According to Gartner’s Magic Quadrant for Cloud Access Security Brokers, 60% of large enterprises will use a CASB to govern cloud services by 2020, up from less than 10% today. As large enterprises increasingly adopt cloud services for operational tasks, they are using CASBs to enforce governance and compliance policies on cloud usage.
When evaluating CASB offerings, enterprises look at several criteria in addition to the solution’s ability to address security and compliance requirements, including the CASB’s ability to scale, integrate with existing infrastructure, and address data privacy requirements. As part of evaluating how a CASB can maintain customer data security and privacy, CISOs often bring up the solution’s ability to provide Role-Based Access Control (RBAC) capabilities.
RBAC is a “Must-Have” in Enterprise CASB Deployments
As with traditional RBAC systems, RBAC capabilities within a CASB regulate access to specific product features based on roles assigned to individual users. A user who manages DLP policy incidents may be different from the user who defines DLP policies for the company. Similarly, the user who analyzes the company’s cloud usage analytics and generates reports may be different from the security administrator who governs access to the CASB application and manages user accounts. An administrator is able to assign separate roles within a CASB for each of these users so they can only access the relevant section of the product.
The separation of security roles is important for large enterprises, which usually have multiple teams handling various aspects of security. A security analytics team may require different access permissions to analyze cloud usage metrics to spot indicators of anomalous usage, while the corporate compliance team will require separate access permissions to create Service Groups and define governance policies for the entire organization. Separation of roles allows for streamlining of the security operations for the enterprise. Furthermore, RBAC controls allow these teams to operate on the principle of “least privilege” so each team has limited exposure to information contained within the CASB platform.
Next-Gen RBAC: Data Jurisdictions
As CASB platforms are used to address complex security requirements, customers demand more control in the way they govern the CASB usage for their organization. While role-level RBAC is critical to implementing a structured system and workflow, leading CASBs now provide more granularity in their RBAC capabilities, allowing customers to implement restrictions on the data sets that users can access. For example, one CASB user can be restricted to analyzing usage data for the North America office, while another CASB user is responsible for EMEA office.
Data level RBAC, or data jurisdictions, is being implemented increasingly by enterprises, especially those in highly regulated sectors like public sector, financial, and energy, as they scale their compliance management. In managing a globally distributed workforce, these enterprises assign local security manager(s) for each location who are responsible for monitoring and reporting on cloud usage for that office.
For example, a large public sector organization has over 20 locations across the United States assigned a Compliance team to each of their offices and defined data jurisdictions for each of their office locations. So, when a user in their California office logged into Skyhigh and generated a report on high risk cloud services used in the last week, it reflected cloud usage by employees in California alone. The same report generated by her colleague from the Texas office showed completely different metrics as they reflected usage from that office. These reports are sent to the Global Compliance team at HQ, which consolidated findings and used insights to feed into defining governance policies for the entire organization.
According to a recent Gartner report, in 2018, 40% of Office 365 deployments will rely on third-party tools to fill in gaps in security and compliance, which is a major increase from fewer than 10% in 2015. As security admins introduce new security solutions to secure cloud services used by employees, they must also have to implement controls to reduce the risk of data exfiltration from security applications. By enforcing data level RBAC controls in their CASB deployments, admins can limit exposure to sensitive data and reduce the risk of data exfiltration by malicious insiders.
As new vulnerabilities show up every day, security and compliance requirements are increasing in number and complexity. To address these requirements, enterprise security teams are implementing multiple strategies and applications, and CASBs are becoming an important part of this solution. As CASB adoption grows, they are expected to deliver robust scalability and privacy controls (of which advanced RBAC controls are just one example) which enable security teams to scale their compliance management processes and enable cloud usage within the organization.