An insurance company is not the enterprise whose staff should be fooling around with insecure cloud applications.
But with software-as-a-service offerings multiplying it’s hard for a CISO to find any organization that doesn’t have at least one employee who has defied policy and quietly signed up for a cloud app.
That’s what Toronto-based Manulife Financial and the city’s MaRS Discovery District — an incubator for emerging companies — found when separately they wanted to find out how many employees in their organizations were using unknown apps.
Both turned to cloud access security brokers (CASBs), which not only allow IT to find shadow cloud apps, but also to apply policies to secure them. Depending on the service, a broker can give infosec pros the ability to encrypt data in transit, or replace data with a token.
“This is a necessary part of your infrastructure,” Michael Ball, Manulife’s global chief security architect, said in a interview during this month’s SC Congress conference, where he and MaRS CIO Mark Zimmerman appeared on a panel discussing CASBs.
“We’ve spent a long time building perimeters that the lines of business have eroded. Access security brokers allow us to extend that perimeter into cloud services.”
There are a number of CASBs, including Mississauga, Ont.-based Perspecsys Inc. CipherCloud Inc., SkyHigh Networks, Netskope, Adallom, CloudLock, Zscaler, Actifio, Bitglass, Trend Micro’s SecureCloud and CloudLink (bought by EMC this year).
Cloud apps usually store data in the cloud as well, opening vulnerabilities in IT security. While many SaaS and IaaS providers offer built-in security features like data encryption, Forrester Research argued in a February report that organizations can’t solely rely on these capabilities.
According to a just-released report from Netskope, 90 per cent of data loss prevention (DLP) violations occur in cloud storage apps. Just under 18 per cent of all files in enterprise-sanctioned cloud apps violated at least one DLP policy
That’s why a number of CISOs are signing up third-party cloud data protection vendors to give them app visibility as well as key management, encryption, policy management, and data governance over data in the cloud.
Report author and analyst Andras Cser said in an email that CASBs offer ease of deployment with a relatively lower cost than other cloud encryption solutions, an integrated solution that eliminates the need to integrate and configure SIM systems, help give a handle on shadow IT and its use and prevent data loss.
On the other hand, he pointed out, CASBs aren’t always reliable and there are ways employees can bypass them. Only one — SkyHigh — offers both data protection and encryption.
Once Manulife decided it needed a CASB, about two years ago, it issued an request for proposals, Ball said. The insurer heard from CyperCloud, SkyHigh Networks and Netskope, ultimately choosing the latter.
Through an API, Netskope can integrate with Manulife’s next generation firewall, security information and event management and mobile data management solutions, he said.
“Once you’ve got the access broker in place you can do all sorts of contextual stuff,” said Ball — for example ‘This user is coming from this device from this region of the world at this time of day. Is that appropriate?’ Or set a policy that human resources staff can access the HR databases only on their corporate laptop.
Ball’s problem at Manulife is the intensely competitive financial sector he’s in, where lines of business want applications built in six months — faster than in-house development can handle. To speed development, they often turn to cloud development platforms like RackSpace, Microsoft Azure or IBM SoftLayer.
A CASB allows the company to give the green light yet still retain security controls.
At MaRS, Zimmerman’s problem is also not only the use of unsanctioned apps by the district’s 3,000 users, but ones sanctioned by lines of business that IT doesn’t know about.
Around the time MaRS was deciding to implement a single sign-on application for Salesforce, it thought it would be a good idea to see what other cloud apps people were subscribed to using a CASB. Netskope was chosen earlier this year in part because it was a member of a group of startups MaRS supported, and because Zimmerman knew the company’s Canadian manager.
MaRS’ Internet traffic was routed through Netskope to give visibility into how many cloud apps were being used. “The volume was staggering,” he recalled – almost 300 applications. None held much in the way of confidential data, but it could be concerning to some organizations.
The CIO could have flatly said no to cloud apps. But, he added, “if we are in the no business then we won’t be leading technology innovation.” Instead, MaRS has a list of approved apps.
“The most important thing for me is it’s allowed us is to have a more useful dialogue with the business,” Zimmerman said. “It’s not an either or about the tools, but ‘you’ve chosen this, how do we make it secure for you’ or ‘we have two of these, how to we decide which one we bring in?'”
Having a cloud access security broker doesn’t mean the end of educating employees about not signing up for unapproved apps, Zimmerman notes, or explaining that they can enroll but the app should only be used for specific purposes.
Forrester Research says CASBs come in five deployment types: purely cloud-based; purely on-premise; a client-side plug-in; centralized drive encryption in the cloud at a virtual or physical level; and a cloud data governance platform.
When choosing a solution Cser says CISOs should consider the vendor’s install base, the solution’s ability to scale, it’s ability to integrate with existing identity and access management systems, it’s accuracy in stopping unapproved traffic; and how fast it can be integrated.