In conversations with customers, a frequent question comes up that I thought I’d answer: why do I need a cloud access security broker (CASB) when I have my trusted firewall? A CASB will help you protect your cloud and SaaS apps from cybersecurity attacks, insider threats, and potential data loss.
Firewalls vs CASB
Firewalls are your front line perimeter of protection. They will show you the category of applications in use, show you where data is going, and allow you to whitelist (approve) and blacklist (deny) specific applications. What they won’t do, however, is give you the visibility into whether there are any new applications in use that you haven’t whitelisted or blacklisted. This exposes a gap for a period of time.
Firewalls also will not provide you granular visibility; in other words, they won’t allow you to do a deep dive into user actions, which is critical if you’re worried about malicious users or insider threats. Furthermore, they will not explore anomalies in your organization’s cloud application usage and will not provide information regarding whether or not the applications your employees are using are compliant with key regulations.
I suspect some companies may be over-relying on their firewalls without realizing there’s an equally important control plane needed to protect data-in-the-cloud apps.
A CASB fills this important gap by providing visibility into your employees’ cloud application usage and helping you protect your corporate data from cybersecurity threats with granular controls and enhanced threat detection. It will help you discover Shadow IT, detect anomalous activity, set policies and controls, and investigate alerts for cloud applications that go well beyond your firewall.
This is especially important in healthcare and financial services. With the European General Data Protection Regulation (GDPR) requirements coming in May 2018, you’ll want to get a handle on this now.
Let’s dig into some key issues and how we can address them:
Discovering new SaaS applications in use
You’ve whitelisted and blacklisted applications and feel in control. Ask yourself these questions:
- How will you know when an employee is using a new application?
- Which files are being uploaded and downloaded to and from the application?
- How secure are the applications?
- What compliance criteria does the SaaS app meet?
- Does the SaaS app comply with the regulations in my industry?
It’s not enough to have summary reports of cloud usage. You’ll want to be proactively alerted about changes such as new apps, growth in usage, non-compliant apps used, etc. You’ll need a solution that will operate and send you alerts right away. The right CASB solution will do this for you.
Getting granular visibility into user activities in SaaS apps
Based on traffic logs, you can gain full visibility into:
- Who sent and received data?
- How many bytes of data were transmitted to which application (identified by its IP and/or URL)?
- From which source IP address was data transmitted?
Furthermore, for sanctioned apps, you can gain full visibility into specific actions and files by “connecting” your apps to Cloud App Security. The app connector will give you a complete look at any activity and files in your connected apps, from any location and any client.
Why would you need this information? For rich insights, visibility, and control. Additionally, in the event you need to conduct an internal investigation, you’ll want to see which files have been uploaded/downloaded to which applications, focusing on high-risk users when needed. Pivoting into the actions of specific users helps you assess if user credentials have been compromised or if there is malicious insider activity. Finally, you can quarantine files and users until your investigation is complete.
Detecting anomalies and abnormal behavior
Will your firewall alert you if a user starts to download significantly more data than what they have downloaded in the past week or year? Perhaps a user has been compromised or you have a malicious insider – either way, it’s important to get to the bottom of this. A good CASB solution uses advanced machine learning techniques to learn how each user interacts with each SaaS application and, through behavioral analysis, assesses the risks in each transaction. This includes simultaneous logins from two countries, the sudden download of terabytes of data, or multiple failed login attempts that may signify a brute force attack. It’s important to identify changes in your organization’s cloud usage patterns.
You can set policies for alerts on top of your CASB solution. Wouldn’t you want an immediate alert if, after you’ve set your whitelist and blacklist, a new application is in use and its traffic is going through? In other words, you’ve gone to the trouble of identifying all the applications you want to approve or deny for your organization, but this becomes a static list in some respects, as there are multiple entry points to some applications.
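The two checks discussed above, spotting an application that is on neither the whitelist nor the blacklist and flagging a user whose downloads jump well above their own history, run over the traffic-log fields listed earlier. This is an added example, not Cloud App Security code: the log layout, host names, lists and the simple mean-plus-deviation baseline (standing in for the machine learning the post describes) are all assumptions.

```python
import csv, io, statistics
from collections import defaultdict

# Constructed sample log: date, user, source IP, destination host, bytes sent, bytes received
SAMPLE_LOG = """\
2018-01-08,alice,10.0.0.5,files.corp.example,1200,510000
2018-01-09,alice,10.0.0.5,files.corp.example,900,480000
2018-01-10,alice,10.0.0.5,files.corp.example,1500,530000
2018-01-11,alice,10.0.0.5,files.corp.example,1100,495000
2018-01-15,alice,10.0.0.5,files.corp.example,1300,52000000
2018-01-15,bob,10.0.0.9,newshare.example,7000000,2000
"""
SANCTIONED, BLOCKED = {"files.corp.example"}, {"badshare.example"}  # hypothetical lists

def parse(text):
    """Return (date, user, src_ip, host, bytes_up, bytes_down) tuples; skip malformed rows."""
    return [(r[0], r[1], r[2], r[3], int(r[4]), int(r[5]))
            for r in csv.reader(io.StringIO(text))
            if len(r) == 6 and r[4].isdigit() and r[5].isdigit()]

def unlisted_apps(rows, sanctioned, blocked):
    """Hosts on neither list, with the users seen and total bytes uploaded to each."""
    found = {}
    for _, user, _, host, up, _ in rows:
        if host not in sanctioned and host not in blocked:
            entry = found.setdefault(host, {"users": set(), "bytes_up": 0})
            entry["users"].add(user)
            entry["bytes_up"] += up
    return found

def download_spikes(rows, sigmas=3.0, min_history=4):
    """(user, date, bytes) for days whose download exceeds the user's own baseline."""
    daily = defaultdict(lambda: defaultdict(int))
    for date, user, _, _, _, down in rows:
        daily[user][date] += down
    alerts = []
    for user, days in daily.items():
        dates = sorted(days)
        for i in range(min_history, len(dates)):
            history = [days[d] for d in dates[:i]]
            mean = statistics.mean(history)
            spread = max(statistics.pstdev(history), 0.1 * mean)  # floor for flat histories
            if days[dates[i]] > mean + sigmas * spread:
                alerts.append((user, dates[i], days[dates[i]]))
    return alerts

if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print(unlisted_apps(rows, SANCTIONED, BLOCKED), download_spikes(rows))
```

Users with fewer than `min_history` days of traffic are never scored, so a new account's first large download goes unflagged by this baseline and needs a separate rule.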
There are thousands of SaaS applications and it’s important to understand their pedigree, what the developer’s intent was, and where the application resides. These elements are typically unknown to IT organizations given the sheer volume of SaaS apps available. Most of the time, users of these applications don’t know or understand the risks involved. A good CASB solution should provide information about these apps and their potential risks so you’ll know which SaaS applications meet specific compliance requirements (FISMA, PCI, HIPAA, etc.).
Firewalls are still used to control access, but users are still able to upload and download data through universal ports 443 and 80. It’s not enough to identify the apps they’re downloading – you need to understand the risks to which you and your business are being exposed, and those risks continuously change.
Cloud App Security, Microsoft’s CASB solution, provides an up-to-date security assessment of over 13,000 cloud applications rated with 59 risk factors. We’ll work alongside your existing firewalls and gather information to answer questions and help you understand your SaaS app usage. Our solution is agentless. Our security assessment will let you know:
- Which certifications and compliance measures the SaaS application meets
- Which security measures and controls the SaaS apps have in place
- Whether this vendor is a well-known company or not
You can configure the importance of each attribute to customize your own report.
Furthermore, we provide you granular controls for controlling data in SaaS apps and taking powerful remediation actions such as quarantine. With Cloud App Security you can also identify anomalies in your cloud usage that may be indicative of a breach, leveraging behavioral analytics and anomaly detection.
Cloud App Security is a part of Microsoft’s Enterprise Mobility + Security (EMS) E5 Suite. Together with Microsoft Intune, Azure Active Directory, Azure Information Protection, and Microsoft Advanced Threat Analytics, we provide a holistic and innovative security solution set that helps you protect your identities, devices, apps, and data both on-premises and in the cloud.
Want to experience Cloud App Security in real time? Visit the Cloud App Security website to discover the cloud apps in your organization and start controlling them today!
Hayden Hainsworth (@hhainsworth)
Customer & Partner Experience Program Leader, Cybersecurity Engineering
Cloud + Enterprise Division