In a recent discussion on Cloud Access Security Brokers with a prospective Bitglass customer, the CISO came into the meeting convinced that the only risk of data leakage from public cloud apps is external sharing. I immediately knew that this person had already been served up a healthy dose of propaganda from an API-only Cloud Access Security Broker. External sharing is definitely a critical issue that must be addressed when deploying a CASB, but it is far from the only issue. Let's take a look at a couple.
External Sharing - Definitely a top-of-mind challenge. What's different about most cloud apps when compared to internal applications is that today's cloud apps (especially File Sharing & Sync apps) were developed with sharing as a cornerstone of the solution. It couldn't be easier to log into OneDrive or Box and share a file containing sensitive content with someone outside of the company.
CASBs on External Sharing - CASBs, including Bitglass, leverage APIs provided by cloud application vendors in order to discover external sharing, match against data leakage prevention policies, and take programmatic actions (such as removing the external share).
BYOD - In the relatively simple (and recent) past, the point of consumption of corporate data was a locked-down, managed corporate laptop. We knew what the device was, and we had the ability to prohibit unwanted devices from connecting to corporate apps. Unfortunately, anyone on any device is able to reach a public cloud app like Salesforce and, with relatively few exceptions (and assuming they have a username/password), log in and access corporate data.
CASBs on BYOD - Proxy-based CASBs are a much-needed first line of defense for cloud applications. They can make the distinction between managed and unmanaged devices, and provide risk-appropriate access depending on a very broad set of contextual variables. Some can even protect downloaded documents with encryption or rights management, redact sensitive content, or watermark files for constant visibility.
Managed Devices - While certainly more secure than BYOD, providing safe access to cloud data from managed devices is no walk in the park either. Today's cloud apps not only make it super easy to share data externally, but they also make it super easy to proactively sync sensitive data down to devices. Combine this with the fact that today's managed devices are routinely attached to insecure Wi-Fi networks, regularly left in airport security lines, and increasingly used for personal apps, and you have a recipe for disaster. No longer can the managed device be a "trusted" part of the network.
CASBs on Managed Devices - As with BYOD, proxy-based CASBs can ensure that only appropriate data is made available to users given a certain context. Want to ensure that a spreadsheet containing 10,000 customer records is encrypted before being synced to a device? A CASB can help with that.
The conclusion? Today's cloud apps are complex beasts with a lot of potential paths for data to leak. Make sure you're thinking about cloud data leakage comprehensively. And if you're thinking about a CASB, Bitglass can help.