What Is a CASB, and How Will the Cloud Smart Strategy Increase Its Use?

The Office of Management and Budget’s Cloud Smart strategy, released in draft form this fall, emphasizes that agencies need to ensure they have continuous data protection and awareness when they move to the cloud. 

That focus will likely lead to a greater adoption of cloud access security brokers, Bloomberg Government has noted. The report notes that “agencies will need to place greater emphasis on governmentwide intrusion detection and prevention systems, such as the EINSTEIN program, and tools like cloud access security brokerage (CASB) that rely on virtual and logical — rather than physical — control of data.”

As FedTech has noted, CASBs can provide federal IT leaders and security pros with a unified control point for visibility into cloud applications, use and data. Beyond visibility, these experts say, CASBs also offer help with compliance, data protection and threat protection capabilities, since they allow agencies to track data flowing in and out of cloud apps and also help monitor users. Therefore, CASBs seem well-suited to help agencies achieve the kind of data protections and awareness Cloud Smart calls for.

CASB solutions are expected to become more popular. Gartner predicted in November 2017 that, by 2020, 60 percent of large enterprises will use a CASB to govern cloud services, up from less than 10 percent at that time.

Cloud Smart will likely guide federal cloud policy and adoption for years to come. Security, along with procurement and workforce, is an essential element of Cloud Smart, and the policy recognizes that existing government information security policies, like the Trusted Internet Connections initiative, have been impediments to federal cloud adoption. That is why cloud security experts think Cloud Smart will lead to more adoption of CASB solutions. 

What Is a CASB Solution?

Srini Gurrapu, chief cloud evangelist at McAfee, tells sister site BizTech that CASBs serve as that “one unified cloud access security control point, and the platform that provides that consistent visibility and the control across all the cloud services that the organizations are using.”

CASB vendors scan, evaluate and report on which cloud applications are already running on organizations’ networks. They provide audits, policy, data loss prevention and additional security controls for applications outside networks, specifically Software as a Service apps like email, file sharing and consumer relationship management.

As Tim Hanrahan, manager of cloud client services at CDW, notes in a blog post, CASB solutions help ensure compliance since they add security to cloud-based apps that have multiple data center locations “by enforcing things like data residency.” CASBs also provide “intelligent analytics to ensure no unwanted access based on learned behavior,” Hanrahan says.

VIDEO: HUD and GSA leaders discuss the factors that go into federal cloud migrations. 

How Will Cloud Smart Lead to More CASB Adoption?

When agencies move apps and data to the cloud, that changes the nature of their network visibility and data protection, the Cloud Smart strategy notes. “As data transits various networks and comes to rest in various locations, such as an end user’s device, Identity and Credential, and Access Management (ICAM) and encryption become increasingly important,” the strategy says.

Agencies act as custodians and guardians of their data on behalf of the public, and therefore “each agency should determine its own governance model for cloud-hosted data that aligns with their identity and credential management systems,” the strategy says. When agencies work with cloud service providers, they need to have service level agreements in place that give agencies “continuous awareness of the confidentiality, security, and availability” of their data.

Additionally, “agencies should be made aware if their data resides on third-party information systems, provided with access to log data, and notified promptly if a cyber-incident or other adverse event occurs,” the strategy adds. Agencies should think through agreements with all of their partners “regarding access to and use of log data for their information security operations.”

Further, agencies and their partners “should regularly engage in reciprocal information sharing in an effort to combat malicious cyber behavior.”

Add all of that up and it seems to be a recipe for CASBs, according to cloud security vendors. “The intent of the Cloud Smart strategy is to drive further cloud adoption by removing the barriers that have held a lot of agencies back. Security is one of three pillars of that strategy,” says Chris Townsend, vice president of federal for Symantec.

“In the past, agencies often have found that their existing security solutions for on-premises systems and data do not extend easily to the cloud,” Townsend says. “As they migrated applications to the cloud, they often lost some measure of both visibility and protection. CASB closes that gap.”

Ultimately, he says, the Trump administration’s goal “is not just to improve cloud security, but to improve security as a whole, and CASB makes that possible.”

MORE FROM FEDTECH: Find out how agencies can successfully migrate data to the cloud. 

The Benefits of CASB Solutions for Agencies

Sanjay Beri, CEO of cloud security firm Netskope, notes that “CASBs provide protection of sensitive information and protection against malware and threats in their SaaS apps” and public cloud or Infrastructure as a Service infrastructure. “Given the highly sensitive information resident in many federal organizations, these are important for federal organizations,” he says.

Under the Obama administration’s Cloud First policy, when agencies were making their initial forays into cloud services, “they tended to treat on-premises and cloud systems as independent channels,” Townsend notes. But that is no longer the case.

“As they deepen their investment in cloud-related services — one of the primary goals of the administration’s IT modernization strategy — they are looking to treat cloud as an integral part of the overall enterprise and their enterprise cybersecurity strategy,” he says. “CASB does just that.”

Like other CASB solutions, Symantec’s CASB provides visibility into the use of shadow IT — “something that is otherwise difficult to do when users are accessing applications and data through the cloud,” Townsend says.

Townsend notes that Symantec’s CASB “in conjunction with our DLP solution, enforces an agency’s governance policies to data wherever it goes — whether that’s in the cloud, at an endpoint, in storage, in email or on the web.”

MORE FROM FEDTECH: Find out how OMB plans to revamp the TIC program to give agencies more flexibility to move to the cloud. 

Why FedRAMP-Compliant CASB Solutions Are the Best Bet

It should be noted that, as of now, there is only one CASB that is certified by the General Services Administration’s Federal Risk and Authorization Management Program, and that is Skyhigh Networks, which is owned by McAfee. 

FedRAMP provides the necessary controls and processes to ensure that cloud services “operate in a safe and secure environment, minimizing any risks of compromise and breach of the service from both external and internal resources,” Beri notes. “When dealing with sensitive information such as that which is resident in government organizations, the need for a certified solution increases.”

Townsend agrees, and notes that the goal of the FedRAMP program “is to streamline the acquisition of cloud solutions by providing a standardized approach to cloud security” and “provides agencies with the assurance that a solution meets baseline requirements.”

“Without FedRAMP agencies would need to develop and enforce security requirements on a case-by-case basis,” he adds.

Beri says Netskope is currently at the FedRAMP “in process” stage for its CASB solution with the Department of Health and Human Services as a sponsor, and “has plans for FedRAMP Moderate authorization in mid-2019.” Netskope also has plans to achieve “FedRAMP High, as well as Impact Level 4,” which is required by the Defense Department.

Meanwhile, Symantec has received an “in process” designation from FedRAMP for both its CASB and data loss prevention solutions, under the sponsorship of the Department of Homeland Security, “an important step toward receiving an Authority to Operate,” Townsend says.

“Products that receive this designation are listed on the FedRAMP marketplace,” he adds. “We are making a strategic push to ensure our products meet the stringent FedRAMP requirements.”