Relying on a cloud app's native security leaves a data blind spot for organizations that need to protect data. App vendors like Google and Salesforce are primarily responsible for the security of the application and infrastructure, not the data. Data security then becomes the responsibility of the enterprise. Being able to control access as well as protect data is an extremely important task for organizations.
Traditionally, IT would issue a regulated device to an employee and have complete control over the device, the network, and everything in between. As technology evolves, many organizations no longer control their own infrastructure, instead taking advantage of cloud apps.
The challenge with deploying cloud apps is the increased risk of data leakage. In a BYOD-centric world where cloud apps are accessible from any unmanaged device, anywhere, security must evolve to become data-centric. You not only want to be able to protect sensitive data at rest within these cloud apps, but also control access to data, limiting access in the riskiest contexts.
A Cloud Access Security Broker can provide complete data protection for both data at rest in the cloud and data in motion as it's downloaded to an end-user's device. There are many key elements to a CASB:
- Real-time inline protection: Not all CASBs are created equal. Some leverage only APIs, which provide some visibility and control but no real-time protection. Select CASBs like Bitglass take a hybrid approach, using both APIs and proxies to protect data at download.
- Data Leakage Prevention: With content-aware DLP, a CASB can ensure that data is protected at download with a full spectrum of controls, from watermarking to outright blocking.
- Audit and visibility: The ability to know what files users are accessing, how data is being shared, and more.
- Identity: CASBs offer integrated identity management to properly authenticate users with single sign-on.
- Cloud Encryption: For organizations in some sectors, encrypting data-at-rest in the cloud is critical to adopting apps like Salesforce. With a CASB, you can control your own encryption keys, achieve separation of systems, and maintain usability and functionality of Salesforce while encrypting various fields.
In the case of one customer, for example, the organization needed a complete CASB that could control access to Office 365 from any device, remediate PII in real time, and encrypt data in Salesforce without the security drawbacks of platform encryption.