eBay, one of the pioneers of electronic commerce, was founded about twenty years ago, when buying from a virtual shop run by an anonymous seller somewhere in the world was regarded as "crazy". Over the last ten years purchases from such shops have grown steadily by a considerable percentage, and they have become, in practice, the central arena of electronic commerce, operating alongside physical stores. This change in consumer culture and in the way business is done would never have happened without information security systems. The electronic commerce revolution dragged behind it a change in the behaviour and consumption habits of every one of us, and today we are witnessing a revolution in organizations and businesses that is carrying them into the digital era.
The way we have conducted business for decades, and our work environment as employees and managers, is changing. The way we gather, share and consume information is transforming how businesses operate and is making work processes easier and more productive.
Organizational data is migrating to the cloud, or is created in the cloud in the first place, in SaaS applications such as Google Apps or Office 365. Users are now going through the most significant change of all: they can reach the data from different locations and from various devices, turning every otherwise lost hour into a working hour.
This shift in the boundaries of the organization significantly enlarges the attack surface, and with it the risk, and organizations are not always aware that threats can come from unexpected directions as a consequence of adopting these new technologies. Valuable organizational data no longer lives only on servers on the company's premises, on an isolated island. It is now reachable by everyone, from any device and from any location, and attackers know this; they are ready to exploit weaknesses in the technology, the protocols and the services of the cloud.
Organizations need to redefine their boundary, which has expanded into the cloud, an environment that is not under the organization's control. These new challenges raise two questions: is the organizational perimeter in which we have invested in security products over all these years still effective? Does the employees' actual activity still take place in the buildings and branches that previously defined the workplace?
This change forces the CISO, and the organization as a whole, to re-plan how to defend organizational data that sits outside the organization and is accessible from anywhere in the world, not only from the premises. After more than a decade of protecting only the environment under our control, the organizational security concept must be re-planned so that it is suited to protecting assets that are no longer under that control.
The mobile revolution and the move to cloud service providers make it difficult for security teams to enforce the organization's policy, to follow up on processes, and to gather threat information in an environment where every device, managed or unmanaged, has access to data. Losing visibility over this critical part of the network can be disastrous for a digital business and has consequences for the whole developing digital economy.
In 2015 Gartner defined a security technology for organizations that move organizational data to the cloud and access it from the Internet. The technology is meant to provide a level of protection comparable to the one organizations had when corporate systems were internal ("on-prem").
The technology is known as Cloud Access Security Broker (CASB), and its role is to give organizations an acceptable level of security as applications and organizational data move to the cloud. According to Gartner, CASB is an essential security technology for 2016 and belongs at the top of the list of priorities. Security vendors recognized the potential of CASB and rushed to complete their cloud security portfolios by acquiring niche companies, among them the Israeli companies Adallom and Cloudlock, sold to Microsoft and Cisco respectively, as well as Skyfence (then part of Imperva) and Elastica, sold to Forcepoint and Symantec, and others.
Before the move to the cloud, users reached organizational resources over VPN and remote access, behind products such as NGFW/IPS/WAF that supplied an acceptable level of protection. Gartner now estimates that by 2018 about 25% of an organization's traffic will not pass through the organization's infrastructure at all, meaning that the investments made in that infrastructure will protect only 75% of the organization's traffic. The content itself, created and stored in SaaS services such as Office 365, Salesforce and Dropbox, is not protected. Traditional security technologies are not effective here: they are not on the traffic path, they cannot be placed inside the cloud service, and certainly not in front of every cloud service.
To understand our areas of responsibility as service consumers, a few examples of the shared responsibility model:
IaaS/AWS – building the VPC and the EC2 instances is the customer's responsibility; Amazon is responsible for the hypervisor level and everything beneath it.
SaaS/Dropbox – the cloud service provider is in charge of the application. If a user's identity is stolen or sensitive data is passed to a competitor, we as an organization are responsible for that.
SaaS/Office 365 – Microsoft is in charge of protecting the network in the data center and of making sure the application works correctly and consistently, but as an organization we are responsible for our users and for what they do with the data itself.
The CASB system is under the organization's control and gives it visibility, information about the degree of risk the organization faces, and control over activity inside the cloud application.
A system whose job is to protect cloud applications has to work at several levels.
User level: examination of user behavior. The system must answer questions such as: what are users doing, from where did the access come, are only permitted actions being performed, have accounts or identities been stolen and is the account now being accessed from all over the world, was data shared with users outside the organization or only with an authorized group? Examples: if a user downloads a large file from a particular share, an action that user does not usually perform, an alert is raised or the user's further activity is blocked. If a user performs an action in Office 365 from Israel and four hours later we see the same user accessing from China, we can conclude that the account has been stolen and is being misused.
Data level: the system helps to find out whether sensitive data exists in the cloud where it is not supposed to be; if it does, the data should be encrypted or removed, both to prevent a leak of the sensitive data and to comply with regulatory requirements.
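The two user-level checks described above (impossible travel between sign-in locations, and a download far outside the user's own habit), as an added example that is not code from the original page. Everything in it is assumed for the example: the event record layout, the 900 km/h plausibility threshold, the "ten times the user's median download" rule, the coordinates, and the constructed audit trail in which one account works from Israel and then appears in China four hours later.

```python
"""
Added example (not from the original page): two user-level checks of the kind
a CASB applies to cloud audit events. Events, thresholds and coordinates below
are constructed assumptions for the example, not vendor values.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from statistics import median

MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner cruising speed (assumed threshold)
DOWNLOAD_MULTIPLIER = 10.0  # flag downloads over 10x the user's median (assumed)


@dataclass(frozen=True)
class Event:
    user: str
    ts: datetime
    action: str        # "login" or "download"
    country: str
    lat: float
    lon: float
    size_mb: float = 0.0


def ts(s: str) -> datetime:
    """Parse an ISO timestamp as UTC (audit logs should always carry a zone)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin(radians(lat2 - lat1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Per user, compare consecutive events in time order and report pairs whose
    implied travel speed is not achievable, as (user, from_country, to_country, km/h)."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < 1.0:               # same place, nothing to check
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            kmh = km / hours if hours > 0 else float("inf")   # simultaneous = impossible
            if kmh > max_kmh:
                findings.append((user, prev.country, cur.country, round(kmh)))
    return findings


def anomalous_downloads(events, multiplier=DOWNLOAD_MULTIPLIER, min_history=3):
    """Flag a download much larger than the user's own median download size,
    using only downloads seen before it (a rolling per-user baseline)."""
    history = {}
    findings = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.action != "download":
            continue
        past = history.setdefault(e.user, [])
        if len(past) >= min_history and e.size_mb > multiplier * median(past):
            findings.append((e.user, e.ts, e.size_mb))
        past.append(e.size_mb)
    return findings


TLV = (32.08, 34.78)   # Tel Aviv (assumed location of the Israeli office)
PEK = (39.90, 116.40)  # Beijing

# Constructed audit trail: "dana" works from Israel in the morning, then her
# account logs in from China four hours later and pulls a 450 MB file.
SAMPLE_EVENTS = [
    Event("dana", ts("2016-03-01T07:00:00"), "download", "IL", *TLV, 2.0),
    Event("dana", ts("2016-03-01T07:30:00"), "download", "IL", *TLV, 3.0),
    Event("dana", ts("2016-03-01T07:55:00"), "download", "IL", *TLV, 2.5),
    Event("dana", ts("2016-03-01T08:00:00"), "login", "IL", *TLV),
    Event("dana", ts("2016-03-01T12:00:00"), "login", "CN", *PEK),
    Event("dana", ts("2016-03-01T12:10:00"), "download", "CN", *PEK, 450.0),
    Event("yossi", ts("2016-03-01T08:00:00"), "login", "IL", *TLV),
    Event("yossi", ts("2016-03-01T08:10:00"), "download", "IL", *TLV, 5.0),
]

if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_EVENTS):
        print("impossible travel:", f)
    for f in anomalous_downloads(SAMPLE_EVENTS):
        print("anomalous download:", f)
```

Tel Aviv to Beijing is roughly 7,100 km; covering it in four hours implies about 1,800 km/h, twice the assumed ceiling, so the China login is flagged, and the 450 MB download that follows is flagged against Dana's own baseline of a few megabytes. Yossi, with a single download and no location change, produces nothing. In practice the geolocation comes from the provider's audit log and the thresholds should be tuned per organization; VPN egress points are the usual source of false positives.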
The system must provide real-time protection for data, including handling malware files that can reach the cloud service, both before the data arrives (in transit, data in motion) and for files already in the cloud (data at rest). Remember that employees can install cloud applications on computers and laptops that are not managed, to which the defenses found on managed organizational computers do not apply. Access from unmanaged devices makes the employee's access to corporate data easier but, on the other hand, opens the door to malicious actors who could use the data, erase it, change it, or even plant malware that spreads through the entire organization. An example: an organizational computer synchronizes files to OneDrive and SharePoint; since these services live in the cloud, the employee installs the same applications on his home computer and thereby synchronizes the organizational files to it as well.
Application level: the CASB system reports which applications are in use, which third-party applications hold permission to access data in the cloud, how risky using them is, and how to control them and block their access to information in the cloud.
Many cloud applications rely on the identity and authorization mechanisms of existing systems such as Google, Facebook, LinkedIn, Office 365 or Salesforce, so there is no need to create a new user for each cloud application; OAuth authorization makes this possible. An example: a particular application lets me sign in with my Google account instead of creating a dedicated user, and at the same time requests full permission to my Google Drive. From that moment the third-party application is authorized to reach my contacts and my Google Drive without asking me again. The same holds for Office 365 accounts (Office 365 being the most widespread SaaS application in the world): a third-party application that used an Office 365 account for sign-in can have read, write and delete access to OneDrive, to my contact list and to my email. This is where the CASB system comes in: it identifies third-party applications, shows me which of them have access to my cloud systems, and can even block access to organizational resources that would otherwise happen without my knowledge.
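The application-level triage just described (which third-party apps hold access, how risky that access is, which grants to revoke), as an added example that is not code from the original page or from any CASB product. The scope identifiers are real Google and Microsoft Graph scope names; the risk tiers assigned to them, the verdict rule, and the grant records with their users and app names are assumptions constructed for this example.

```python
"""
Added example (not from the original page): triage of third-party OAuth grants,
the way a CASB's application-level view classifies them. Risk tiers, verdict
rule and the sample grants are assumptions for the example; the scope strings
themselves are real Google / Microsoft Graph scope names.
"""
from dataclasses import dataclass, field

# Scopes that hand an app broad, standing access to organizational data (assumed tiering).
HIGH_RISK = {
    "https://www.googleapis.com/auth/drive": "read/write every file in Google Drive",
    "https://www.googleapis.com/auth/contacts": "read/write all contacts",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify mail",
    "Files.ReadWrite.All": "read/write/delete all OneDrive and SharePoint files",
    "Mail.Read": "read the whole mailbox",
    "Mail.ReadWrite": "read and modify the mailbox",
}
# Read-only or persistence scopes: worth a human review, not an automatic revoke.
MEDIUM_RISK = {
    "https://www.googleapis.com/auth/contacts.readonly": "read all contacts",
    "https://www.googleapis.com/auth/drive.readonly": "read every file in Google Drive",
    "Contacts.Read": "read all contacts",
    "Files.Read.All": "read all OneDrive and SharePoint files",
    "offline_access": "refresh token: access persists while the user is not signed in",
}
# Identity-only or per-file scopes: what a "sign in with" button genuinely needs.
LOW_RISK = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
    "https://www.googleapis.com/auth/drive.file",   # only files the app created or opened
    "User.Read",
}


@dataclass
class Finding:
    user: str
    app: str
    verdict: str                  # "allow", "review" or "revoke"
    reasons: list = field(default_factory=list)


def assess_grant(grant: dict) -> Finding:
    """Map one grant to a verdict: any high-risk scope means revoke; medium-risk or
    unknown scopes mean review; a grant made only of identity scopes is allowed."""
    f = Finding(grant["user"], grant["app"], "allow")
    for scope in grant["scopes"]:
        if scope in HIGH_RISK:
            f.verdict = "revoke"
            f.reasons.append(f"{scope}: {HIGH_RISK[scope]}")
        elif scope in MEDIUM_RISK:
            if f.verdict == "allow":
                f.verdict = "review"
            f.reasons.append(f"{scope}: {MEDIUM_RISK[scope]}")
        elif scope not in LOW_RISK:
            if f.verdict == "allow":
                f.verdict = "review"
            f.reasons.append(f"{scope}: unknown scope, check the provider's documentation")
    return f


def assess_grants(grants):
    return [assess_grant(g) for g in grants]


# Constructed grant records, shaped like what a CASB collects from the identity
# provider's consent or audit API. Users and application names are made up.
SAMPLE_GRANTS = [
    {"user": "dana@example.com", "app": "PDF Merge Helper", "idp": "google",
     "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email",
                "https://www.googleapis.com/auth/drive"]},
    {"user": "yossi@example.com", "app": "Calendar Sync", "idp": "microsoft",
     "scopes": ["User.Read", "offline_access", "Contacts.Read"]},
    {"user": "noa@example.com", "app": "Signature Tool", "idp": "google",
     "scopes": ["openid", "https://www.googleapis.com/auth/drive.file"]},
    {"user": "noa@example.com", "app": "Mystery CRM Connector", "idp": "microsoft",
     "scopes": ["User.Read", "Files.ReadWrite.All", "Mail.Read", "offline_access"]},
]

if __name__ == "__main__":
    for f in assess_grants(SAMPLE_GRANTS):
        print(f"{f.verdict:6} {f.user:18} {f.app}")
        for r in f.reasons:
            print("        -", r)
```

The point the tiering makes is the one in the paragraph: "sign in with Google" needs only `openid` and an e-mail scope, so an app that also asks for `https://www.googleapis.com/auth/drive` is taking far more than the login requires, and `offline_access` means the access survives the user closing the browser. Revoking in practice is a call to the provider's admin API to remove the app's consent for that user; the rule table above is the part an organization has to maintain.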
CASB solutions can be deployed in two modes of access. Proxy-based (inline) access: a forward proxy requires configuration or an agent on the user's side, while a reverse proxy needs no configuration on the user's side.
API-based (out-of-band) access: agentless access through the cloud application's API, requiring no infrastructure change and no change in the way users connect. Each mode has its advantages and disadvantages, so CASB vendors have adopted a hybrid approach that includes both.
With an out-of-band API connection, the CASB talks directly to the cloud application, so the data itself neither passes through the CASB nor is stored in it; it stays only in the customer's own cloud environment. In this mode there is no need to install agents on users' devices, so the user experience is not affected, and protection can also be provided for mobile users and unmanaged devices.
API access also reaches historical data already in the cloud (data at rest), so the system can scan data that existed before the CASB was deployed. It can search for sensitive files, check their compliance with standards such as PCI, and take actions such as encrypting sensitive files and, when necessary, deleting them from the cloud. The API also makes it possible to examine traffic between two cloud applications (cloud to cloud), not only between users and the cloud.
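The data-at-rest scan described above, as an added example that is not code from the original page: a pass over files already sitting in a cloud store, looking for payment card numbers as a PCI DSS check. The file contents are constructed for the example, the card numbers are well-known public test numbers rather than real accounts, and the decision to mask all but the last four digits is this example's policy (PCI DSS allows at most the first six and last four to be shown).

```python
"""
Added example (not from the original page): scan of data at rest for payment
card numbers (PANs), of the kind an API-mode CASB runs over a tenant's files.
Sample files are constructed; the card numbers are public test numbers.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not glued to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9 if over 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits in reports (example policy, within PCI DSS limits)."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str):
    """Return masked PANs in text: digit runs of card length that pass the Luhn check.
    Order numbers and phone numbers fail on length or on the checksum."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask(digits))
    return found


def scan_files(files: dict) -> dict:
    """Scan {path: content} and return {path: [masked PANs]} for the files that hold any;
    each path listed here is a candidate for encryption or deletion."""
    results = {}
    for path, content in files.items():
        pans = find_pans(content)
        if pans:
            results[path] = pans
    return results


# Constructed tenant contents. Refunds and expenses hold test card numbers;
# the phone list and the order id are the usual false-positive sources.
SAMPLE_FILES = {
    "Finance/refunds-2016.csv": (
        "customer,card,amount\n"
        "Dana L,4111 1111 1111 1111,120.00\n"
        "Yossi K,5500-0000-0000-0004,80.50\n"
    ),
    "HR/phone-list.txt": "Dana L: +972-3-1234567\nYossi K: +972-54-7654321\n",
    "Sales/order-ids.txt": "order 1234567890123456 shipped\n",
    "Travel/expenses.txt": "AMEX 378282246310005 charged for flights\n",
}

if __name__ == "__main__":
    for path, pans in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {len(pans)} PAN(s) {pans}")
```

The Luhn check is what keeps the scan usable: a 16-digit order number has the right length but fails the checksum, and phone numbers never reach card length. A real CASB adds more detectors (national IDs, keywords such as "CVV" near the number, file-type awareness) and ties each hit to an action, which in API mode means calling the provider's API to encrypt, quarantine or delete the file.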
The disadvantage of API mode is that it works only with cloud applications that expose a native API, and it acts after the fact rather than inline, unlike a proxy. Proxy-based systems can block data entering and leaving the cloud (in transit) in real time.
CASB is a technology that solves a security problem but, first and foremost, lets organizations develop their business; it is essential for running the business and enjoying the advantages of the cloud applications at the heart of business activity, such as Office 365 and Salesforce, and of cloud infrastructure such as AWS and Azure.
Organizations moving to the cloud must implement security tools at a level similar to what they have in the local network, so as to provide visibility, monitoring and enforcement of the security policy at every location where the organization's data is found.