Executive s Guide to Cloud Access Security Brokers

Transcription

1 Executive s Guide to Cloud Access Security Brokers

2 Contents Executive s Guide to Cloud Access Security Brokers Contributor: Amy Newman 2 2 Why You Need a Cloud Access Security Broker 5 You Can t Achieve Cloud Security Without Mobile Security Securing Office 365 with a Cloud Access Security Broker

3 Why You Need a Cloud Access Security Broker By Amy Newman C loud computing is about more than just a new platform or storage medium it is changing the very nature of how enterprises operate. For many enterprises, cloud apps are delivering on much-hyped promises, according to The Cloud Security Spotlight Report, from data protection firm Bitglass. More than half of the 1,010 IT security professionals surveyed in the report say they believe cloud does indeed deliver on its promise of flexibility and availability, and 48 percent say it achieves the much-talked about cost reductions. The cloud is also helping facilitate two other equally game-changing trends: mobility and BYOD. The rise in mobile device usage has resulted in employees expecting anytime, anywhere access to applications and data. Developing and supporting these initiatives and resources internally requires significant investment and costs more than many organizations are willing or able to commit. By utilizing cloud-based software-as-a-service (SaaS) applications, an enterprise can reap the benefits of a highly available, always-updated and upgraded infrastructure without making the capital investment. With SaaS apps, organizations have access to business functionality, typically at a lower cost than what they would pay to purchase, operate and maintain similar on-premise applications. Also, because the software is hosted remotely, users don t need to invest in additional hardware. SaaS removes the need for organizations to handle the installation, set-up, and upkeep and maintenance. As public cloud apps like Office 365 and Salesforce gain traction with organizations of all sizes and stripes, cloud has become a dominant, driving force, serving as the catalyst for change in many IT departments. Not all of this change is positive, however. Despite their many advantages, cloud-based applications bring a loss of control, as data is housed on third-party servers and data proliferates outside of corporate firewalls, bringing several security concerns into the picture. For many enterprises, particularly those in heavily regulated industries like healthcare and financial services, security and compliance challenges continue to hamper adoption. As cloud applications have taken off, traditional security tools, which are designed for internal, premises-based applications, come up short. These tools have a place, and cloud-based application vendors rely on them to prevent breaches like denial of service attacks, malware outbreaks and widespread data exfiltration events. The cloud 2 Back to Contents

4 app vendor, however, is protecting only against attacks that target the application and its underlying network infrastructure a subset of the broader security risks an enterprise faces. Businesses are on their own to protect against attacks that target data and users. And, indeed, according to the Bitglass study, security professionals are most concerned about unauthorized access through misuse of employee credentials and improper access controls, hijacking of accounts, and malicious insiders all risks that are outside the scope of most SaaS vendors security coverage. A New Security Tool for a New Era of Computing Cloud access security brokers (CASBs) are a category of security tools that help enterprises bridge this gap to deploy public cloud apps like Microsoft Office 365, Salesforce and Box in a safe manner, particularly when mobile devices are involved. CASBs secure the data regardless of the platform from which it is accessed. They intermediate or proxy traffic between cloud apps and users. Once proxied, these tools provide visibility (e.g., audit logs, security alerts and compliance reports) and data security (e.g., access control, data leakage prevention and encryption) for data both stored in the cloud and synced from the cloud to the device. Since CASBs serve as a proxy between cloud apps and users, they are able to see all traffic to and from those cloud apps, and they can inspect and secure data. CASBs provide visibility, identity, access control and data protection when the user accesses the SaaS application. For organizations with sensitive data to protect, particularly those in heavily regulated industries, CASB solutions provide the security and assurance needed to make cloud apps a viable choice. More organizations are taking notice and choosing this security option. According to Gartner, by 2016, 25 percent of enterprises will secure access to cloud-based services using a CASB platform. The right CASB solution will ensure that end-user experience and business requirements align so that the cloud can deliver on its promise of enterprise agility. CASB architectures mainly support two proxy methods forward and reverse. Each type has its advantages and disadvantages. Most CASBs support both to maximize usability. Forward proxies, for example, can be used for all application types, but they are difficult to deploy in a distributed environment with a mobile workforce. They cannot separate personal and corporate traffic, and require installation and user acceptance of self-signed digital certificates at each point of use. Reverse proxies, in contrast, are simple to deploy and use. They can be deployed for any device or location but do not need to be configured on mobile devices or firewalls. With a reverse proxy, only corporate traffic is vetted, which allows the user to access a personal version of a cloud application directly. Total Data Protection: The Bitglass Advantage Bitglass proxies all enterprise traffic into and out of protected cloud applications. This security-as-a-servicesolution uses a series of proxies to deliver total protection. Reverse proxy mode is leveraged for most applications to balance privacy and the end-user experience with protection to the business. Forward, Activesync, IMAP and SMTP proxies are used where appropriate. Through its CASB service, Bitglass offers total data protection, securing data in the cloud, at access, on devices and on the corporate network. Cloud data doesn t reside only at-rest inside of cloud applications: It is synchronized to myriad devices and downloaded by users. Hence, securing cloud data requires an end-to-end, datacentric approach to security that protects corporate data at all four locations. Bitglass encrypts corporate data at rest in cloud apps in the organization s private cloud, combining the security of a private cloud with the flexibility of the public cloud. Bitglass patented approach to cloud encryption simultaneously maintains robust security (e.g., AES Back to Contents

