Critical CASB Requirements in Financial Services

Cloud applications pose several unique challenges in financial services enterprises.  The following are the critical requirements that a CASB must support for enterprises in financial services.

1. Zero-Day Shadow IT Discovery: Business usage of unmanaged cloud applications may violate compliance and leak sensitive financial information. By analyzing proxy or firewall logs, a CASB can identify the cloud apps used in your organization. First-Gen CASBs use app signatures to identify apps, thereby missing changes to existing apps or activity in new apps as they come online. A Next-Gen CASB uses automated indexing of apps for up-to-date recognition of risks.

2. Zero-Day Security for Unmanaged Applications: Customers need to interact with business users via consumer applications.  For example, a customer may wish to share documents on a consumer file-sharing service such as Dropbox with a banker. The banker needs to be able to consume the documents, but not upload sensitive data to the consumer application.  First-Gen CASBs use app signatures to identify data upload paths, and cannot keep up with new apps or changes in apps. A Next-Gen CASB automatically identifies data leakage paths via machine learning techniques.  

3. Zero-Day security for Managed Applications: Enterprise applications such as Office 365 must be restricted to managed devices when accessed on thick clients.  Controlled access with DLP must be enforced on unmanaged devices, particularly for applications such as WorkDay, where employees require access at home to manage vacation and benefits. First-Gen CASBs require agents on each device, use app signatures to identify app URLs, and cannot keep up with new apps or changes in apps. A Next-Gen CASB with AJAX-VM technology can automatically control any application, and dynamically keep up with changes in app URLs.

4. Searchable Encryption:  In some cases, users might need to store highly sensitive information in cloud applications.  Such data is best encrypted prior to leaving the enterprise network in a manner that preserves application functionality such as search and sort.  For example, certain fields in the Salesforce application may contain business critical data.  First-Gen CASBs use deterministic encryption or tokenization in order to support search and sort. Such obfuscation techniques are easily reversible and provide little protection against organized attacks.  A Next-Gen CASB uses searchable, sortable true encryption and is not subject to attacks.

5. Zero-Day Threat Protection: Cloud based file-sharing is a new path for the spread of malware. Files can be shared by external parties, or uploaded by users on unmanaged devices.  In either case, Zero-Day Threat protection is required for stopping these threats before they spread into the enterprise.  Next-Gen CASBs include such Advanced Threat Protection as an inherent part of the architecture.