As more organizations move sensitive data to the cloud and “cloudify” traditionally internal applications, the need to fully secure data in the cloud has become critical. Widespread use of Software as a service (SaaS) applications has led to concern over the security gaps they present. Cloud access security brokers (CASBs) help bridge these gaps by providing a central control point for cloud service visibility, security, and compliance.
Learn about:
• How CASBs can help you leverage SaaS while maintaining security and compliance
• The four central areas of CASB functionality
• The most popular ways CASB solutions are being used to accomplish security goals
• The pros and cons of different CASB deployment options
• How to evaluate solutions to find the best match for your organization
2. Sponsored by Forsythe (www.forsythe.com)
Forsythe is a leading enterprise IT company, providing advisory services, security, hosting and technology solutions for Fortune 1000 organizations. Forsythe helps clients optimize, modernize and innovate their IT to become agile, secure, digital businesses.
3. Ask yourself: CAN YOUR ORGANIZATION DETECT UNUSUAL OR FRAUDULENT ACTIVITIES ASSOCIATED WITH DATA IN THE CLOUD?
a) Yes
b) No
c) Not sure
4. 93% of respondents will use sensitive data in advanced technology (defined as cloud, SaaS, big data, IoT and container) environments this year
63% believe their organizations are deploying these technologies ahead of having appropriate data security solutions in place
*2017 Thales/451 Research Data Threat Report
5. MANY ORGANIZATIONS LACK VISIBILITY INTO THE CLOUD SERVICES THEY CONSUME AND THE RISKS THEY PRESENT
• Cannot detect compromised credentials or unmanaged devices accessing cloud services
• Struggle to verify compliance and secure handling of data across different services
6. Ask yourself: HOW MANY CLOUD APPLICATIONS DOES YOUR ORGANIZATION USE?
a) Less than 300
b) More than 500
c) Not sure
7. Symantec’s Shadow Data Report for 2H 2016 found that the average enterprise has 928 cloud apps in use
Organizations use 20 times more cloud apps than they think
*Source: Symantec 2H 2016 Shadow Data Report
9. THE ROLE OF CASBs
Definition: CASBs are policy enforcement points that sit between an organization's on-premises infrastructure and a cloud provider's infrastructure. They act as gatekeepers, interposing enterprise security policies as cloud-based resources are accessed.
Use: CASBs examine a network's traffic and determine if sensitive data is being sent to the cloud. CASB solutions then apply policies and other security controls to ensure that sensitive data is protected. They enable organizations to manage and enforce policies across disparate SaaS applications, providing a single point of control for multiple applications and services.
11. CASB FUNCTIONALITY AREAS
• Visibility: Answers the question, “Who’s doing what in the cloud?” through shadow IT discovery and sanctioned application control. Offers comprehensive view of cloud service usage, and the users accessing data from any device or location
• Compliance: Helps fill the regulatory compliance capability gaps introduced by many SaaS providers. Assists with data residency issues and controlling access to regulated data, provides logs for audits, and identifies cloud usage and the risks of specific cloud services
• Data Security: Enforces data-centric security policies to prevent unwanted activity based on classification, discovery and user activity monitoring of data access. Policies applied through controls such as audit, alert, block, quarantine, delete and encrypt/tokenize
• Threat Protection: Provides protection against threats not typically handled by SaaS providers (e.g., user behavior and use of corporate data). Prevents unwanted devices, users and versions of applications from accessing cloud services
13. ONE: SHADOW IT DISCOVERY
CASBs can identify the SaaS apps being used and specify how safe they are for the organization
14. TWO: ACCESS CONTROL ENFORCEMENT
CASBs can identify users’ access to SaaS applications by leveraging existing single sign-on providers or corporate Active Directory services
15. THREE: ENCRYPTION
CASBs provide a common point of encryption for cloud services
16. FOUR: DATA LOSS PREVENTION
CASBs can verify content within the public cloud applications being used by the organization, encrypting, password protecting, watermarking, or blocking
18. SIX: BEHAVIOR ANALYTICS
CASBs can establish user behavior and service baselines, so that anomalous behavior that indicates threats can be detected, and alerts can be generated
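The baselining idea on slide 18, sketched as an added example (not from the original deck or from any CASB product). The event fields, thresholds and sample data are constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample: one (user, country, files_downloaded) record per day,
# as might be pulled from a SaaS audit log.
HISTORY = (
    [("alice", "US", n) for n in (12, 9, 14, 11, 10, 13, 12)]
    + [("bob", "DE", n) for n in (3, 4, 2, 5, 3, 4, 3)]
)

def build_baselines(history, min_days=5):
    """Learn each user's usual download volume and usual countries."""
    counts, countries = defaultdict(list), defaultdict(set)
    for user, country, n in history:
        counts[user].append(n)
        countries[user].add(country)
    return {
        user: {
            "mean": statistics.mean(c),
            "sigma": statistics.pstdev(c),
            "countries": countries[user],
        }
        for user, c in counts.items()
        if len(c) >= min_days  # too little history gives a meaningless baseline
    }

def evaluate(baselines, user, country, n, z_threshold=3.0, min_sigma=1.0):
    """Return the alert reasons for one day's activity (empty list = normal)."""
    base = baselines.get(user)
    if base is None:
        return ["no_baseline"]  # new or rarely seen account: route to review
    reasons = []
    # Floor sigma so a very steady user does not alert on a one-file change.
    z = (n - base["mean"]) / max(base["sigma"], min_sigma)
    if z >= z_threshold:
        reasons.append("volume_spike")
    if country not in base["countries"]:
        reasons.append("new_country")
    return reasons

if __name__ == "__main__":
    b = build_baselines(HISTORY)
    for event in [("alice", "US", 13), ("bob", "DE", 250),
                  ("alice", "BR", 12), ("carol", "US", 1)]:
        print(event, evaluate(b, *event))
```

Accounts with no baseline are reported separately rather than treated as normal, since a missing history is itself something an analyst should see.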
20. Gateway (Forward Proxy): Inline deployment between the endpoint and cloud service in which the device or network routes traffic to the CASB proxy.
Gateway (Reverse Proxy): Inline deployment between the endpoint and cloud service in which the cloud service or identity provider routes traffic to the CASB proxy.
API-Based Solution: Direct integration of the CASB and cloud service. Depending on cloud provider APIs, the CASB can view activity, content, and take enforcement action.
21. Gateway (Forward Proxy)
Pros
• Ability to leverage current on-premises perimeter solutions
• Architecture enables handling of transport-layer encryption
• Facilitates Shadow IT discovery
Cons
• Doesn’t work for unmanaged off-premises devices
• All traffic from managed endpoints traverses the CASB; potential privacy/compliance concern
• Users must either VPN or proxy through the solution
Gateway (Reverse Proxy)
Pros
• Leverages existing IDP/SSO solutions
• Transport-layer security can require certificate rewriting
• Proactive DLP enforcement
Cons
• Rewriting URLs can cause issues if SaaS provider has frequent URL updates
• Requires an existing IDP/SSO solution to be in place
• SSL encryption can impact deployment
API-Based Solution
Pros
• No configuration changes to endpoints or the network
• Visibility into sanctioned apps
• Reliable insight into what data is in the cloud, and activity logs/user behavior associated with that data
Cons
• No real-time prevention
• API dependency is limited to the application's API offering
• Hybrid approach (API + gateway) may be needed to enable features such as encryption and tokenization for some applications
22. Ask yourself: HOW CAN YOU DETERMINE WHICH CASB IS RIGHT FOR YOUR ORGANIZATION?
a) Whichever ranks highest in the Gartner Magic Quadrant
b) Ask a trusted peer in the industry
c) Makes no difference; they’re essentially the same
d) Conduct an evaluation
25. Authors:
Matthew Sickles, Director, Forsythe Security Solutions
Sriram Puthucode, VP of Systems Engineering, Cloud Security, Symantec