Email is the #1 attack vector. Cloud Account Takeover is the #1 attack target. A CASB is the best way to protect against these threats.
What does a CASB do?
Gartner first defined the term Cloud Access Security Broker (CASB) in 2011, when most IT applications were hosted in the data center and few companies trusted the cloud. Most online services were primarily aimed at the consumer. At the time, CASB products were designed to provide visibility for Shadow IT and limit employee access to unauthorized cloud services.
Today, organizations have embraced the cloud, replacing many of their datacenter applications with Software as a Service (SaaS) or moving much of their IT into Infrastructure as a Service (IaaS) providers like Amazon Web Services or Microsoft Azure. Instead of limiting access, CASBs have evolved to protect cloud-hosted data and provide enterprise-class security controls so that organizations can incorporate SaaS and IaaS into their existing security architecture.
CASBs provide four primary security services: Visibility, Data Security, Threat Protection, and Compliance. When comparing CASB solutions you should first make sure that they meet your needs in each of these categories.
Why Do We Need a CASB?
A CASB identifies all the cloud services (both sanctioned and unsanctioned) used by an organization's employees. Originally, this only included the services they would use directly from their computer or mobile device, often called "Shadow IT." Today, it is possible for an employee to connect an unsanctioned SaaS directly to an approved SaaS via API, typically by granting it an OAuth token. This "Shadow SaaS" requires more advanced visibility tools.
Shadow IT Monitoring: Your CASB must connect to your cloud to monitor all outbound traffic for unapproved SaaS applications and capture real-time web activity. Since nearly all SaaS applications send your users email notifications, your CASB should also scan every inbox for rogue SaaS communication to identify unapproved accounts, even on otherwise approved cloud services.
Shadow SaaS Monitoring: Your CASB must connect to your approved SaaS and IaaS providers to monitor third party SaaS applications that users might connect to their account. It should identify both the service as well as the level of access the user has provided.
Risk Reporting: A CASB should assess the risk level for each Shadow IT/Shadow SaaS connection, including the level of access each service requests (e.g., read-only access to a calendar might be appropriate; read-write access to email might not). This allows you to make informed decisions and prioritize the applications that need immediate attention.
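As an added example (not Avanan's code or any CASB product's), here is how the risk ranking just described can be computed over a list of third-party OAuth grants. The grant records and the risk weight per scope are constructed for this example; their shape is an assumption loosely modelled on what SaaS admin APIs expose for connected apps, and the scope strings resemble Google-style OAuth scopes without claiming to be an exact list.

```python
"""Shadow SaaS risk report: rank third-party OAuth grants by the access they hold.

Added example, not Avanan's or any CASB vendor's code. The grant records are
constructed for this example and their shape (app, user, scopes, publisher
status) is an assumption loosely modelled on what SaaS admin APIs expose for
connected apps; the scope strings resemble Google-style OAuth scopes but the
risk weights are this example's own.
"""
from dataclasses import dataclass, field

# Assumed risk weight per scope: higher = more powerful access.
SCOPE_RISK = {
    "https://www.googleapis.com/auth/calendar.readonly": 1,
    "https://www.googleapis.com/auth/calendar": 3,
    "https://www.googleapis.com/auth/contacts.readonly": 4,
    "https://www.googleapis.com/auth/drive.readonly": 5,
    "https://www.googleapis.com/auth/gmail.readonly": 6,
    "https://www.googleapis.com/auth/gmail.modify": 8,
    "https://www.googleapis.com/auth/drive": 9,
    "https://mail.google.com/": 10,  # full read/write/delete access to mail
}
MAIL_WRITE_SCOPES = {"https://mail.google.com/", "https://www.googleapis.com/auth/gmail.modify"}
UNKNOWN_SCOPE_RISK = 5  # a scope with no weight is treated as moderate, never as benign


@dataclass
class Grant:
    app: str
    user: str
    scopes: list
    verified_publisher: bool = False


@dataclass
class Finding:
    app: str
    user: str
    score: int
    level: str
    reasons: list = field(default_factory=list)


def score_grant(grant: Grant) -> Finding:
    """Score one grant: the most powerful scope drives the score, plus modifiers."""
    score = 0
    reasons = []
    for scope in grant.scopes:
        if scope not in SCOPE_RISK:
            reasons.append(f"unknown scope {scope}")
        score = max(score, SCOPE_RISK.get(scope, UNKNOWN_SCOPE_RISK))
    if MAIL_WRITE_SCOPES & set(grant.scopes):
        reasons.append("read-write mailbox access")  # the case the text singles out
    if not grant.verified_publisher:
        score += 2
        reasons.append("unverified publisher")
    level = "high" if score >= 8 else "medium" if score >= 4 else "low"
    return Finding(grant.app, grant.user, score, level, reasons)


def shadow_saas_report(grants):
    """Return findings sorted so the grants needing immediate attention come first."""
    return sorted((score_grant(g) for g in grants), key=lambda f: f.score, reverse=True)


# Constructed sample grants (not real apps or users).
SAMPLE_GRANTS = [
    Grant("Room Scheduler", "alice@example.com",
          ["https://www.googleapis.com/auth/calendar.readonly"], verified_publisher=True),
    Grant("Mail Merge Pro", "bob@example.com",
          ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts.readonly"]),
    Grant("File Sync Tool", "carol@example.com",
          ["https://www.googleapis.com/auth/drive"], verified_publisher=True),
]

if __name__ == "__main__":
    for f in shadow_saas_report(SAMPLE_GRANTS):
        print(f"{f.level:6} {f.score:2}  {f.app:15} {f.user:20} {', '.join(f.reasons)}")
```

The score is driven by the single most powerful scope rather than a sum, so an app with ten harmless scopes does not outrank one with full mailbox write access; unknown scopes are scored as moderate on purpose, since a scope the report cannot name is not evidence that it is safe.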
Event Monitoring: Your CASB should provide information about real-time and historical events in all of your organization's SaaS applications. If you do not know how the applications are being used, you cannot properly control them or properly assess the threats facing your organization.
A CASB enforces data-centric security policies by offering granular access controls or encryption. It incorporates role-based policy tools, data classification and loss prevention technologies to monitor user activity and audit, block or limit access. Once, these were stand-alone systems. Today it is vital that they are integrated into the organization's data policy architecture.
Data Classification: Your CASB should identify personally identifiable information (PII) and other confidential text within every file, email or message. Taking this further, it should be capable of applying policies to control how that sensitive information can be shared.
Data-Centric Access Management: Your CASB should allow you to manage file permissions based upon the user's role and the type of data the file contains using cloud-aware enforcement options that work within the context of the cloud service.
Policy-based Encryption: Your CASB should be able to encrypt sensitive information across all your cloud services to ensure data security, even after files leave the cloud.
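An added example (not from Avanan or any vendor) of the classification-plus-policy loop described above: detect two classes of sensitive data in a file and decide whether it may be shared with a given recipient, based on where the recipient sits and what role they hold. The detectors, role table, corporate domain and sample file contents are all constructed for the example.

```python
"""Data classification plus a data-centric sharing decision.

Added example, not Avanan's or any vendor's code. The detectors (US SSN
pattern, payment card number with Luhn check), the role table and the
sample file contents are constructed for this example; a real classifier
would carry many more detectors and a policy engine fed by the cloud
service's own sharing model.
"""
import re
from typing import List, Set, Tuple

# Assumed corporate domain: anything else is an external recipient.
CORP_DOMAIN = "example.com"
ANYONE_WITH_LINK = "anyone-with-link"

# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by spaces or hyphens; validated with Luhn below.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed role table: which roles may receive each data class internally.
ALLOWED_ROLES = {"SSN": {"hr", "payroll"}, "PAN": {"finance"}}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most order/ticket numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> Set[str]:
    """Return the set of data classes found in the text."""
    labels = set()
    if SSN_RE.search(text):
        labels.add("SSN")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.add("PAN")
            break
    return labels


def decide_share(text: str, recipient: str, recipient_role: str = "") -> Tuple[str, List[str]]:
    """Decide whether a file with this content may be shared with this recipient.

    Returns ("allow" | "block", reasons). External and link sharing of any
    classified data is blocked; internal sharing is allowed only to a role
    cleared for every data class present.
    """
    labels = classify(text)
    if not labels:
        return "allow", ["no sensitive data found"]
    external = recipient == ANYONE_WITH_LINK or recipient.rsplit("@", 1)[-1].lower() != CORP_DOMAIN
    if external:
        return "block", [f"{sorted(labels)} shared outside {CORP_DOMAIN} ({recipient})"]
    not_cleared = [label for label in sorted(labels) if recipient_role not in ALLOWED_ROLES[label]]
    if not_cleared:
        return "block", [f"role '{recipient_role}' not cleared for {not_cleared}"]
    return "allow", [f"{sorted(labels)} shared internally with cleared role '{recipient_role}'"]


# Constructed sample contents.
PAYROLL_DOC = "Employee: J. Doe  SSN: 123-45-6789  start date 2024-01-08"
ORDER_DOC = "Order 1234 5678 9012 3456 shipped; tracking pending"   # fails Luhn: not a card
REFUND_DOC = "Refund to card 4111 1111 1111 1111, amount 42.00"      # passes Luhn

if __name__ == "__main__":
    for doc, who, role in [(PAYROLL_DOC, ANYONE_WITH_LINK, ""),
                           (ORDER_DOC, "partner@customer.example", ""),
                           (REFUND_DOC, "pat@example.com", "hr"),
                           (REFUND_DOC, "sam@example.com", "finance")]:
        print(who, role, decide_share(doc, who, role))
```

The Luhn check is what keeps a sixteen-digit order number from being classified as a card; without it, a DLP rule on "16 digits" blocks half of a sales team's email. The decision is made on the combination of data class, recipient location and recipient role, which is the "data-centric" part: the same file is allowed to finance and blocked to HR.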
A CASB protects cloud services from unwanted users or applications. This might include real time malware detection, file sandboxing or behavior analytics and anomaly detection. New threats require new protections, so the list should include anti-phishing, account-takeover detection and predictive (A.I.) malware technologies.
Anti-phishing Protection: Phishing attacks are the #1 source of data breaches every year, but few CASBs offer phishing protection for cloud-based email. For a technology that is protecting your cloud environment, anti-phishing is a must. It has been proven over and over again that your email provider is not a viable solution to the phishing problem.
Account Takeover Protection: Your CASB should monitor every user event (not just logins) to identify anomalous behavior, permission violations, or configuration changes that indicate a compromised account.
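As an added example (not Avanan's code) of monitoring every event rather than only logins, the following runs three detection rules over a constructed SaaS audit trail: a country change between two logins inside an hour, a mailbox forwarding rule pointing outside the corporate domain, and a burst of file downloads. The event field names, thresholds and sample events are assumptions made for this example, not any provider's audit-log schema.

```python
"""Account-takeover detection over SaaS audit events, not just logins.

Added example, not Avanan's or any vendor's code. The events are constructed
for this example; their field names (ts, user, event, country, forward_to)
are an assumption, not any provider's audit-log schema. The three rules are
deliberately simple: a country change between logins inside one hour (a crude
impossible-travel check), a mailbox forwarding rule pointing outside the
corporate domain, and a burst of file downloads.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

CORP_DOMAIN = "example.com"                 # assumed corporate domain
TRAVEL_WINDOW = timedelta(hours=1)          # logins from two countries inside this window
DOWNLOAD_THRESHOLD = 20                     # this many downloads ...
DOWNLOAD_WINDOW = timedelta(minutes=15)     # ... inside this window


def detect_ato(events):
    """Return a list of findings, each {"user", "rule", "ts", "detail"}."""
    findings = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort chronologically
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        last_login = None
        downloads = deque()
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if e["event"] == "login":
                if (last_login and e["country"] != last_login["country"]
                        and t - datetime.fromisoformat(last_login["ts"]) < TRAVEL_WINDOW):
                    findings.append({"user": user, "rule": "impossible_travel", "ts": e["ts"],
                                     "detail": f"{last_login['country']} -> {e['country']} within {TRAVEL_WINDOW}"})
                last_login = e
            elif e["event"] == "mailbox_rule_created":
                target = e.get("forward_to", "")
                if target and target.rsplit("@", 1)[-1].lower() != CORP_DOMAIN:
                    findings.append({"user": user, "rule": "external_forwarding_rule", "ts": e["ts"],
                                     "detail": f"mail forwarded to {target}"})
            elif e["event"] == "file_download":
                downloads.append(t)
                while downloads and t - downloads[0] > DOWNLOAD_WINDOW:
                    downloads.popleft()
                if len(downloads) == DOWNLOAD_THRESHOLD:   # fire once as the threshold is crossed
                    findings.append({"user": user, "rule": "mass_download", "ts": e["ts"],
                                     "detail": f"{DOWNLOAD_THRESHOLD} downloads within {DOWNLOAD_WINDOW}"})
    return findings


def _ev(ts, user, event, **extra):
    return {"ts": ts, "user": user, "event": event, **extra}


# Constructed sample audit trail: alice behaves normally, bob shows a takeover pattern.
_T0 = datetime(2024, 3, 4, 9, 0, 0)
SAMPLE_EVENTS = [
    _ev("2024-03-04T08:55:00", "alice@example.com", "login", country="US"),
    _ev("2024-03-04T14:10:00", "alice@example.com", "login", country="US"),
    _ev("2024-03-04T09:00:00", "bob@example.com", "login", country="US"),
    _ev("2024-03-04T09:20:00", "bob@example.com", "login", country="RO"),
    _ev("2024-03-04T09:22:00", "bob@example.com", "mailbox_rule_created",
        forward_to="archive.bob.2024@mail.example.net"),
] + [
    _ev((_T0 + timedelta(minutes=30, seconds=20 * i)).isoformat(), "bob@example.com",
        "file_download", file=f"/Finance/Q1/report-{i}.xlsx")
    for i in range(25)
] + [
    _ev((_T0 + timedelta(hours=2, minutes=i)).isoformat(), "alice@example.com",
        "file_download", file=f"/Shared/notes-{i}.docx")
    for i in range(3)
]

if __name__ == "__main__":
    for f in detect_ato(SAMPLE_EVENTS):
        print(f["ts"], f["user"], f["rule"], f["detail"])
```

The forwarding-rule rule is the one a login-only monitor can never produce: an attacker who already has a valid session creates the rule from inside the mailbox, so the only evidence is the configuration-change event itself.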
URL Filtering: Your CASB should check every email, file and chat message for malicious links.
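An added example (not Avanan's code) of the link check described above: extract the URLs from a message body and flag the common phishing constructions, namely credentials-in-URL tricks, raw IP hosts, punycode hosts, a protected brand name inside an untrusted domain, and one-character lookalikes. The brand list, trusted domains and message text are constructed for the example, and the registrable-domain helper is a deliberate simplification.

```python
"""URL filtering for mail and chat: pull out links and flag the classic phishing tricks.

Added example, not Avanan's or any vendor's code. The brand list, trusted
domains and the message text are constructed for this example; the
"registrable domain" helper keeps only the last two labels, which is a
simplification (it mishandles suffixes such as co.uk). A production filter
would add reputation lookups, which this offline example does not do.
"""
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
PROTECTED_BRANDS = {"microsoft", "office", "google", "paypal"}                 # assumption
TRUSTED_DOMAINS = {"microsoft.com", "office.com", "google.com", "paypal.com"}  # assumption


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character lookalikes (micros0ft, paypa1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels only; a simplification that ignores public suffixes like co.uk."""
    return ".".join(host.split(".")[-2:])


def check_url(url: str) -> list:
    """Return reason codes for a suspicious URL; an empty list means nothing was flagged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.username is not None:
        reasons.append("userinfo")          # https://login.microsoft.com@attacker/...
    try:
        ipaddress.ip_address(host)
        reasons.append("ip_literal")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode")          # IDN host, the classic homoglyph vehicle
    domain = registrable_domain(host)
    if domain not in TRUSTED_DOMAINS:
        label = domain.split(".")[0]
        for brand in PROTECTED_BRANDS:
            if brand in host:
                reasons.append("brand_in_untrusted_host")   # microsoft.com.evil.example
            elif levenshtein(label, brand) == 1:
                reasons.append("lookalike_domain")          # micros0ft.com
    return list(dict.fromkeys(reasons))     # de-duplicate, keep order


def scan_message(text: str) -> dict:
    """Map every flagged URL in the message to its reason codes."""
    flagged = {}
    for url in URL_RE.findall(text):
        reasons = check_url(url)
        if reasons:
            flagged[url] = reasons
    return flagged


# Constructed sample message; none of the suspicious hosts are real sites.
SAMPLE_MESSAGE = (
    "Your mailbox is almost full. Verify at https://login.microsoft.com@198.51.100.7/verify "
    "or at https://micros0ft.com/reset within 24 hours. "
    "Alternate link: https://microsoft.com.account-verify.example/login "
    "Mirror: http://xn--micrsoft-d4a.com/login "
    "Help: https://learn.microsoft.com/en-us/ "
)

if __name__ == "__main__":
    for url, why in scan_message(SAMPLE_MESSAGE).items():
        print(url, why)
```

Note that the brand check is skipped entirely once the registrable domain is trusted, so legitimate subdomains such as learn.microsoft.com pass; the check that catches microsoft.com.account-verify.example is the one users fail most often, because the host starts with the name they expect.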
Real Time Malware Detection: Your CASB should scan every email and file for active code and malicious content before it reaches the inbox.
Advanced Threat Sandboxing: Your CASB should test suspicious files in an emulation environment to detect and stop zero-day threats.
Regulated organizations require auditing and reporting tools to demonstrate compliance, and a CASB should provide them. More advanced solutions offer policy controls and remediation workflows that enforce regulatory compliance in real time across regimes from GDPR and SOX to PCI DSS and HIPAA.
SIEM Integration: Your CASB should collect and correlate user, file and configuration events from each cloud application installed in your organization’s environment and make them visible through your organization’s existing reporting infrastructure.
Auditing: Your CASB should have access to historical event data for retrospective compliance auditing as well as real-time reporting.
Enforcement: Your CASB should be able to move and encrypt files, change permissions, filter messages or use any number of cloud-native tools to ensure compliance through automated policies.
Email Security from your CASB
As you may have noticed, across all the CASB criteria, email security is a major component. Can this really be that important? After all, so few CASBs include email security.
No matter the motivation, email continues to be the most common vector for enterprise breaches. Phishing and pretexting represented 98% of social incidents and 93% of breaches last year. Protection for the cloud must include protection for cloud-based email. Without cloud-based email security, a CASB is not truly providing full cloud security and is just acting as a simple Shadow IT tool.
What's Wrong with CASBs?
CASB vendors have been around for the past 5-7 years, VCs have invested over $500M into these companies and Gartner has been promoting them with very bullish growth predictions. But still, a recent report shows only 7% of companies have adopted CASBs as a security solution and all CASB vendors combined have sales somewhere between $50M to $100M a year, making it a very small market. So, what's wrong with all these CASBs?
A report sponsored by several CASB vendors and published last week gives us a hint (download, requires email). Spoiler: The report provides a good description of the different cloud security threats, but the inevitable conclusion is not stated: Most CASBs do not address the security threats described in the report. Here's why.
Most CASBs Don't Solve the Biggest Problem: SaaS Email
If only 7% of enterprises implemented a CASB solution then maybe the threat isn't there? But the report actually shows 81% of the 1,900 CISOs surveyed are concerned about cloud security.
The report shows only 24% have any plans to look into CASBs in the future. So, what is wrong? Where is everyone else?
The report gives us a hint. It tells us that the most commonly adopted corporate SaaS application is email, by a total of 44% of the organizations surveyed.
As we know from numerous other reports, email is indeed the top source of the attacks companies are experiencing. For example the recent Verizon Data Breach Investigations Report points to email as “the road most traveled to deliver malware into organizations” and finds that most data loss begins with a phishing email.
So most of these CASBs, the companies that claim to secure your SaaS, don't solve the biggest security threat on the most common SaaS application we use? Can we then trust them with the rest? This is probably why most customers that have deployed a CASB perceive it as a nice-to-have visibility tool and not a security prevention solution. In the end, most of their customers use them mainly to produce "Shadow IT" reports. No wonder they are not taking off.
Proxy-based DLP has critical blind-spots
The report describes a CASB as a proxy “placed between cloud service consumers and cloud service providers”, which is a good description for the sponsoring vendors although it excludes Avanan, because although we consider ourselves to be a CASB, we do not use a proxy. Proxies are a serious limitation when trying to address the biggest security concerns in public clouds.
Proxies also have limited visibility to your cloud:
- Proxies can only see data from employees from within the company but miss files that are shared by non-corporate collaborators like customers or partners.
- Proxies cannot understand the context of a shared file: is it dropped into a private folder or folder accessible by anyone, etc.
- Proxies cannot monitor desktop sync agents, or can monitor them only partially. A single malicious file or confidential document will be synced to every user's phone or desktop via the native app with the proxy none the wiser.
- Proxies cannot monitor API connections to third party SaaS. It is easy for a user to grant third-party access to files and contacts via connections that will never pass through the proxy.
The greatest irony is that if the proxy goes down, only outside collaborators will have access to your data.
Most CASBs are Hard to Install
The report describes CASB deployment as “not trivial”:
“CASBs require significant understanding of an organization’s use cases to be effective as well as trained cloud security personnel to implement them properly.”
So, CASBs don't solve the customer's biggest concern, what they claim to solve they don't solve well, and then they are hard to install?
In the SaaS era, proxying all traffic is an outrageous notion. When cloud services communicate via ready-to-use app-store extensions and OAuth tokens, sending all traffic through a single choke point is not acceptable to most customers and end users. Here is what the report tells us are the main drivers for considering cloud-based security solutions.
With time to deploy being key for 52%, proxy- and agent-based solutions are out. Companies expect security to be implemented transparently into the SaaS or IaaS, activated with a single on/off switch, with any end-user interaction native to the SaaS app. The growing richness of the APIs provided by SaaS vendors makes this possible, but the proxy-based CASBs invested in proxies back when API-based security was not yet possible and have too much sunk into that architecture to shift easily.
Once you take the proxy or agent away, these CASBs solve NONE of the concerns introduced by the report they funded:
- Email Threats
- Data Leakage Protection
- Misconfiguration of the Cloud Service
The Right Cloud Security Approach
Avanan has partnered with the leading security vendors to create a complete security stack, addressing every single one of the security concerns mentioned in the report, including email security/anti-phishing and data leakage prevention. We know no single vendor can solve it all, so that's why we partnered with all leading vendors and made it a single click of a button to implement any security solution on any SaaS.
Avanan uses cloud-native APIs to implement these security solutions without the use of a proxy. No proxy means implementation takes one click with no effect on end-users.
The report hinted at Avanan’s capabilities when it asked respondents whether they believe their legacy security solutions are capable of functioning fully in the cloud.
Avanan has cloudified the technology you trust to offer the best protection in the cloud. Customers can protect their data in the cloud with the same variety of tools they had within their data center, only now it's much easier: it only takes a click of a button.
Can a CASB Protect you from Phishing or Ransomware?
An Example: CASB Cannot Protect SaaS Email
One way to better understand the drawbacks of the CASB Gateway model is to look at the single greatest threat to your cloud: email. Over 90% of all breaches in the last 5 years started with an email, but no CASB vendor discusses their email malware and anti-phishing capabilities for Gmail or Office 365.
This is true of all CASB vendors, but we will look at a couple of documents from the top vendors: “Securing Office 365” and "Office 365 Safe Cloud Enablement". Each describes in detail the protection each company offers for Office 365:
- Identify users who are not using Office 365 (Shadow IT),
- Alert you to strange logins and anomalous behavior,
- Identify sensitive data and encrypt files or prevent sharing in OneDrive,
- Malware detection for files uploaded to or downloaded from OneDrive.
Neither mentions email. Neither mentions sharing sensitive information via email or the ability to encrypt attachments. A search for "phishing" or "ransomware" turns up empty.
Email is at the core of Office 365 and G Suite. Email is at the core of business and collaboration. Email is the single most likely target for attackers and the most common way for confidential information to leak out of your organization.
This example is not unique. Most every collaboration tool, from Skype to Slack to Teams can be a vector for data loss, malware and phishing.
The Future of CASB: Where to go from here?
Today, most companies manage the problem of "Shadow IT" using traditional application-aware firewall rules, making redundant the core feature of most CASB vendors.
The malware and data leakage features offered with CASB 2.0 are limited to file sharing apps and have not kept up with the collaboration tools that are the greatest threat to business.
The single greatest threat to the CASB industry, however, is the fact that no single company can be the best at all things.
Threats are changing every day. New attacks, using new vulnerabilities and more aggressive techniques are being developed at a rate such that no vendor can possibly keep up.
Because you just cannot deploy more than one CASB proxy, it becomes a challenge to adapt to new threats and impossible to add additional layers of security.