.  Security, in general, is the prevention of risk relating to your cloud computing.  Management could be considered as mitigation of risk.  There is probably little point to implementing security without some means of managing it.  If we focus too much on the “before” of a breach, we flounder badly when it comes to the “During” and “After” of same.  Also, the more you know about what is happening and has happened, the better positioned you will be from here on out.

Whether security or management or both, there are four key functionalities to consider.  These include Visibility, Data Security, Threat Protection, and Compliance.  Visibility is important because it allows you to keep an eye on both sanctioned and unsanctioned activities.  Sanctioned?  Your use of cloud services such as Office 365.  Unsanctioned?  Think Shadow IT.  If you’re using Cloud, you can bet others are using it beyond your knowledge and control.

Data security is the obvious one.  Cloud computing presents a unique challenge.  While the data is yours, the systems that store and process it are probably not.  Threat protection permits you to control devices, users, and even application versions and can watch carefully for anomalies through user behaviour and other types of analytics.  Programs have their own nuances, even malware.  Compliance is become a far greater concern, especially where more and more regulations on who can do what, which what, and how.  Think about General Data Protection Regulation (GDPR) or Mandatory Data Breach Notification here in Australia.

CASB for security resides inline with your data path and can consist of an agentless deployment or agent-based deployment.  An agent-based CASB deployment requires proxy agents on each endpoint, including in the cloud itself and on the endpoints in your enterprise.  These can be difficult to deploy and are best suited where the assets are corporate-owned and managed.  Think, for example of installing endpoint protection clients.  Agentless, on the other hand, can cover all devices whether company owned or not and is much quicker to deploy.  Many of us operate in a BYOD capacity with our mobile devices and just as many would object to having a third-party exercise control over them.

Agentless deployments only concern themselves with corporate data, ignoring personal data unless otherwise configured.  Agent-based CASB, however, will concern itself with both corporate and personal data.  You must ask the right questions as to which solutions suits your enterprise best, but odds are an agentless solution may be your preferred choice; just don’t ignore an agent-based deployment until you know for sure.  Even consider Hybrid if that suits you better.

CASB for management is a more of an after-the-fact environment and can use APIs to inspect data in the cloud for events but can yield a wealth of information to allow you to stay on top of things.  You could, for example, feed data from proxy, gateway, or firewall logs into CASB for analysis on cloud-based activity such as access, application usage, and so on.

An API-only CASB can offer management-only via APIs from some of the major cloud-based services available and can give you value through some degree of visibility.  Personally, I’m more inclined to use a multi-mode CASB for both security and management.  Newer offerings even include a degree of zero-day protection against known and unknown threats and may effectively knock down the threat before it ever reaches you or you ever become aware.  You know, those things that go “bump” in the night?

The Bogeyman notwithstanding, you need to have a good understanding of your cloud computing environment and needs to know what solution works best for you.  You may lean towards a multi-mode, agentless CASB deployment or you may find an agent-based solution suits your environment better.  Ask the questions, get the answers, and make an informed decision.

Pitfalls?

The most obvious pitfall is having a cloud-first strategy that lacks adequate security controls.  The data is leaving your premises, and it can be a long way with a lot of stops in the middle before it gets back to your controlled space.  Like any road trip with many stops, your data must be secured.  The creatures that inhabit those spooky roadside rest areas exist in a virtual sense as well.  That end-to-end control must be maintained.

You should also carefully consider the type of deployment you are using because if you choose one over the other without considering your data, applications, users, and workspaces, you may find you’re leaving gaps.  Imagine, for example, an agent-based CASB deployment but you cannot take your computer on the road, so productivity could take a hit while you are away.  Many scenarios; be sure you choose the one that suits your workforce style the best.

Base your CASB implementation based on use cases over technical architecture.  Function before fashion!

Ghosts in the machine?

Like any other environment, you must secure the endpoints.  Let’s say you have CASB fully deployed, but a lax security policy allows a malicious entity to gain access to the cloud using a “trusted” system.  Yes, there are ways to mitigate this very possibility, but it illustrates that no single strategy can stand alone.  CASB, in and of itself, is not a silver bullet but is much more effective when combined with several strategies.  What strategies, you may ask?  Perhaps revising my previous articles on the ASD mitigation strategies is a good place to start.

Anything missing?

Be sure that whichever CASB solution you select aligns with both your internal infrastructure and your selected cloud services.  For the most part, the available solutions play nice with each other, but it never hurts to be sure and when having the conversation with your CASB service providers and experts, be sure to disclose these.  Odds are they’ll ask first but be prepared to cover all bases.

Still unsure?  We’re always happy to help, just let us know how we can assist!