How enterprises are using cloud access security brokers (CASB) to take back control

Skyhigh Networks' Nigel Hawthorn explains the type of controls that CASB can facilitate

Security has retained its unenviable top spot on the list of worries about cloud use for many years now, in part because it pulls in concerns about control and compliance too. As cloud architectures have grown more complex, with some sort of hybrid, multi-vendor cloud setup now the norm, cloud access security broker (CASB) solutions have risen to prominence and are now present in the vast majority of large organisations.

Essentially, a CASB is a set of software programs that sits between an organisation's data centre and the public cloud services it has contracted, extending the reach of the organisation's policy-based rules and frameworks into the cloud.

Nigel Hawthorn, EMEA and privacy spokesperson at Skyhigh Networks, a CASB provider, outlined a number of ways in which it can be deployed to increase security and compliance during Computing's Cloud & Infrastructure Summit this week.

He began by noting that the vast majority of security failures 'in the cloud' turn out to be the fault of the customer rather than the provider. With that in mind, a Skyhigh Networks survey finding that the average company runs 1,427 cloud applications, 80 per cent of them unknown to the IT department, is a major cause for concern. This situation presents obvious risks in terms of compliance with regulations such as GDPR.

CASB can help firms get a handle on the software they are running, he said, as well as allowing for policy-based whitelisting and blacklisting, which is likely to be far more effective than simply blocking the use of certain services by end users. Shadow IT is too complex a problem to have a binary solution, and a simple block can send users to even riskier applications.

For example, the airline Etihad now enforces risk-based acceptable use policies for shadow IT and is moving towards "predictive governance" policies.

"Airlines have a lot of personal and sensitive information from passport and credit card details to special dietary requirements," Hawthorn noted. "Etihad is making sure that users are being gently moved from high-risk to low-risk applications."
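The risk-based acceptable-use policy described above, as an added example; this is not Skyhigh's or Etihad's code. It assumes a discovered-app inventory with a constructed 1-10 risk score and an optional sanctioned alternative, and it turns the "gently moved from high-risk to low-risk" idea into a three-way allow/coach/block decision rather than a binary block.

```python
"""Added example (not from the article, Skyhigh or Etihad): a risk-based
acceptable-use policy for discovered (shadow IT) cloud apps. Each app is
scored and the user is coached toward a sanctioned, lower-risk alternative
where one exists. The inventory and the 1-10 risk scale are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CloudApp:
    name: str
    risk_score: int                     # constructed scale: 1 (low) .. 10 (high)
    sanctioned: bool = False            # approved by IT
    alternative: Optional[str] = None   # sanctioned lower-risk app, if any


ALLOW, COACH, BLOCK = "allow", "coach", "block"

# Constructed inventory of apps seen in proxy logs (not real data)
INVENTORY = [
    CloudApp("corp-file-share", risk_score=2, sanctioned=True),
    CloudApp("consumer-file-share", risk_score=6, alternative="corp-file-share"),
    CloudApp("anon-paste-site", risk_score=9, alternative="corp-file-share"),
    CloudApp("niche-notes-app", risk_score=5),
]


def decide(app: CloudApp, uploads_sensitive: bool) -> dict:
    """Policy decision for one (app, activity) pair.

    Sanctioned apps are always allowed. Medium-risk apps (5-7) are allowed,
    but the user is coached toward the alternative when one exists. High-risk
    apps (8+) are blocked only when sensitive data is about to be uploaded;
    plain browsing is coached rather than blocked, because a hard block
    tends to push users to even riskier tools.
    """
    if app.sanctioned:
        return {"action": ALLOW, "reason": "sanctioned app"}
    if app.risk_score >= 8:
        if uploads_sensitive:
            return {"action": BLOCK, "reason": "high-risk app with sensitive upload",
                    "redirect": app.alternative}
        return {"action": COACH, "reason": "high-risk app", "redirect": app.alternative}
    if app.risk_score >= 5 and app.alternative:
        return {"action": COACH, "reason": "lower-risk alternative available",
                "redirect": app.alternative}
    return {"action": ALLOW, "reason": "acceptable risk"}


def shadow_it_summary(inventory):
    """The article's headline metric: how many apps are unknown to IT."""
    unsanctioned = [a for a in inventory if not a.sanctioned]
    return {"total": len(inventory), "unsanctioned": len(unsanctioned),
            "high_risk": sum(1 for a in unsanctioned if a.risk_score >= 8)}


if __name__ == "__main__":
    for app in INVENTORY:
        print(app.name, decide(app, uploads_sensitive=True))
    print(shadow_it_summary(INVENTORY))
```

The thresholds (5 and 8) are policy knobs; the point is that the decision depends on both the app's risk and what the user is doing with it, which is what makes a coached migration possible.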

A large unnamed European bank worried about GDPR compliance has taken things further, ensuring compliance across a range of cloud service providers (CSPs).

"They needed services across multiple services so that employees can have flexibility in the providers they work with," Hawthorn said. "And they needed both proxy deployment for employee control and API deployment to control data uploaded to the cloud by business partners."

In this case, a machine learning solution was implemented on the CASB platform to alert IT to unusual behaviours without throwing up masses of false positives.
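An added illustration of the "unusual behaviour without masses of false positives" requirement, not the bank's or Skyhigh's model: each user is compared against their own activity baseline using a robust median/MAD score, with a minimum-history rule and an absolute-jump floor so that new users and small blips do not page IT. The daily download counts are constructed sample data.

```python
"""Added example (not the bank's or Skyhigh's code): per-user baseline
anomaly scoring over cloud activity. Robust statistics (median and MAD)
keep one user's habitual bursts from looking anomalous, and two guards
suppress false positives: a minimum history length and a minimum absolute
jump. The counts below are constructed daily download totals, not real data."""
from statistics import median

# Constructed sample: user -> daily download counts, oldest first, today last
HISTORY = {
    "alice": [12, 15, 11, 14, 13, 16, 12, 14, 15, 13, 12, 14, 13, 15, 180],
    "bob":   [3, 40, 2, 35, 4, 38, 1, 42, 3, 37, 2, 41, 3, 39, 45],   # bursty but normal for bob
    "carol": [5, 7, 90],                                              # too little history to judge
}

MIN_HISTORY = 7      # days of baseline needed before alerting at all
THRESHOLD = 6.0      # robust z-score above which we alert
MIN_ABS_DELTA = 50   # also require a meaningful absolute jump over the median


def robust_z(value, baseline):
    """Robust z-score: distance from the median in MAD-derived sigma units."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline)
    scale = 1.4826 * mad if mad > 0 else 1.0   # 1.4826 maps MAD to sigma for normal data
    return (value - med) / scale


def score_user(counts):
    """Return (alert, z, reason) for the most recent day of one user's history."""
    if len(counts) < MIN_HISTORY + 1:
        return False, None, "insufficient history"
    baseline, today = counts[:-1], counts[-1]
    z = robust_z(today, baseline)
    if z > THRESHOLD and today - median(baseline) >= MIN_ABS_DELTA:
        return True, z, "download volume far above user's own baseline"
    return False, z, "within baseline"


def find_anomalies(history):
    """Score every user; only alerting entries would be forwarded to IT."""
    return {user: score_user(counts) for user, counts in history.items()}


if __name__ == "__main__":
    for user, (alert, z, reason) in find_anomalies(HISTORY).items():
        print(f"{user:6} alert={alert} z={z if z is None else round(z, 1)} {reason}")
```

A global threshold over raw counts would flag bob every other day; scoring against each user's own baseline is what keeps the alert volume manageable.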

DuPont deployed Skyhigh's CASB to investigate employees' activity in Office 365, allowing forensic analysis of the root causes of security incidents even where they occurred outside Office 365, such as in Box, Dropbox or Salesforce. Analysing users' activity in Office 365 makes it easier for DuPont to pin down the causes of internal security breaches.

Meanwhile, US healthcare provider Blue Cross Blue Shield is using CASB to extend the reach of its data leak prevention (DLP) from SaaS to custom applications, and to audit and remediate AWS security configurations on its VMs.

"They were keen to avoid Verizon/Dow Jones-type attacks when, of the data held in S3 buckets, 35 per cent of all documents were found to be unencrypted and shared externally, with six per cent being sent using personal email addresses and three per cent ending up on the web," said Hawthorn.
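The two conditions in that quote, data stored unencrypted and data shared externally, are exactly what a configuration audit of the kind mentioned for Blue Cross Blue Shield checks for. The following is an added example, not Skyhigh's or any customer's code: it evaluates bucket configuration snapshots against S3's default-encryption, ACL, bucket-policy and Public Access Block settings and proposes a remediation for each finding. The snapshots are constructed to mimic the shape of the corresponding S3 API responses; nothing here talks to AWS.

```python
"""Added example (not Skyhigh's or a customer's code): audit S3 bucket
configuration snapshots for unencrypted storage and external sharing, and
suggest remediation. Snapshot shapes are modelled on the S3 get_bucket_
encryption / get_bucket_acl / get_public_access_block / get_bucket_policy
responses but are constructed here; no AWS calls are made."""
import json

# Real S3 group URIs that make an ACL grant public
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed bucket snapshots (not real buckets)
BUCKETS = {
    "finance-reports": {
        "encryption": None,   # no default server-side encryption rule
        "acl_grants": [{"Grantee": {"Type": "Group",
                                    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                        "Permission": "READ"}],
        "public_access_block": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                                "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
        "policy": None,
    },
    "hr-archive": {
        "encryption": {"SSEAlgorithm": "aws:kms"},
        "acl_grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                        "Permission": "FULL_CONTROL"}],
        "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
        "policy": None,
    },
    "marketing-assets": {
        "encryption": {"SSEAlgorithm": "AES256"},
        "acl_grants": [],
        "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
        "policy": json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
                                             "Action": "s3:GetObject",
                                             "Resource": "arn:aws:s3:::marketing-assets/*"}]}),
    },
}


def policy_allows_anyone(policy_json):
    """True if any Allow statement has a wildcard principal and no Condition."""
    if not policy_json:
        return False
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            return True
    return False


def audit_bucket(name, cfg):
    """Return a list of (finding_code, remediation) for one bucket."""
    findings = []
    if not cfg.get("encryption"):
        findings.append(("UNENCRYPTED", "enable default SSE (AES256 or aws:kms)"))
    pab = cfg.get("public_access_block") or {}
    public_acl = any(g["Grantee"].get("URI") in PUBLIC_GRANTEES for g in cfg.get("acl_grants", []))
    # IgnorePublicAcls=True neutralises public ACL grants, so only flag when it is off
    if public_acl and not pab.get("IgnorePublicAcls"):
        findings.append(("PUBLIC_ACL", "remove the public grant; set BlockPublicAcls and IgnorePublicAcls"))
    # RestrictPublicBuckets=True neutralises a public bucket policy
    if policy_allows_anyone(cfg.get("policy")) and not pab.get("RestrictPublicBuckets"):
        findings.append(("PUBLIC_POLICY", "scope the Principal or add a Condition; "
                                          "set BlockPublicPolicy and RestrictPublicBuckets"))
    return findings


def audit_all(buckets):
    return {name: audit_bucket(name, cfg) for name, cfg in buckets.items()}


def summarise(buckets):
    """Headline counts of the two conditions the article's statistics describe."""
    report = audit_all(buckets)
    return {
        "buckets": len(buckets),
        "unencrypted": sum(1 for f in report.values() if any(c == "UNENCRYPTED" for c, _ in f)),
        "externally_shared": sum(1 for f in report.values()
                                 if any(c in ("PUBLIC_ACL", "PUBLIC_POLICY") for c, _ in f)),
    }


if __name__ == "__main__":
    for name, findings in audit_all(BUCKETS).items():
        print(name, findings or "OK")
    print(summarise(BUCKETS))
```

The audit deliberately reads the Public Access Block settings alongside the ACL and policy, because a bucket with a public grant but IgnorePublicAcls enabled is not actually exposed; flagging it anyway is the kind of false positive that erodes trust in an audit.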

CASB enables much more granular control across cloud and hybrid cloud services, ensuring that governance and security policies are upheld, he explained in conclusion.