The cloud access security broker (CASB) market has been around for 5 years. Since its inception, the market has gone through major changes. Most CASB vendors started by providing visibility and control over shadow IT cloud services that individual employees procure on their own without the approval or even knowledge of the IT department. Next, CASB vendors extended cloud security controls to sanctioned SaaS applications such as Office 365, Box, and Salesforce. More recently, CASB vendors have extended their solutions to IaaS platforms and the custom applications that enterprises deploy on these platforms.
CASBs will become a standard, critical control point every bit as much as enterprise firewalls have been over previous decades.
Gartner, 10 Best Practices for Successful CASB Projects, November 8, 2017, Neil MacDonald
The CASB market is reaching a new stage of maturity with hundreds of large enterprises using a CASB. Today, enterprises must navigate an increasingly crowded marketplace with dozens of companies claiming CASB functionality with widely different capabilities, giving rise to confusion and complexity for enterprises looking to evaluate solutions. However, best practices are emerging showing the path toward a successful CASB project. To that end, Gartner recently published their latest report about the CASB market titled 10 Best Practices for Successful CASB Projects (download a copy here).
Gartner has organized its CASB best practices around 3 phases of CASB adoption: plan, evaluate, and deploy.
1) Gain Visibility
When considering a CASB, the first place to start is what Gartner calls “a cloud application discovery project.” This will let you see which cloud services employees use and the risk posture of each of these cloud services. However, different CASB vendors have differing sized databases that may or may not be enriched with adequate information around risk:
The quality and depth of these security posture databases vary widely. In addition, the value of the database has not been commoditized as keeping it current requires a significant ongoing investment by the CASB vendor and is a major differentiator among providers¹.
Gartner recommends to select a CASB provider that can provide detailed visibility into:
-Cloud services usage by category (file sharing, collaboration, payroll, CRM and so on).
-Cloud provider security posture assessment against a rich set of attributes. The CASB vendors will assign an overall “trustability” rating – for example, from 1 to 100.
-Personal use of sanctioned cloud services. This is also true in infrastructure as a service (IaaS), with cloud services such as Amazon Web Services (AWS) where developers and others create personal accounts.
-Unknown and risky storage of sensitive data¹.
This phase also enables security leaders to direct employees to use enterprise-ready sanctioned cloud applications in place of a potentially risky shadow cloud app. Lastly Gartner recommends gaining continuous visibility into cloud usage because “there will always be new cloud services introduced worldwide and business units will adopt them…the security posture of cloud services you are using will change, and you need visibility into this.”
2) Plan for Adaptive Access and Identity Integration
Gartner recommends organizations to integrate their CASB with existing Identity service provider such as Okta, Ping Identity, or Azure AD. This allows the CASB to enforce adaptive and context-aware access control such as taking “the user’s location, the time of day, the time of last access and so on” into consideration. Below are several common adaptive access scenarios that Gartner clients implement using a CASB:
-Access to sensitive cloud applications can be blocked entirely if the user is in a hostile geographic region or if a data residency restriction prevents the user from accessing the data from out of region.
-Unmanaged devices such as a personal home computer are not allowed to access critical enterprise-managed cloud services (such as Office 365 or Salesforce) that may or may not be Windows-based. Scenarios need to account for mobile and Mac access as well.
-Alternatively, users on unmanaged devices are allowed to access the critical application, but with reduced functionality — typically “read only” with no ability to download data locally, rather than blocking these unmanaged devices.
-Scenarios where the device, the OS or the browser represent additional risk such as out-of-date OSs (e.g., Windows XP, Android 4.x and earlier, iOS 6 and earlier), out-of-date browsers (for example, IE6 and earlier) or unpatched systems¹.
As a best practice, it is recommended that the CASB project owner talk to individual application owners and:
Engage in a risk-based conversation with the business owner on how to handle unmanaged devices… and mitigate at least some of the risk to a level that is acceptable to the business unit application owner and security¹.
3) Closely Scrutinize the Need to Encrypt/Tokenize Outside of the SaaS Provider
Some organizations may be required to encrypt structured data in cloud applications for various reasons (e.g. [CC1] data residency laws such as GDPR). In such cases, one option is to opt for the cloud service provider’s native encryption capabilities. Gartner disfavors this approach because:
You do not want (or need) to manage each one of these [encryption] functions individually¹.
Instead Gartner recommends using a CASB to encrypt data in cloud applications because:
This significantly eases the burden of having to perform such a critical function for each cloud service that requires it. For many organizations, this use case alone justifies the decision to use a CASB instead of the cloud service provider for key management¹.
4) Plan to Extend Scope to IaaS and PaaS Visibility and Monitoring
Recent high profile vulnerabilities surrounding AWS configuration such as unsecured S3 buckets underscore the need to extend the same visibility and control applied to SaaS applications to an organization’s IaaS deployment. Having realized this, Gartner recommends considering a CASB that extends:
API support for visibility and control of sensitive data at the IaaS and platform as a service (PaaS) layers by integrating with cloud provider APIs to gather and analyze:
-Administrative access and activities
-Logs of all API-based access
-Data entering and leaving via APIs to IaaS or PaaS
-Risky configurations by assessing the security posture of the cloud infrastructure (for example, data stores exposed to the public internet) — ideally, this would replace the need for cloud infrastructure security posture assessment (CISPA) point products such as Evident.io
-Sensitive data stored in IaaS data stores, file shares, object stores and databases
-Malware stored in IaaS data stores, file shares, object stores and databases¹
5) Favor Multimode CASBs
CASBs come in several flavors. Some CASBs operate in proxy mode only, where they sit inline between a user and the cloud application. Others take the API approach to securing cloud applications, integrating directly with the cloud application APIs. Gartner favors CASB providers that take a multimode approach, being deployable in either proxy or API modes such as:
-Forward proxies require some type of endpoint modification such as deployment of an agent, VPN client or proxy autoconfiguration (PAC) file. Endpoint agents introduce complexity in deployment and platforms supported, especially for bring your own device (BYOD). Forward proxies also have to deal with how to get visibility into SSL/TLS-protected traffic, typically by some type of man-in-the-middle approach. However, increased use of certificate pinning breaks this.
