Cloud Access Security Broker or: How I Learned to Stop Worrying and Love the Cloud
Kyong An, Director of Consulting Services, Palerra, Inc.
05/19/2016


Agenda

• Cloud
• CSA's Treacherous 12
• Cloud Access Security Broker Definition
• Types of CASB
• Pros and Cons
• Findings

Cloud Introduction

• Cloud applications are SaaS, PaaS and IaaS offerings
• Transforms the need for expensive application implementations and hardware acquisition
• Reduces total cost of ownership
• Examples of larger Cloud Services:
  • Office Automation: Office 365, Google Apps
  • Service Desk: ServiceNow, Jira, Zendesk
  • CRM: Salesforce
  • HR: Workday
  • IAM: Okta, Ping
  • Infrastructure: Amazon Web Services, Rackspace, MSFT Azure
  • File Sharing: Box, Google Drive, MSFT OneDrive/SharePoint, Dropbox
• Potentially significant impact on audit

CASB Introduction

• CASBs are applications and services designed to monitor and protect an enterprise's use of the Cloud through analysis of the enterprise's data and transactions
• CASB is a new space; GA for many in 2014-2015
• Market and solutions are being defined; many solutions cover varying aspects of Cloud Security and functionality
• 5% of companies use them now; an estimated 85% of companies will use them by 2020

CASB Benefits

• Compliance
• Threat Protection
• Visibility
• Data Security

CASB Use Cases – Compliance

• User and administrator actions and context in Cloud Services
• Cloud App security controls monitoring and automated remediation
• Configurable policies to trace how users consume and use cloud applications and infrastructure
• Partial file and content monitoring and encryption for certain modes

CASB Use Cases – Threat Protection

• User behavior analytics (UBA) to determine suspicious usage across Cloud Apps, with automated responses
• Threat feeds and analyses to provide context for potentially malicious activity
• Preventative access controls based upon access context, for certain modes
• Content ingress and egress through the cloud inspected to detect malicious content, for certain modes

CASB Use Cases – Visibility

• Dashboards and content aggregators for usage of Cloud Apps by users, admins and services
• Automated alerting and reporting based on threats, custom policies and security controls
• User Behavior Analytics, showing abnormal user behavior
• Incident management, resolving tickets and
• Consistent cross-cloud control of the policy of cloud applications and infrastructure
• Shadow IT

CASB Use Cases – Data Security

DLP
• Data at rest, data in motion, data in use
• Some functions of a DLP provided by certain modes:
  • Pattern recognition of data ingress and egress through Cloud Apps
  • Prevention of data usage with content inspection
  • Scanning data at rest in applications for data discovery using the native discovery APIs of the cloud service provider (for example, Google Apps, Box and Salesforce)

CASB Use Cases – Data Security

Encryption
• File-level objects can be encrypted on upload to or download from a cloud application
• Field-level objects can be encrypted before being placed into the SaaS application
• Users can have the ability to control the encryption keys
• Encrypted data may not be accessible between Cloud Apps unless Key Management or Cloud

Tokenization
• Some CASB platforms offer an option to tokenize data
• Field-level personal details can be obfuscated

Cloud Threats – CSA '16 Treacherous 12

1. Data Breaches
2. Compromised Credentials / IAM
3. Insecure APIs
4. System and App Vulnerabilities
5. Account Hijacking
6. Malicious Insiders
7. Advanced Persistent Threats
8. Data Loss
9. Due Diligence
10. Nefarious Use and Abuse
11. Denial of Service
12. Shared Technology Issues

Cloud Threats – CASB

1. Data Breaches
2. Compromised Credentials and IAM
3. Insecure APIs
4. System and App Vulnerabilities
5. Account Hijacking
6. Malicious Insiders
7. Advanced Persistent Threats
8. Data Loss
9. Due Diligence
10. Nefarious Use and Abuse
11. Denial of Service
12. Shared Technology Issues

Overlapping Technologies

• CASBs can cover overlapping functionality
• Data Loss Prevention
  • At Rest
  • In Motion
  • In Use
• Shadow IT / Discovery
• Enterprise Architecture optimizes functionality against redundancy

[Diagram: overlap of DLP, Shadow IT and CASB]

Types of CASB

• API – Connected directly to Cloud Apps to pull audit and transaction log data and security configurations
• Proxy – May require agents on mobile devices to route all traffic through the corporate network
• Reverse Proxy – All traffic is redirected from the Cloud App to IAM (SAML redirection)

[Diagram: Enterprise Cloud Usage; components: Enterprise (Firewall, PCs), Remote, IAM, Cloud Apps]

[Diagram: CASB – API; components: Enterprise (Firewall, PCs), Remote, IAM, CASB, Cloud Apps]

[Diagram: CASB – Proxy; components: Enterprise (Firewall, VPN Concentrator, PCs), Remote with Agent, Proxy, CASB, IAM, Cloud Apps]

[Diagram: CASB – Reverse Proxy; components: Enterprise (Firewall, VPN Concentrator, PCs), Remote, Reverse Proxy, CASB, IAM, Cloud Apps]

Pros and Cons – Types of CASB

Type: API
Pros:
• Granular visibility into user behavior
• Nonintrusive, not in the data path of the Cloud Apps
• Expanding API set directly connects to application features
• Supports BYOD scenarios
Cons:
• Not all Cloud Apps offer API support; capabilities differ across providers
• Hybrid approach required for some CASB features (encryption and tokenization)

Type: Proxy
Pros:
• Visibility into user behavior and unsanctioned SaaS usage
• Transport data inspection capability
Cons:
• The CASB is a single point of failure
• No support for unmanaged BYOD
• All endpoint data goes through the CASB
• Significant policy and endpoint agent management
• Significant infrastructure architecture required

Type: Reverse Proxy
Pros:
• BYOD covered without configuration changes on endpoints
Cons:
• The CASB is a point of failure – mobile Cloud App usage vulnerable to CASB outage
• Significant prerequisites – Federated SSO
• Significant configuration required – URL rewriting, SSO

Findings – Salesforce.com

• Departing users 'harvesting' customer, opportunity and account data for their next job
• Departing users 'salting the fields' of opportunities to prevent others from selling to them
• Sensitive profile duplication (notably System Administrator)

Findings – Office 365

• Changes to Information Rights Management / Data Loss Prevention policies of O365
• Emails being routed overseas while they (healthcare) are regulated against that
• Emails sent to a competitor were discovered
• Suspicious email activity, many potentially containing intellectual property (meeting minutes, SOWs, customer contracts, design requirements, financials, security, customer design requirements, customer revenue workbooks, resumes, project plans, etc.)

Findings – Box / Google Drive

• Public shares where none were allowed, and the shares were being accessed by someone anonymously in Nigeria
• Students accessing an intellectual property folder for the university that was unsecured
• Folder collaborations with unexplained external entities (some were sanguine, some weren't)
• Other co-admins in one account were a big surprise... particularly since one co-admin didn't even use the service
• User uploaded over 10K mp3s into their corporate Box account
• Data shared outside the company domain that potentially contained intellectual property, trade secrets, company financials and business details, and media (songs & videos) that may be copyright violations
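The Box / Google Drive findings above are what an API-mode CASB surfaces by walking the tenant's share and collaboration records. The following is an added example, not code from the deck or from any CASB product: it runs the three checks (public shares and where they were last accessed from, external collaborators, unapproved co-admins) over constructed records. The company domain, the expected-country set, the approved-admin list and every record are assumptions, and "ZZ" is a placeholder country code.

```python
from collections import namedtuple

# Constructed share/collaboration records in a simplified shape; these are not
# real Box or Google Drive API objects, only the fields the checks need.
Share = namedtuple("Share", "item owner access collaborator last_access_country")

COMPANY_DOMAIN = "example.com"              # assumption: the tenant's own domain
EXPECTED_COUNTRIES = {"US"}                 # assumption: where the tenant operates
APPROVED_ADMINS = {"it-admin@example.com"}  # assumption: the sanctioned co-admins

SAMPLE_SHARES = [
    Share("q2-financials.xlsx", "alice@example.com", "open", None, "US"),
    Share("research/ip-folder", "lab@example.com", "open", None, "ZZ"),
    Share("design-reqs.pdf", "bob@example.com", "collaborators", "partner@vendor.net", "US"),
    Share("team-notes.docx", "carol@example.com", "company", None, "US"),
    Share("roadmap.pptx", "dave@example.com", "collaborators", "eve@example.com", "US"),
]
SAMPLE_COADMINS = {"it-admin@example.com", "contractor@example.com"}

def audit_shares(shares, coadmins, allow_public=False):
    """Return (subject, finding) pairs for the Box / Google Drive findings above."""
    findings = []
    for s in shares:
        # "open" = anyone with the link; forbidden unless policy allows it.
        if s.access == "open" and not allow_public:
            findings.append((s.item, "public_share"))
            # Anonymous access from a country the tenant does not operate in.
            if s.last_access_country not in EXPECTED_COUNTRIES:
                findings.append((s.item, "public_share_accessed_from_unexpected_geo"))
        # Collaborators outside the company domain need an explanation.
        if s.collaborator and not s.collaborator.lower().endswith("@" + COMPANY_DOMAIN):
            findings.append((s.item, "external_collaborator"))
    # Co-admins nobody approved (the deck's "other co-admins" surprise).
    for admin in sorted(coadmins - APPROVED_ADMINS):
        findings.append((admin, "unapproved_coadmin"))
    return findings

def run_sample():
    """Evaluate the constructed records with the default (no public shares) policy."""
    return audit_shares(SAMPLE_SHARES, SAMPLE_COADMINS)
```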

Findings – Amazon Web Services

• SSH and IAM keys that were 3+ years old and were still in use by former employees at one location
• VPC (compute resources) created in a geo that the customer was not using
• User was logging in after hours, spinning up EC2 instances and doing their own personal tasks (such as Bitcoin mining, gaming, storing and watching videos, etc.)
• Users who were no longer with the company still had access to the admin console
• Instances configured with overly permissive password and session management protections
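The first and fourth AWS findings (old IAM keys still in use, and departed users who still have access) are the kind of check an API-mode CASB or a SIEM can run over the account's IAM credential report. This is an added example, not the deck's or any product's code: it parses a constructed report that uses the real credential report's column names (a subset of its columns, with made-up values), and the offboarding list, the "as of" date and the age and recent-use thresholds are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of an AWS IAM credential report
# (a subset of the real report's columns; every value here is made up).
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,true,2016-05-01T10:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2016-05-10T08:12:00+00:00,true,2016-01-15T09:00:00+00:00,2016-05-12T11:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,true,2016-05-11T17:45:00+00:00,true,2012-11-02T14:30:00+00:00,2016-05-11T17:50:00+00:00
carol,arn:aws:iam::111122223333:user/carol,false,no_information,true,2013-03-20T12:00:00+00:00,2015-02-01T06:00:00+00:00
"""
# Constructed offboarding list (assumption: fed from HR or the identity system)
DEPARTED_USERS = {"bob", "carol"}
REPORT_DATE = datetime(2016, 5, 19, tzinfo=timezone.utc)  # constructed "as of" date
MAX_KEY_AGE = timedelta(days=3 * 365)  # the deck's "3+ years old" threshold
RECENT_USE = timedelta(days=90)        # "still in use": used within this window

def parse_ts(value):
    """Credential reports mix ISO-8601 timestamps with N/A / no_information markers."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)

def find_risky_credentials(report_csv, departed, now,
                           max_age=MAX_KEY_AGE, recent=RECENT_USE):
    """Return (user, finding) pairs for the two credential findings from the deck."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        key_active = row["access_key_1_active"] == "true"
        rotated = parse_ts(row["access_key_1_last_rotated"])
        last_used = parse_ts(row["access_key_1_last_used_date"])
        # An active key past the age threshold that was used recently: an old
        # dormant key is a rotation gap, an old key still in use is live access.
        if (key_active and rotated and last_used
                and now - rotated > max_age and now - last_used <= recent):
            findings.append((user, "stale_key_in_use"))
        # Departed users should have neither an active key nor a console password.
        if user in departed:
            if key_active:
                findings.append((user, "departed_user_active_key"))
            if row["password_enabled"] == "true":
                findings.append((user, "departed_user_console_access"))
    return findings

def run_sample():
    return find_risky_credentials(SAMPLE_REPORT, DEPARTED_USERS, REPORT_DATE)
```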

Appendix