Page071
Cloud Access Security Brokers
Gartner coined the term Cloud Access Security Broker (CASB), defining the technology as, “on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on” [3].
Forcepoint describes the pillars of CASB:
- Visibility: Cloud apps unknown to IT result in information assets that are uncontrolled and outside the governance, risk, and compliance processes of the enterprise. Enterprises require visibility into cloud app account usage, including who uses which cloud apps, their departments, locations, and devices used.
- Data Security: Data loss prevention (DLP) tools are designed to stop enterprise data leaks due to unauthorized sharing, but the cloud makes sharing data with the wrong people easier than ever before. If an organization uses cloud file storage, a traditional DLP product will not know what data is shared externally and who is sharing it.
- Threat Protection: It can be difficult to guard against the malicious intent or negligence of authorized users. To detect suspicious insider behavior, organizations need a comprehensive view of their normal usage patterns. Along the same lines, former employees pose significant risk, as they may have been disabled from the organizational directory but can still access cloud apps that contain business-critical information. PwC found that security incidents attributable to former employees rose from 27% in 2013 to 30% in 2014.
- Compliance: As data moves to the cloud, organizations will want to ensure they are compliant with regional regulations that ensure data privacy and security. A CASB can help ensure compliance with regulations like SOX and HIPAA, as well as help benchmark your security configurations against regulatory requirements like PCI DSS, NIST, CJIS, MAS and ISO 27001.
- BYOD, Shadow IT, and Increased Cloud Usage: Phenomena such as BYOD (bring your own device) policies, the growing popularity of SaaS and cloud apps, and the rise of Shadow IT make restricting cloud app access to a defined set of endpoints a difficult task. Managed and unmanaged devices often require different policies to protect corporate data effectively. CASBs help enforce granular access policies as well as identify and categorize cloud apps in your organization [4].
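The following toy policy enforcement point is an added illustration of the pillars just listed; it is not code from this book, Gartner, or Forcepoint. It evaluates constructed cloud-app events against hypothetical policies: log everything (visibility), block external shares of confidential data (data security), block accounts disabled in the directory (threat protection), and restrict unmanaged devices to read-only access on sensitive apps (BYOD policy).

```python
"""Toy CASB-style policy enforcement point (added example; all names are hypothetical)."""
from dataclasses import dataclass

# Constructed directory state and app inventory standing in for what a CASB discovers.
DIRECTORY_DISABLED = {"former.employee@example.com"}   # disabled in the org directory
SENSITIVE_APPS = {"HR-Payroll", "FinanceDrive"}
SANCTIONED_APPS = SENSITIVE_APPS | {"CorpMail"}
CORP_DOMAIN = "@example.com"

@dataclass
class Event:
    user: str
    app: str
    action: str                    # "read", "upload" or "share"
    managed_device: bool
    classification: str = "public" # label on the data being acted on
    share_target: str = ""         # recipient address for "share" actions

def evaluate(ev: Event) -> tuple[str, str]:
    """Return (decision, reason); rules are ordered from most to least severe."""
    if ev.user in DIRECTORY_DISABLED:                     # threat protection
        return "block", "account disabled in directory"
    if ev.app not in SANCTIONED_APPS:                     # visibility / shadow IT
        return "alert", "unsanctioned app (shadow IT)"
    if (ev.action == "share" and ev.classification == "confidential"
            and not ev.share_target.endswith(CORP_DOMAIN)):  # data security
        return "block", "external share of confidential data"
    if not ev.managed_device and ev.app in SENSITIVE_APPS and ev.action != "read":
        return "block", "write from unmanaged device to sensitive app"  # BYOD policy
    return "allow", "policy permits"

def enforce(events):
    """Visibility pillar: every event is recorded with its decision; returns the audit log."""
    log = []
    for ev in events:
        decision, reason = evaluate(ev)
        log.append(f"{decision.upper():5} user={ev.user} app={ev.app} "
                   f"action={ev.action} managed={ev.managed_device} reason={reason}")
    return log

SAMPLE_EVENTS = [  # constructed sample traffic
    Event("alice@example.com", "CorpMail", "read", True),
    Event("former.employee@example.com", "FinanceDrive", "read", True),
    Event("bob@example.com", "FinanceDrive", "share", True, "confidential", "x@partner.net"),
    Event("carol@example.com", "HR-Payroll", "upload", False, "internal"),
    Event("dave@example.com", "PersonalNotesApp", "upload", True),
]

if __name__ == "__main__":
    print("\n".join(enforce(SAMPLE_EVENTS)))
```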
Data Collection Limitation
Organizations should collect the minimum amount of sensitive information that is required.
The Organisation (sic) for Economic Co-operation and Development (OECD, discussed in Chapter 2, Domain 1: Security and Risk Management) Collection Limitation Principle discusses data limitation: “There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject” [5]. There should be a clearly documented business need to collect sensitive data, and sensitive data should only be collected when there is no other alternative.