Cloud Access Security Brokers: Understanding cloud risk management

The realm of Shadow IT

Cloud apps are in use everywhere, including within the enterprise. When a staff member has access to so many apps that make their life easier as a public consumer, they come to expect the same levels of service within their place of work. When the IT department can’t deliver on that level of service, the user finds another way.

Enter Shadow IT. That scary-sounding phrase that conjures images of ninjas and dark magic, which, if you’re a systems admin, isn’t too far from the truth.

Shadow IT can be a real problem for companies. Suddenly your users have access to cloud storage that simply looks like another folder on their desktop. Perhaps a user wants to work on a document at home and it’s easier to stick it in DropBox than it is to use a USB drive. There’s your information, sitting out there on a public Internet cloud service. You’re now at the mercy of DropBox’s isolation and security choices.

So what do you do? Block all access for everyone to DropBox? Now your helpdesk queue is full of complaints like:

“But ‘IT Guy’, I store my novel on DropBox and I need to access it so I can write at lunch time!”


“The board uses DropBox to share financial reports so that they can access them from their iPads!”


Now, I’m not picking on DropBox here. DropBox is an amazing service and suits many people’s requirements for online storage, but it makes a good example because of how successful it has been and how widely it has spread through the market. It is also not the only one in its niche. There are hundreds of cloud storage apps available for consumers to quickly connect to and start saving files. There are also thousands of other cloud apps and services in different categories, all ready and waiting for your users to sign up.

So, how do you find all these apps that are in use in your environment, so that you can understand the services that your users are really wanting?

Say hello to CASB

Cloud Access Security Broker (CASB) is a relatively new service (new within the last 4 years) that does exactly what the acronym says: brokers access to the cloud (based on configurable policies) for security purposes.

Some Gartner figures from October 2015:

  • Through 2020, 95% of cloud security failures will be the customer’s fault, not the service provider’s.
  • By 2020, 85% of large enterprises will use a CASB product for their cloud services, which is up from fewer than 5% today.

So what does a CASB do?

Gartner (man, we love those guys) likes to split the services into four categories:

  • Visibility starts at the discovery phase of implementing a CASB service. Through firewall or proxy log analysis, the CASB will identify all known cloud apps and services that have been accessed from within the network. This allows you to view the usage trends and problem areas that may be in play in your environment. Shadow IT is brought into the light!
  • Compliance ensures that compliance standards and regulations, data residency and Intellectual Property ownership rights are adhered to. CASBs provide risk assessments of tens of thousands of cloud services so that you don’t have to carry out your own assessments on every service. In effect this is a way to outsource a significant part of your IT Risk Assessment processes.
  • Data security allows policies to enforce data classification and access. Policies can take a variety of actions such as audit, alert, block, quarantine, delete or encrypt data.
  • Threat protection prevents users and devices from accessing cloud services, where required.

The visibility category is the first step in securing your cloud access, and how we answer the question I asked before: “So, how do you find all these apps that are in use in your environment?”
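The discovery step described above, as an added example (not part of the original article and not any CASB vendor's code): it matches hosts in a proxy log against an app catalogue and ranks unsanctioned apps by upload volume. The log format, the catalogue entries, the `.example` domains and the function names are all constructed for illustration.

```python
# Constructed catalogue: domain suffix -> (app name, category, sanctioned?).
# A real CASB ships a rated catalogue of thousands of services.
CATALOGUE = {
    "dropbox.com": ("Dropbox", "storage", False),
    "crm.example": ("ExampleCRM", "crm", True),
    "paste.example": ("ExamplePaste", "sharing", False),
}

# Constructed proxy log: epoch user method host bytes_sent bytes_received
SAMPLE_LOG = """\
1473900000 alice CONNECT www.dropbox.com:443 5242880 1024
1473900060 bob CONNECT api.crm.example:443 2048 90000
1473900120 alice CONNECT www.dropbox.com:443 1048576 512
1473900180 carol POST paste.example 40960 300
1473900240 bob GET intranet.corp.example 100 5000
malformed line
1473900300 carol CONNECT notdropbox.com:443 10 10
"""

def match_app(host):
    """Match a host on a label boundary so 'notdropbox.com' is not Dropbox."""
    host = host.rsplit(":", 1)[0].lower().rstrip(".")
    for suffix, app in CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return None

def discover(log_text):
    """Return {app: {"users", "bytes_sent", "category", "sanctioned"}}."""
    usage = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[4].isdigit():
            continue  # skip malformed records instead of aborting the run
        _, user, _, host, sent, _ = parts
        app = match_app(host)
        if app is None:
            continue  # host is not a known cloud app
        name, category, sanctioned = app
        entry = usage.setdefault(name, {"users": set(), "bytes_sent": 0,
                                        "category": category, "sanctioned": sanctioned})
        entry["users"].add(user)
        entry["bytes_sent"] += int(sent)
    return usage

def shadow_it(usage):
    """Names of unsanctioned apps, largest upload volume first."""
    return sorted((n for n, e in usage.items() if not e["sanctioned"]),
                  key=lambda n: -usage[n]["bytes_sent"])
```

Ranking by bytes sent rather than request count puts the apps receiving the most company data at the top of the review list.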

Once you’ve run through the discovery process, you might be surprised at just how many apps and services are in use without your knowledge or sanction, and now that you know, what do you do about it?

This is where the brilliance of the CASB service comes in, and why you would want to run the service on an ongoing basis. You could, as I said before, simply block access to the undesirable services now that you know what they are. But this “hammer approach” is exactly what irks users these days, and what gives the IT department the image of unyielding, policy-enforcing killjoys. People don’t like to be told what they can’t use, especially if they’ve been using a service to date without apparent issue.

So let them use DropBox, but control that usage. Set a data loss prevention policy that scans files for sensitive information and performs a configurable action. You can even teach the CASB what sensitive information is in your organisation by scanning payslip templates and the like. Maybe a friendly warning to the user that they might want to rethink their decision to store that file in the cloud. Maybe remove the file and let them know what you’ve done, and why. Maybe allow the file to stay in DropBox, but remove any sharing attributes that the user has applied to it so that it can’t be shared with people outside your organisation. The choice is yours, but now users can use their favourite service safe in the knowledge that their company is happy with it. Everybody wins.

Of course, some apps and services will probably need to be blocked due to their lapse in industry certifications (PCI or ISO 27001, for instance), or clauses that mean they will own your Intellectual Property, or other missing requirements. The CASB will helpfully show you which apps and services these are, having done the time-consuming analysis already.

Leveraging the analysis that these CASBs have already done is an interesting concept. As mentioned earlier, this can be thought of as a way to outsource or syndicate aspects of your own security and risk assessment processes. The CASB will already have an assessment of key areas such as inherent security capabilities, third party audits, legal, privacy, financial viability aspects and vulnerabilities and exploits. So why not leverage the work they have already done rather than repeat this yourself?

So how does the CASB enact these policies? It does depend a little on the provider, and some may or may not provide all options, but generally there are five approaches which can either be used individually, or grouped together:

  • Network monitoring (log analysis or network TAP) – Used for cloud app discovery and detection
  • Forward proxy – Inline, real-time policy control for cloud apps. Allows control across all cloud apps. All traffic traverses the proxy.
  • Reverse proxy – Inline, real-time policy control for cloud apps. Allows control for sanctioned apps only. Only traffic destined for sanctioned apps traverses the proxy.
  • Endpoint agent – Policy enforcement on user devices; uses mobile profiles on iOS
  • Cloud service API access – Offline, access to cloud services for at-rest data policy enforcement

The first four options in this list are all pretty self-explanatory. We’ve seen these in use with countless other network security products. Because the data is accessible to the CASB service, policies can be enforced on it or, in the case of network monitoring, alerted on.

The one that interests me is the API access method. Through the exposed APIs that cloud service providers allow access to, the CASB can gain access to your company’s context in the service and carry out policy enforcement on data that is already in there. Remember above when I mentioned an action of removing the sharing attribute on a file? This is how that gets done. It’s a very powerful tool, and again allows users to use the services, but with restrictions.

Unfortunately, the API option is only available on those services that allow API access, and of those, the ones that the CASB has incorporated into their product. But that list should be getting longer as time passes.
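The at-rest enforcement described above, combined with the earlier data loss prevention idea of teaching the CASB a payslip template and then warning, removing or stripping sharing, as an added example (not from the original article or any vendor). The file records are in-memory stand-ins for what a provider's API would return; `ORG_DOMAIN`, the template, the 0.75 threshold and the action names `allow` and `unshare_external` are assumptions.

```python
import re

ORG_DOMAIN = "corp.example"  # assumption: the organisation's e-mail domain
# Constructed payslip template the policy is trained on.
PAYSLIP_TEMPLATE = ("Employee Name:\nEmployee ID:\nPay Period:\n"
                    "Gross Pay:\nTax Deducted:\nNet Pay:\n")

def fingerprint(text):
    """Collect field labels: the text before a colon at the start of a line."""
    return {m.group(1).strip().lower()
            for m in re.finditer(r"^([A-Za-z][A-Za-z ]{2,30}):", text, re.M)}

def matches_template(text, labels, threshold=0.75):
    """True when enough of the learned labels reappear in the file."""
    found = fingerprint(text) & labels
    return bool(labels) and len(found) / len(labels) >= threshold

def evaluate(file_rec, labels):
    """Return (action, updated_record); the input record is not mutated."""
    if not matches_template(file_rec["content"], labels):
        return "allow", file_rec
    external = [r for r in file_rec["shared_with"]
                if not r.lower().endswith("@" + ORG_DOMAIN)]
    if file_rec.get("public_link"):
        # Anyone holding the link can read it: pull the file and all shares.
        return "quarantine", {**file_rec, "shared_with": [], "public_link": False}
    if external:
        internal = [r for r in file_rec["shared_with"] if r not in external]
        return "unshare_external", {**file_rec, "shared_with": internal}
    return "alert", file_rec  # sensitive, but only visible inside the org

LABELS = fingerprint(PAYSLIP_TEMPLATE)
# Constructed file records standing in for a cloud storage API listing.
PAYSLIP = ("Employee Name: A. Example\nEmployee ID: 0001\nPay Period: Aug 2016\n"
           "Gross Pay: 1000\nTax Deducted: 200\nNet Pay: 800\n")
FILES = [
    {"name": "novel.txt", "content": "Chapter One: it was a dark night",
     "shared_with": ["friend@mail.example"], "public_link": False},
    {"name": "payslip-aug.txt", "content": PAYSLIP, "public_link": False,
     "shared_with": ["hr@corp.example", "accountant@mail.example", "x@notcorp.example"]},
    {"name": "payslip-link.txt", "content": PAYSLIP, "public_link": True,
     "shared_with": ["hr@corp.example"]},
    {"name": "payslip-hr.txt", "content": PAYSLIP, "public_link": False,
     "shared_with": ["hr@corp.example"]},
]

def run():
    return [(f["name"], evaluate(f, LABELS)[0]) for f in FILES]
```

The personal novel passes untouched while the payslips get graduated responses, which is the "allow, but control" outcome the article argues for.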

Allow is the new block

A phrase coined by CASB provider Netskope, “Allow is the new block” is at the heart of the CASB service. It’s too hard and time-consuming to fight people over access to apps, even if you know which ones they’re using. So let the CASBs do their job, and let the users have their cake, and eat it too.

Cloud Risk Assessment

ViFX, in partnership with Netskope, are offering a Cloud Risk Assessment (CRA) to customers to discover the Shadow IT in their environment, and see just what potential risk is involved from unsanctioned cloud apps and services.

Author: James Brookbanks

James works with our customers to understand their application requirements, and design cloud services to support those requirements now and into the future.

15 September 2016