Hardly a day goes by without a widely reported breach or hacking event in a major enterprise. Deloitte has the misfortune of being today's top information security news story. In this case, it's been reported that Deloitte email servers, hosted on Microsoft Azure, were compromised after hackers gained access to a privileged user's credentials. The attackers had wide access to Deloitte's email system for a couple of months before the breach was discovered.
- Agentless real-time protection - only an agentless CASB can secure cloud access from any device. Paired with managed vs unmanaged device detection, a CASB like Bitglass would have allowed them to identify access from hackers' unmanaged devices, and provide restrictions over what could be accessed from those devices, limiting the scope of damage, or preventing it entirely.
- User behavior analytics - CASBs provide full visibility into user behaviors across all applications. In this case, the compromise would likely have been detected using even very simple techniques, such as simultaneous access to cloud app(s) from multiple locations.
- Step-up multifactor authentication - Given the ongoing access to this account over time, it seems clear that Deloitte did not have multifactor authentication (MFA) in place for this privileged user. A CASB with built-in identity capabilities can add MFA to any application, including those that don't support MFA natively. Or, step-up MFA can be used, triggering a request for an additional factor only when suspicious activity is seen, such as when a user is logging in from new devices or locations, or when their behavior deviates significantly from established baselines.
As the drumbeat of cloud-related compromises continues to hit the news, it is becoming more and more clear that most of these compromises are not related to the security of the cloud itself. Rather, they are related to enterprise use of the cloud and failure to put proper security controls in place with tools like a CASB.