In this post, we're diving into security for data-at-rest inside of cloud applications, and how a CASB can help.
Many cloud app vendors encrypt data-at-rest in their cloud infrastructure. However, the application vendor controls the encryption key, so the encryption protects the vendor's disks rather than the customer: anyone who can compromise or compel the vendor can read the data, and the customer cannot revoke access by rotating a key they never held. Furthermore, data residency requirements in many countries require that sensitive data never leave the country.
The advantage of using a CASB for cloud encryption is that the enterprise controls its own encryption keys: the SaaS vendor stores only ciphertext, so neither the vendor nor anyone who breaches or subpoenas it can read corporate data without the enterprise's participation.
The downside of using a CASB for cloud encryption is that some application functionality may be affected. Specifically, the SaaS application servers cannot compute on data they can only see as ciphertext. For example, if you encrypt a field holding monetary values, the cloud app can no longer sum those values or report on their totals.
Another issue with using a CASB for cloud encryption is that encrypted data cannot be searched. To overcome this limitation, first-generation CASB solutions watered down the encryption to cyclic ciphers, which map a given plaintext to the same ciphertext every time. In such solutions, searching the plaintext data for a keyword is accomplished by searching the encrypted data for the encrypted form of the keyword.
Unfortunately, cyclic ciphers are weak and easily broken by a chosen-plaintext attack: an attacker who can insert values of their choosing through the application and read back the stored ciphertext builds a lookup table from ciphertext to plaintext and then reads everyone else's records. Some products instead use 256-bit AES but limit the number of initialization vectors, so that a search can still be run by encrypting the keyword under each IV in the pool. For example, one cloud encryption vendor advertises “millions” of initialization vectors. One million is approximately 2^20, so the IV, whose job is to make repeated encryptions of the same value look unrelated, contributes only about 20 bits: every plaintext value maps to one of roughly a million ciphertexts, and the same chosen-plaintext attack rebuilds the lookup table for a low-entropy field (states, departments, salary bands) with on the order of 2^20 inserts per candidate value. The 256-bit key is never attacked; in that sense such a scheme is effectively 20-bit encryption, which certainly doesn't pass the requirements of any security-conscious organization.
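To make the trade-off concrete, here is an added example (not code from this post or from any CASB product) that models a gateway encrypting a field with an IV drawn from a small fixed pool, runs a keyword search the way such a gateway must, and then runs the chosen-plaintext dictionary attack from the attacker's side with no key at all. It assumes the IV is chosen uniformly from the pool and sent in the clear as a ciphertext prefix, and it swaps AES for an HMAC-SHA256 keystream (CTR style) so it needs only the Python standard library; the class and function names and the sample "state" column are constructed for illustration.

```python
"""Searchable field encryption with a limited IV pool, and the chosen-plaintext
dictionary attack it enables. Added example, not a vendor's code. AES is replaced
by an HMAC-SHA256 keystream so only the standard library is needed; the weakness
comes from the small IV pool and would be identical with AES."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Set

IV_LEN = 16


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """CTR-style keystream: block i = HMAC-SHA256(key, iv || i). Stand-in for AES-CTR."""
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:n]


def encrypt_with_iv(key: bytes, iv: bytes, plaintext: str) -> bytes:
    """Deterministic for a fixed (key, iv); the IV travels in the clear as a prefix."""
    pt = plaintext.encode()
    return iv + bytes(a ^ b for a, b in zip(pt, keystream(key, iv, len(pt))))


def decrypt(key: bytes, ciphertext: bytes) -> str:
    iv, body = ciphertext[:IV_LEN], ciphertext[IV_LEN:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, iv, len(body)))).decode()


class SearchableGateway:
    """Hypothetical gateway that keeps a field searchable by drawing the IV from a
    fixed pool. The vendor in the post advertises "millions"; 16 is used here so the
    attack finishes instantly, but attacker cost scales linearly with pool size."""

    def __init__(self, key: bytes, iv_pool_size: int):
        self.key = key
        self.iv_pool = [secrets.token_bytes(IV_LEN) for _ in range(iv_pool_size)]

    def encrypt(self, plaintext: str) -> bytes:
        return encrypt_with_iv(self.key, secrets.choice(self.iv_pool), plaintext)

    def search(self, stored: List[bytes], keyword: str) -> List[int]:
        """Search = encrypt the keyword under every pool IV and look for exact matches."""
        candidates = {encrypt_with_iv(self.key, iv, keyword) for iv in self.iv_pool}
        return [i for i, ct in enumerate(stored) if ct in candidates]


def chosen_plaintext_dictionary(oracle: Callable[[str], bytes], guesses: List[str],
                                iv_pool_size: int) -> Dict[bytes, str]:
    """Attacker view: no key, but the ability to insert chosen values through the
    gateway (e.g. by creating records) and to read the stored ciphertexts back.
    Each guess is inserted until every pool IV has been seen, which is the same
    enumeration the legitimate search performs, minus the key."""
    table: Dict[bytes, str] = {}
    for word in guesses:
        seen: Set[bytes] = set()
        for _ in range(64 * iv_pool_size):  # coupon-collector bound with wide margin
            seen.add(oracle(word))
            if len(seen) == iv_pool_size:
                break
        for ct in seen:
            table[ct] = word
    return table


def recover(table: Dict[bytes, str], stored: List[bytes]) -> List[str]:
    """Map every stored ciphertext back to plaintext via the dictionary ('?' if unknown)."""
    return [table.get(ct, "?") for ct in stored]


def demo(iv_pool_size: int = 16) -> dict:
    key = secrets.token_bytes(32)  # 256-bit key; the attacker never sees it
    gw = SearchableGateway(key, iv_pool_size)
    # Constructed sample data: a low-entropy "state" column in customer records.
    domain = ["CA", "NY", "TX", "WA", "FL", "IL"]
    truth = ["NY", "CA", "TX", "NY", "WA", "FL", "CA", "IL"]
    stored = [gw.encrypt(s) for s in truth]
    hits = gw.search(stored, "NY")  # the legitimate search works...

    calls = {"n": 0}

    def oracle(word: str) -> bytes:  # attacker inserting a record through the gateway
        calls["n"] += 1
        return gw.encrypt(word)

    table = chosen_plaintext_dictionary(oracle, domain, iv_pool_size)
    recovered = recover(table, stored)  # ...and so does the attack
    return {"search_hits": hits, "recovered": recovered, "truth": truth,
            "oracle_calls": calls["n"]}


if __name__ == "__main__":
    print(demo())
```

Running it, the recovered column equals the truth column although the attacker never held the key, after only a few hundred inserts. Raising `iv_pool_size` toward the advertised 2^20 raises the attacker's cost to about a million inserts per candidate value; that bound on the attacker's work, not the key length, is what "about 20 bits" means, and a field with a small domain stays cheap to recover. A fresh random 128-bit IV per record stops the attack, but by the same enumeration argument it also stops the search: the pool size is exactly the knob that trades one against the other.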
One thing to review with any vendor you assess is resiliency in the face of constantly changing cloud applications. Modern SaaS applications render most of their UI client-side with AJAX, so an encryption proxy has to recognize, in that dynamic traffic, which fields to encrypt on the way in and decrypt on the way out. First-generation cloud encryption CASB products rely on hand-coded logic per application for this and frequently break whenever the application is updated. Since SaaS providers can push updates daily, these vendors keep large teams of engineers scrambling to patch their software after each change, and customers see poor availability and broken functionality in the meantime.
Shameless plug: Bitglass has solved these limitations of first-gen CASBs and Cloud Encryption Gateways.
To help provide more color on what CASBs do, we have created The Definitive Guide to Cloud Access Security Brokers. We're publishing the entire document as a series of posts on this blog. Of course, if you prefer to binge-read your Definitive Guides much like you binge-watched Breaking Bad on Netflix, you can download the whole thing immediately, right here.