Cloud Access Security Broker or: How I Learned to Stop Worrying and Love the Cloud
Kyong An, Director of Consulting Services
Palerra, Inc.
05/19/2016
Agenda
• Cloud
• CSA's Treacherous 12
• Cloud Access Security Broker Definition
• Types of CASB
• Pros and Cons
• Findings
Cloud Introduction
• Cloud applications are SaaS, PaaS and IaaS offerings
• Transforms the need for expensive application implementations and hardware acquisition
• Reduces total cost of ownership
• Examples of larger Cloud Services
  • Office Automation: Office 365, Google Apps
  • Service Desk: ServiceNow, Jira, Zendesk
  • CRM: Salesforce
  • HR: Workday
  • IAM: Okta, Ping
  • Infrastructure: Amazon Web Services, Rackspace, MSFT Azure
  • File Sharing: Box, Google Drive, MSFT OneDrive/Sharepoint, Dropbox
• Potentially significant impact on audit
CASB Introduction
• CASBs are applications and services designed to monitor and protect an enterprise's use of the Cloud through analysis of the enterprise's data and transactions
• CASB is a new space, GA for many in 2014-2015
• Market and solutions are being defined: many solutions cover varying aspects of Cloud Security and Functionality
• 5% of companies use them now; an estimated 85% of companies will use them by 2020
CASB Use Cases – Compliance
• User and administrator actions and context in Cloud Services
• Cloud App security controls monitoring and automated remediation
• Configurable policies to trace how users consume and use cloud applications and infrastructure
• Partial file and content monitoring and encryption for certain modes
CASB Use Cases – Threat Protection
• User behavior analytics (UBA) to determine suspicious usage across Cloud Apps, with automated responses
• Threat feeds and analyses to provide context on potentially malicious activity
• Preventative access controls based upon access context for certain modes
• Content ingress and egress through the cloud to detect malicious content for certain modes
CASB Use Cases – Visibility
• Dashboards and content aggregators for usage of Cloud Apps by users, admins and services
• Automated alerting and reporting based on threats, custom policies and security controls
• User Behavior Analytics, showing abnormal user behavior
• Incident management, resolving tickets
• Consistent cross-cloud control of the policy of cloud applications and infrastructure
• Shadow IT
CASB Use Cases – Data Security
DLP
• Data at rest, data in motion, data in use
• Some functions of a DLP are provided by certain modes
• Pattern recognition of data ingress and egress through Cloud Apps
• Prevention of data usage with content inspection
• Scanning data at rest in applications for data discovery using the native discovery APIs of the cloud service provider (for example, Google Apps, Box and Salesforce)
CASB Use Cases – Data Security
Encryption
• File-level objects can be encrypted on upload to or download from a cloud application
• Field-level objects can be encrypted before being placed into the SaaS application
• Users can have the ability to control the encryption keys
• Encrypted data may not be accessible between Cloud Apps unless Key Management or Cloud
Tokenization
• Some CASB platforms offer an option to tokenize data
• Field-level personal details can be obfuscated
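To make the field-level encryption and tokenization bullets concrete, here is an added example (not the deck's or any vendor's code) of a tokenizing CASB step in Python; the vault, the sensitive-field list and the record are constructed assumptions. It also shows why tokenized data is unusable by a second cloud app that has no access to the vault.

```python
"""Field-level tokenization as a CASB can apply it before a record is placed
into a SaaS application.  Added example, not any vendor's code; the in-memory
vault stands in for the CASB-side token store that the enterprise controls."""
import secrets


class TokenVault:
    """Maps sensitive values to random tokens.  Only the mapping, kept inside the
    enterprise, can turn a token back into the value; the SaaS side never holds it."""

    def __init__(self):
        self._to_token = {}
        self._to_value = {}

    def tokenize(self, value):
        if value not in self._to_token:            # one stable token per distinct value
            token = "tok_" + secrets.token_hex(8)  # random: not derived from the value
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def detokenize(self, token):
        return self._to_value[token]               # KeyError: token not issued by this vault


SENSITIVE_FIELDS = {"ssn", "date_of_birth"}        # assumed field-level policy
VAULT = TokenVault()                               # the enterprise-controlled store
RECORD = {"name": "A. Example", "ssn": "123-45-6789", "date_of_birth": "1980-01-01"}  # constructed


def outbound(record, vault, fields=SENSITIVE_FIELDS):
    """Record on its way into the cloud app: sensitive fields replaced by tokens."""
    return {k: vault.tokenize(v) if k in fields else v for k, v in record.items()}


def inbound(record, vault, fields=SENSITIVE_FIELDS):
    """Record read back through the CASB: tokens resolved with the same vault."""
    return {k: vault.detokenize(v) if k in fields else v for k, v in record.items()}


def visible_to_other_app(record, fields=SENSITIVE_FIELDS):
    """True when a second cloud app without the vault would see only opaque tokens."""
    return all(str(record[k]).startswith("tok_") for k in fields if k in record)
```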
Cloud Threats – CSA '16 Treacherous 12
1. Data Breaches
2. Compromised Credentials / IAM
3. Insecure APIs
4. System and App Vulnerabilities
5. Account Hijacking
6. Malicious Insiders
7. Advanced Persistent Threats
8. Data Loss
9. Due Diligence
10. Nefarious Use and Abuse
11. Denial of Service
12. Shared Technology Issues
Cloud Threats – CASB
1. Data Breaches
2. Compromised Credentials and IAM
3. Insecure APIs
4. System and App Vulnerabilities
5. Account Hijacking
6. Malicious Insiders
7. Advanced Persistent Threats
8. Data Loss
9. Due Diligence
10. Nefarious Use and Abuse
11. Denial of Service
12. Shared Technology Issues
Overlapping Technologies
• CASBs can cover overlapping functionality
• Data Loss Prevention
  • At Rest
  • In Motion
  • In Use
• Shadow IT / Discovery
• Enterprise Architecture optimizes functionality against redundancy
[Diagram: overlap of DLP, Shadow IT and CASB]
Types of CASB
• API – Connected directly to Cloud Apps to pull audit and transaction log data and security configurations
• Proxy – May require agents on mobile devices to route all traffic through the corporate network
• Reverse Proxy – All traffic is redirected from the Cloud App to IAM (SAML redirection)
[Diagram: CASB – Proxy deployment. Enterprise (Firewall / VPN Concentrator, Proxy), Remote PCs with Agent, IAM, CASB, Remote Cloud Apps]
Pros and Cons – Types of CASB

API
Pros:
• Granular visibility into user behavior
• Nonintrusive, not in the data path of the Cloud Apps
• Expanding API set directly connects to application features
• Supports BYOD scenarios
Cons:
• Not all Cloud Apps offer API support; capabilities differ across providers
• Hybrid approach required for some CASB features (encryption and tokenization)

Proxy
Pros:
• Visibility into user behavior and unsanctioned SaaS usage
• Transport data inspection capability
Cons:
• The CASB is a single point of failure
• No support for unmanaged BYOD
• All endpoint data goes through the CASB
• Significant policy and endpoint agent management
• Significant infrastructure architecture required

Reverse Proxy
Pros:
• BYOD covered without configuration changes on endpoints
Cons:
• The CASB is a point of failure: mobile Cloud App usage is vulnerable to a CASB outage
• Significant prerequisites: Federated SSO
• Significant configuration required: URL rewriting, SSO
Findings – Salesforce.com
• Departing users 'harvesting' customer, opportunity and account data for their next job
• Departing users 'salting the fields' of opportunities to prevent others from selling to them
• Sensitive profile duplication (notably System Administrator)
Findings – Office 365
• Changes to Information Rights Management / Data Loss Prevention policies of O365
• Emails being routed overseas while they (healthcare) are regulated against that
• Emails sent to a competitor were discovered
• Suspicious email activity, many potentially containing intellectual property (meeting minutes, SOWs, customer contracts, design requirements, financials, security, customer design requirements, customer revenue workbooks, resumes, project plans, etc.)
Findings – Box / Google Drive
• Public shares where none were allowed, and the shares were being accessed by someone anonymously in Nigeria
• Students accessing an intellectual property folder for the university that was unsecured
• Folder collaborations with unexplained external entities (some were sanguine, some weren't)
• Other co-admins in one account were a big surprise... particularly since one co-admin didn't even use the service
• User uploaded over 10K mp3s into their corporate Box account
• Data shared outside the company domain that potentially contained intellectual property, trade secrets, company financials and business details, and media (songs & videos) that may be copyright violations
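The Box / Google Drive findings above are the kind of sharing-policy checks an API-mode CASB runs over collaboration data pulled from the service. As an added example that is not part of the original deck or any vendor's product, the Python below evaluates constructed share records against an assumed corporate domain (example.com) and an assumed allowed-country list for anonymous link access, and separately flags co-admins that never used the service.

```python
"""Sharing-policy checks over collaboration data an API-mode CASB pulls from a
file-sharing service.  Added example; every record below is constructed and
is not modelled on a real Box or Google Drive API response."""

COMPANY_DOMAIN = "example.com"      # assumed corporate domain
ALLOWED_COUNTRIES = {"US"}          # assumed policy for anonymous link access

# Constructed collaboration records, one per shared item.
SHARES = [
    {"item": "/Finance/Q1-forecast.xlsx", "public_link": False,
     "collaborators": ["cfo@example.com", "ap@example.com"],
     "anon_access_countries": []},
    {"item": "/Research/patent-drafts/", "public_link": True,
     "collaborators": ["lab@example.com", "student@stateu.edu"],
     "anon_access_countries": ["NG"]},
    {"item": "/Marketing/brand-kit.zip", "public_link": True,
     "collaborators": ["mkt@example.com", "design@agency.io"],
     "anon_access_countries": ["US"]},
]

# Constructed admin roster and the set of admins active in the last 90 days.
ADMINS = ["it-admin@example.com", "contractor@example.com", "unknown@example.com"]
ACTIVE_LAST_90_DAYS = {"it-admin@example.com", "contractor@example.com"}


def domain(email):
    return email.rsplit("@", 1)[-1].lower()


def check_share(rec, allow_public=False):
    """Return (item, finding) tuples for one collaboration record."""
    findings = []
    if rec["public_link"] and not allow_public:
        findings.append((rec["item"], "public link where policy allows none"))
    external = sorted(c for c in rec["collaborators"] if domain(c) != COMPANY_DOMAIN)
    if external:
        findings.append((rec["item"], "external collaborators: " + ", ".join(external)))
    odd_geo = sorted(set(rec["anon_access_countries"]) - ALLOWED_COUNTRIES)
    if odd_geo:
        findings.append((rec["item"], "anonymous access from " + ", ".join(odd_geo)))
    return findings


def audit_shares(records, allow_public=False):
    """Run check_share over every record; the CASB would raise one alert per tuple."""
    return [f for rec in records for f in check_share(rec, allow_public)]


def dormant_admins(admins, active):
    """Co-admins that never use the service are unexplained privilege grants."""
    return sorted(a for a in admins if a not in active)
```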
Findings – Amazon Web Services
• SSH and IAM keys that were 3+ years old and were still in use by former employees at one location
• VPC (compute resources) created in a geo that the customer was not using
• User was logging in after hours, spinning up EC2 instances and doing their own personal tasks (such as Bitcoin mining, gaming, storing and watching videos, etc.)
• Users who were no longer with the company still had access to the admin console
• Instances configured with overly permissive password and session management protections
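The AWS findings above (stale keys still used by former employees, console access surviving offboarding, compute in an unused geo) are checks an API-mode CASB can run from the account's own metadata. Added example, not the deck's or any product's code: the CSV is constructed in the column layout of the IAM credential report (a subset of its columns), and the staff roster, report date, rotation policy, allowed regions and EC2 inventory are assumptions.

```python
"""Credential-hygiene checks of the kind an API-mode CASB runs against an AWS
account.  Added example; the CSV is constructed in the column layout of the
IAM credential report (a subset of its columns) and the staff roster and EC2
inventory are constructed too.  None of it is real account data."""
import csv
import io
from datetime import datetime, timedelta, timezone

NOW = datetime(2016, 5, 19, tzinfo=timezone.utc)   # assumed report date
MAX_KEY_AGE = timedelta(days=365)                  # assumed rotation policy
ALLOWED_REGIONS = {"us-east-1", "us-west-2"}       # assumed geos the customer uses
CURRENT_STAFF = {"alice", "bob"}                   # constructed HR roster: carol has left

CREDENTIAL_REPORT = """\
user,password_enabled,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
alice,true,true,2016-03-01T00:00:00+00:00,2016-05-18T10:00:00+00:00
bob,false,true,2013-02-11T00:00:00+00:00,2016-05-17T22:41:00+00:00
carol,true,true,2012-12-03T00:00:00+00:00,2016-05-16T03:05:00+00:00
"""

# Constructed EC2 inventory: (placeholder instance id, region, launching user).
INSTANCES = [("i-EXAMPLE1", "us-east-1", "alice"), ("i-EXAMPLE2", "ap-southeast-1", "carol")]


def parse_ts(value):
    return None if value in ("N/A", "no_information", "") else datetime.fromisoformat(value)


def audit_credentials(report_csv, staff, now=NOW):
    """Return (user, finding) tuples: stale keys, and any access left to former staff."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user, former = row["user"], row["user"] not in staff
        if row["password_enabled"] == "true" and former:
            findings.append((user, "console password still enabled for former employee"))
        if row["access_key_1_active"] != "true":
            continue
        rotated = parse_ts(row["access_key_1_last_rotated"])
        last_used = parse_ts(row["access_key_1_last_used_date"])
        if rotated and now - rotated > MAX_KEY_AGE:
            findings.append((user, f"access key {(now - rotated).days} days old and still active"))
        if former and last_used and now - last_used < timedelta(days=30):
            findings.append((user, "access key used within 30 days by former employee"))
    return findings


def audit_regions(instances, allowed=ALLOWED_REGIONS):
    """Compute resources in a geo the customer does not use."""
    return [(iid, region, who) for iid, region, who in instances if region not in allowed]
```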