Agencies may already have tools in place to track the presence of sensitive information within internal systems, but the process becomes far more complicated when cloud services are involved. Cloud access security brokers (CASBs) can help solve this challenge.
The issues that arise from staff use of cloud services — which can range from complete infrastructure deployments to specialized cloud-based apps — come in two forms.
An employee can use cloud services without the knowledge of agency IT staff. The employee could sign up for a new service independently, then transfer sensitive information into the cloud account.
But the danger doesn’t stop there. Even when employees make use of vetted and approved cloud services, they can configure security settings that violate agency policies. For example, an employee using an approved cloud storage service might share a file via his or her personal email address or accidentally make an internal file available on the public web.
What Is a CASB?
CASBs provide protection by inserting themselves between the end user and a cloud service, then injecting security controls that enforce internal security policies. They allow agencies to maintain requirements for access control, encryption, firewalling, malware protection and more, even when data resides in external systems.
CASB solutions come in two primary forms. They may exist as on-premises devices that sit on the network in a location where they can intercept and inspect traffic headed to the cloud. These solutions are effective across a wide range of cloud services, but require that the user send traffic through the device.
A CASB may also exist as a cloud-based solution that leverages an application programming interface to interact with cloud services. Although these solutions can reach deeply into a cloud service and perform detailed monitoring, they are unable to detect the use of cloud services where the agency lacks an enterprise agreement with the service.
While CASBs are quickly gaining steam in the private sector, adoption can lag in federal agencies when technology leaders haven’t seen the direct benefits. Let’s take a quick look at ways that CASBs might play an important role in a federal agency.
CASBs Give Agencies Visibility into Cloud Usage
One of the primary advantages of a CASB is that it gives an agency’s technology team insight into how employees are using the cloud. This includes the detection of shadow IT services, where employees may have adopted unvetted cloud services or misused approved ones.
CASBs provide monitoring and enforcement capabilities that prevent employees from violating a security policy, either accidentally or on purpose.
For example, if an agency allows employees to use a cloud-based file-sharing service only with coworkers, the CASB can detect an attempted share with an external party and either block it or alert administrators.
CASBs Provide DLP Capabilities
Many agencies already deploy data loss prevention services on their own networks, but these systems lack visibility into the movement of data within a cloud service. CASBs can examine data placed in the cloud and monitor sensitive data for DLP violations.
For example, if an agency prohibits the storage of Social Security numbers in the cloud, the CASB may be configured to enforce this rule. The CASB would scan existing content in the cloud service, search for unauthorized material and block future attempts to move such content into the cloud.
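The SSN rule described above, expressed in Python as an added example (not code from the article or from any CASB product): it scans content already stored in the cloud and gates new uploads. The function names and sample files are assumptions constructed for illustration.

```python
import re

# Candidate SSN: AAA-GG-SSSS with dashes, spaces or no separator (used consistently),
# and not embedded in a longer run of digits.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")

def find_ssns(text):
    """Return masked SSN candidates that pass SSA structural rules."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, _, group, serial = m.groups()
        # SSA never issues area 000, 666 or 900-999, group 00, or serial 0000;
        # dropping those cuts false positives from ticket and order numbers.
        if area in ("000", "666") or area[0] == "9":
            continue
        if group == "00" or serial == "0000":
            continue
        hits.append("***-**-" + serial)  # mask before the value reaches a log
    return hits

def scan_existing(files):
    """Retroactive scan: map each stored file name to its masked findings."""
    return {name: hits for name, body in files.items() if (hits := find_ssns(body))}

def upload_decision(name, body):
    """Inline gate: block an upload that contains an SSN, otherwise allow it."""
    hits = find_ssns(body)
    return {"file": name, "action": "block" if hits else "allow", "matches": hits}

# Constructed sample content (not real SSNs or agency data).
STORED = {
    "roster.csv": "name,ssn\nA. Example,123-45-6789\nB. Example,234 56 7890\n",
    "tickets.txt": "Case 000-12-3456 closed; order id 1234567890123 shipped.\n",
    "notes.txt": "Call 555-01-0000 about the 987-65-4321 placeholder.\n",
}

if __name__ == "__main__":
    print(scan_existing(STORED))
    print(upload_decision("new.txt", "SSN: 345678901"))
```

Only `roster.csv` is flagged; the look-alike numbers in the other two files fail the structural checks, which is the kind of tuning that keeps a DLP rule from flooding administrators with alerts.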
Agencies Achieve Encryption in the Cloud
Encryption is a tried-and-true security control for the protection of sensitive information. Agencies have long relied upon encryption to reduce the sensitivity level of information stored in the cloud, but they also must decide whether to implement the encryption themselves or give the encryption keys to the cloud provider.
CASBs mitigate this risk by introducing encryption before the data reaches the cloud service and handling the key management tasks.
An agency might, for instance, configure a CASB to intercept and encrypt all files heading to the cloud, then transparently decrypt data returning from the cloud.
This provides the end user with a seamless experience, but dramatically reduces the impact of a breach at the cloud provider.
Cloud computing holds great promise for federal agencies, offering employees access to a wide range of capabilities that allow them to better serve their constituents. Cloud access security brokers help mitigate the risks associated with cloud computing, smoothing the road to adoption.