How to Embrace SaaS while Managing Risks with a CASB Solution

Recently I had the opportunity to blog about Masergy's Office 365 security monitoring solution. That post took an in-depth look at why traditional security tools just don't measure up to the unique challenges of securing Software as a Service (SaaS); namely, because they aren't comprehensive or scalable. That's why a Cloud Access Security Broker (CASB) is needed. CASBs are designed to work with any and all SaaS applications by delivering the add-on security capabilities and analytics that are mandatory for detection and response in cloud apps.

Over the last few months, I've had the opportunity to sit in on beta testing with Masergy customers. The initial report from the SaaS discovery tool is always a big eye opener for the customer security team. SaaS discovery represents one of the most important capabilities in the CASB toolbox because it catalogs all SaaS usage by employees.

It's quite common to have hundreds of applications on the list. Depending on what each application is used for, this implies a likely widespread loss of visibility and control over the sensitive data users upload to it. That's enough to keep any CISO awake at night, and it certainly justifies the CASB investment.

The SaaS model itself is not a security problem. On the contrary, mature SaaS vendors likely have the economies of scale to afford the proper security implementation that many mid-sized enterprises have to skimp on. But much like Infrastructure as a Service (IaaS) and Platform as a Service (PaaS), SaaS relies on a shared security model, with responsibilities assigned to both parties.

Summary of SaaS Tenant Security Risks

  • Assessing a SaaS vendor's inherent security risks, which are neither readily measurable nor apparent.
  • Restricting sensitive data from being uploaded into cloud apps, sanctioned or unsanctioned, or shared into insecure environments.
  • Detecting stolen credentials and malicious insider usage quickly, and responding to incidents before serious damage is done.
  • Extending protection to mobile devices where agents or device management are impractical.
  • Preventing cloud apps from turning into malware conduits.
  • Regulating identities and enforcing appropriate authentication to streamline user experience and productivity while managing tasks.

Shared Security Models for Cloud

[Figure: shared security model matrix. Columns: SaaS, PaaS, IaaS, On-Prem. Rows, from the top of the stack down: Data; Account & Access Controls; Identity & Access Management (IAM); Application; Network Virtualization; Operating System; Virtualization; Hardware (Servers + Storage); Networking; Physical Infrastructure. Legend: Enterprise / Cloud Tenant vs. Cloud Provider.]

Gartner defines four equally important functional pillars that a CASB solution must deliver: visibility, compliance, data security, and threat protection. These four capabilities are mandatory to address the tenant security responsibilities listed above and are essential for cloud security success. The following four considerations should be taken into account when evaluating and deploying CASB solutions.

SaaS Discovery and Reputation

Assessing a SaaS vendor's security capabilities (the first risk listed above) is inherently opaque and requires significant investigation and due diligence. Hence, security certifications carry a lot of weight for SaaS vendors, and reputation is also critical. As part of their service, leading CASB vendors include a reputation service that evaluates the security maturity of an entire catalog of SaaS vendors. Risk scores must be provided so that IT security teams can make informed decisions about whether particular cloud apps should be trusted and used by employees.

However, before you go exercising control, take note that consumerization trends have shown that heavy-handed approaches to security often backfire, so the most effective strategy is to "coach" employees to use more secure options. But if the risks of dubious cloud apps are ultimately unacceptable and user practices don't adjust accordingly, application blocking can and should be used.
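As an added illustration of the discovery-plus-reputation workflow just described (example code written for this article, not Masergy's or any CASB vendor's software), the following Python script builds a SaaS inventory from a few constructed forward-proxy log lines, joins it against a constructed vendor risk catalog, and maps each app to the coach, block, allow or review decision discussed above. The log format, the catalog, the 0-10 risk scale and the two thresholds are all assumptions.

```python
"""SaaS discovery from proxy logs, joined with a vendor reputation catalog.

Added example, not Masergy's or any CASB vendor's code. The log lines, the
risk catalog, the 0-10 risk scale and the thresholds are all constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed forward-proxy log: timestamp, user, method, URL, bytes sent
PROXY_LOG = """\
2024-03-04T09:12:01Z alice CONNECT https://app.box.com/upload 52000
2024-03-04T09:15:44Z bob GET https://www.dropbox.com/home 1200
2024-03-04T09:20:10Z carol POST https://files.example-share.net/up 8400000
2024-03-04T10:02:33Z alice POST https://files.example-share.net/up 3100000
2024-03-04T10:40:09Z dave GET https://www.dropbox.com/s/abc 800
2024-03-04T11:05:17Z erin POST https://quickconvert.example/api 2200000
this line is malformed and is skipped
"""

# Constructed reputation catalog: risk 0 (best) .. 10 (worst), plus whether IT
# has sanctioned the app. A real CASB catalog scores thousands of vendors.
CATALOG = {
    "box.com": {"name": "Box", "risk": 2, "sanctioned": True},
    "dropbox.com": {"name": "Dropbox", "risk": 5, "sanctioned": False},
    "example-share.net": {"name": "ExampleShare", "risk": 8, "sanctioned": False},
}

COACH_THRESHOLD = 5   # unsanctioned app at/above this: redirect user to a coaching page
BLOCK_THRESHOLD = 8   # unsanctioned app at/above this: block outright

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def registrable_domain(host: str) -> str:
    """Collapse hostnames to an app-level key (simplification: last two labels).

    A production tool would consult the public suffix list so that hosts
    under e.g. co.uk are grouped correctly.
    """
    return ".".join(host.lower().split(".")[-2:])


def discover(log_text: str) -> dict:
    """Per-app inventory: distinct users, request count and bytes sent out."""
    inventory = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines rather than abort the whole run
        _ts, user, _method, url, sent = m.groups()
        host = urlsplit(url).hostname or ""
        entry = inventory[registrable_domain(host)]
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes_out"] += int(sent)
    return dict(inventory)


def assess(inventory: dict) -> list:
    """Join the inventory with the catalog and assign an action per app."""
    report = []
    for domain, usage in inventory.items():
        meta = CATALOG.get(domain)
        if meta is None:
            name, risk, action = domain, None, "review"   # unknown app: needs a human look
        elif meta["sanctioned"]:
            name, risk, action = meta["name"], meta["risk"], "allow"
        elif meta["risk"] >= BLOCK_THRESHOLD:
            name, risk, action = meta["name"], meta["risk"], "block"
        elif meta["risk"] >= COACH_THRESHOLD:
            name, risk, action = meta["name"], meta["risk"], "coach"
        else:
            name, risk, action = meta["name"], meta["risk"], "allow"
        report.append({"domain": domain, "app": name, "risk": risk, "action": action,
                       "users": len(usage["users"]), "requests": usage["requests"],
                       "bytes_out": usage["bytes_out"]})
    # Riskiest first; apps missing from the catalog sort last
    report.sort(key=lambda r: (-(r["risk"] if r["risk"] is not None else -1), r["domain"]))
    return report


if __name__ == "__main__":
    for row in assess(discover(PROXY_LOG)):
        print(f"{row['action']:<7}{row['app']:<20}risk={row['risk']}  "
              f"users={row['users']}  bytes_out={row['bytes_out']}")
```

The sanctioned/unsanctioned flag is checked before the risk score on purpose: a sanctioned app is one IT has already vetted, so the catalog score only drives coaching or blocking for apps employees adopted on their own. Apps absent from the catalog are surfaced for review rather than silently allowed, which is what makes the first discovery report the "eye opener" described earlier.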

Identity and Two-Factor Authentication

As soon as the cloud application count goes above one or two, having employees manage their own identities and passwords quickly becomes a tangle of security risks and poor user experience. So integration with Identity and Access Management (IAM) is mandatory for managing risk and optimizing user experience. Better yet, an IAM capability integrated into the CASB solution accelerates deployment and increases the CASB's value for organizations that have yet to roll out IAM. Of course, if you already have IAM, the CASB solution must be able to support multiple identity vendors. Risk-based authentication is effective at balancing user experience with security control: when risky behavior or activity is detected, the user is asked to re-authenticate with an additional second factor.

Data Visibility, Control, and Loss Prevention

Visibility of data flowing in and out of cloud applications is best enabled with Data Loss Prevention (DLP) practices and tools. DLP is not a new capability, so enterprises with existing deployments should be able to extend their existing policies via the Internet Content Adaptation Protocol (ICAP) into the CASB for additional enforcement and protection of both structured and unstructured data within cloud apps. For many mid-sized organizations that don't yet have DLP, an integrated CASB DLP option for configuring and enforcing policy is a cost-effective choice. Appropriate DLP controls are needed to enforce policies that prevent the most sensitive data from entering a cloud app. Similar controls should also prevent, or at least alert on, attempts by users to offload sensitive data, particularly to unmanaged devices.

The latter is the riskiest case, and having an integrated Digital Rights Management (DRM) capability means that when a third-party user, or an internal user on an unmanaged device, needs to view data, it can be done through web browser scripts that prevent saving, offloading, and cutting and pasting of the data. Finally, for the most security-conscious organizations, being able to enforce data-at-rest encryption using their own unique keys ensures that no other party, including the SaaS provider itself, can access cloud data.
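To make the DLP and DRM controls of this section concrete, here is an added Python example (written for this article, not Masergy's or any CASB vendor's code) that classifies the content of an upload or download with a Luhn-checked card-number detector, a formatted-SSN pattern and a classification label, and then applies the policy described above: sensitive data is blocked from entering an unsanctioned app, an offload to an unmanaged device is replaced by a browser-only DRM view, and everything else is allowed with an audit record. The detectors, event fields, sample content and action names are all assumptions.

```python
"""Content-aware DLP decisions for cloud-app uploads and downloads.

Added example, not Masergy's or any CASB vendor's code. The detectors, the
sample events and the policy table are constructed for illustration.
"""
import re

# Detectors. The card pattern is deliberately loose and relies on the Luhn
# check below to cut false positives; the SSN pattern is the formatted form only.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
LABEL_RE = re.compile(r"\b(CONFIDENTIAL|RESTRICTED)\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of sensitive-data classes found in the content."""
    findings = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.add("PAN")
    if SSN_RE.search(text):
        findings.add("SSN")
    if LABEL_RE.search(text):
        findings.add("LABELLED")
    return findings


def decide(event: dict) -> dict:
    """Apply the upload/offload policy from the text to one event.

    event keys: direction ('upload' | 'download'), app_sanctioned (bool),
    device_managed (bool), content (str).
    """
    findings = classify(event["content"])
    if not findings:
        return {"action": "allow", "findings": findings,
                "reason": "no sensitive data detected"}
    if event["direction"] == "upload" and not event["app_sanctioned"]:
        return {"action": "block", "findings": findings,
                "reason": "sensitive data must not enter an unsanctioned app"}
    if event["direction"] == "download" and not event["device_managed"]:
        # Offload to an unmanaged device: serve a read-only DRM view, not the file
        return {"action": "drm_view", "findings": findings,
                "reason": "offload to unmanaged device replaced by browser-only view"}
    if event["direction"] == "upload" and not event["device_managed"]:
        return {"action": "alert", "findings": findings,
                "reason": "sensitive upload from unmanaged device, alert for review"}
    return {"action": "allow_audit", "findings": findings,
            "reason": "sensitive data to sanctioned app from managed device, logged"}


# Constructed sample events (the card number is the well-known 4111... test value)
SAMPLE_EVENTS = [
    {"user": "alice", "direction": "upload", "app_sanctioned": True, "device_managed": True,
     "content": "Q3 forecast deck, call me on 555-123-4567"},
    {"user": "bob", "direction": "upload", "app_sanctioned": False, "device_managed": True,
     "content": "customer export: 4111 1111 1111 1111 exp 12/27"},
    {"user": "carol", "direction": "download", "app_sanctioned": True, "device_managed": False,
     "content": "HR file, SSN 123-45-6789"},
    {"user": "dave", "direction": "upload", "app_sanctioned": True, "device_managed": True,
     "content": "CONFIDENTIAL roadmap 2025"},
]


def run(events: list) -> list:
    """Evaluate a batch of events and tag each decision with its user."""
    return [dict(user=e["user"], **decide(e)) for e in events]


if __name__ == "__main__":
    for r in run(SAMPLE_EVENTS):
        print(f"{r['user']:<6}{r['action']:<12}{sorted(r['findings'])} {r['reason']}")
```

Note the ordering inside decide: the destination check (unsanctioned app) runs before the device check, because data that should never leave the enterprise is blocked regardless of which endpoint sent it, while the unmanaged-device branch only changes how an otherwise permitted transfer is delivered.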

Threat Detection and Response

Credentials stolen by attackers and malicious insider usage are the two major threats facing cloud applications. Two-factor authentication goes a long way toward mitigating stolen credentials, but it's not always used, nor is it foolproof. Advanced analytics, more specifically User and Entity Behavior Analytics (UEBA), is a critical capability that identifies these types of potentially malicious activity so that an immediate response can be taken, including locking the account or requesting step-up authentication.
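The risk-based re-authentication described under "Identity and Two-Factor Authentication" and the UEBA-driven lock or step-up response described here are two ends of one pipeline, so a single added example covers both (written for this article; it is not Masergy's or any UEBA vendor's code). The script builds a per-user baseline from a constructed activity history (countries, devices, typical daily download volume), scores new events on deviation from that baseline, including the 11 pm to 6 am window mentioned later, and maps the score to allow, step-up with a second factor, or account lock. The feature weights, thresholds, event format and sample data are all assumptions.

```python
"""Behavioral baselining with a graded response: allow, step-up, or lock.

Added example, not Masergy's or any CASB/UEBA vendor's code. History, new
events, feature weights and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed activity history: (ISO timestamp, user, action, country, device, bytes)
HISTORY = [
    ("2024-03-04T09:30:00", "alice", "download", "US", "alice-laptop", 20_000_000),
    ("2024-03-05T10:10:00", "alice", "download", "US", "alice-laptop", 30_000_000),
    ("2024-03-06T14:45:00", "alice", "download", "US", "alice-laptop", 40_000_000),
    ("2024-03-07T11:00:00", "alice", "download", "US", "alice-phone", 25_000_000),
    ("2024-03-08T16:20:00", "alice", "download", "US", "alice-laptop", 35_000_000),
]

# Feature weights and decision thresholds (assumptions; tune per organization)
W_NEW_COUNTRY, W_NEW_DEVICE, W_OFF_HOURS, W_BULK = 3, 2, 2, 4
STEP_UP_AT, LOCK_AT = 3, 7
BULK_FACTOR = 3  # one download larger than 3x the user's mean daily volume counts as bulk


def build_baseline(history: list) -> dict:
    """Per-user profile: countries and devices seen, and download bytes per day."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(),
                                "daily_bytes": defaultdict(int)})
    for ts, user, action, country, device, nbytes in history:
        profile = base[user]
        profile["countries"].add(country)
        profile["devices"].add(device)
        if action == "download":
            profile["daily_bytes"][ts[:10]] += nbytes
    return dict(base)


def is_off_hours(ts: str) -> bool:
    """True between 23:00 and 06:00, the window the text singles out."""
    hour = datetime.fromisoformat(ts).hour
    return hour >= 23 or hour < 6


def score_event(baseline: dict, event: tuple):
    """Return (score, reasons) for one new event against the user's baseline."""
    ts, user, action, country, device, nbytes = event
    profile = baseline.get(user)
    if profile is None:
        return STEP_UP_AT, ["no baseline for user"]  # unknown user: verify before trusting
    score, reasons = 0, []
    if country not in profile["countries"]:
        score += W_NEW_COUNTRY
        reasons.append(f"first activity from {country}")
    if device not in profile["devices"]:
        score += W_NEW_DEVICE
        reasons.append(f"unknown device {device}")
    if is_off_hours(ts):
        score += W_OFF_HOURS
        reasons.append("activity between 23:00 and 06:00")
    if action == "download" and profile["daily_bytes"]:
        typical = mean(profile["daily_bytes"].values())
        if nbytes > BULK_FACTOR * typical:
            score += W_BULK
            reasons.append(f"download of {nbytes} B vs typical daily {typical:.0f} B")
    return score, reasons


def respond(score: int) -> str:
    """Graded response: lock the account, ask for a second factor, or allow."""
    if score >= LOCK_AT:
        return "lock"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


def evaluate(baseline: dict, event: tuple) -> dict:
    score, reasons = score_event(baseline, event)
    return {"user": event[1], "score": score, "reasons": reasons, "action": respond(score)}


# Constructed new events to evaluate against the baseline
NEW_EVENTS = [
    ("2024-03-11T10:00:00", "alice", "login", "US", "alice-laptop", 0),
    ("2024-03-11T14:00:00", "alice", "login", "DE", "alice-laptop", 0),
    ("2024-03-11T23:30:00", "alice", "download", "US", "alice-phone", 10_000_000),
    ("2024-03-12T02:15:00", "alice", "download", "RO", "unknown-android", 900_000_000),
]

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for ev in NEW_EVENTS:
        r = evaluate(baseline, ev)
        print(f"{r['action']:<8}score={r['score']:<3}{'; '.join(r['reasons']) or 'within baseline'}")
```

The thresholds are chosen so that a single weak signal (a late-night download of normal size from a known phone) is just logged, one strong signal (a known device from a new country) costs the user a second factor, and a pile-up of signals (new country, unknown device, off hours, bulk volume) locks the account for the SOC to review. Locking on a single signal is the heavy-handed approach the text warns against; the graded response is what keeps two-factor friction proportional to risk.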

Why Masergy Managed CASB?

The nature of this technology requires advanced security monitoring and incident response. Only the largest enterprises can afford to build a Security Operations Center (SOC). A lot of data can be pulled out of a cloud app between 11:00 pm and 6:00 am while your team is sleeping. Security expertise and 24/7 monitoring are mandatory to ensure that the CASB solution is configured correctly, that incidents are quickly identified, and that appropriate responses are executed.

That's what we do at Masergy. We're experts at managed detection and response, and we're excited to offer this new capability. Masergy integrates with leading CASBs from Bitglass, Netskope, and Skyhigh to provide a turnkey, cost-effective, managed CASB solution that delivers continuous monitoring and response.

When you spend the money on CASB, be sure to account for a managed service if you don't have your own SOC. Also, it's completely reasonable to push the costs of managed CASB back to the business units that are procuring SaaS. The cost of security should be tied to SaaS adoption: you can’t have one without the other.

CASB Deployment

Our Managed CASB is fully integrated with our managed detection and response platform and comes with multimode capabilities that support all forward proxy, API, and reverse proxy deployment techniques.

Whatever your CASB choice, Masergy's UES platform will readily integrate CASB events and alerts into our patented security analytics engine, thereby enhancing the overall effectiveness of our ecosystem of proprietary and third-party detection and response tools.

To learn more about how Masergy Managed CASB can help you embrace your cloud strategy, watch our on-demand webinar, Cloud Security Essentials: How to Tackle Cloud App Visibility and Data Security.

About Jay Barbour

Director of Security Product Management, Masergy
Jay brings more than 17 years of security experience to Masergy as Director of Security Product Management. He is responsible for the product vision of Masergy’s managed security services and leads the product team on execution. Previously, Jay was Director of Security Advisory Services for BlackBerry where he advised large enterprises and government agencies on mobile security. Other positions he has held include Vice President of Marketing at Intrusion, and Vice President of Product Management at Scansafe (now Cisco). Jay holds a degree in Engineering Physics from Queen’s University, Canada, an MBA from INSEAD, France, and is a Certified Information Systems Security Professional (CISSP).