Neil MacDonald, vice president and analyst at Gartner, moderated a panel of CISOs and security directors who discussed why they deployed CASBs and how they used them. The panelists included Jerry Archer, senior vice president and chief security officer at Sallie Mae, based in Newark, Del.; Gerard Brady, global CISO at Morgan Stanley, based in New York; Alissa Johnson, CISO at Stryker Corp., based in Kalamazoo, Mo.; and Richard Puckett, senior director of security operations and cyber intelligence at General Electric, based in Fairfield, Conn.
MacDonald started the discussion by outlining how CASBs have emerged in recent years to become a control point for enterprises on the many cloud apps and services used by their employees. He explained how cloud access security brokers use a variety of different capabilities to protect enterprises, such as cloud app discovery, user authentication, usage monitoring and data protection -- including encryption and data loss prevention (DLP) features.
MacDonald also said the CASB market has swelled to include 18 to 20 core vendors and an estimated $180 million in revenue across those vendors.
"It went from zero to a real market in just these past four years," MacDonald said.
The business case for cloud access security brokers
MacDonald asked the panelists what drove CASB adoption in their respective enterprises. Archer said regulatory compliance was the biggest reason for going with CASBs. "The primary driver for this, more than anything else, was the need for compliance. In our case, it was the FFIEC information security handbook," he said.
Richard Puckettsenior director of security operations and cyber intelligence at General Electric
Archer also said Sallie Mae's goal was to encrypt all financial data, but still maintain functionality to the enterprise cloud services on which employees had come to rely. He said the encryption component was crucial, because Sallie Mae wanted to ensure that no one outside the organization, including the cloud providers themselves, could view or access the data. "We can encrypt all the data as it leaves our environment and goes into a cloud provider, and only we have the key," Archer said. "The cloud provider can never disclose the information in any way, shape or form, because it's fully encrypted."
Morgan Stanley's Brady said the problem of shadow cloud usage was so pressing that his company had multiple CASB efforts -- and different vendors -- going on at the same time. "We started looking at visibility first, so we could have a process around incident response and also governance for sanctioning cloud usage," he said. "We did move into using CASBs for encryption earlier on as well, and now, we're probably reconsolidating those efforts under a single CASB over the next several months."
Johnson said when she joined Stryker last year, she was asked by management to identify the "low-hanging fruit" of security concerns. "I thought the low-hanging fruit, after going to a cloud access security broker, literally was shadow IT," she said. "I found out I had over 2,000 cloud services in use, and I didn't even know there was 2,000 in existence."
Puckett said the pressing issue for his company was preventing data from escaping GE's environment and moving to the cloud without any controls.
"You can't have a reasonable risk conversation if you're not taking some form of measurement," Puckett said. "When GE looked, we found that there was massive crowdsourcing across the spectrum of cloud providers, from SaaS [software as a service] to PaaS [platform as a service] and IaaS [infrastructure as a service], and it was the permeations of that were creating data leakage telemetries that were concerning."
Puckett also said that counting on cloud security policies alone to prevent employees from using unsanctioned services or engaging in risky activity is "a fantasy."
Handling shadow cloud services
Puckett said GE has become "a little more progressive in a positive way" regarding official approval of cloud services since the company began working with CASBs. The security team may find that employees are using shadow cloud services that have yet to be approved by the IT department, but Puckett said as long as usage can be monitored and determined to be within GE's security policies, the company won't block those services. "We do allow and tolerate specific unsanctioned cloud providers for use in a business context, as long as they're being used with the right guidelines," Puckett said.
Johnson said Stryker doesn't immediately block access to unapproved cloud apps and services; instead, the company's CASB, Skyhigh Networks, will alert employees that the usage may be in violation of Stryker's security policies, which MacDonald referred to as an example of "soft controls," rather than hard controls. "Hopefully, this makes [the policy] more acceptable and digestible instead of making people angry because you blocked them," Johnson said.
Brady said Morgan Stanley blocks many cloud apps and services, but like GE, the financial services company makes exceptions "where it makes sense." But because Morgan Stanley found the number of unsanctioned cloud services being used by employees was "in the thousands," Brady said the company had to implement some hard controls to prevent corporate data from being exposed via those services.
Archer said Sallie Mae tries to do more whitelisting of cloud services than blocking of unsanctioned services, but he also said the company takes unsanctioned usage of any cloud service very seriously. "Our policy states that if anybody uses an unsanctioned service outside the corporation resulting in the exfiltration of sensitive data, they are subject to disciplinary action up to and including termination," he said. "So, if we catch them using DLP, they go through a serious investigation process."
But Archer said his security team looks at all of the data leaving the corporate environment and moving to the cloud via his CASB's DLP features, which he said are good for stopping employee misuse, but aren't adequate for preventing external threat actors from exfiltrating data. "As you all know, DLP basically stops stupid, but it doesn't stop real hackers," Archer said. "So, we try to catch stupid anywhere we can, and stupid will pay a price for that."
Puckett said data generated by cloud access security brokers can help enterprises, such as GE, vet potential cloud services for official approval. For example, he said, a cloud service may not just lack security controls, such as SSL or encryption, but they may also have terms and conditions that are "hostile" to the enterprise. "Some of the multi-tenant providers will say 'If you put data in our provider, if belongs to us,'" Puckett said.
But Puckett said the problem of managing cloud services is "not getting better with age," because it's no longer just the enterprise-to-cloud link that security managers have to monitor. Puckett said he sees more and more cloud services communicating and sending corporate data between one another, such as data moving from an IaaS workload to a SaaS, and then to a storage service.
"Those off-network permutations are getting harder and harder to watch, because they're expanding at a geometric rate," he said. "We do need to start to talk about what is the next evolution of this [CASB model], because it's not a problem we can chase."
In closing, the panelists said that cloud access security brokers have become an indispensable part of their respective security postures and offered advice to audience members about working with CASBs. Archer said it's important for enterprises to remain flexible when contracting with CASBs. "I think the biggest thing is I'd say is, don't get committed to one name, because it's all going to change -- and it's going to change a lot faster than you think," he said.
Brady agreed, saying that although CASBs deliver crucial cloud security controls, enterprises should keep in mind that the space is bound to fluctuate and shift as it grows." We're definitely not in a mature market just yet," Brady said.
Puckett said enterprises need to devise strategies for handling sanctioned and unsanctioned cloud services, exiting cloud services, and handling encryption keys before they implement a CASB model. "If you don't have those three things, then good luck to you, because culture will trump security every single time," he said.
Johnson encouraged the audience to use the visibility and metrics provided by CASBs to their advantage in discussions not just with fellow security team members, but upper management as well. "The best way to have that conversation is by having good data," she said. "And the amount data I get from my cloud access security broker has helped me so much with board-level presentations and presentations to the senior leadership team."