Cloud service use is booming across the federal government. Cloud services contract obligations were expected to increase by about 32 percent in fiscal year 2018, reaching an all-time high of about $6.5 billion, according to an analysis by Bloomberg Government.
That includes not just Software as a Service applications such as Microsoft's Office 365 (Microsoft also delivers Windows 10 under its "Windows as a service" update model) but Infrastructure as a Service and Platform as a Service from the likes of Amazon Web Services, Microsoft's Azure, Google Cloud, Oracle and others. Cloud service adoption is expected to continue to accelerate in 2019 under the Trump administration's "Cloud Smart" strategy.
All of those cloud services can lead to increased security risks, however. That’s where cloud access security brokers come in for agencies. CASBs can provide federal IT leaders and security pros with a unified control point for visibility into cloud applications, use and data, according to cloud security experts. Beyond visibility, these experts say, CASBs also offer help with compliance, data protection and threat protection capabilities, since they allow agencies to track data flowing in and out of cloud apps and also help monitor users.
Srini Gurrapu, chief cloud evangelist at McAfee, tells sister site BizTech that until now, most organizations’ security practices have been built on the assumption that they owned their infrastructure and security perimeter. Security was built around endpoint protection, patching and anti-malware and less so on data security.
“When you move to the cloud, you don’t have a choice,” he says. “Now, you don’t own the infrastructure, but you are putting your applications and data on somebody else’s premise. So, this is the opportunity to understand your data, to understand your users, to understand your business workflows, and secure the data and the workflows and the identities.”
What Is a CASB Solution?
As organizations are trusting cloud to host their applications and data on SaaS, or IaaS or PaaS cloud services, they need one unified control point to give them that visibility and the control for all their applications, usage and data, Gurrapu says. “A CASB is precisely that,” he notes. “It’s that one unified cloud access security control point and the platform that provides that consistent visibility and the control across all the cloud services that the organizations are using.”
As Tim Hanrahan, manager of cloud client services at CDW, notes in a blog post, CASBs scan, evaluate and report on which cloud applications are already running on organizations' networks. They provide audits, policy, data loss prevention and additional security controls for applications outside networks, specifically SaaS apps like email, file sharing and customer relationship management.
CASBs also ensure compliance, Hanrahan says, since they add security to cloud-based apps that have multiple data center locations “by enforcing things like data residency.” CASBs also provide “intelligent analytics to ensure no unwanted access based on learned behavior,” Hanrahan says.
CASB use is expected to grow over the next few years. Gartner predicted in November 2017 that by 2020, 60 percent of large enterprises will use a CASB to govern cloud services, up from less than 10 percent at that time.
How CASB Solutions Can Help Feds
Given their many uses, CASBs have a lot of applicability for federal agencies. Eric Andrews, vice president of cloud security at Symantec, tells BizTech that CASBs can help organizations, federal agencies among them, that are trying to get a handle on all of the cloud apps they have deployed.
“What are all of the apps and services that people are going to? How risky are these cloud apps and services?”
CASBs can help agency IT leaders with reporting for compliance and certification as well, he notes. McAfee adds that CASBs can “identify sensitive data in the cloud and enforce DLP policies to meet data residency and compliance requirements.”
CASBs also help agencies with data security. “How do I track all of this sensitive content that may be flowing in and out of these cloud apps?” Andrews says. That can include source code, personally identifiable information, credit card information or healthcare information. “How do I track that and make sure it doesn’t get exposed inadvertently, with proper policies and controls and even tokenization and encryption?” Andrews says.
Additionally, CASBs offer agencies threat protection. This is especially valuable at large agencies with thousands of users accessing cloud services. "How do I monitor all of these user accounts?" Andrews says. "Now that I have a lot of activity, I might have 20,000 credentials floating around for my Office 365 account. If any one of those credentials gets compromised, that rogue actor can have direct access to my content." CASBs help organizations "detect and respond to negligent or malicious insider threats, privileged user threats and compromised accounts," McAfee says.
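The "learned behavior" analytics Hanrahan and Andrews describe come down to building a per-account baseline from cloud audit events and flagging what deviates from it. The following is an added illustration, not code from any CASB product quoted in this article: it learns each user's usual countries, active hours and download volume from a constructed history of audit records, then scores new events. The event tuples, the 5x download-burst factor and the two-hour slack are all assumptions made for the example; a real deployment would read the provider's audit API or the in-line proxy's logs.

```python
"""Baseline-and-deviation check for compromised cloud accounts (illustrative).

Learns a per-user profile from cloud audit events and scores new events
against it: a sign-in from a country the user has never used, activity
outside the user's observed hours, or a download burst well above the
user's median. Records and thresholds are constructed for this example.
"""
from collections import defaultdict
from statistics import median

# Constructed audit history: (user, hour_utc, country, files_downloaded)
HISTORY = [
    ("alice", 9, "US", 3), ("alice", 10, "US", 5), ("alice", 14, "US", 2),
    ("alice", 16, "US", 4), ("alice", 11, "US", 6), ("alice", 15, "US", 3),
    ("bob", 8, "US", 20), ("bob", 13, "CA", 25), ("bob", 17, "US", 18),
    ("bob", 9, "CA", 22), ("bob", 12, "US", 30), ("bob", 16, "US", 21),
]

DOWNLOAD_BURST_FACTOR = 5   # assumed threshold: 5x the user's median downloads
HOUR_SLACK = 2              # assumed: tolerate +/- 2 hours around observed range


def build_profiles(events):
    """Collapse raw events into one baseline per user."""
    raw = defaultdict(lambda: {"countries": set(), "hours": [], "downloads": []})
    for user, hour, country, n in events:
        p = raw[user]
        p["countries"].add(country)
        p["hours"].append(hour)
        p["downloads"].append(n)
    return {
        user: {
            "countries": p["countries"],
            "hour_min": min(p["hours"]),
            "hour_max": max(p["hours"]),
            "median_dl": median(p["downloads"]),
        }
        for user, p in raw.items()
    }


def score_event(profiles, event):
    """Return the list of reasons an event deviates from its user's baseline.

    An empty list means the event looks like normal behavior for that user.
    """
    user, hour, country, n = event
    p = profiles.get(user)
    if p is None:
        return ["unknown user"]          # no baseline at all: escalate
    reasons = []
    if country not in p["countries"]:
        reasons.append(f"new country {country}")
    if hour < p["hour_min"] - HOUR_SLACK or hour > p["hour_max"] + HOUR_SLACK:
        reasons.append(f"off-hours {hour:02d}:00Z")
    if n > DOWNLOAD_BURST_FACTOR * p["median_dl"]:
        reasons.append(f"download burst {n} vs median {p['median_dl']}")
    return reasons


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for ev in [("alice", 3, "RO", 400), ("bob", 13, "CA", 26), ("carol", 9, "US", 1)]:
        print(ev, "->", score_event(profiles, ev) or "normal")
```

Alice's 3 a.m. session from a new country pulling 400 files trips all three rules at once, which is the pattern a stolen Office 365 credential tends to produce; Bob's event is ordinary for Bob even though it would be odd for Alice, which is why the baseline has to be per account rather than organization-wide.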
In a separate blog post, Hanrahan notes that there are three main models for deploying CASBs.
The first approach is to work at the application programming interface (API) level, which is an "out-of-band solution" because it does not sit directly between the request and the data. "Rather, it works directly with known APIs of specific cloud applications," Hanrahan says. "For example, a CASB that employs API as its primary access protection methodology will have written its software to work directly with cloud apps" like Office 365.
The second approach is a reverse proxy. Many organizations use a reverse proxy for certain data flows and understand the basic concept, Hanrahan notes.
"A proxy is an intermediary that sits between a requestor (client) and one or more data sources (servers)," he says. "This is an 'in-line' approach to securing cloud apps because it sits directly in the network traffic path. A reverse proxy brokers connections coming from the internet to your app servers. This approach can also hide the information behind it coming from the original source."
The final approach is a forward proxy one, the opposite path of a reverse proxy. Both use a proxy to sit between requests and data, and both are considered in-line. However, forward proxies “filter connections going out to the internet from clients sitting behind the firewall,” Hanrahan says.
“Specific to CASB, the biggest thing forward proxies offer is the ability to integrate any application,” he adds. “While this sounds great, there is always a cost or benefit associated with any feature. The downside to working with any application is that it can be more difficult to deploy, reduces end-user privacy and requires digital certs.”
Gartner refers to CASB solutions that support both proxy and API modes as multimode CASBs and notes that “they give their customers a wider range of choices in how they can control a larger set of cloud applications.”
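What an in-line (forward proxy) CASB actually does on each outbound request is the part the three deployment models above leave abstract, and it is also where the data-security controls Andrews lists (tracking sensitive content, tokenization) are applied. The block below is an added example written for this article, not code from CDW, McAfee or any CASB vendor: it models the forward-proxy path, where every request from a client behind the firewall to a cloud host passes through a policy check before being forwarded. The app registry, hostnames, DLP patterns, token key and sample requests are all constructed for the example; the HMAC-based token is a stand-in for a real vaulted tokenization service.

```python
"""Minimal in-line CASB policy check for the forward-proxy path (illustrative).

check_request() is what the proxy would call before forwarding an outbound
request. It demonstrates three controls attributed to CASBs in the article:
visibility (is this host a sanctioned app or shadow IT?), DLP on content
leaving the network, and tokenization of card numbers so the cloud app never
receives the real value. Everything below is constructed for the example.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Hypothetical app registry: what the proxy already knows about each SaaS host.
APP_REGISTRY = {
    "outlook.office365.com": {"app": "Office 365", "sanctioned": True},
    "api.salesforce.com": {"app": "Salesforce", "sanctioned": True},
    "files.example-share.net": {"app": "Example Share", "sanctioned": False},
}

# DLP patterns. The card pattern is deliberately loose and confirmed by Luhn.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

TOKEN_KEY = b"constructed-demo-key"   # assumption: in practice a KMS/HSM-held key


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives from the loose card regex."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def tokenize(value: str) -> str:
    """Replace a card number with a keyed, non-reversible token that keeps the last 4."""
    digits = re.sub(r"\D", "", value)
    tag = hmac.new(TOKEN_KEY, digits.encode(), hashlib.sha256).hexdigest()[:12]
    return f"TOK-{tag}-{digits[-4:]}"


@dataclass
class Decision:
    action: str                      # "allow", "block" or "tokenize"
    app: str
    findings: list = field(default_factory=list)
    body: str = ""                   # body to forward (rewritten when tokenized)


def check_request(host: str, user: str, body: str) -> Decision:
    """Policy decision for one outbound request from `user` to `host`."""
    entry = APP_REGISTRY.get(host)
    if entry is None:
        return Decision("block", "unknown", ["unregistered cloud destination"], body)
    if not entry["sanctioned"]:
        return Decision("block", entry["app"], ["unsanctioned app (shadow IT)"], body)

    findings = []
    rewritten = body
    for m in SSN_RE.finditer(body):
        findings.append(f"ssn:{m.group()}")
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(f"card:****{digits[-4:]}")
            rewritten = rewritten.replace(m.group(), tokenize(m.group()))

    # Assumed policy: SSNs never leave; card numbers may leave only tokenized.
    if any(f.startswith("ssn:") for f in findings):
        return Decision("block", entry["app"], findings, body)
    if rewritten != body:
        return Decision("tokenize", entry["app"], findings, rewritten)
    return Decision("allow", entry["app"], findings, body)


if __name__ == "__main__":
    samples = [
        ("outlook.office365.com", "alice", "Meeting moved to 3pm"),
        ("files.example-share.net", "bob", "quarterly-report.xlsx"),
        ("api.salesforce.com", "carol", "Card 4111 1111 1111 1111 exp 12/26"),
        ("outlook.office365.com", "dave", "Applicant SSN 123-45-6789"),
    ]
    for host, user, body in samples:
        d = check_request(host, user, body)
        print(f"{user}@{host}: {d.action} {d.findings} -> {d.body!r}")
```

The same check_request() logic would be driven differently in the other two models: an API-mode CASB would run it after the fact over content it reads back from the provider's API (and could only alert or quarantine, not rewrite in flight), while a reverse proxy would see only traffic to the specific apps it fronts. That is the trade Hanrahan describes: the forward proxy sees every app, at the cost of terminating TLS on the client side and therefore needing its own certificates.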
CASB Vendors and Solutions Agencies Can Tap
As organizations consider which CASBs to deploy, Gurrapu notes that they should choose a CASB platform “that’s built for the cloud for both north-south and east-west.” That means it is a CASB platform “that’s not network-centric, but that’s built more for API.”
He also suggests choosing a platform that secures both IaaS and SaaS from a single console.
It should be noted that, as of now, there is only one CASB that holds an authorization under the General Services Administration's Federal Risk and Authorization Management Program (FedRAMP), and that is Skyhigh Networks, which is owned by McAfee.
Gartner lists Symantec, Skyhigh and Netskope as the leaders in the CASB market, though there are numerous other players, including Cisco Systems, Microsoft and Oracle.
The CASB market is crowded, with vendors seeking differentiation across the four main use cases (visibility, compliance, data security and threat protection), Gartner says. "Some execute well across all of them, while others choose to focus on fewer of them but still offer basic functionality in all four," the research firm notes. "When originally conceived, CASBs focused on either visibility or encryption. As products have matured, visibility remains an important use case, but additional use cases have arisen that are as important, if not more so, than visibility."
Many Gartner clients deploy CASBs for data loss prevention and data security, for adaptive access control and for user and entity behavior analytics, “which raise the importance of a CASB from a visibility tool to a cloud service governance tool. Encryption or tokenization at the field level is not a common use case for most clients.”
It seems clear that agencies are going to be turning to CASBs more in the years ahead. “Much like firewalls have been a fundamental building block in the data security architectures of the past, cloud access security brokers are going to be the fundamental building block going forward,” Andrews says.