The widespread adoption of software-as-a-service (SaaS) applications has fundamentally changed the way modern employees do their jobs and accomplish their corporate goals. For the majority of enterprises, cloud adoption was driven by ease of adoption, as well as the collaboration and sharing functionality made possible by cloud applications. However, an unintended consequence of the rush to cloud implementation is significantly increased security risks.
The ease of implementing SaaS-based applications has opened the floodgates when it comes to the way today’s employees work. Indeed, the consumerisation of IT continues to push personal cloud applications into the enterprise and complements the implementation of strategic and IT-driven cloudification. With “working from anywhere” now a standard expectation of workers — particularly since the COVID-19 pandemic began — organisations are striving to allow users and their devices to securely connect to any application located in the cloud or the corporate network. The challenge is to enable this seamless connectivity, while providing a safe and secure place to do business. With the adoption of multicloud environments and the declining reliance on the corporate network to host and run applications, the internet has begun to fill the role of the corporate network. In response to this change, IT departments must keep pace with current trends and ensure they are seeing the bigger picture when it comes to who is accessing which applications to live up to their core responsibility of implementing effective security controls for all data streams.
While it can be tedious to train every employee to consistently use security best practices with SaaS applications — including unsanctioned ones — at all times, the failure to do so can be costly. To overcome the cloud security challenge for enterprises, the traditional Cloud Access Security Broker (CASB) approach, a separate overlay to protect organisations’ assets, was invented by Gartner in 2012. CASB is a security service that ensures the safe usage of cloud applications and services to prevent accidental data leakage. It is primarily used for controlling the use of SaaS applications, but can also be used to address portions of cloud service providers’ offerings, such as S3 buckets in AWS. Now, after nearly ten years, CASB has many facets and goes beyond the classic shadow IT requirement, giving the IT team control over data at rest and in motion in multicloud environments and corporate networks.
Keeping control of the extended network
With the extension of the corporate network to the cloud, corporations face various security challenges. As SaaS applications are built for sharing, users often inadvertently share critical business data. The use of unsanctioned SaaS apps, known as shadow IT, and risky user behaviours, such as sharing inside information outside of the corporate network, increase risk. Additionally, SaaS applications can easily become a conduit for data theft, data exposure, or malware propagation if they are operated outside of the IT department’s set of security controls and are not checked for malicious activity on an ongoing basis. As SaaS application usage is spread across a broad range of applications and groups, it can become a challenge to keep track of compliance violations. A unified assurance of permitted best practices and data flows needs to be established first. In short, CASB has to take on various legitimate roles as an important player in the overall security posture of an organisation in order to prevent the exposure of data, whether accidental or intentional.
CASB technology has been designed to deliver dedicated services for SaaS visibility and control of data exposure, which requires not only looking at the traffic that is inline (in motion) but also at rest within the SaaS application itself. This requires specific API-based access to SaaS applications in order to look inside the cloud and determine the risk of data exposure and automatically correct it. Unlike on-premises-focused security products, CASBs are designed to identify and protect data stored in external systems. An effective CASB service provides a central location for policy and governance concurrently across multiple cloud services — for users and devices — and granular visibility into and control over user activities and sensitive data.
What’s more, according to Gartner, CASB coverage should apply broadly across the SaaS, platform as a service (PaaS), and infrastructure as a service (IaaS) cloud service delivery models. For SaaS coverage, CASBs commonly work with the most popular content collaboration platforms (CCPs), CRM systems, HR systems, ERPs, service desks, office productivity suites, and enterprise social networking sites. Some of the systems extend support to less common SaaS applications through custom plug-ins or automated learning of application behaviour. For IaaS and PaaS coverage, several security brokers govern the API-based usage (including console access) of popular cloud service providers (CSPs) and extend visibility and governance to applications running in the cloud.
A platform approach to regain visibility
The traditional approach to address the risks associated with SaaS is adding a CASB service as a separate overlay to report on SaaS usage and provide some level of control. Most of the time this happens independently of the rest of the organisation’s security offerings, which means it is a separate data protection function. Such an approach to CASB adds unnecessary complexity without solving the key challenges of SaaS usage. Modern working requirements call for real-time visibility and access control of user activity across sanctioned and unsanctioned applications, which only a highly integrated security approach can provide. A fully integrated security platform model eliminates the traditional overlay architectures and simplifies policy creation and administration, ensuring data is protected and compliance is maintained.
CASB can only be as good as the architecture it is based on. For a truly integrated approach to data protection, a broad set of functions is required to interact. This includes data loss prevention (DLP), which must see all traffic from users accessing SaaS applications, whether they sit inside the corporate perimeter or work from anywhere. Additionally, an effective approach has to provide the performance needed to terminate encrypted tunnels and inspect all SSL/TLS-encrypted traffic. A cloud-native approach to CASB should also have the global footprint to handle the large number of SaaS transactions of decentralised users across the globe.
According to Gartner, a CASB approach should be part of the bigger picture of an overall data protection portfolio and comply with the four pillars of visibility, data security, threat protection and compliance. In order to provide an appropriate level of protection, an organisation needs full visibility into all apps, including unsanctioned apps. It is important to understand how users are working with their cloud services and applications so organisations can enforce data-centric policies to prevent unwanted activity like uploading sensitive information to unsanctioned apps in the cloud. Data security becomes relevant, as SaaS apps are not only risky due to the possibility of sensitive data leaving the network; they can also act as a new entry point for malware to make its way into a company’s network. Security gaps can only be addressed effectively when all pillars are interacting based on a centralised repository for policy and governance that allows for real-time enforcement over both data at rest and data in motion.
Gartner consolidates the pillars in its SASE framework, where CASB is fully integrated with other security functions to be truly effective. A Secure Web Gateway lays the foundation and is complemented with DLP in a cloud-native approach. Data at rest (out-of-band CASB) can be controlled to prevent SaaS exposure and at the same time be scanned for DLP violations, whereas data in motion (inline CASB) can stop business-critical data loss in real time and control activity with unsanctioned shadow apps, as all filters are applied in the cloud.
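The out-of-band (API-based) side of this model is easiest to see as code. The following is an added example, not code from the article or from any vendor: it takes a constructed file inventory of the kind a CASB would pull from a SaaS tenant's API, classifies each file's exposure (internal, shared with an external domain, or reachable by public link), runs two simple DLP checks over the content at rest (a Luhn-validated payment-card pattern and a "CONFIDENTIAL" marker), and derives a remediation action such as revoking the public link. The domain, file records and DLP rules are all assumptions made for the example.

```python
import copy
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed data: what an API-based CASB might receive from a hypothetical
# SaaS file-listing endpoint. Domain, users and content are invented.
CORPORATE_DOMAIN = "example.com"

SAMPLE_FILES: List[Dict] = [
    {"id": "f1", "name": "q3-forecast.xlsx", "owner": "alice@example.com",
     "shared_with": ["bob@example.com"], "public_link": False,
     "content": "Q3 revenue forecast. INTERNAL ONLY."},
    {"id": "f2", "name": "customer-export.csv", "owner": "carol@example.com",
     "shared_with": ["partner@contractor.net"], "public_link": False,
     "content": "name,card\nJ Doe,4111 1111 1111 1111\n"},
    {"id": "f3", "name": "press-kit.pdf", "owner": "dave@example.com",
     "shared_with": [], "public_link": True,
     "content": "Public launch material."},
    {"id": "f4", "name": "board-deck.pptx", "owner": "eve@example.com",
     "shared_with": [], "public_link": True,
     "content": "CONFIDENTIAL - board only. Merger target: (redacted)"},
]

# 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def dlp_hits(content: str) -> List[str]:
    """Return the names of the DLP rules that match the content at rest."""
    hits: List[str] = []
    for m in CARD_RE.finditer(content):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append("payment_card")
            break
    if re.search(r"\bCONFIDENTIAL\b", content, re.IGNORECASE):
        hits.append("confidential_marker")
    return hits


def exposure(file: Dict) -> str:
    """Classify how far outside the tenant the file is reachable."""
    if file["public_link"]:
        return "public"
    if any(not addr.lower().endswith("@" + CORPORATE_DOMAIN)
           for addr in file["shared_with"]):
        return "external"
    return "internal"


@dataclass
class Finding:
    file_id: str
    exposure: str
    dlp: List[str]
    action: str


def scan(files: List[Dict]) -> List[Finding]:
    """Out-of-band pass: exposure plus DLP decides the action per file."""
    findings = []
    for f in files:
        exp = exposure(f)
        if exp == "internal":
            continue  # stays inside the tenant; nothing to remediate
        hits = dlp_hits(f["content"])
        if hits:
            action = "revoke_public_link" if exp == "public" else "remove_external_share"
        else:
            action = "log_for_review"  # shared widely, but no sensitive content found
        findings.append(Finding(f["id"], exp, hits, action))
    return findings


def remediate(files: List[Dict], findings: List[Finding]) -> List[Dict]:
    """Apply the actions to a copy of the inventory (a real CASB would call the SaaS API)."""
    fixed = copy.deepcopy(files)
    by_id = {f["id"]: f for f in fixed}
    for fd in findings:
        f = by_id[fd.file_id]
        if fd.action == "revoke_public_link":
            f["public_link"] = False
        elif fd.action == "remove_external_share":
            f["shared_with"] = [a for a in f["shared_with"]
                                if a.lower().endswith("@" + CORPORATE_DOMAIN)]
    return fixed


if __name__ == "__main__":
    for fd in scan(SAMPLE_FILES):
        print(fd)
```

Running `scan` on the sample flags the externally shared card export and the publicly linked confidential deck for remediation, while the public press kit is only logged; a second `scan` over the remediated copy leaves just that review entry.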
Extending the CASB approach to network-based apps
Going one step further in the CASB model involves extending the control mechanism over apps to the internal network. Identifying applications in the network and restricting access via Zero Trust provides an additional level of security. An organisation might have an overview of its inventory via its Configuration Management Database (CMDB), yet most organisations lack insight into user movement and which assets and applications are being accessed. From a security perspective, complete visibility into which applications are being used should be the preferred option to monitor and track risks or breaches. If a company is able to grant users granular access only to applications that are essential for work-related activities, rather than opening up whole network infrastructures, it can significantly reduce its attack surface.
Such granular access controls are feasible under the principle of least privilege, which is a key tenet of a zero trust based security approach. In the wake of a number of recent security incidents involving ransomware and double extortion attacks, the concept of minimising the route of access between the user and the application, wherever those applications are hosted, is a promising prospect. With a least-privilege approach, the aim is no longer to secure access to the network, but to lay comprehensive foundations that are suitable for a new security concept. This concept relies on identification technology and control mechanisms working in tandem across all users and entities in the entire construct of multicloud and internal data centre architectures. With a zero trust approach, access rights to applications and workloads are assigned to individual users and applications on a granular level, regardless of whether these applications are hosted in a data centre or a multicloud environment.
With a zero trust approach, all users start off with no access rights at all. Rights are assigned gradually based on the applications that the user needs for their role, and these rights are linked to the user’s identity. In this model, the location of the user and the application are no longer important; with a cloud-based zero trust network access approach, there is no need to involve the network at all. The control function that matches up authenticated users and their access to applications takes place via a cloud broker service, which uses the identity of the user and other context-based factors to continually monitor authorisation. This concept gives IT departments maximum visibility, as each user can only access apps securely where they have the necessary permission.
Enterprise applications are rapidly migrating to the cloud to achieve greater IT agility, speed up the pace of innovation, and lower costs. But cloud simplicity often means direct access, leaving IT with no visibility into user activity and putting the organisation at risk. A real zero trust architecture requires full inline CASB functionality to protect all users, on- or off-network, and gives organisations real-time visibility into all incoming and outgoing traffic along with granular controls. In addition, the architecture lays the foundation not only for securing access to SaaS applications, but also for regaining insight into internal applications, helping organisations get visibility into which applications are accessed – in the network or in the cloud – without checking data security. After all, you cannot secure what you cannot see, and CASB, as part of a zero trust architecture, has enormous potential to improve the overall data protection posture of the modern enterprise and solve the decades-long challenge of vulnerability.
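The broker logic described above (no default rights, entitlements derived from the user's role and identity, context factors re-checked continuously, location ignored) can be shown as a small policy engine. This is an added example written for this article, not code from the article or from any zero trust product; the role directory, the application names and the context attributes (MFA, managed and compliant device) are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed directory: which roles an identity holds, and which applications
# each role needs. Anything not listed here is denied by default.
ROLE_APPS: Dict[str, Set[str]] = {
    "finance": {"erp", "expense-portal"},
    "engineering": {"git", "ci"},
    "everyone": {"mail", "wiki"},
}
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"finance", "everyone"},
    "bob": {"engineering", "everyone"},
}


@dataclass(frozen=True)
class Context:
    """Identity plus the context factors the broker evaluates on every request.
    Deliberately no network location: it plays no part in the decision."""
    user: str
    authenticated: bool
    mfa: bool
    device_managed: bool
    device_compliant: bool


@dataclass
class Decision:
    allow: bool
    reason: str


def entitlements(user: str) -> Set[str]:
    """Union of the applications granted by the user's roles; unknown users get nothing."""
    apps: Set[str] = set()
    for role in USER_ROLES.get(user, set()):
        apps |= ROLE_APPS.get(role, set())
    return apps


def broker_decision(ctx: Context, app: str) -> Decision:
    """Per-application decision: every check must pass, otherwise deny."""
    if not ctx.authenticated:
        return Decision(False, "not authenticated")
    if not ctx.mfa:
        return Decision(False, "mfa required")
    if app not in entitlements(ctx.user):
        # No network-level fallback: an app outside the entitlement set is invisible.
        return Decision(False, "no entitlement for " + app)
    if not (ctx.device_managed and ctx.device_compliant):
        return Decision(False, "device posture not acceptable")
    return Decision(True, "identity and context verified")


def reevaluate(open_sessions: Dict[str, List[str]], ctx: Context) -> List[str]:
    """Continuous authorisation: re-run the decision for a user's open sessions
    with fresh context and return the applications whose session is revoked."""
    revoked = []
    for app in open_sessions.get(ctx.user, []):
        if not broker_decision(ctx, app).allow:
            revoked.append(app)
    open_sessions[ctx.user] = [a for a in open_sessions.get(ctx.user, [])
                               if a not in revoked]
    return revoked


if __name__ == "__main__":
    good = Context("alice", True, True, True, True)
    print(broker_decision(good, "erp"))
    print(broker_decision(good, "git"))
    sessions = {"alice": ["erp", "mail"]}
    posture_lost = Context("alice", True, True, True, False)
    print("revoked:", reevaluate(sessions, posture_lost))
```

The `reevaluate` step is the part that distinguishes a broker from a one-time login check: when a device drops out of compliance mid-session, every application session held under that identity is torn down, not just new requests.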