Cloud Access Security Brokers Give Agencies a View into the Cloud
Moving data seems so simple with all of the cloud-based solutions available to get information from laptop A to desktop B. Think of the things you say to your coworkers without a second thought:
“I stored the files in Box.”
“I’ll send you a Dropbox link.”
“The deck is in Google Slides.”
These services give employees flexibility to get their jobs done from any location, and allow organizations to store data in more modern and efficient ways.
In the federal sector, migrating information to the cloud is an especially important goal for agencies, which are working to consolidate data center use and comply with the administration’s Cloud Smart strategy.
As agencies move their information to the cloud, their network perimeters expand. This is less of a problem than it used to be, as IT security professionals have adapted to monitoring endpoints rather than perimeters.
But endpoint monitoring works best when the information originates from or ends up within your own cloud environment. How can you monitor for intrusions when that massive report lives on Microsoft OneDrive and moves to a new desktop via WeTransfer?
MORE FROM FEDTECH: The Cloud Smart strategy may make CASBs more inviting.
Agencies Can Enforce Security in the Cloud with CASBs
Cloud services do have their own security. They require passwords or two-factor authentication, at the very least; they encrypt data once it arrives and they have the ability to instantly revoke access if activity looks suspicious.
But agencies often want to see what’s happening for themselves, and are beginning to consider the use of cloud access security brokers to ensure that malicious or damaging material doesn’t slip in through a break in the cloud.
A CASB, whether as an on-premises device or a cloud-based solution, gives an agency the ability to see what only its cloud provider could see before, and allows the agency to enforce its own internal security policies even within the external cloud environment.
Among the problems a CASB can catch:
• Unauthorized users trying to remove data from the network or insert data where it doesn’t belong;
• Data shared with nonagency personnel or unauthorized agency personnel;
• Information that doesn’t belong where it’s located (for instance, personally identifiable information in an unsecure space);
• Settings that have been changed so that they are not compliant with requirements.
Once a problem is spotted, the CASB can either mitigate the problem or point out to the cloud provider what needs to be done.
Insider Threat Mitigation Becomes Easier to Apply in the Cloud
Encryption is a major mitigation tool — agencies commonly rely on it to conceal sensitive data in the cloud — but when a cloud provider is involved, the agency must decide whether or not to surrender its encryption keys to an outside party. With a CASB, that decision is made; the CASB can do the encrypting before the information even gets to the cloud, and decrypt it on the way back to the agency.
This is particularly valuable when it comes to insider threat mitigation. Not all insider threats are deliberate; think of a worker trying to get data from his personal computer onto his work laptop, or accidentally sharing a work file on a public site. A CASB can spot this as it’s happening, and either encrypt the material to keep it safe or block the action altogether.
An agency, no matter its security standard or posture, whether its storage is on-premises, in a private environment or a hybrid one, can have a higher standard of protection with a CASB. Many of the top-tier security brokers provide CASB offerings these days.
In a world that’s becoming ever more dependent on the cloud, the use of a CASB can ensure an increased level of security in an increasingly shady world.
This article is part of FedTech's CapITal blog series. Please join the discussion on Twitter by using the #FedIT hashtag.
