Despite the rapid adoption of cloud applications, some enterprises continue to show hesitance towards migrating to the cloud. Their concern is primarily around the security of cloud applications.
Most cloud service providers (CSPs) operate under the shared responsibility model. This means that the cloud service provider takes responsibility for the underlying infrastructure security of its platform, but it is up to the customer to ensure that employees use the cloud application in a secure manner.
For their part, CSPs make sure that the platform is free of vulnerabilities, kept up to date, and protected from inappropriate physical access. They're also responsible for the uptime of the application, along with preventing natural disaster-related incidents.
The customer is responsible for making sure that employees aren’t sharing data with unauthorized parties, or uploading highly sensitive data to the cloud application. They’re also responsible for meeting their compliance and governance requirements.
To meet their end of the security responsibility, enterprises are increasingly looking to third-party security solutions for help. Cloud access security brokers (CASBs) are one of the most comprehensive cloud security solutions available in the market.
A cloud access security broker (CASB) is a cloud-based or on-premises security tool that gives enterprises extra protection and capabilities for their cloud services. It exists between the enterprise and the cloud, giving them more control over permissions, detecting threats, and monitoring everyone who has access to the cloud application. The additional security is necessary for any business using the cloud to ensure that their data is as protected in the cloud as it once was in on-premises data centers.
Improved Access Control
Giving unfettered access to a cloud application can create security nightmares. Employees should only be given the minimum amount of access that would allow them to still perform their job duties. Because a cloud application can be accessed from any device, any location, and at any time, there are certain security precautions that should be taken when using a cloud application.
As an example, an employee who is attempting to log into a cloud application using a public WiFi connection and an unmanaged device should be prohibited from accessing the cloud application, or at the very least, prevented from downloading sensitive data to the unmanaged device. CASBs provide a suite of capabilities to ensure that inappropriate access to a cloud application is prevented.
Encryption and tokenization are two commonly used security technologies to protect data from unauthorized access. CASBs can encrypt data in the cloud using enterprise-owned keys. Some CASBs even offer function-preserving encryption.
Enterprises can either encrypt all data that goes to the cloud application, or just the data that is highly sensitive.
According to the 2017 Verizon Data Breach Report, 81% of hacking-related incidents took advantage of weak or stolen passwords. The rise in phishing attacks and their growing sophistication mean that enterprises are at an ever-growing risk of a data breach caused by a compromised account.
CASBs protect enterprises from threats arising from internal employees and external hackers who may attempt to compromise an account. CASBs constantly monitor user behavior in cloud applications in order to understand what typical behavior looks like across users. They then use that model to detect anomalous activities that may indicate that a real threat is occurring. As stated earlier, compromised accounts can have a dire impact on cloud service security because research shows that employees have a tendency to use the same password across multiple cloud services. If one account is compromised, that account could be used as a vector to hack into a user's other cloud application accounts.
Data Loss Prevention
CASBs prevent unauthorized people from gaining access to data in the cloud while preventing highly sensitive information from being uploaded to a cloud application. One of the core capabilities of a CASB is cloud data loss prevention, which uses techniques such as keyword match, regex, and data fingerprints to identify sensitive data being uploaded to or stored in the cloud. The CASB can then apply appropriate security policies and enforcement actions to prevent data loss incidents.
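The sketch below is an added example, not code from the article or from any CASB product, showing how the three detection methods named above (keyword match, regex, and data fingerprints) can feed one enforcement decision. The keyword list, card-number pattern, window size, sample document, and block/quarantine policy are constructed assumptions.

```python
import hashlib
import re

# Constructed policy inputs (assumptions, not taken from any CASB product).
KEYWORDS = {"confidential", "internal only"}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SHINGLE = 8  # words per fingerprint window
PROTECTED_DOC = ("Project Falcon acquisition terms: purchase price 42 million, "
                 "closing date pending board approval in March")  # constructed

def luhn_ok(digits):
    """Luhn checksum: filters card-like numbers the regex alone would flag."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def fingerprints(text):
    """Hash each overlapping window of SHINGLE normalized words."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + SHINGLE]).encode()).hexdigest()
            for i in range(max(len(words) - SHINGLE + 1, 0))}

PROTECTED = fingerprints(PROTECTED_DOC)

def inspect_upload(text, protected=PROTECTED):
    """Return which detectors matched and the enforcement action."""
    hits = []
    if any(k in text.lower() for k in KEYWORDS):
        hits.append("keyword")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        hits.append("regex:card")
    if fingerprints(text) & protected:
        hits.append("fingerprint")
    # Assumed policy: strong matches block, keyword-only goes to review.
    if "regex:card" in hits or "fingerprint" in hits:
        action = "block"
    elif hits:
        action = "quarantine"
    else:
        action = "allow"
    return {"hits": hits, "action": action}
```

The fingerprint check catches an excerpt of the protected document even when case and punctuation differ, and the Luhn check keeps an order reference that merely looks like a card number from being blocked.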
According to Gartner, by 2020, 85% of enterprises will be using a CASB to protect their cloud infrastructure.