The cloud is a crowd pleaser, but security is often unamused. As the software as a service landscape expands, so does the data and users connecting to it.
Cloud apps and web-based security properties are colliding. It's security's job to find where and how to blend security components. The cloud is a sore spot for security, but cloud access security broker (CASB) capabilities — discovery, data loss prevention, threat protection, encryption and logging — should sit between every kind of app a company houses.
Companies should consider mixing and matching CASB capabilities because draping a single vendor or solution across all apps is unnecessary, according to said Ramon Krikken, distinguished VP analyst at Gartner, while speaking during the virtual Gartner 2020 Security & Risk Management Summit Wednesday.
If a company is already working with a patchwork of vendors, security needs to pay attention to the details. Maybe the company only needs CASB for firewall log feeds, for example.
"A lot of CASB buying decisions are made around discovery capabilities," said Krikken. It could be discovery of shadow IT, cloud app usage or data.
CASB is also applied to adaptive access control, where only approved individuals can access certain apps, and data loss prevention (DLP) for controlling the flow of data.
Gaps in proxies
For many apps, endpoints manage the access point. "It matters what talks to what," said Krikken. IT and security have unmanaged and managed endpoints, unmanaged/unapproved cloud apps, and managed/approved cloud apps.
CASB integration is sensitive to the architecture of an organization's cloud and IT. Organizations can deploy CASB in two ways:
- When an end user interacts with a cloud app, "you can say, 'Let's connect to the cloud APIs that are available for doing things like monitoring, data inspection, logging," said Krikken. CASB can detect activity using the APIs and either act on the endpoint or monitor their activity.
- Or, organizations can "deploy the CASB in line as a proxy," to perform a more real-time policy enforcement, said Krikken.
The choice "matters in terms of the kinds of capabilities that you can bring to bear," said Krikken, and the use cases that best suit the business.
For example, while IT can technically configure APIs at will, APIs are not created equal. "If I want to prevent a certain piece of data being downloaded from a cloud application, it is very difficult, if not impossible, to do via an API integration," said Krikken. A proxy server, however, can pick up on the gaps in traffic inspection APIs leave.
The forward proxy is used when there are some managed endpoints "and we want to see what they're doing, regardless of what it is that they're talking to," or managed/unmanaged apps, said Krikken. However, forward proxy doesn't capture traffic from unmanaged endpoints — enter reverse proxy.
Reverse proxy "sits right in front of that cloud application and regardless of where the traffic comes from," but stops short of covering unapproved apps, said Krikken.
Traditional proxy servers, such as firewalls, act similarly to CASB proxies but also fail to address all types of apps or endpoints.
"One thing that is important here is that one of the use cases is never covered by any of these CASB architectures," said Krikken. " You have an unmanaged endpoint, talking to an unmanaged or an unapproved cloud application, because there's just nothing that gets in between the traffic."
But Krikken recommends security not to just grab and deploy certain CASB features. "When you essentially start with the feature that you need, then you can work your way back to the integration options that are required."
For example, organizations shouldn't request DLP for all cloud apps but instead define when DLP is required, like uploading or downloading data from the cloud. If companies can segment where certain features are absolutely necessary, they may come to find where their architecture can "bear" more CASB.
"It also allows you to look at other solutions that live side by side with CASB, and either on which CASB depends, or with which CASB needs to coexist in order to function properly," said Krikken.
Finding where CASB interacts with existing solutions is also key to its deployment. "You may already have various things that are either a prerequisite for CASB, or that overlap in such a way that you need to make them work together," said Krikken. Adaptive access control, for example, needs to work in conjunction with identity and access management to account for user directories or single sign on.