robybret - Fotolia
With enterprise adoption of cloud access security brokers gaining momentum, use cases for these software tools -- which sit between an organization's on-premises infrastructure and cloud services to help enforce security policies -- have started to expand as well.
Though service visibility and cloud data loss prevention continue to be the biggest drivers, more organizations have begun exploring the use of CASBs for a broader range of compliance, data security and threat protection purposes.
The first to coin the term CASB about five years ago, Gartner has reported significant growth in the market since 2013, with credible products becoming available from several venture-capital-backed startups. The analyst firm predicted that by 2020, 85% of all large companies will deploy a CASB capability, compared to barely 5% as recently as 2015.
Cloud access security brokers have become a high priority for information security and IT departments at enterprises that have moved beyond the early adopter phase to active usage of cloud computing, according to Jim Reavis, CEO of the Cloud Security Alliance (CSA), a nonprofit organization that promotes security assurance. These tools have begun to function as a critical "intermediary between enterprises and cloud providers to provide a unified security console for an organization's wide variety of cloud services," he said.
As the CASB market has developed, so have uses for the technology. Increasingly, organizations are looking to use CASBs to identify anomalies in data movement between on-premises and cloud apps and also between cloud services. With workloads that move to the cloud, malware identification, encryption and cloud data loss prevention have all become important, said Andras Cser, vice president and principal analyst of security and risk at Forrester Research.
Forrester pegged the overall size of the CASB market at the end of 2016 as $525 million to $600 million and estimated that the market is growing at an astonishing rate of 50% to 60% annually. In a Q4 2016 report, Cser identified some of the major vendors in this space as Skyhigh Networks, Symantec's Blue Coat, Cisco CloudLock and Netskope.
Other emerging use cases include using CASBs to connect via APIs to an infrastructure as a service or platform as a service, such as Amazon Web Services and Microsoft Azure, and to monitor access and data movement there, Cser noted.
CASBs give organizations a way to extend and enforce their activity and data security policies to the cloud, said John Krull, CIO at Seattle Public Schools. Organizations that are moving to the cloud need to ensure that internal business rules, policies and procedures are applied to cloud resources. This applies to both files and applications.
Before cloud storage and software as a service (SaaS) were common, access to data files and applications could be controlled onsite by IT. But with data increasingly becoming resident in the cloud, traditional methods for managing access and enforcing policies no longer work, Krull said. A CASB offers a central mechanism for applying policies and actions to cloud resources even as users access those resources.
But there are other uses as well, he said. While not all CASB vendors provide the same services, most provide visibility into what you're doing in the cloud, some level of compliance controls, data loss protection and threat mitigation capabilities.
"Combined, they provide the ability to manage who has access to what data, enforce rules around use of the data, ensure integrity of the data, and provide threat assessment and response," Krull said. CASBs have the automation capabilities to actually train the users on document security and to assess their data sharing practices. "When applied systemically and with governance controls, it can help users follow best practices," he added.
Eastern Michigan University in Ypsilanti, Mich., has been using Cisco CloudLock's cloud-hosted CASB for about 18 months. The primary goal is to protect against loss and exposure of sensitive data in the cloud, according to Allan Edwards, senior information security analyst at EMU.
Before signing up for the technology, the university did a proof-of-concept run with CloudLock and discovered all sorts of sensitive EMU data stored on Google Drive accounts. The university now uses the CASB service to uncover instances where people might be storing sensitive information in the cloud and gets them to remove it. "We send users notifications automatically when there is a high likelihood of a Social Security number or a credit card number in their Google Drive and ask them to remove that data," Edwards said.
Allan Edwardssenior information security analyst, Eastern Michigan University
The CASB service has helped the university's threat intelligence team discover some unauthorized account usage that it was able to lock down. "The big challenge is deciding what is noise and what is signal when setting up rules" for alerts on sensitive data and potentially dangerous user activity in the cloud, he added.