5 bit encryption with 256-bit initialization vectors) and application functionality (including sorting, wildcard search and auto-complete). On the devices themselves, you can require sensitive data be automatically redacted, blocked or encrypted before it is downloaded to the device. This minimizes the risk of inadvertent leakage by employees or malicious leakage, should the device be compromised by malware. If a device is lost or an employee leaves the company, you can selectively wipe company data without installing software on the device and without MDM. It is at the access point that Bitglass truly shines. Bitglass maintains a complete audit log and detailed reports across your deployment, making it possible to see clearly who did what in each cloud app. Real-time alerts on anomalous behaviors, failed login attempts, policy violations and potential data leakage ensure that you re aware of suspicious events as they occur. Bitglass also allows you to establish the same fine-grained access controls (e.g., who can access each app, from what types of devices and from where) available with premises-based applications. Monitoring and protecting data flowing out of the network is just as important as keeping tabs on what goes in. Knowing what data is moving outside of corporate firewalls, where it is travelling and who is accessing it goes a long way toward mitigating a damaging breach. For this to occur, however, you must have a breach detection solution in place. With Bitglass Breach Discovery your organization can discover and analyze the outbound data flows in your network. Learn more about how the Bitglass CASB solution can provide total data protection for your enterprise at Back to Contents

6 You Can t Achieve Cloud Security Without Mobile Security By Amy Newman I t s no coincidence that cloud computing, mobile and bring your own device (BYOD) are the three hottest trends converging on enterprises. Cloud computing and mobile devices bring numerous benefits to enterprises and the end-user experience. Together, they make it possible for employees to work from any device, anywhere and at anytime. Employees are more satisfied and more productive working from their device of choice with which they are familiar. For the enterprise, both cloud-based applications and BYOD present ample opportunities for cost savings. BYOD programs generally shift hardware costs to the user, while cloud-based apps reduce licensing fees and eliminate many of the costs associated with traditional applications, such as data storage and time spent installing, updating and patching. Cloud-based apps and BYOD also bring with them a similar, significant downside: A loss of control. The organization must relinquish some control to the vendor holding the data, and even more significantly, the devices and other hardware from which the application is accessed. The former is typically mitigated with service-level agreements. This guaranteed level of protection ensures the application vendor prevents breaches into its infrastructure and the application is protected. This might be sufficient protection if cloud data resided only at-rest inside of cloud applications. However, cloud data is synchronized to numerous devices and downloaded by users in a variety of scenarios. The application vendor does not ensure protection for the data residing on or being transferred to or from the many endpoints; nor does it control which devices can be used to access sensitive data, leaving a security and compliance gap for enterprises. Securing cloud data requires an end-to-end, datacentric approach to security that protects corporate data in the cloud, at access, on the device and on the network. Traditional security, designed to protect on-premise access points, falls short. The Cloud Security Spotlight Report, from security firm Bitglass surveyed 1,010 IT security professionals, 68 percent of whom said that perimeter-based security is not the whole answer to securing cloud infrastructure. The major contributing factor here is that when an organization adopts public cloud applications like Office 365, Salesforce or Box, corporate data moves outside of the perimeter and 5 Back to Contents

7 beyond the reach of traditional security products. For some organizations this may be the deciding factor in cloud adoption. More than half of all respondents cited encryption of data at rest and in motion as the most effective security controls for data protection in the cloud. Access control, intrusion detection and prevention, security training and awareness, and data leakage prevention were also cited as effective technologies for data protection in the cloud. Bridging the Gap with a Cloud Access Security Broker A cloud access security broker (CASB) effectively achieves this protection. A CASB serves as a proxy between cloud apps and users. It sees all traffic flowing to and from those cloud apps, and it inspects and secures data. Once proxied, these tools provide visibility (e.g., audit logs, security alerts and compliance reports) and data security (e.g., access control, data leakage prevention and encryption) for data stored in the cloud and synced from the cloud to the device. A CASB solution provides the full spectrum of visibility, identity, access control and data protection. A CASB solution not only protects data stored in the cloud and access to the cloud, but also extends protection to cloud data that has been synchronized or downloaded to end-user devices. Capabilities like client-side file encryption of sensitive corporate data, including the ability to tie data classification policies to data transferred through the CASB, and encrypting the most sensitive data on the fly so it is accessible only to the authorized user downloading that data, ensure data remains secure throughout its lifecycle. track the source of a leak as well as deter potentially malicious behavior. A CASB solution should also enforce basic device security policies. Any device on which corporate data is synchronized must have basic security measures in place, including passcodes and encryption, before it is allowed access to cloud data. Choosing a CASB The Bitglass CASB solution transcends the network perimeter to deliver total data protection for the enterprise in the cloud, on mobile devices and anywhere on the Internet. Bitglass proxies all enterprise traffic into and out of protected cloud applications. A series of proxies (e.g., forward, reverse and Activesync) have been purposebuilt to secure cloud data as it is downloaded via any channel including browsers and native apps. The security-as-a-service application is deployable in minutes for all of the mobile devices and cloud applications you wish to protect, providing complete data protection for corporate data in the cloud, at application access points, on the device and on the network all without impacting the end-user experience. With Bitglass, sensitive data is automatically redacted, blocked or encrypted before it is downloaded to the device. This minimizes the risk of inadvertent leakage by employees or malicious leakage due to a breach. If a device is lost or an employee leaves the company, corporate data can be removed without installing software on the device or MDM. Learn more about how Bitglass can protect your mobile devices at Other functions that enterprises should look for in a CASB solution include the ability to selectively wipe cloud data from mobile devices if a device is lost or stolen or an employee leaves the company, and data tracking and fingerprinting to identify who removed a particular file from the cloud application to potentially 6 Back to Contents

