Agencies undergoing digital transformation are combining on-premise, hybrid, and multiple cloud solutions into their environments. To that end, agencies need to weave cloud security and protection of on-premise systems into their broader security strategy for a true, defense-in-depth approach.
Cloud Access Security Brokers (CASB) can help agencies apply multiple layers of security to cloud services in a single platform, as well as extend on-premise security policies associated with data loss prevention, encryption, access management, anomaly detection, and behavior tracking to the cloud.
Described as a gatekeeper, a CASB is a software tool or service that sits between an organization’s on-premises infrastructure and a cloud provider’s infrastructure. A CASB allows the organization to extend security policies beyond its own infrastructure.
“Extending on-premise security policy and enforcement to cloud applications, users, and data is important groundwork to ensure cloud security,” said Chris Townsend, Symantec’s vice president of Federal. “Additionally, using technologies such as CASBs, Data Loss Prevention (DLP), proxy security, and behavioral analytics is critical to mitigating risk associated with cloud services.”
A CASB provides a comprehensive overview of an agency’s cloud usage and risk. Moreover, it can flag those who are using cloud services that are not compliant with FedRAMP.
In today’s digital world, employees sometimes use services, known as Shadow IT, that do not comply with their organization’s security controls and requirements. CASBs provide continuous discovery of all cloud services in use, including thousands of services uncategorized by firewalls and web proxies, according to the Skyhigh report, How FedRAMP and CASBs Help Agencies Comply with FITARA. Skyhigh was recently acquired by McAfee.
The technology uses a registry of cloud services to track usage based on up-to-date cloud provider URLs and IP addresses not available in firewall and web proxy solutions. A CASB also provides a detailed assessment of each service’s security controls and compliance with FedRAMP, according to Skyhigh, which offers a FedRAMP-compliant cloud access security broker product for government.
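The registry-based discovery described above, as an added example (not from the article or any vendor's product): constructed proxy log lines are matched against a hypothetical service registry that carries a FedRAMP flag, and services in use that lack the flag are ranked by upload volume. The registry contents, the log format, and all function names are assumptions.

```python
from collections import defaultdict

# Constructed registry: domain suffix -> (service name, FedRAMP flag).
REGISTRY = {
    "govdocs.example": ("GovDocs", True),
    "quickshare.example": ("QuickShare", False),
    "notes-app.example": ("NotesApp", False),
}

# Constructed proxy log lines: timestamp, user, destination host, bytes uploaded.
SAMPLE_LOG = """\
2024-03-01T09:00:02Z alice portal.govdocs.example 1200
2024-03-01T09:01:10Z bob upload.quickshare.example 5242880
2024-03-01T09:02:44Z alice upload.quickshare.example 1048576
2024-03-01T09:03:00Z carol api.notes-app.example 2048
2024-03-01T09:04:30Z bob cdn.unknown-tool.example 512
malformed line
"""

def lookup(host):
    """Match a host against the registry by longest domain suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = REGISTRY.get(".".join(labels[i:]))
        if entry:
            return entry
    return None

def discover(log_text):
    """Aggregate users and upload volume per service; collect unmatched hosts."""
    services = defaultdict(lambda: {"users": set(), "bytes_out": 0, "fedramp": None})
    uncategorized = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records rather than guessing
        _, user, host, sent = parts
        entry = lookup(host)
        if entry is None:
            uncategorized.add(host)  # in use, but not in the registry
            continue
        name, authorized = entry
        services[name]["users"].add(user)
        services[name]["bytes_out"] += int(sent)
        services[name]["fedramp"] = authorized
    return dict(services), uncategorized

def noncompliant(services):
    """Services in use whose registry flag is False, largest upload volume first."""
    flagged = [(n, s) for n, s in services.items() if s["fedramp"] is False]
    return sorted(flagged, key=lambda item: item[1]["bytes_out"], reverse=True)
```

Hosts that match nothing in the registry are returned separately rather than dropped, since unrecognized destinations are the ones a stale registry would miss.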
Agencies also gain visibility into data stored at rest in the cloud by performing on-demand scans of data for sensitive content. Plus, CASBs tie in with DLP technology by helping agencies extend their DLP policy enforcement to cloud services. CASBs provide a unified DLP policy engine, incident reporting, and remediation workflow for all cloud services.
As the Skyhigh report notes, because of the sensitivity of data being stored and risk of threat, agencies may need to implement security controls not offered by the cloud provider. In that case, using a CASB, an agency manager could encrypt data stored in the cloud with encryption keys under the direct control of the agency rather than the cloud provider. Agencies could also enforce granular access control policies to limit access to data.
The bottom line: it’s not a very compelling acronym, but look out for CASBs. They’ll help agencies integrate cloud visibility and controls with broader security solutions for DLP, access management, and web security for a more comprehensive view of internal and external threats. The combination of behavioral analytic tools and FedRAMP-compliant cloud products and services provides an enhanced overall security posture, and the opportunity to cook up a completely incomprehensible string of upper-case characters…