As enterprises look to secure their data in the cloud, there is a significant amount of uncertainty about how to architect a solution that meets security and compliance objectives. Many IT teams already have security products aimed at enforcing policies across data on premises and they, naturally, are interested in enforcing these policies in the cloud. There is also growing recognition that we are moving to a world where the network edge is eroding, and existing solutions lack a control point for data as it is stored in the cloud and accessed from a variety of locations, both remote and on-premises, and a variety of devices, both managed and unmanaged. To address these requirements, Gartner has stated that a cloud access security broker (CASB) is a “required technology” for enterprises adopting the cloud.
A CASB addresses both sides of cloud adoption: user-driven cloud adoption (shadow IT) and IT-driven cloud adoption (sanctioned IT). There are numerous questions that arise as companies begin to explore CASB including:
- How do the capabilities of CASB compare with existing security solutions?
- How does CASB integrate with existing security technologies?
- Can a CASB address both shadow IT and sanctioned IT with one deployment?
- What are the advantages/disadvantages of different deployment architectures?
To clear up the confusion, Skyhigh has partnered with leading security vendors and cloud providers to develop a reference architecture for cloud security that addresses the above questions. This reference architecture distills best practices from over 500 CASB deployments and provides a blueprint for enterprises as they evaluate and deploy a CASB. First, this document covers the basic functional areas of cloud security as defined by industry analysts. Next, the document explores existing security solutions and how they apply to the cloud, followed by the functions of a CASB. Finally, this document provides five detailed deployment architectures for the most common CASB deployment modes.
By creating a new cloud security reference architecture, Skyhigh is providing a roadmap to help with the transition to an IT security environment in the cloud that is based on open standards.
– Niall Wall, SVP of Business Development and International Expansion, Box
While CASB is an essential element in a cloud security project, it’s important to note that cloud security requires a holistic approach. According to Gartner, “CASBs provide a number of critical points of integration with the environment, and these integration points play an important role in preventing enterprise security delivery from becoming yet another silo. CASB integration points cover identity and access management (IAM) integration; reuse of data security policies for the cloud; and event integration with technologies such as security information and event management (SIEM) for a single view of an organization’s security events, plus support for a number of existing security processes such as incident response.”
While no two cloud security projects are the same, they usually involve a CASB and a combination of web proxy, firewall, security information and event management (SIEM), data loss prevention, identity management, mobile device management, information rights management, and/or user behavior analytics solutions. A CASB orchestrates security processes using the policies, identity, device registration, usage data, encryption keys, etc. maintained in these systems. A CASB utilizes five primary deployment modes to enforce policies for shadow IT and sanctioned IT: log collection, proxy chaining, packet capture, API, and reverse proxy.
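As an added illustration of the log collection mode for shadow IT discovery (example code written for this page, not Skyhigh's product code; the proxy log format, the hostname-to-service registry and the sanctioned list are constructed assumptions):

```python
"""Shadow IT discovery from existing proxy logs (CASB 'log collection' mode).

Added example, not Skyhigh's code. The log format, the service registry and
the sanctioned list are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed proxy log lines: timestamp user dest_host bytes_out
SAMPLE_LOG = """\
2016-03-01T09:00:01Z alice@corp.example docs.example-suite.com 1200
2016-03-01T09:02:14Z bob@corp.example share.unsanctioned-drop.io 8400000
2016-03-01T09:03:55Z alice@corp.example share.unsanctioned-drop.io 120
2016-03-01T09:05:10Z carol@corp.example api.crm-vendor.example 5500
2016-03-01T09:07:42Z bob@corp.example docs.example-suite.com 900
2016-03-01T09:08:00Z carol@corp.example cdn.unlisted.example 300
"""

# Constructed registry: hostname -> cloud service (a CASB maintains a large one).
SERVICE_REGISTRY = {
    "docs.example-suite.com": "ExampleSuite Docs",
    "share.unsanctioned-drop.io": "DropShare",
    "api.crm-vendor.example": "VendorCRM",
}
SANCTIONED = {"ExampleSuite Docs", "VendorCRM"}  # IT-approved services

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Yield (user, host, bytes_out) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), int(m.group(4))

def discover_services(text):
    """Aggregate usage per cloud service and mark whether it is sanctioned.

    Hosts missing from the registry are reported as 'unknown:<host>' so they
    surface for review instead of silently disappearing from the inventory.
    """
    usage = defaultdict(lambda: {"users": set(), "bytes_out": 0, "sanctioned": False})
    for user, host, nbytes in parse_log(text):
        service = SERVICE_REGISTRY.get(host, f"unknown:{host}")
        usage[service]["users"].add(user)
        usage[service]["bytes_out"] += nbytes
        usage[service]["sanctioned"] = service in SANCTIONED
    return dict(usage)

def shadow_it(text):
    """Services observed in the logs that are not on the sanctioned list."""
    return sorted(s for s, e in discover_services(text).items() if not e["sanctioned"])
```

Running `discover_services(SAMPLE_LOG)` gives per-service user counts and upload volume, which is the data a CASB enriches with a risk rating before IT decides whether to sanction, coach users, or block.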
The reference architecture presented in this document follows these six fundamental tenets that are essential to a successful cloud security project:
- Aim to enable, not prevent, the use of cloud services
- Address cloud security holistically, creating policies that can be applied consistently across all cloud services
- Leverage and extend existing security infrastructure rather than rip and replace it
- Introduce no friction to the end user (i.e. no new agents)
- Plan for access from on-premises and remote locations, as well as third-party users (e.g. customers, suppliers)
- Accommodate access from both managed and unmanaged devices (i.e. BYOD)