1 Introduction
Organizations are embracing the use of cloud services because of the benefits that they bring in terms of speed to deployment, flexibility and price. However, the use of these services is not well integrated into the normal IT access governance processes and technologies that are found within organizations.
While access to on-premises IT systems is usually well managed through access governance, the same does not always apply to cloud services. In addition, employees and associates can use personal cloud services to perform their jobs without reference to their employer. To compound the problem, mobile devices may also be used to access these services from outside of the organizational perimeter.
This has led to challenges around the governance of cloud services, which is needed both to ensure compliance with laws and regulations and to manage cyber threats. The requirements for control over the transmission, processing and storage of personal data under the upcoming GDPR are one example of these challenges. The uncontrolled use of cloud services also increases cyber-risk: adversaries may obtain unauthorized access to steal or corrupt data held in these services, or plant malware there that then infects the organization using them.
In an ideal world, the functionality to manage access to cloud services and to control the data they hold would be integrated with the normal access governance and cyber security tools used by organizations. However, these tools were slow to develop the required capabilities, and this has led to a market in CASBs (Cloud Access Security Brokers) to plug the gap. It is notable that some of the CASBs on the market have already been acquired by major security software vendors and are being integrated into their toolsets.
KuppingerCole has analysed this market segment and recommends that CASBs should provide functionality that enables customers to:
- Detect Cloud Service Usage – identifying the cloud services being used from within an organization, and providing control over their use, is a key capability for managing risk. The first generation of CASBs focussed on this area, providing coarse-grained discovery and control using network traffic analysis and proxy gateways.
- Control Usage of Cloud Services – access to cloud services should be controlled so that business-critical and regulated data can only be moved into approved cloud services. While employees should be able to access approved services easily, their access rights should be controlled in the same way as for other IT systems. Ideally, the access controls should be based on existing organizational directories and provide seamless access for authorized use of the approved services. Many cloud services provide granular access control capabilities, and these should be used.
- Protect against Cyber Risks – there are many different ways in which unauthorized access to a customer’s data held in a cloud service could occur. A CASB should provide capabilities to detect cyber-threats to business-critical data and to protect against malware, unauthorized access and data leakage. Ideally this protection should include techniques such as encryption to protect sensitive data. However, encryption and tokenization of data can affect the functionality of SaaS applications.
- Support Compliance – many organizations depend upon their data being processed and protected in a way that is compliant with laws and regulations. To support this need, the product should provide “out of the box” capabilities aligned with specific regulations. Ideally these capabilities should be independently certified or, at least, the vendor should be able to provide examples of customers who have successfully used the product to achieve compliance.
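To make the first two capabilities concrete, the following is an added example (not code from KuppingerCole or from any CASB vendor) of the kind of coarse-grained discovery a first-generation CASB performs over proxy logs: it maps each request's host to a catalogue of known cloud services, separates sanctioned from unsanctioned services, and reports unsanctioned services to which users have uploaded significant volumes of data. The proxy log format, the service catalogue (`SERVICE_CATALOGUE`) and the log lines themselves are all constructed for this example; a real deployment would feed in the organization's own proxy or firewall logs and a vendor-maintained catalogue.

```python
"""Shadow-IT discovery over proxy logs.

Added example, not part of the original report or any vendor's product.
Assumed (constructed) proxy log format, one request per line:
    <timestamp> <user> <method> <url> <bytes_sent> <bytes_received>
"""
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed catalogue: service domain -> (service name, sanctioned by the organization?)
SERVICE_CATALOGUE = {
    "approved-storage.example": ("Approved Storage", True),
    "chat.example": ("Approved Chat", True),
    "freeshare.example": ("FreeShare (personal file sharing)", False),
    "notes-cloud.example": ("NotesCloud", False),
}

# Constructed proxy log lines (hypothetical users and hosts)
PROXY_LOG = """\
2024-05-01T09:00:01Z alice GET https://approved-storage.example/files/q1.xlsx 312 48211
2024-05-01T09:02:14Z bob POST https://freeshare.example/upload 8421337 512
2024-05-01T09:05:40Z alice POST https://freeshare.example/upload 2210044 488
2024-05-01T09:07:02Z carol GET https://www.notes-cloud.example/sync 640 20480
2024-05-01T09:09:55Z dave GET https://chat.example/messages 210 9012
2024-05-01T09:10:30Z erin GET https://news.example/headlines 200 70000
this line is malformed and must be skipped
"""


@dataclass
class ServiceUsage:
    name: str
    sanctioned: bool
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_sent: int = 0  # bytes sent by clients to the service, i.e. uploads


@dataclass
class DiscoveryResult:
    services: dict = field(default_factory=dict)            # catalogue domain -> ServiceUsage
    uncatalogued: Counter = field(default_factory=Counter)  # host -> request count


def catalogue_lookup(host):
    """Return the catalogue domain that equals `host` or is a parent domain of it, else None.

    Matching on parent domains lets 'www.notes-cloud.example' resolve to 'notes-cloud.example'
    while 'notes-cloud.example.evil' does not match anything.
    """
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in SERVICE_CATALOGUE:
            return candidate
    return None


def parse_log(text):
    """Yield (user, host, bytes_sent) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        _, user, _, url, bytes_sent, _ = fields
        host = urlsplit(url).hostname
        if host is None or not bytes_sent.isdigit():
            continue
        yield user, host, int(bytes_sent)


def discover_cloud_usage(text):
    """Aggregate proxy log records per catalogued cloud service; count uncatalogued hosts."""
    result = DiscoveryResult()
    for user, host, bytes_sent in parse_log(text):
        domain = catalogue_lookup(host)
        if domain is None:
            result.uncatalogued[host] += 1
            continue
        name, sanctioned = SERVICE_CATALOGUE[domain]
        usage = result.services.setdefault(domain, ServiceUsage(name, sanctioned))
        usage.users.add(user)
        usage.requests += 1
        usage.bytes_sent += bytes_sent
    return result


def unsanctioned_upload_report(result, min_bytes=1_000_000):
    """List (service name, sorted users, bytes uploaded) for unsanctioned services
    that received at least `min_bytes`, largest upload volume first."""
    rows = [
        (u.name, sorted(u.users), u.bytes_sent)
        for u in result.services.values()
        if not u.sanctioned and u.bytes_sent >= min_bytes
    ]
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    res = discover_cloud_usage(PROXY_LOG)
    for name, users, sent in unsanctioned_upload_report(res):
        print(f"unsanctioned upload: {name}: {sent} bytes from {', '.join(users)}")
    print("uncatalogued hosts:", dict(res.uncatalogued))
```

The report is deliberately coarse: it knows only hosts, users and byte counts, which is exactly the level at which proxy-based discovery operates. Hosts that are not in the catalogue are surfaced separately so that an analyst can decide whether they belong in it, and the `min_bytes` threshold keeps trivial browsing out of the upload report.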
CASBs are a valuable tool for organizations to improve governance of their usage of cloud services. Organizations should consider CASBs that provide all of the functionality described above in a way that is well integrated with their existing governance processes and security toolsets. However, it is important for a customer using these products to understand their specific requirements and to select products that match them.