8 Securing Office 365 with a Cloud Access Security Broker By Amy Newman T he cloud is fast becoming about more than just sharing and storing data. Proliferation of mobile devices, increased focus on user experience and a wider range of niche applications for every possible user need has led many companies to shift part or all of their IT infrastructure to the cloud. Cloud-based productivity apps are a crucial part of this infrastructure shift, and they are rapidly finding their way into the enterprise Data protection firm Bitglass Cloud Security Spotlight Report, which surveyed 1,010 IT security professionals, found that nearly one-third of respondents have deployed cloud-based productivity apps. One of the primary drivers behind this wide adoption is the expectations of today s employees to be able to access corporate assets, and communicate and collaborate from any device at anytime. Cloud-based productivity apps make this possible. Office 365 Gaining Ground Microsoft, in particular, is making an enormous push with Office 365. According to the Bitglass study, 13 percent of organizations have deployed Office 365, and another 29 percent are considering it for the near future. Microsoft Office s presence across the entire employee base gives it an inherent familiarity among users and thus an edge. Whether it s the familiar interface, ubiquitous access or the standardization Microsoft brings to productivity apps, the appeal of Office 365 extends all the way to the C-level. For many organizations, however, one hurdle must be overcome. Adopting Office 365 across the enterprise means moving corporate data outside of the firewall, raising significant compliance and security concerns for IT. Microsoft has built some security functions into the app itself, but those features come with an additional incremental monthly cost above the per-user price and significant gaps remain. Office 365 falls short in several key areas. It cannot differentiate managed from unmanaged devices and provide different levels of access to each. It also does not provide visibility, audit and suspicious activity detection. In addition, although Office 365 features are verified to meet global compliance standards, for some organizations in regulated industries (such as healthcare or retail, which must comply with HIPAA and PCI, respectively) it may not suffice, and encryption of dataat-rest and data leakage prevention capabilities may be beneficial to ensuring compliance and end-user privacy. 7 Back to Contents

9 Addressing Security Challenges Fortunately, organizations don t need to choose between the agility and flexibility of cloud-based productivity apps and a secure IT infrastructure. With a cloud access security broker (CASB) solution, they can have the best of both worlds visibility, access control and data security on par with premises-based software while benefitting from the flexibility, agility and lower total cost of ownership of a cloud-based solution. A CASB solution acts a proxy between cloud apps and users to provide data security through access control, data leakage prevention, encryption and visibility in the form of audit logs, security alerts and compliance reports. CASB solutions protect not only data stored in the cloud and access to the cloud, but also cloud data on the consumption device. Ideally, a CASB solution is designed to be completely transparent to users, providing the agility and flexibility of a cloud-based application while also providing the organization with the security it needs. Bitglass for Office 365, for example, can be deployed across your organization in minutes. No additional apps or configuration changes for devices or firewalls are needed, resulting in little or no impact to end users. Integrated single sign-on (SSO) in the form of a complete SAML Identity Provider as well as Active Directory synchronization eliminates the need for a separate SSO solution Contextual access control with variables, such as managed vs. unmanaged devices, location and geography Complete visibility into every Office 365 transaction, including a detailed audit log, insights into suspicious activity and automated alerting Data leakage prevention that automatically blocks, encrypts, applies rights management, or redacts sensitive information Files downloaded from OneDrive or sent as attachments are watermarked with a unique fingerprint that identifies who downloaded the file and when Clientless selective wipe allows you to selectively wipe company data from a device should it be lost or the employee leaves the company Bitglass for Office 365 delivers full visibility and granular control of sensitive corporate data in the cloud, during access and on client devices, putting Office 365 on par with premises-based software. Learn more about how Bitglass can enrich your Office 365 experience at security. With Bitglass, six critical data security and visibility features ensure your Office 365 data is secure and compliant. 8 Back to Contents