According to Gartner, Cloud Access Security Brokers (CASBs) top the list of most important technologies for information security. Gartner defines the four pillars of CASB functionality as visibility, compliance, data security, and threat protection. In this blog, we’ll look at strategies for companies looking to gain visibility into cloud usage, and discuss how, if a CASB breaks one rule, it can actually create, rather than prevent, security vulnerabilities.
Lack of visibility is a key enterprise concern
Visibility into cloud service usage is a pressing concern for most enterprises today since, as shown in Skyhigh’s most recent Cloud Adoption and Risk Report, the average enterprise uses 1,083 different cloud services, each with its own set of security capabilities. Given that many cloud services lack even basic security capabilities – only 11% encrypt data at rest, only 16% support multi-factor authentication, and only 4% are ISO 27001 certified – IT security teams must discover which cloud services employees are using, evaluate the enterprise-readiness of the services and create and enforce policies on acceptable usage.
Visibility is also key in helping IT pinpoint high-risk usage patterns that indicate data exfiltration via shadow IT. In many cases, visibility also helps companies identify services that can be consolidated and thus realize cost savings.
1 Rule for gaining visibility without putting corporate data at risk
In order to gain visibility in an agent-less deployment, companies must provide their firewall or proxy logs for analysis by the CASB vendor. Firewall and proxy logs contain sensitive information such as employee names, email IDs and IP addresses, and companies are concerned that this information is leaving their secure network and being accessed by a third party.
For example, the logs can be used to identify websites accessed by employees, which is a breach of employee privacy. Another concern is that the information can be used as a source of competitive intelligence. For instance, accessing logs of the research team of an investment bank or the product team of a technology firm can provide some direction on deals or product features that the organization is working on. And finally, leakage of this information can result in compliance violations, especially in places with strict data residency regulations. For example, the Australian Privacy Principles (APPs) hold the company responsible for any data breach on a cloud provider’s system when personal information is uploaded offshore.
So, here’s the one rule: CASBs must tokenize firewall or proxy log data before sending it outside the customer’s environment in order to ensure that only authorized enterprise users can access this sensitive data. Essentially, tokenization enables customers to use a cloud-based solution, along with all of the scalability and TCO advantages cloud provides, to discover shadow IT usage without putting sensitive firewall and proxy log data at risk of exposure. So, as a rule, only use CASBs that tokenize log data prior to ingesting it.
3 Log data tokenization best practices
1. CASBs should tokenize sensitive information before uploading it to the cloud
Before a CASB uses the log information for analysis, user-identifiable data must be tokenized before it leaves the customer’s premises and is uploaded to the cloud. This anonymizes the details of activities performed by specific users or IP addresses, so the information is no longer meaningful to anyone outside the customer’s environment.
2. Information should be tokenized using the latest functions and standards
If tokenizing sensitive information is the first step, the second is to ensure that it is done using the most current industry standards and protocols. Many Fortune 500 companies require that their information be tokenized using HMAC-SHA256, one of the most secure cryptographic standards. This is preferred over SHA-1 because it is more resistant to collision and brute-force attacks, and it also overcomes the known limitations of SHA-1.
3. CASB providers should not have access to the sensitive information in the logs
If the objective of tokenization is to prevent third-party access to sensitive information, that objective is not met if the CASB provider itself has access to this data. So, CASB vendors must have provisions to ensure that tokenization happens behind the customer’s firewalls and that only the customer has access to the de-tokenized results. CASBs like Skyhigh accomplish this by dynamically fetching the information that resides on the customer’s premises when the customer views the results. This means that the sensitive data never leaves the customer’s environment during the entire process, and yet the customer has complete visibility into shadow IT usage. Ensuring that internal user information does not leave the customer’s organization with Skyhigh’s Privacy Guard tokenization is a key requirement at Skyhigh and has proven a significant point of differentiation for security- and privacy-minded customers.
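The three practices above, as an added illustration (not Skyhigh’s code or Privacy Guard itself): a constructed proxy-log sample is tokenized on-premises with HMAC-SHA256 under a key that never leaves the customer, the token-to-value vault stays local for de-tokenizing results, and a defender-side check shows why the key matters (an unkeyed hash of usernames can be recovered from a list of guessed names; the keyed tokens cannot). The log format, field order and key are assumptions.

```python
import hmac
import hashlib

# Constructed sample proxy log lines (assumed space-separated format:
# timestamp src_ip user url status). Not from any real deployment.
SAMPLE_LOG = [
    "2016-03-01T10:15:02Z 10.1.2.34 jdoe@corp.example https://files.cloud-a.example/upload 200",
    "2016-03-01T10:15:09Z 10.1.2.34 jdoe@corp.example https://files.cloud-a.example/share 200",
    "2016-03-01T10:16:40Z 10.1.2.57 asmith@corp.example https://notes.cloud-b.example/sync 200",
]

# Secret key that stays on the customer's premises and is never sent to the CASB.
# Constructed placeholder; a real deployment would use os.urandom(32) and a key store.
ONPREM_KEY = b"\x01" * 32


def tokenize(value: str, key: bytes) -> str:
    """Keyed token: HMAC-SHA256 over one sensitive field. Same input -> same token,
    so usage can still be counted per user or IP without revealing who they are."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256 of the field (what NOT to do): anyone can recompute it."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def tokenize_log(lines, key, vault):
    """Replace user and source IP with tokens before the log leaves the premises.
    `vault` (token -> original value) is filled here and stays with the customer."""
    out = []
    for line in lines:
        ts, src_ip, user, url, status = line.split()
        ip_tok, user_tok = tokenize(src_ip, key), tokenize(user, key)
        vault[ip_tok], vault[user_tok] = src_ip, user
        out.append(f"{ts} {ip_tok} {user_tok} {url} {status}")  # URL kept for service discovery
    return out


def detokenize(line, vault):
    """Customer-side lookup of tokens in the CASB's results; the CASB never holds `vault`."""
    return " ".join(vault.get(field, field) for field in line.split())


def dictionary_reversal(tokens, candidates, hash_fn):
    """Defender check: how many tokens can be matched by hashing a list of guessed
    usernames? Unkeyed hashes match; HMAC tokens do not without the on-prem key."""
    lookup = {hash_fn(c): c for c in candidates}
    return sum(1 for t in tokens if t in lookup)
```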
Leveraging CASB solutions to gain visibility of shadow IT cloud services significantly increases the protection enterprises have in the face of increasingly frequent data breaches like those at Anthem and the Office of Personnel Management. But if there is no security infrastructure in place to suppress the sensitive data in customer logs, those logs will become yet another vulnerability that the company has to monitor and control. By performing the required due diligence, companies can mitigate this risk and further strengthen their defenses against cybersecurity threats.