How to Best Secure the Cloud
In Part One, we discussed modern business trends like the move to the cloud, BYOD, the shared responsibility model of security, and how each of them necessitates the use of a cloud access security broker (CASB). CASB platforms typically leverage proxies and cloud apps’ APIs to protect data across cloud apps. CASBs that use forward and reverse proxies can monitor and protect data in real time, in transit, and on devices. Through API integration, CASBs can also take action, limiting access to sensitive data in high-risk cloud apps. When used in tandem, proxies and APIs enable a number of capabilities for end-to-end cloud protection.
Discovery services are a core component of any modern CASB. Generally speaking, these capabilities allow enterprises to identify where their data is stored by monitoring it as it moves to various endpoints. Discovery is a service frequently sought by companies that are beginning to use the cloud and are wondering where their data goes once it leaves their network. It is also useful for mature firms that already use the cloud, have a great deal of proprietary data, and want to identify potential threats like shadow IT (unsanctioned cloud applications). However, discovery services alone are not enough to ensure cloud security.
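To make the discovery idea concrete, here is an added example (not code from the original post or from any CASB vendor) that does the simplest form of shadow IT discovery: it reads forward-proxy log lines, maps each destination host to a cloud app through a small catalog, and reports upload volume and users per app, flagging apps that are not on the sanctioned list. The log format, the hosts, the catalog entries and the "ExampleShare" app are all constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample proxy log. Assumed layout: "timestamp user method host bytes_out".
SAMPLE_PROXY_LOG = """\
2024-05-01T09:00:01Z alice POST drive.google.com 524288
2024-05-01T09:02:10Z bob PUT files.example.net 2097152
2024-05-01T09:05:44Z alice GET mail.office365.com 1024
2024-05-01T09:07:03Z carol POST files.example.net 1048576
2024-05-01T09:09:30Z bob POST drive.google.com 4096
"""

# Assumed app catalog: host -> (app name, sanctioned?). A real CASB ships a far larger one.
APP_CATALOG = {
    "drive.google.com": ("Google Drive", True),
    "mail.office365.com": ("Office 365 Mail", True),
    "files.example.net": ("ExampleShare (hypothetical)", False),
}

LOG_LINE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")
UPLOAD_METHODS = {"POST", "PUT"}  # methods that carry data out of the network


def discover(log_text):
    """Aggregate, per cloud app, which users talk to it and how many bytes they upload.

    Hosts missing from the catalog are reported under their own hostname and treated
    as unsanctioned, since an unknown destination is exactly what discovery should surface.
    """
    report = defaultdict(lambda: {"sanctioned": False, "users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        _ts, user, method, host, nbytes = m.groups()
        name, sanctioned = APP_CATALOG.get(host, (host, False))
        entry = report[name]
        entry["sanctioned"] = sanctioned
        entry["users"].add(user)
        if method in UPLOAD_METHODS:
            entry["bytes_out"] += int(nbytes)
    return dict(report)


def shadow_it(report):
    """Return the names of apps seen in traffic that are not sanctioned, sorted."""
    return sorted(name for name, entry in report.items() if not entry["sanctioned"])


if __name__ == "__main__":
    found = discover(SAMPLE_PROXY_LOG)
    for name in shadow_it(found):
        e = found[name]
        print(f"unsanctioned: {name}: {len(e['users'])} users, {e['bytes_out']} bytes uploaded")
```

The upload-byte count is what makes a discovery report actionable: an unsanctioned app that one user browses once is a different risk from one that several users push megabytes into.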
Data loss protection (DLP) is another critical component of any cloud security system; it is an umbrella term that covers a number of capabilities CASBs offer in varying degrees. By watermarking files, CASBs can detect when those files are opened and provide a host of information about the users who open them. Digital rights management (DRM) is a system wherein users are required to prove their identity by logging into a company portal before they can access certain files. With redaction, sensitive text within files and emails is replaced with a string of characters that hides the information. As a final example of DLP, some CASBs can encrypt structured and unstructured data at upload, at download, and at rest.
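The redaction capability above is the easiest DLP feature to show in code. The following is an added example (not from the original post or any vendor product) of a pattern-based redactor: it looks for payment card numbers and US Social Security Numbers in text, validates card candidates with the Luhn checksum so that ordinary long numbers such as order IDs are left alone, and replaces the sensitive digits with a masking string that keeps only the last four. The patterns and the sample text are constructed for the example; a production DLP engine carries many more detectors.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US Social Security Number in the common NNN-NN-NNNN layout (constructed pattern).
SSN_PATTERN = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_valid(digits):
    """Return True when the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(text):
    """Return (redacted_text, counts) where counts records how many of each type were masked."""
    counts = {"pan": 0, "ssn": 0}

    def mask_pan(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw  # random digit run (order number, phone, etc.): leave untouched
        counts["pan"] += 1
        return "X" * (len(digits) - 4) + digits[-4:]

    def mask_ssn(match):
        counts["ssn"] += 1
        return "XXX-XX-" + match.group(3)

    redacted = PAN_CANDIDATE.sub(mask_pan, text)
    redacted = SSN_PATTERN.sub(mask_ssn, redacted)
    return redacted, counts


if __name__ == "__main__":
    # Constructed sample: a test card number, a sample SSN, and an order id that must survive.
    sample = "Card 4111 1111 1111 1111, SSN 123-45-6789, order 1234567890123"
    out, found = redact(sample)
    print(out)
    print(found)
```

Running the block on the constructed sample masks the card number and the SSN but leaves the 13-digit order number in place because it fails the Luhn check; that false-positive control is what separates a usable redactor from one that users learn to route around.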
User and entity behavior analytics (UEBA) are an integral part of any advanced CASB system. Through UEBA, CASBs can take a number of sophisticated, automated actions to protect data. For example, they correlate user accesses, geographic locations, and a host of other variables to identify suspicious activity. If a firm’s employees only use Android devices and only travel within the United States, UEBA capabilities can block accounts trying to access data from Apple devices and other countries. Similarly, if a user’s account downloads a file from Africa within five minutes of downloading a file in New York, a CASB like Bitglass can detect that the account has separate individuals using it (based upon impossible travel times). It can then prevent further downloads or just block requests for sensitive files. UEBA is an integrated component of a complete CASB platform and is built to interoperate with DLP, identity management, and other core data protection features.
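The two UEBA checks described in this paragraph, the device/country allowlist and impossible-travel detection, can be written down in a few dozen lines. The block below is an added example (not Bitglass code or any vendor's detection logic) that evaluates a list of access events per user: each event is checked against allowed countries and platforms, and consecutive events for the same user are compared by great-circle distance and elapsed time to compute the speed the account would have needed. The 1,000 km/h threshold, the event fields, the coordinates and the sample events are all constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumption: nothing a legitimate user rides moves faster than roughly a commercial jet.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


@dataclass(frozen=True)
class AccessEvent:
    user: str
    when: datetime
    lat: float
    lon: float
    country: str   # ISO-style country code of the source IP (assumed field)
    platform: str  # device platform reported by the client (assumed field)


@dataclass(frozen=True)
class Alert:
    user: str
    kind: str      # "policy" or "impossible_travel"
    detail: str
    decision: str  # what the broker does next


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def evaluate(events, allowed_countries, allowed_platforms):
    """Return the alerts a UEBA engine would raise for these events."""
    alerts = []

    # Check 1: static allowlist on country and platform, evaluated per event.
    for e in events:
        problems = []
        if e.country not in allowed_countries:
            problems.append(f"country {e.country}")
        if e.platform not in allowed_platforms:
            problems.append(f"platform {e.platform}")
        if problems:
            alerts.append(Alert(e.user, "policy", ", ".join(problems), "block_request"))

    # Check 2: impossible travel between consecutive events of the same account.
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.when):
        by_user[e.user].append(e)
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600
            speed = dist / hours if hours > 0 else float("inf")
            if speed > MAX_PLAUSIBLE_SPEED_KMH:
                detail = f"{dist:.0f} km in {hours * 60:.0f} min ({speed:.0f} km/h)"
                alerts.append(Alert(user, "impossible_travel", detail, "block_further_downloads"))
    return alerts


# Constructed sample: alice downloads in New York, then five minutes later in Lagos from an
# iOS device; bob moves from New York to Boston over three hours, which is unremarkable.
SAMPLE_EVENTS = [
    AccessEvent("alice", datetime(2024, 5, 1, 12, 0), 40.7128, -74.0060, "US", "Android"),
    AccessEvent("alice", datetime(2024, 5, 1, 12, 5), 6.5244, 3.3792, "NG", "iOS"),
    AccessEvent("bob", datetime(2024, 5, 1, 9, 0), 40.7128, -74.0060, "US", "Android"),
    AccessEvent("bob", datetime(2024, 5, 1, 12, 0), 42.3601, -71.0589, "US", "Android"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS, {"US"}, {"Android"}):
        print(alert)
```

The two checks are kept separate on purpose: the allowlist fires on a single event, while impossible travel needs the previous event for the same account, so in a real deployment the second check has to read from the same access history the DLP and identity components write to.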
While there are many concerns associated with using the cloud, CASBs provide the breadth and depth of tools required to ensure security. Join us in Part Three to learn about the capabilities you need for mobile security.