-APIs provide visibility in ways that proxies alone cannot; for example, visibility into data already located in cloud applications. This also includes access to cloud data by sideloaded applications in the SaaS provider that never touch any network traffic. However, APIs don’t yet provide “in-line” blocking and prevention (for example, risky sensitive data exposure is identified only after it has happened [see Note 3]). Another significant limitation is that of the estimated 10,000 cloud services, only 20 or so have suitable APIs at this point¹.
An emerging best practice is to evaluate a CASB that can extend its security capabilities to in-house developed custom applications deployed on IaaS platforms like AWS or Azure using one or more of the above deployment modes.
6) Look for Integration with Your Secure Web Gateway Vendor
Recognizing the disruption a CASB proxy deployment can have on existing network infrastructure, Gartner recommends that organizations “test how CASB will be integrated with SWG via proxy chaining.” Another primary use case for integration with an SWG or NGFW is to gain visibility into cloud usage by consuming the logs generated by the solution. Gartner recommends using the SWG for cloud malware prevention despite the potential overlap in functionality in that area. Despite the overlap between CASB and SWG, it is Gartner’s belief that:
CASB will not merge with SWG within the next five years and will continue to provide distinct, monetizable value for SWG vendors as an upsell, and for CASB vendors to enter the SWG market¹.
7) Weight Sensitive Data Classification, Discovery, Monitoring, Analytics and Protection as the Most Critical Use Cases
The real long-term value of a CASB is in its ability to accurately identify sensitive information and protect it across enterprise cloud applications. Cloud data loss prevention (DLP) as an example, is considered a critical part of a CASB deployment. Since CASB vendors vary greatly in their DLP capabilities, carefully evaluating the accuracy and feature depth of a CASB’s DLP is critical to a successful CASB project. Below are few areas Gartner believes are important:
-Detection accuracy and out-of-box-detection predefined rules with built-in dictionaries for common use cases such as medical terms, legal terms and so on.
-Machine learning against established repositories of sensitive data to reduce the time to value, and so the DLP engine can be trained for the enterprise’s specific needs.
-The ability to perform user and entity behavior analytics (UEBA) for all devices, users, data and applications to help discover genuine issues in a large volume of logs. (This is a key differentiator for leading CASBs.)
-The ability to perform risk-based assessments of the sensitive data and its usage, and to take action based on the risk. For example, blocking sensitive data from being uploaded or restricting its ability to be shared.
-Possible integration of policies with existing enterprise on-premises DLP solutions. In some architectures, this is a handoff from one DLP engine to another. Some vendors may import and understand existing DLP policies from an on-premises solution. A few vendors that play in both markets can offer customers a common DLP engine and policy set across on-premises and cloud service, but none yet offer a common console.
-The ability to protect sensitive data when it is moved out of cloud-based services to a managed or unmanaged endpoint. This is an emerging, but critically important area of evaluation. Several of the leading CASB vendors address this use case by encrypting the sensitive data themselves before it is downloaded or by wrappering with enterprise digital rights management (eDRM) using an established eDRM partner such as Absio, Ionic Security, Vera or Microsoft’s Rights Management Service (RMS)¹.
8) Keep Contract Terms Short and Be Open to Switching
CASB capabilities are evolving rapidly as security providers continue to innovate. Gartner recommends not signing overly lengthy contracts. Instead, organizations should be open to competitive displacement bids if a superior product is available. Gartner provides the following pricing guidance for CASB projects:
–For API-only CASBs: One to three cloud apps — $15/user/year
–For API and proxy: One to three cloud apps — $25/user/year
- For API and proxy: Four to six cloud apps — $45 to $65/user/year
–For API and proxy: Unlimited cloud apps — $65 to $85/user/year¹
(Gartner also provides examples of pricing for different CASB projects based on user count and feature set that you can find by downloading the full report here.)
9) Integrate with Existing Security Infrastructure and Security Operations Center Processes
Because CASBs are an integral part of an organization’s security technology stack, CASB deployments should include integration with existing security technologies like your SIEM, identity and access management IAM/IDaaS, MDM/EMM, UEBA, DLP, SWG, and enterprise key management (EKM). Gartner views SIEM as most important:
We believe the most critical integration of the CASB project will be the integration into the enterprise SIEM and security operations center (SOC) processes. For most organizations, the SIEM is the system of record for all security-related events and CASB events will be part of this. From a process perspective, the enterprise must integrate CASB event handling into standard SOC incident work ow. In the implementation, integration with DLP workflows should be one area of focus¹.
10) Phase in the CASB Control Scope and Establish Metrics for Success
Gartner recommends that organizations phase in their CASB deployment. The initial deployment should be in monitor mode to establish a baseline and perform a risk assessment and prioritization.
We recommend enterprises identify one or two cloud services that host the enterprise’s most sensitive information and start the project there, expanding to all cloud services over time¹.
In terms of gauging the success of a CASB project, the things to look at are:
- The number of cloud services actively monitored and managed
- End-user adoption
- Risky behaviors that are blocked
- Amount of time it takes to detect risky exposure of sensitive information
- DLP incidents that are self-remediated by end users
- Compromised accounts/insider threats identified, and the amount of time it took to detect and respond
¹Gartner, 10 Best Practices for Successful CASB Projects, November 8, 2017, Neil MacDonald