Sanctioned cloud services such as Office 365, Salesforce, Box, and Slack are used in business-critical processes and, as a result, house sensitive corporate data. 18.1% of all documents uploaded into cloud-based file sharing services contain sensitive data such as confidential IP, personally identifiable information (PII), personal health information (PHI), or financial data. While leading cloud service providers have built state-of-the-art controls into their infrastructure, enterprises are responsible for securing their employees’ usage and data.
To that end, enterprise-grade cloud services offer APIs that support visibility and policy enforcement by a CASB. Generally, these APIs support audit trails of user activity, content inspection, and scanning user privileges, sharing permissions on files and folders, and application security settings.
By 2018, 40% of Office 365 deployments will rely on third-party tools to fill in gaps in security and compliance, which is a major increase from fewer than 10% in 2015.
-GARTNER, CASB PLATFORMS DELIVER THE BEST FEATURES AND PERFORMANCE
Below are the top five ways a CASB helps enterprises secure their sanctioned cloud services.
1) Enforce DLP policies for data stored in the cloud
Companies can enforce data loss prevention (DLP) policies to detect sensitive data that has been uploaded or is existing in the cloud. For example, if the corporate policy is to prohibit credit card numbers being stored in the company’s cloud-based file sharing service, then a CASB can be used to scan pre-existing data at rest as well as inspect uploads on an ongoing basis to detect policy violations and provide multiple remediation options such as alert, block quarantine, encrypt, and delete.
DLP policies can be created natively within the CASB using advanced techniques such as data identifiers, indexed data matching, and exact data matching. API is typically the preferred deployment mode for collaboration services because it also enables policy enforcement for content created natively within the cloud service, but CASBs offer varying response times for API enforcement, which range from under 30 seconds to over 30 minutes.
2) Enforce policies from an on-premises DLP solution
Most companies have made investments in acquiring on-premises DLP solutions and building workflows to cover a number of their existing processes. A CASB can integrate with these on-premises DLP solutions to extend workflows and controls to the cloud.
For example, a CASB can be used to evaluate all files stored in Box against policies in Intel McAfee DLP and enforce the appropriate remediation action based on those policies (e.g. quarantine, delete, encrypt, etc.).
3) Enforce collaboration policies on data shared from cloud services
The increase in cloud-to-cloud traffic requires companies to enforce controls that protect sharing and collaboration within cloud services between employees and external users.
For example, a company can define a CASB policy to find all files in Box that are shared with non-approved domains such as personal email IDs and revoke sharing permissions. Policies can also be applied to revoke all untraceable shared links that can be forwarded to anyone. Using a CASB, companies can also leverage DLP policies and data classification to prevent the sharing of internal-only documents with any external party.
4) Capture an audit trail of all user activity for forensic investigations
A CASB solution captures user activity data within a cloud service for audit trails or forensic investigations.
For example, an administrator looking to investigate user activity on SharePoint Online can filter audit logs by multiple parameters including user, date, activity category (upload/download/delete/access etc.), role, and location to get to the required information.
5) Detect threats from compromised accounts, insiders, and privileged users
CASBs analyze cloud activity across multiple heuristics and leverage machine learning to detect anomalous usage pertaining to compromised accounts, insider threats, and privileged user misuse.
For instance, if a user logs into OneDrive from New York and then logs into Slack from Moscow five minutes later, the CASB will see this activity as anomalous and potentially indicative of a compromised account. Other examples of anomalies include excessive downloads by insiders and deletion of user accounts by privileged users. CASBs are able to correlate multiple anomalies to surface true threats and reduce false positive alerts.