Many CSA members use CASBs for data protection, primarily through data masking, tokenization or encryption, according to Reavis. Some CASB products and services currently allow organizations to encrypt or to tokenize data before it is stored in the cloud and to decrypt it on the way back. The feature is designed to help companies in regulated industries comply with security and privacy requirements, such as those associated with the Payment Card Industry Data Security Standard.
"We see this as an area with a big promise of growth, but it is somewhat hampered by a lack of conformity on the part of cloud providers and a standard set of data protection APIs," Reavis said.
More enterprises are also beginning to use CASBs or similar intermediary security technologies to provide some level of security policy management for custom identity-as-a-service platforms, according to Reavis. "I believe this will be a large trend as companies increase their cloud adoption and mature their understanding and management of clouds."
More visibility and control
The common use for CASBs continues to be discovery of cloud service usage. Many organizations have little to no idea of the extent to which employees are using cloud services to store, access and share enterprise data.
Recent statistics from Skyhigh Networks, one of the first vendors in the CASB space, showed that the average enterprise had 1,427 distinct cloud services running within its networks in the last quarter of 2016. Skyhigh found that the average employee uses some 36 cloud services applications at work, including nine cloud collaboration apps and six file-sharing services. The dangers such shadow IT use poses have been well-chronicled.
Many organizations are using CASBs primarily to enumerate all the cloud services being used by employees, and to drill down into the usage patterns related to specific cloud services so they can begin to address the security issues. "This [data] is used as the main feed into cloud policy management systems, whether completely manual or integrated into SOC [security operations center] systems," Reavis said.
"There are four core areas to consider with CASBs -- visibility, compliance, data security and threat protection," said Ayse Kaya Firat, director of customer insights and analytics at the CloudLock CyberLab. "CASB specifically combats account compromise, cloud-native malware, shadow IT and data breaches."
To CASB or not to CASB
Cloud access security brokers are increasingly critical to cloud security. But organizations need to be careful when procuring the technology, Gartner warned in a February 2017 research note.
CASB platforms have begun to coalesce around compliance, visibility, data security and threat protection capabilities, and choosing from among them could become increasingly confusing for security leaders, according to analysts.
Some products that are being marketed as CASBs do not deliver the full range of capabilities leading platforms offer. And some cloud-service providers have begun offering CASB-like add-ons that can confuse the decision-making process.
Before making any CASB procurement decisions, organizations need to figure out whether native controls are sufficient for their needs. Organizations should analyze whether their security requirements justify the cost and complexity of adding a new security product to their portfolio, Gartner noted. "We strongly advise starting with a reasonably detailed listing of use cases that are specific to your exact needs," analysts urged. --J.V.
CASBs also enable greater visibility and control over the risk posed by connected third-party cloud apps. These are applications that employees often authorize and use with their corporate credentials. Such applications typically demand extensive permissions and access to corporate SaaS platforms via Open Authorization (OAuth). Many employees routinely use OAuth-connected apps without the knowledge of their IT organization, thereby exposing corporate data to new risks, Kaya Firat said.
Matt Kesner, former CIO with Fenwick & West LLP, said the Silicon Valley law firm has been examining use cases for CASBs but has yet to implement one. However, the software may be inevitable from the cloud data loss prevention standpoint. "CASBs seem to be one of the only ways to get your arms around all of your security needs. We have had a number of clients ask about their use for data loss prevention," he said. "That has been a primary driver in our investigation."
The visibility and control, which CASBs enable, makes it easier for organizations to add new cloud applications or to drive users to preferred and supported cloud resources.
"We need to protect data in a way that guarantees the [three A's -- authentication, authorization and accountability] -- of information security," Krull said. A CASB makes it possible to know who has access, to what, and ensures the user activity is logged.
How to implement data loss prevention controls in the cloud
What to consider before implementing a CASB platform
Issues to watch out for with cloud DLP