1 Introduction
Organizations are embracing the use of cloud services because of the benefits that they bring in terms of speed of deployment, flexibility and price. However, the use of these services is not well integrated into the organization's IT access governance processes and technologies.
While access to on-premises IT systems is usually well managed through access governance, the same does not always apply to cloud services. In addition, employees and associates can use personal cloud services to perform their jobs without reference to their employer. To compound the problem, mobile devices may also be used to access these services from outside of the organizational perimeter.
This creates challenges around the governance of cloud services that is needed to ensure compliance with laws and regulations as well as to manage cyber threats. The requirements for control over the transmission, processing and storage of personal data from the recent EU GDPR is one example of this. The uncontrolled use of cloud services also increases cyber-risks. Cyber adversaries may obtain unauthorized access to steal or corrupt data held in these services, as well as to implant malware that could then infect the organization using them.
In an ideal world, the functionality to manage access to cloud services and to control the data that they hold would be integrated with the normal access governance and cyber security tools used by organizations. However, these tools were slow to develop the required capabilities, and this has led to a market in CASBs (Cloud Access Security Brokers) to plug the gap. It is notable that some of the CASBs on the market have already been acquired by major security software vendors and are being integrated into their toolsets.
KuppingerCole has analysed this market segment and recommends that CASBs should provide functionality that enables customers to:
- Detect Cloud Service Usage: identifying the cloud services being used from within an organization and providing control over their use is a key capability to manage risk. The first generation of CASBs focussed on this area, providing coarse-grained discovery and control using network traffic analysis and proxy gateways.
- Control Usage of Cloud Services: access to cloud services should be controlled so that business-critical and regulated data can only be moved into approved cloud services. While employees should easily be able to access approved services, their access rights should be controlled in the same way as for other IT systems. Ideally, the access controls should be based on existing organizational directories and provide seamless access for authorized use of the approved services. Many cloud services provide granular access control capabilities, and these should be exploited.
- Protect Data held in Cloud Services: regulated and sensitive data held in cloud services should be protected against unauthorized access and disclosure. The product should support the discovery and classification of both structured and unstructured data in cloud services as well as policy-based data security controls such as encryption, tokenization and pseudonymization without impact on the functionality of the service.
- Protect against Cyber Risks: there are different ways in which there could be unauthorized access to a customer's data held in a cloud service. A CASB should provide capabilities to detect cyber-threats to business-critical data and to protect against malware, unauthorized access and data leakage.
- Support Compliance: many organizations depend upon their data being processed and protected in a way that is compliant with laws and regulations. To support this need, the product should provide "out of the box" capabilities aligned with specific regulations. Ideally these capabilities should be independently certified or, at least, the vendor should be able to provide examples of customers who have successfully used the product to achieve compliance.
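The first two capabilities above, discovering which cloud services are in use from network traffic and then checking that usage against an approval policy, can be illustrated with a small script. This is an added example, not KuppingerCole's text or any CASB vendor's code; the proxy log format, the service catalogue, the approval statuses and the upload threshold are all assumptions made for the illustration, and the log lines are constructed.

```python
"""Shadow-IT discovery from proxy logs (added illustration, not vendor code).

Assumed proxy log format, one request per line:
    timestamp user method url bytes_sent bytes_received
Assumed catalogue and policy: see CATALOGUE and UPLOAD_ALERT_BYTES below.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample log lines in the assumed format.
SAMPLE_LOG = """\
2024-05-01T09:01:12Z alice POST https://files.example-box.com/api/upload 5242880 512
2024-05-01T09:03:40Z alice GET https://mail.corp-suite.example/inbox 420 88210
2024-05-01T09:05:02Z bob POST https://share.personal-drive.example/put 20971520 300
2024-05-01T09:07:19Z carol GET https://unknown-saas.example/dashboard 300 45000
2024-05-01T09:09:55Z bob POST https://share.personal-drive.example/put 10485760 300
2024-05-01T09:11:03Z dave GET https://files.example-box.com/list 200 9000
"""

# Assumed catalogue: destination host -> (service name, approval status).
# A real CASB maintains a large, vendor-curated catalogue; this is a stand-in.
CATALOGUE = {
    "files.example-box.com": ("ExampleBox", "sanctioned"),
    "mail.corp-suite.example": ("CorpSuite Mail", "sanctioned"),
    "share.personal-drive.example": ("PersonalDrive", "unsanctioned"),
}

# Assumed policy threshold: uploads at or above this size to a service that
# is not sanctioned are reported as potential data leakage.
UPLOAD_ALERT_BYTES = 1 * 1024 * 1024  # 1 MiB


@dataclass
class ServiceUsage:
    name: str
    status: str                         # sanctioned / unsanctioned / unknown
    users: set = field(default_factory=set)
    bytes_uploaded: int = 0
    requests: int = 0


def parse_line(line: str):
    """Split one log line into fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, user, method, url, sent, received = parts
    host = urlsplit(url).hostname
    if host is None:
        return None
    return {"ts": ts, "user": user, "method": method, "host": host,
            "sent": int(sent), "received": int(received)}


def classify(host: str):
    """Map a destination host to a catalogued service, or mark it unknown."""
    return CATALOGUE.get(host, (host, "unknown"))


def discover(log_text: str):
    """Aggregate usage per destination host: users, requests, bytes uploaded."""
    usage = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        name, status = classify(rec["host"])
        entry = usage.setdefault(rec["host"], ServiceUsage(name, status))
        entry.users.add(rec["user"])
        entry.requests += 1
        # Only count request bodies on upload-style methods as data leaving.
        if rec["method"] in ("POST", "PUT"):
            entry.bytes_uploaded += rec["sent"]
    return usage


def evaluate(usage):
    """Apply the approval policy; returns (kind, host, users, bytes) findings."""
    findings = []
    for host, u in sorted(usage.items()):
        if u.status == "unknown":
            # Discovery finding: a service nobody has assessed yet.
            findings.append(("unknown-service", host, sorted(u.users), u.bytes_uploaded))
        elif u.status == "unsanctioned" and u.bytes_uploaded >= UPLOAD_ALERT_BYTES:
            # Control finding: bulk upload to a service outside the approved set.
            findings.append(("upload-to-unsanctioned", host, sorted(u.users), u.bytes_uploaded))
    return findings


if __name__ == "__main__":
    for finding in evaluate(discover(SAMPLE_LOG)):
        print(finding)
```

The split between `discover` and `evaluate` mirrors the two capabilities: discovery produces an inventory of every destination seen, including services not in the catalogue, while evaluation is where the organization's own approval decisions and thresholds are applied. Sanctioned services generate no findings here; in practice their use would be handed on to the directory-based access controls described in the second bullet.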
CASBs provide a valuable tool for organizations to improve the governance over their usage of cloud services. However, it is important for a customer using these products to understand their specific requirements and to select products that match them.