In the past, cyber-security measures focused on devices installed in data centers and on organizations' own premises.
However, with the recent rapid increase in the cloud-first trend, a growing range of information assets now reside in external cloud services (such as SaaS, PaaS and IaaS).
This article discusses how cloud-based data should be managed and protected.
Cloud Access Security Brokers – the hot topic in cloud security?
A trend toward “asset-free ICT” and the spread of location-independent workstyles, driven by workstyle transformation initiatives, are pushing both companies and individuals toward cloud use.
In this environment, the question is whether information is being appropriately managed within cloud services. Many companies and organizations recognize the risks associated with using cloud services and have established a range of rules in response.
However, proper management of such services is still not common in practice.
To compensate for security deficiencies in cloud services, users have recently turned their attention to cloud access security brokers (CASBs).
Cloud access security brokers (CASBs) are on-premises or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed.
CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.
Security products and services supporting CASBs are gradually appearing, and many of the key U.S. analyst firms reported on the state of this market at the end of 2017.
Analyst forecasts predict that by 2020, 60% of large enterprises will use a CASB to govern cloud services, up from less than 10% today.
Inherent risks in using cloud services
When using cloud services, the following risks must be considered.
- Non-malicious transfer of information by employees
- External access to information due to configuration errors in service use (accounts, access rights, etc.)
- Information leaks due to inadequate handling of vulnerabilities
- Unintended disclosure of information to third parties by cloud service providers (inadequate checks of contract details)
- Unintended suspension of cloud services, or transfer of the business to another company
In other words, beyond establishing policies governing cloud use and access control, there are other important considerations: monitoring service usage, and evaluating the security and business continuity of each cloud service.
Using CASBs to enhance security when accessing the cloud
A CASB consists of four elements: visibility, compliance, data security, and threat protection. The specific functions each element provides are explained below.
Visibility
CASBs can clarify how users are accessing cloud services and help shape the policies needed for secure operation.
Understanding a wide range of information enables risk analysis and rule-making: which devices are used for access, where access occurs, the volume and frequency of uploads, file sharing status, content analysis for confidential information, and the security status of cloud service configurations.
Compliance
CASBs can check for files on cloud services that breach internal policies and then rectify any problems found.
Keywords, character patterns, document fingerprints, metadata, and other information are used to analyze files and detect content that breaches internal policies. Administrators can act on the resulting alerts to protect important information and prevent leakage.
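The compliance scan described above, as an added example that is not from the original article or any CASB product: each file in a constructed cloud share is checked against keywords, a character pattern, a document fingerprint and a metadata label, all of which are placeholder policy values.

```python
import hashlib
import re

# Constructed policy: in a real CASB the keywords, patterns and fingerprints
# come from the organization's DLP policy. These values are placeholders.
POLICY = {
    "keywords": ["CONFIDENTIAL", "INTERNAL ONLY"],
    # constructed pattern: 16 digits in groups of four, a card-number-like shape
    "patterns": {"card_number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")},
    "metadata": {"classification": {"restricted", "secret"}},
}

def fingerprint(text: str) -> str:
    """Document fingerprint: SHA-256 over case- and whitespace-normalized text,
    so a reformatted copy of a registered sensitive document still matches."""
    normalized = " ".join(text.lower().split())
    return hashlib.sha256(normalized.encode()).hexdigest()

# Fingerprint of a known sensitive document (constructed) registered in the policy.
KNOWN_SENSITIVE = {fingerprint("Board minutes Q3: acquisition target is ACME Corp")}

def scan_file(text: str, metadata: dict) -> list:
    """Return (rule, detail) findings for one file; an empty list means compliant."""
    findings = []
    for kw in POLICY["keywords"]:
        if kw.lower() in text.lower():
            findings.append(("keyword", kw))
    for rule, rx in POLICY["patterns"].items():
        for m in rx.finditer(text):
            findings.append(("pattern:" + rule, m.group()))
    if fingerprint(text) in KNOWN_SENSITIVE:
        findings.append(("fingerprint", "matches registered sensitive document"))
    label = metadata.get("classification", "").lower()
    if label in POLICY["metadata"]["classification"]:
        findings.append(("metadata", "classification=" + label))
    return findings

def scan_share(files: dict) -> dict:
    """Scan a (constructed) cloud share; only files with findings are returned."""
    results = {}
    for name, (text, metadata) in files.items():
        hits = scan_file(text, metadata)
        if hits:
            results[name] = hits
    return results

# Constructed sample share contents: (text, metadata) per file.
SAMPLE_SHARE = {
    "minutes.txt": ("BOARD  minutes q3: Acquisition target is Acme corp", {"classification": "Restricted"}),
    "expenses.csv": ("card,amount\n4111 1111 1111 1111,42.00", {}),
    "lunch.txt": ("Team lunch is on Friday", {"classification": "public"}),
}
```

Calling `scan_share(SAMPLE_SHARE)` flags the minutes (fingerprint and metadata) and the expense sheet (pattern) while the lunch note passes.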
Data security
CASBs can use company-managed encryption keys to automatically encrypt files uploaded to the cloud, securing those documents while they reside there.
When storing personal or other sensitive information, tokenization can replace the original values with randomly generated tokens that carry no intrinsic meaning, so that even if files are leaked, third parties cannot recover the original data from them.
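The tokenization idea above, as an added example that is not from the original article: sensitive values are swapped for random tokens before a record leaves the organization, and the token vault (which never leaves) is the only way back. The value pattern, the `tok_` prefix and the sample record are constructed for the illustration.

```python
import re
import secrets

# Constructed pattern for the values to tokenize (card-number-like shape).
SENSITIVE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
TOKEN = re.compile(r"tok_[0-9a-f]{16}")

class TokenVault:
    """Maps random tokens back to original values. The vault stays inside the
    organization; only tokens travel to the cloud service."""

    def __init__(self):
        self._to_value = {}
        self._to_token = {}

    def tokenize_value(self, value: str) -> str:
        # Reuse the token for a value seen before (equal values stay joinable,
        # a deliberate trade-off); otherwise mint a random token that carries
        # no information about the value it replaces.
        if value not in self._to_token:
            token = "tok_" + secrets.token_hex(8)
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def detokenize_value(self, token: str) -> str:
        return self._to_value[token]

    def tokenize(self, text: str) -> str:
        """What gets uploaded: every sensitive value replaced by its token."""
        return SENSITIVE.sub(lambda m: self.tokenize_value(m.group()), text)

    def detokenize(self, text: str) -> str:
        """Restore the original record; only possible with access to the vault."""
        return TOKEN.sub(lambda m: self.detokenize_value(m.group()), text)

# Constructed record as it would be uploaded without tokenization.
ORIGINAL = ("customer=jane card=4111 1111 1111 1111 amount=42.00\n"
            "customer=joe card=4111 1111 1111 1111 amount=7.50")
```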
Threat protection
CASBs can protect data from a range of threats by using anti-malware to detect known attacks and ransomware, and by detecting suspicious behavior in the cloud. They can also detect patterns of insider misuse by flagging access from untrusted locations and logins from unauthorized accounts, and by monitoring the behavior and entitlements of privileged users.
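The behavioral checks just listed, run over constructed audit lines as an added example that is not from the original article or any product: the trusted network, the authorized account list and each privileged account's allowed actions are placeholder policy values.

```python
import ipaddress

# Constructed policy: trusted office network, authorized accounts, and the actions
# each privileged account is entitled to. Placeholders, not values from any real product.
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # documentation range, constructed
AUTHORIZED_ACCOUNTS = {"alice@example.com", "bob@example.com", "svc-backup@example.com"}
PRIVILEGED_SCOPE = {"bob@example.com": {"share_file", "export_audit_log"}}

def is_trusted(ip: str) -> bool:
    """True when the source address falls inside a trusted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def parse_line(line: str) -> dict:
    """Parse one constructed 'key=value key=value' audit line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def evaluate(event: dict) -> list:
    """Return the alert names raised by one cloud access event (empty list = clean)."""
    alerts = []
    if event["user"] not in AUTHORIZED_ACCOUNTS:
        alerts.append("unauthorized_account")
    if not is_trusted(event["src_ip"]):
        alerts.append("untrusted_location")
    if event["action"].startswith("admin:"):
        # Privileged actions must stay within the account's entitlement.
        allowed = PRIVILEGED_SCOPE.get(event["user"], set())
        if event["action"][len("admin:"):] not in allowed:
            alerts.append("privileged_action_out_of_scope")
    return alerts

def run(lines: list) -> dict:
    """Map line number to alerts; only events that raised an alert are returned."""
    results = {}
    for number, line in enumerate(lines, 1):
        alerts = evaluate(parse_line(line))
        if alerts:
            results[number] = alerts
    return results

# Constructed audit log lines (timestamps, addresses and accounts are made up).
SAMPLE_LOG = [
    "ts=2024-01-01T08:00:00Z user=alice@example.com src_ip=203.0.113.10 action=download",
    "ts=2024-01-01T08:05:00Z user=mallory@example.org src_ip=198.51.100.7 action=login",
    "ts=2024-01-01T08:07:00Z user=bob@example.com src_ip=203.0.113.22 action=admin:change_sharing_policy",
    "ts=2024-01-01T23:40:00Z user=bob@example.com src_ip=198.51.100.9 action=admin:export_audit_log",
]
```

`run(SAMPLE_LOG)` leaves the first line alone and raises alerts on the other three, including the privileged account acting outside its entitlement and later logging in from an untrusted address.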
CASB products and services provide these functions, and adopting each of them in phases, as outlined below, should strengthen cloud service security.
Step 1. Use visibility functionality to understand cloud usage.
Step 2. Use the cloud use problems highlighted in Step 1 to establish cloud use policies/rules.
Step 3. Feed the established rules into compliance functionality to restrict methods of use.
Step 4. Use visibility, compliance and threat protection functionality to monitor usage, and use data security functionality to protect files.
Focus on cloud service security measures to be deployed in the future
Use of cloud service security measures is likely to grow as one layer of an organization’s multi-layer cyber-security protection.
In the future, combining cloud-specific measures with existing security measures will become even more important, in preparation for the more complex and advanced cyber attacks that we expect to emerge.