For example, if an agency allows employees to use a cloud-based file-sharing service only with coworkers, the CASB can detect an attempted share with an external party and either block it or alert administrators.
CASBs Provide DLP Capabilities
Many agencies already deploy data loss prevention services on their own networks, but these systems lack visibility into the movement of data within a cloud service. CASBs can examine data placed in the cloud and monitor sensitive data for DLP violations.
For example, if an agency prohibits the storage of Social Security numbers in the cloud, the CASB may be configured to enforce this rule. The CASB would scan existing content in the cloud service, search for unauthorized material and block future attempts to move such content into the cloud.
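The Social Security number rule described above can be sketched in code. This is an added example, not taken from the article or from any CASB product: the function names and sample files are hypothetical. It shows the two actions the paragraph names, scanning content already stored and deciding whether to block a new upload.

```python
import re

# Candidate SSNs: nine digits, consistently dashed, spaced, or undelimited.
# The backreference \2 rejects mixed delimiters; the lookarounds reject
# nine-digit runs embedded in longer numbers.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")

def is_plausible_ssn(area, group, serial):
    """Drop values that can never be issued, to cut false positives."""
    if area in ("000", "666") or area[0] == "9":
        return False
    return group != "00" and serial != "0000"

def find_ssns(text):
    """Return masked findings with offsets; the raw value is never kept."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, _, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            hits.append({"offset": m.start(), "masked": "***-**-" + serial})
    return hits

def evaluate_upload(filename, text):
    """Inline policy decision: block the upload if any SSN is present."""
    hits = find_ssns(text)
    action = "block" if hits else "allow"
    return {"file": filename, "action": action, "findings": hits}

def scan_existing(store):
    """Retroactive scan: names of stored files that violate the rule."""
    return sorted(name for name, text in store.items() if find_ssns(text))

# Constructed sample content standing in for files in a cloud service.
SAMPLE_STORE = {
    "roster.csv": "name,ssn\nJ. Doe,123-45-6789\n",
    "invoice.txt": "Order 000-12-3456 ref 987654321 shipped",
    "notes.txt": "Call 555-867-5309 about ticket 1234567890",
}

if __name__ == "__main__":
    print("Existing violations:", scan_existing(SAMPLE_STORE))
    for name, body in SAMPLE_STORE.items():
        print(evaluate_upload(name, body))
```

Only the masked last four digits are recorded, so the alert sent to administrators does not itself become a copy of the sensitive data.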
Agencies Achieve Encryption in the Cloud
Encryption is a tried-and-true security control for the protection of sensitive information. Agencies have long relied upon encryption to reduce the sensitivity level of information stored in the cloud, but they also must decide whether to implement the encryption themselves or give the encryption keys to the cloud provider.
CASBs mitigate this risk by introducing encryption before the data reaches the cloud service and handling the key management tasks.
An agency might, for instance, configure a CASB to intercept and encrypt all files heading to the cloud, then transparently decrypt data returning from the cloud.
This provides the end user with a seamless experience, but dramatically reduces the impact of a breach at the cloud provider.
Cloud computing holds great promise for federal agencies, offering employees access to a wide range of capabilities that allow them to better serve their constituents. Cloud access security brokers help mitigate the risks associated with cloud computing, smoothing the road to adoption.