The Cloud Security Alliance (CSA) recently teamed up with CipherCloud to start what they are calling the Cloud Security Open API Working Group in an attempt to universalize cloud use and define "protocols and best practices for implementing cloud data security" as a part of a framework for cloud access security brokers.
The group -- which includes CipherCloud, Deloitte, InfoSys, Intel Security and SAP -- wants to develop vendor-neutral guidelines to facilitate the growth of cloud access security brokers (CASBs). The CSA Open API Working Group charter is to help enterprises evaluate and integrate with cloud APIs via CASBs and other cloud security services, using open standards and definitions that everyone can assess and understand. Another goal of the working group is to provide a collaborative group of technical professionals that represent the cloud computing and security communities, helping drive innovation in cloud service adoption and meet compliance and security requirements simultaneously.
The importance of facilitating CASB growth
In June 2014, Gartner Inc. outlined its top ten security technologies for 2014, with CASBs at the top of the list. In a recent report entitled "The Growing Importance of Cloud Security Brokers," Gartner also noted that by 2016, "25% of enterprises will secure access to cloud-based services using a CASB platform, up from less than 1% in 2012" and that these services will be essential to software as a service (SaaS) deployments in 2017 and beyond.
For many in the security industry, CASBs seem to offer a number of controls that can help solve some of the more challenging problems with cloud adoption. First, many organizations are currently struggling with rampant use of "shadow cloud," where employees use cloud storage, applications, hosting and other services without approval from IT departments or input from security teams. This can quickly lead to data leakage, and to potential exposure if one of those services is breached. CASBs can act as a proxy for all traffic headed to cloud providers -- or at least the traffic destined to specific cloud services -- so they can see and filter traffic that violates policies and compliance requirements.
Second, many CASBs offer security controls that significantly enhance the meager native offerings often available within the cloud service provider environments themselves. Even for sanctioned cloud services that have been approved, monitoring data access and use, implementing identity management at a granular level, and implementing encryption of data may be challenging or impossible natively in a SaaS or other cloud environment. With a CASB service in place, some of these controls may now be available via API integration with providers like Salesforce, Microsoft Office 365, Box and others.
Pros and cons of the Cloud Security Open API Working Group
The benefits the Cloud Security Open API Working Group may offer are largely centered on improving the adoption rate of cloud security services through the creation of an open set of API standards that everyone has access to; the creation of a reference architecture that many security tools and services can integrate with for use within cloud service environments; and improving the overall "openness" of cloud providers themselves as more CASBs integrate with them natively.
There really are no immediate drawbacks to creating a vendor-neutral set of API standards that cloud service providers, enterprises and CASB vendors can all leverage and work with, and the rate of innovation and improvement in cloud API creation and acceptance will likely increase.
To that end, the API standards should include the specific items listed in the charter, which address the following security control areas:
- Data security, likely through encryption and tokenization;
- Cloud usage monitoring, with data loss prevention and content filtering through policies. This may also include user behavior tracking and anomaly detection; and
- Compliance monitoring within the cloud services environment.
Given the rate of CASB adoption suggested by Gartner, this working group is sorely needed to help security teams overcome some of the current challenges with cloud service use, including sensitive data exposure, data privacy and policy violations through shadow IT and cloud. Security teams should consider getting involved in the working group and closely monitoring its activities to see how things are progressing.
About the author:
Dave Shackleford is the owner and principal consultant of Voodoo Security LLC; lead faculty at IANS; and a SANS analyst, senior instructor and course author. He previously worked as CSO at Configuresoft; as CTO at the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. Shackleford currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.