Cloud Access Security Brokers (CASBs)


Page 1: Cloud Access Security Brokers (CASBs)

Cloud Access Security Brokers (CASBs)
ISACA Los Angeles September Dinner Meeting, September 13, 2016

Jeff Margolies, Principal, Cyber Risk Services, Deloitte & Touche LLP, [email protected]

Page 2: Cloud Access Security Brokers (CASBs)

#YearOfTheCASBs. Copyright © 2016 Deloitte Development LLC. All rights reserved.

Cloud cyber risk point of view

Page 3: Cloud Access Security Brokers (CASBs)


Adoption of cloud technologies is here: delivery models

• Infrastructure as a Service (IaaS): on-demand and scalable compute, storage and networking hosted by a provider
• Platform as a Service (PaaS): the collection of tools needed for application development, hosted by a provider
• Software as a Service (SaaS): applications hosted by a provider and consumed by customers over the internet

Page 4: Cloud Access Security Brokers (CASBs)


Adoption of cloud technologies is here: deployment models

• Public cloud: the cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services
• Private cloud: the cloud infrastructure is operated solely for a single organization. It may be managed by the organization itself or by a third party and may be located on-premises or off-premises
• Community cloud: the cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns
• Hybrid cloud: the cloud infrastructure is a combination of two or more clouds (private, community or public)

Page 5: Cloud Access Security Brokers (CASBs)


There are a variety of cyber risks associated with moving to the cloud, yet there are also opportunities

• Consumer/Shadow IT: business units and consumers use cloud services with or without cyber controls
• Third-party risk: enterprises are dependent on cloud providers' controls
• Concentrated risk: cloud providers are a bigger target because "that's where the data is"
• Modern attack surface: the walled enterprise is replaced by a hybrid, more complicated technology environment
• Controls gap: traditional cyber risk controls need to extend to the cloud at a time when many enterprises are barely keeping up with existing threats

Page 6: Cloud Access Security Brokers (CASBs)


There are business opportunities

At the same time, the cloud represents an opportunity for cyber risk:

• Cloud providers are in the "business of IT" and tend to have better operational hygiene
• Cloud providers are better equipped for the fight
• Moving to the cloud frees up enterprises to focus on more advanced cyber risk capabilities

Page 7: Cloud Access Security Brokers (CASBs)


Deloitte Advisory's Secure.Vigilant.Resilient.™ approach helps organizations align investments in a comprehensive, balanced, and agile program tailored to their unique business strategy and cyber risk profile

Perfect security is not feasible. The objective isn't to secure the cloud, but to manage cyber risk as you move to the cloud

Cloud Cyber Risk

• Governance: cross-functional coordination and management to address the security program requirements of the enterprise
• Secure: enabling business innovation by protecting critical assets against known and emerging threats across the entire enterprise
• Vigilant: gaining detective visibility and preemptive threat insight to detect both known and unknown adversarial activity
• Resilient: strengthening your ability to recover when incidents occur

Page 8: Cloud Access Security Brokers (CASBs)


While cloud providers’ security is often a focus, managing cyber risk is a shared responsibility between the enterprise and the cloud provider

Page 9: Cloud Access Security Brokers (CASBs)


While initial focus is often compliance, many organizations are looking at aligning controls to the actual risk in the cloud

Chart: maturity (vertical axis) against time since cloud adoption (horizontal axis), rising through three stages

• Compliant: achieve required compliance through the protection of regulated data
• Risk-aligned: integrate cloud technologies into the enterprise security architecture
• Adaptive: adapt controls to the evolving threats by discerning the context, relevance and required response

Page 10: Cloud Access Security Brokers (CASBs)


The software industry is evolving to address cyber risks in the cloud

CASB emerging capabilities

• Identity as a Service (IDaaS): the first and most mature capability in the cloud security market
• Data protection and governance is rapidly maturing into a common set of CASB capabilities
• As enterprises mature, more advanced capabilities are emerging: will CASBs add capabilities, or will there be more acquisitions and partnerships?

Capability areas shown: IDaaS, virtualization, SIEM, governance, analytics, workflow, orchestration

Page 11: Cloud Access Security Brokers (CASBs)


CASBs

Page 12: Cloud Access Security Brokers (CASBs)


As customers migrate to the cloud, a new set of CASB capabilities and requirements has emerged, in three areas: risk management, vigilance, and data protection & privacy

Risk management
• Visibility into cloud usage to discover Shadow IT
• Ranking and scoring the security capabilities of the cloud providers
• Dashboards to enable decisions about risk and compliance in the cloud
• Define and enforce cloud policies and standards

Vigilance
• Monitor security information and events for malicious activity/usage within cloud services
• Dashboards to enable security operations teams
• Intelligence to identify threats to your cloud services and providers
• Identify, prioritize and remediate vulnerabilities for cloud services

Data protection & privacy
• Visibility into data usage in the cloud
• Centralized data protection policy management
• Application of data protection and privacy controls like encryption, tokenization, data loss prevention, and digital rights management for use with cloud services

Page 13: Cloud Access Security Brokers (CASBs)


CASBs are emerging as a new control point and becoming important for managing cyber risk in the cloud

Definition: a new class of security products (tools and services) that resides between the enterprise and a cloud provider and acts as an extension of enterprise controls across risk management, data privacy & protection, and monitoring for cloud-based services.

Common problems
• Shadow IT
• Managing and measuring risk in the extended enterprise
• Lack of consistent data protection and privacy across cloud providers
• Inadequate visibility into cloud activity

Typical capabilities
• Understand cloud usage and risk exposure
• Manage risk and compliance
• Protect data and privacy
• Monitor security activity and threats

Who are the players: 30+ technology companies in the CASB provider space

Page 14: Cloud Access Security Brokers (CASBs)


CASBs differentiate in three specific areas: deployment model, integration approach, and the cloud providers they support

Diagram: users and systems in the traditional enterprise and the extended enterprise (mobile devices) reach sanctioned and unsanctioned cloud providers through the CASB

Deployment model
• Onsite vs. cloud-based
• Agent vs. agentless

Integration approach
• Alert vs. block/enforce controls
• API (Application Programming Interface) vs. proxy
• In-band vs. out-of-band

Cloud providers
• Sanctioned vs. unsanctioned
• SaaS vs. IaaS
• Provider-specific controls (encryption, tokenization, user behavior, etc.)

Page 15: Cloud Access Security Brokers (CASBs)


CASBs currently have various integration models attempting to differentiate themselves; many enterprises will need them all

Log integration
• What it is: discovery (e.g., cloud applications, Shadow IT); point-in-time activity
• Advantages: understand inherent risk and cloud usage
• Disadvantages: view only basic activity for a set duration of time

API
• What it is: sanctioned applications only; near real-time policy control; sits on top of the SaaS provider
• Advantages: addresses data at rest
• Disadvantages: no inline blocking (actions are taken after the event); limited to what the provider exposes via its API

Reverse proxy
• What it is: sanctioned applications (browser) only; real-time policy control; sits in between the endpoint and the SaaS provider
• Advantages: end user privacy (only traffic to sanctioned applications is seen), easy to deploy
• Disadvantages: data-in-transit focus, downtime risk (the proxy is in the request path), lack of visibility into cloud-to-cloud interaction

Forward proxy
• What it is: sanctioned and unsanctioned applications; real-time policy control across all; client deployment (native and mobile)
• Advantages: full coverage across all applications
• Disadvantages: difficult to deploy, can be intrusive, requires an agent

Page 16: Cloud Access Security Brokers (CASBs)


Getting started: adopting a CASB solution

Step 1: Understand what is already in the cloud, and the business and IT strategy for moving to the cloud
Step 2: Identify high priority risks, areas to extend existing security capabilities, and gaps to be filled by CASB technologies
Step 3: Select a CASB technology that tactically aligns with capability gaps and key cloud providers, and strategically aligns with the deployment approach

Page 17: Cloud Access Security Brokers (CASBs)


Deploying CASBs and Use Cases

Page 18: Cloud Access Security Brokers (CASBs)


Example CASB use cases and corresponding integration options

Matrix columns: Log, API, Reverse proxy, Forward proxy. Use cases (rows):

• Discover unsanctioned cloud services in use and analyze high-level activity
• Analyze high-level activity of sanctioned applications
• Alert on user behavior and cloud usage
• Control access to enterprise-owned applications
• Implement granular controls on data within sanctioned applications (e.g., quarantine, block)
• Control access to unsanctioned applications
• Implement granular controls on data within unsanctioned applications (e.g., quarantine, block)
• Redirect users trying to access unsanctioned services to sanctioned services

Page 19: Cloud Access Security Brokers (CASBs)


Use case example for CASB shadow IT discovery

Flow: end user, through the firewall, to cloud services; the CASB consumes the firewall logs

1. Logs: the firewall log, run through cloud application discovery, generates the list of services in use
2. Classification: applications are classified as either sanctioned or unsanctioned
3. Assessment: applications are assessed to identify risk (legal, financial, etc.)
4. Policy creation: development of security policies and procedures to address the identified risks

Logs offer the capability to identify and classify an organization's cloud application environment, enabling risk assessment of individual applications.
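The discovery flow above, as an added example that is not part of the original presentation: a small Python script that performs steps 1 and 2 (aggregate the firewall or proxy log per cloud service, then classify each service against a sanctioned-application inventory) and emits the list that feeds the risk assessment in step 3. The log line format, the host and user names, and the sanctioned-domain inventory are all constructed for the example; a real firewall export and the enterprise's own inventory would take their place.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in a simple firewall/proxy export format
# (timestamp user src_ip method url bytes_out action). The format and
# every host name below are assumptions for this example.
SAMPLE_LOG = """\
2016-09-13T09:01:12Z alice 10.1.4.20 POST https://files.corp-drive.example/upload 5242880 allow
2016-09-13T09:02:40Z bob 10.1.4.31 POST https://www.quickshare-files.example/api/put 20971520 allow
2016-09-13T09:03:05Z alice 10.1.4.20 GET https://mail.corp-suite.example/inbox 812 allow
2016-09-13T09:05:51Z carol 10.1.4.44 POST https://app.quickshare-files.example/api/put 1048576 allow
2016-09-13T09:07:19Z dave 10.1.4.50 POST https://notes.freepad.example/sync 262144 allow
2016-09-13T09:08:02Z bob 10.1.4.31 GET https://www.quickshare-files.example/ 1200 allow
2016-09-13T09:09:44Z erin 10.1.4.61 POST https://files.corp-drive.example/upload 3145728 allow
"""

# Assumed inventory of sanctioned SaaS domains; any subdomain of a
# sanctioned domain counts as sanctioned.
SANCTIONED = {"corp-drive.example", "corp-suite.example"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<bytes_out>\d+) (?P<action>\w+)$"
)

def registrable_domain(host):
    """Collapse a host to its last two labels. Good enough for the
    two-label example domains here; a real deployment should use the
    public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def is_sanctioned(host, sanctioned=SANCTIONED):
    return registrable_domain(host) in sanctioned

def discover(log_text, sanctioned=SANCTIONED):
    """Steps 1 and 2: aggregate per cloud service and classify it.
    Returns {domain: {"users": set, "requests": int,
                      "bytes_out": int, "sanctioned": bool}}."""
    services = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the run
        host = urlsplit(m["url"]).hostname
        if not host:
            continue
        svc = services[registrable_domain(host)]
        svc["users"].add(m["user"])
        svc["requests"] += 1
        # Count only data leaving the enterprise (uploads).
        if m["method"] in ("POST", "PUT"):
            svc["bytes_out"] += int(m["bytes_out"])
    for dom, svc in services.items():
        svc["sanctioned"] = dom in sanctioned
    return dict(services)

def shadow_it_report(log_text, sanctioned=SANCTIONED):
    """Unsanctioned services, highest upload volume first: the input to
    the risk assessment in step 3. Rows are
    (domain, distinct_users, requests, bytes_uploaded)."""
    services = discover(log_text, sanctioned)
    rows = [
        (dom, len(s["users"]), s["requests"], s["bytes_out"])
        for dom, s in services.items() if not s["sanctioned"]
    ]
    return sorted(rows, key=lambda r: (-r[3], r[0]))

if __name__ == "__main__":
    for dom, users, reqs, up in shadow_it_report(SAMPLE_LOG):
        print(f"{dom:30} users={users} requests={reqs} uploaded={up} bytes")
```

Upload volume per unsanctioned service is the ranking key because it is the quickest proxy for exposure; the distinct-user count tells you whether a service is one person's experiment or a department's habit, which changes the policy answer in step 4.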

Page 20: Cloud Access Security Brokers (CASBs)


Deployment model for API deployment

Flow: end user, over the internet, to the cloud service; the CASB connects to the cloud service through the provider's API

1. End user accesses a cloud service through a managed or unmanaged device
2. Data is exchanged between the corporate premises and the cloud service
3. Through the API, the CASB monitors events and data within the cloud application and enforces the defined policies
4. The CASB generates reports and alerts and offers capabilities such as encryption

Security and compliance are necessary considerations when adopting cloud-based applications. CASB solutions deployed through the API offer increased, non-intrusive visibility and actions such as data encryption and data quarantine.
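An added example, not from the presentation, of what step 3 looks like for an API-mode CASB: a policy evaluated over audit events of the kind a SaaS provider's activity API returns, deciding per event whether to quarantine the file, revoke the link, alert, or allow. The event schema, users, file names, sensitivity labels and enterprise domain are assumptions. The example also computes the exposure window for each event, because that is the caveat of the API model from the integration comparison: the CASB sees the share only after it has happened, so it can undo or contain it but not block it inline.

```python
from datetime import datetime, timezone

# Constructed audit events in the shape a SaaS activity API might return.
# Field names, users, file names and domains are assumptions for this
# example, not taken from the presentation.
EVENTS = [
    {"id": "e1", "ts": "2016-09-13T14:00:05Z", "actor": "alice@corp.example",
     "action": "share", "file": "Q3-forecast.xlsx", "label": "confidential",
     "target": "partner@outside.example"},
    {"id": "e2", "ts": "2016-09-13T14:00:40Z", "actor": "bob@corp.example",
     "action": "share", "file": "team-lunch.pdf", "label": "public",
     "target": "friend@outside.example"},
    {"id": "e3", "ts": "2016-09-13T14:01:10Z", "actor": "carol@corp.example",
     "action": "create_link", "file": "customer-list.csv", "label": "confidential",
     "target": "anyone_with_link"},
    {"id": "e4", "ts": "2016-09-13T14:01:55Z", "actor": "dave@corp.example",
     "action": "share", "file": "design-notes.docx", "label": "internal",
     "target": "dave@corp.example"},
]

ENTERPRISE_DOMAIN = "corp.example"  # assumed

def is_external(target):
    """Anonymous links count as external; otherwise compare the
    recipient's mail domain with the enterprise domain."""
    if target == "anyone_with_link":
        return True
    return target.rsplit("@", 1)[-1].lower() != ENTERPRISE_DOMAIN

def decide(event):
    """Example data-protection policy. Returns one of
    quarantine / revoke_link / alert / allow."""
    if not is_external(event["target"]):
        return "allow"
    if event["action"] == "create_link" and event["label"] in ("confidential", "internal"):
        return "revoke_link"
    if event["label"] == "confidential":
        return "quarantine"
    if event["label"] == "internal":
        return "alert"
    return "allow"

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate(events, polled_at):
    """Run the policy over one API poll. Each result carries the exposure
    window in seconds: how long the data had already been shared when the
    CASB saw the event. Out-of-band enforcement always pays this cost."""
    polled = parse_ts(polled_at)
    results = []
    for ev in events:
        exposure = (polled - parse_ts(ev["ts"])).total_seconds()
        results.append({"id": ev["id"], "decision": decide(ev),
                        "exposure_s": int(exposure)})
    return results

def actions_required(events, polled_at):
    """Only the events that need an enforcement call back into the API."""
    return {r["id"]: r["decision"]
            for r in evaluate(events, polled_at) if r["decision"] != "allow"}

if __name__ == "__main__":
    for r in evaluate(EVENTS, "2016-09-13T14:05:00Z"):
        print(r)
```

Polling every few minutes keeps the exposure window at minutes; providers that push events (webhooks) shrink it to seconds, but never to zero, which is why the comparison table pairs the API model with data at rest rather than data in transit.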

Page 21: Cloud Access Security Brokers (CASBs)


Deployment model for reverse proxy

Flow: end user, to the reverse proxy, over the internet, to cloud services

1. A managed or unmanaged device makes a request to the cloud service; the request is received by the reverse proxy
2. The reverse proxy allows or rejects the request per security policies
3. If allowed, the reverse proxy accesses the cloud service to fulfill the request
4. The response is sent by the reverse proxy back to the end user

CASB solutions deployed as a reverse proxy are configured between the cloud application and the end-user device, offering visibility, compliance, data security, and threat protection. Reverse proxy solutions secure both managed and unmanaged devices, for browser traffic to sanctioned applications.

Page 22: Cloud Access Security Brokers (CASBs)


Deployment model for forward proxy

Flow: end user, to the forward proxy, over the internet, to cloud services. Traffic is steered to the proxy by an explicit proxy setting or PAC file, proxy chaining, DNS, or a thin agent/mobile client

1. End user makes a request that is inspected by the forward proxy
2. The request is allowed or denied by the forward proxy per policy; forwarded requests pass through to the cloud service
3. The cloud service processes the request and sends a response to the proxy
4. The proxy forwards the response to the end user

Forward proxy CASB solutions inspect data from managed devices before it is forwarded to the cloud service.
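An added example, not from the presentation, of the inline decision a proxy-mode CASB takes at step 2 of the reverse proxy and forward proxy flows, before anything is forwarded. It inspects upload bodies for Luhn-valid payment card numbers and blocks the upload, and in forward-proxy mode redirects requests for an unsanctioned file-sharing service to the sanctioned one (the redirect use case from the use-case matrix). In reverse-proxy mode traffic to unsanctioned hosts never reaches the proxy at all, which the code makes explicit. Host names, the sanctioned inventory and the sample requests are constructed; the card number in the sample is the well-known test number, not a real account.

```python
import re

# Constructed inventory for the example (not from the presentation):
# sanctioned SaaS hosts, unsanctioned file-sharing hosts to redirect, and
# the sanctioned alternative to send users to.
SANCTIONED_HOSTS = {"files.corp-drive.example", "mail.corp-suite.example"}
UNSANCTIONED_FILE_SHARING = {"www.quickshare-files.example", "app.quickshare-files.example"}
SANCTIONED_ALTERNATIVE = "https://files.corp-drive.example/"

# Candidate card numbers: 13 to 19 digits, optionally separated by single
# spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn check-digit test; filters random digit runs such as order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return the Luhn-valid card numbers (digits only) found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

def inline_decision(request, mode):
    """Policy decision taken before the request is forwarded.
    request: dict with host, method, body. mode: "reverse" or "forward".
    Returns (verdict, detail); verdict is not_proxied / redirect / block / forward."""
    host = request["host"].lower()
    if host not in SANCTIONED_HOSTS:
        if mode == "reverse":
            # A reverse proxy fronts only the sanctioned apps it is
            # configured for; traffic to other hosts never passes through it.
            return ("not_proxied", host)
        if host in UNSANCTIONED_FILE_SHARING:
            # A forward proxy sees every destination, so it can steer the
            # user to the sanctioned service instead of just blocking.
            return ("redirect", SANCTIONED_ALTERNATIVE)
        return ("forward", host)
    if request["method"].upper() in ("POST", "PUT"):
        pans = find_pans(request.get("body", ""))
        if pans:
            # Inline position: the upload is stopped before it reaches the
            # cloud service, unlike the after-the-fact API model.
            return ("block", f"{len(pans)} payment card number(s) in upload")
    return ("forward", host)

# Constructed requests; 4111 1111 1111 1111 is the well-known test PAN.
SAMPLE_REQUESTS = [
    {"host": "files.corp-drive.example", "method": "POST",
     "body": "expense report, corporate card 4111 1111 1111 1111"},
    {"host": "files.corp-drive.example", "method": "POST",
     "body": "order id 1234567890123456 shipped"},
    {"host": "www.quickshare-files.example", "method": "POST",
     "body": "quarterly numbers"},
    {"host": "mail.corp-suite.example", "method": "GET", "body": ""},
]

def run(mode, requests=SAMPLE_REQUESTS):
    """Evaluate every sample request in the given proxy mode."""
    return [inline_decision(r, mode) for r in requests]

if __name__ == "__main__":
    for mode in ("reverse", "forward"):
        print(mode, run(mode))
```

The same request set run in both modes shows the trade-off from the comparison table in one place: the reverse proxy never sees the unsanctioned upload (so it cannot redirect it, but also never touches traffic it was not asked to), while the forward proxy covers it at the cost of an agent or steering configuration on every managed device. The Luhn check is what keeps an inline DLP rule from blocking every sixteen-digit order number.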

Page 23: Cloud Access Security Brokers (CASBs)


Q&A

Jeff Margolies, Principal | Deloitte Advisory Cyber Risk Services, Deloitte & Touche LLP, [email protected]
LinkedIn: https://www.linkedin.com/in/jmargolies
Twitter: @jmargolies

Page 24: Cloud Access Security Brokers (CASBs)

As used in this document, “Deloitte Advisory” means Deloitte & Touche LLP, which provides audit and enterprise risk services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte Transactions and Business Analytics LLP is not a certified public accounting firm. These entities are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2016 Deloitte Development LLC. All rights reserved. 36 USC 220506

This presentation contains general information only and Deloitte Advisory is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte Advisory shall not be responsible for any loss sustained by any person who relies on this presentation.