Cloud Access Security Brokers offer a wealth of functionality - from encryption to mobile data protection, data leakage prevention, and more. Since these tools are typically being deployed for the first time in most enterprises, it can be difficult to decide where to start!
As a vendor, we have the unique perspective of being able to participate in the decision making and deployment process for all of our customers, and over hundreds of deployments, patterns and similarities emerge. I thought I'd share with you the 3 most common starting CASB policies - the initial policies that we see put into place.
Note that these are the first policies we see across all verticals - depending on your industry and specific business needs, your starting point might be different. If you're in financial services, for example, DLP and encryption are likely at the top of your list.
- Access Control
Leading CASBs offer a range of variables on which access control decisions can be made - managed vs. unmanaged device, access method, location, role, and more. Many of our customers want to start by distinguishing between managed and unmanaged devices, and provide different levels of access depending on device type.
The rationale is clear - an unmanaged device represents more risk to the organization than a managed device, so while some access should be extended, it should be in a more restricted fashion. We commonly see this type of policy tied with access method policies, which distinguish between web, client app, email, etc.
What might a policy look like for an app like Office 365? Users on managed devices have full access to O365 with no restrictions. That same user accessing O365 from an unmanaged device might have web and activesync email access, but no ability to sync OneDrive data in a mobile app because huge amounts of corporate data on an unmanaged device is too risky.
- Mobile Data Protection
Ironically, the biggest security issue facing most organizations when they deploy cloud apps is what happens to all of that sensitive data when it's downloaded or synchronized to thousands of employee devices (both managed and unmanaged)? A CASB will allow you to do things like enforce basic device security functions, such as PIN codes and encryption, apply protection features like encryption or rights management upon download, and selectively wipe corporate data (without agents or profiles). This ensures that your "mobile" cloud data is secure.
What might a policy look like for Google Apps, as an example? If a user leaves the company, automatically selectively wipe corporate data from all devices, and log the user out from all cloud app sessions immediately upon their account being deactivated in Active Directory.
- External Sharing
If the cloud app(s) that you are protecting include a sharing component, you'll likely want to get a handle on that ASAP. CASBs typically use APIs to integrate into cloud applications to allow you to do things like scan data-at-rest, look for sensitive information, and identify external or public shares. From there, you might employ one of several workflows, including quarantine, share removal, or file encryption.
How might the policy look in Box? All files shared external or publicly that also contain PII or credit card data will be quarantined (share removed) until the share can be evaluated to ensure that the share is legitimate and required.
With that, you're off to the races with your initial CASB deployment. From there, user behavior analytics will start to recognize user behavior and offer proactive actions like step-up multifactor authentication, you can start rolling out field and/or file level encryption, data leakage prevention policies paired with dynamic actions like rights management or redaction can tighten your risk exposure, and more.
With a well designed, cloud-hosted CASB, you can have these types of policies up and running in minutes. Try Bitglass out today.