There are now many Cloud Access Security Broker (CASB) products on the market. They are claimed to help improve cloud governance and compliance, but do they really help?
Organizations are choosing to use cloud services to increase agility, to innovate and to get closer to their customers. Cloud services provide a cost-effective solution to these needs as well as to deliver commodity functionality at lower cost.
However, cloud services are outside the direct control of the customer organization, and using them hands control of the service and its infrastructure to the CSP (Cloud Service Provider). This makes a governance-based approach essential, and it must be implemented through processes covering acquisition, security and assurance, supported by an appropriate management structure.
Some important concerns around the use of cloud services include:
- The geographic location where the customer’s data is held and processed and the potential for the Cloud Service Provider (CSP) and their staff to access this data.
- Government Access – The way in which governments can legally require access to the data being processed without seeking the permission of the cloud customer. The recent revelations around access to Yahoo emails by the US government are an example.
- GDPR – The European General Data Protection Regulation (GDPR) coming into force in May 2018 is another challenge for organizations holding personal data relating to people in Europe.
However, you can only govern the services that you know you are using, and many organizations are unaware of the extent to which cloud services are being used. Employees and associates can use their own personal cloud services to perform their jobs without reference to their employer. Line-of-business managers can acquire cloud services without performing a risk assessment or considering the impact of these services on compliance.
To implement governance, you need to be able to control who can use which cloud services and for what purposes. You also need to be able to ensure that data held in the cloud complies with laws and regulations, and to protect it against leakage. So, in practical terms, technology is needed to support this governance-led approach. In an ideal world, this functionality would be provided by the range of existing security tools and technologies already in use. Many of the capabilities are already there, but Cloud Access Security Brokers (CASB) integrate them into a usable form.
KuppingerCole has analysed the market for CASB and recommends that these products should provide functionality that enables customers to:
- Detect Cloud Service Usage – the use of cloud services which have not been subject to an organizational assessment of the compliance risks and data protection requirements is a common concern for many organizations. Identifying the cloud services being used from within an organization and providing control over their use is a key capability to manage this risk.
- Control Usage of Cloud Services – access to cloud services should be controlled so that business-critical and regulated data can only be moved into approved cloud services. Employees should easily be able to access approved services and be prevented from moving important data to non-approved services. This should be an extension of existing Access Governance processes and technologies. The controls should be based on existing organizational directories and should provide seamless access to approved services.
- Protect against Cyber Risks – there are different ways in which there could be unauthorized access to a customer’s data held in the service. A product should provide capabilities to detect threats to business-critical data and protect against unauthorized access and data leakage.
- Support Compliance – many organizations depend upon their data being processed and protected in a way that is compliant with laws and regulations. To support this need, the product should provide “out of the box” capabilities aligned with specific regulations. Ideally these capabilities should be independently certified or, at least, the vendor should be able to provide examples of customers who have successfully used the product to achieve compliance.
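To make the first two capabilities concrete, here is an added illustration of what a minimal "discover and flag" pass over outbound proxy logs looks like. It is not code from KuppingerCole or from any CASB product; the log line format, the service catalogue (with its hypothetical "approved" flag), the upload threshold and the sample log lines are all constructed for this example. Real products add identity-aware enforcement on top of this, but the core of shadow-IT discovery is exactly this: map observed hosts to known services, note which have never been assessed, and surface large uploads to services the organization has not approved.

```python
"""Constructed example: discover cloud service usage from proxy logs and flag
large uploads to unapproved services. Not code from any CASB vendor."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed catalogue: host suffix -> (service name, approved by the organization?).
# The "approved" flag stands in for the outcome of an organizational risk assessment.
SERVICE_CATALOGUE = {
    "corp-files.example": ("Corporate File Share", True),
    "crm.example": ("Approved CRM", True),
    "pastebox.example": ("Public Paste Site", False),
    "freeshare.example": ("Personal File Sharing", False),
}

# Bytes sent in one request above which an upload to an unapproved or
# unassessed service is reported (threshold chosen for the example).
UPLOAD_THRESHOLD = 1_000_000


@dataclass
class Event:
    timestamp: str
    user: str
    method: str
    host: str
    bytes_out: int


def lookup_service(host):
    """Match a hostname against the catalogue by domain suffix.
    Unknown hosts come back as (None, False): unassessed, hence not approved."""
    for suffix, (name, approved) in SERVICE_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return name, approved
    return None, False


def parse_line(line):
    """Parse one constructed proxy log line of the form
    <timestamp> <user> <method> <url> <bytes_out>; returns None if malformed."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    ts, user, method, url, bytes_out = parts
    host = urlsplit(url).hostname
    if host is None:
        return None
    return Event(ts, user, method.upper(), host.lower(), int(bytes_out))


def analyse(lines):
    """Return (usage, findings).
    usage maps each discovered service (or 'unassessed:<host>') to its approval
    status, request count and the set of users seen; findings lists
    (user, service, bytes) for large uploads to services that are not approved."""
    usage = {}
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        name, approved = lookup_service(ev.host)
        label = name or f"unassessed:{ev.host}"
        entry = usage.setdefault(label, {"approved": approved, "requests": 0, "users": set()})
        entry["requests"] += 1
        entry["users"].add(ev.user)
        if not approved and ev.method in ("POST", "PUT") and ev.bytes_out >= UPLOAD_THRESHOLD:
            findings.append((ev.user, label, ev.bytes_out))
    return usage, findings


# Constructed sample log lines (no real users, hosts or traffic).
SAMPLE_LOG = [
    "2017-01-10T09:02:11Z alice GET https://crm.example/accounts 512",
    "2017-01-10T09:05:40Z alice POST https://corp-files.example/upload 2500000",
    "2017-01-10T09:07:03Z bob PUT https://freeshare.example/api/files 4200000",
    "2017-01-10T09:09:19Z carol GET https://news.example/headlines 8000",
    "2017-01-10T09:12:58Z bob POST https://pastebox.example/new 900",
    "2017-01-10T09:15:00Z dave POST https://drop.freeshare.example/v2/put 1200000",
]


if __name__ == "__main__":
    usage, findings = analyse(SAMPLE_LOG)
    for label, entry in sorted(usage.items()):
        status = "approved" if entry["approved"] else "NOT approved"
        print(f"{label}: {status}, {entry['requests']} requests, users={sorted(entry['users'])}")
    for user, label, size in findings:
        print(f"FINDING: {user} sent {size} bytes to {label}")
```

Two points of the design are worth noting. First, a host that matches nothing in the catalogue is still recorded, as an "unassessed" service, because the governance gap the text describes is precisely the services nobody has looked at yet. Second, the approved flag on the corporate file share means alice's large upload there produces no finding, while bob's and dave's uploads to the personal sharing service do: the control is on where regulated data may go, not on uploads as such.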
Most leading cloud service providers implement more rigorous and more effective technical security controls around their service than most organizations can afford for their in-house IT. However, the responsibilities for security and compliance are shared, and many of the real risks come from how cloud services are used. If there is no clear policy for which services an employee can use, don’t be surprised if they use their personal ones. If personal data held by the organization is not identified and protected, don’t be surprised if you are subject to regulatory or legal penalties. CASBs do not replace the need for cloud governance – they provide practical support for the essential cloud governance processes.