CASB from the Horse’s Mouth
CASB as a market was born of Neil MacDonald’s Gartner research notes. It’s grown to comprise 20-30 very different types of vendors. According to MacDonald, the CASB crew is already pulling down an estimated $180 million in annual revenue. Some vendors are even proclaiming that “2016 will be the Year of the CASB” (watch out below on the hype cycle). I examined the CASB phenomena last week; please check that post out if CASB is new to you. This week I’m returning with perspectives from a CASB early adopter panel at RSA Conference chaired by MacDonald himself.
If CASB’s the Answer, What’s the Question?
I’m glad Neil asked this! Here’s paraphrasing or summarizing how the panelists responded.
Jerry Archer, CISO: The primary need was compliance. To use SaaS, Sallie Mae needed a “safe harbor” from the FFIEC. It achieved this by encrypting sensitive information via CASB before storing it in Salesforce.
Gerard Brady, Global CISO: Visibility and compliance were Morgan Stanley’s drivers. As a security department in a financial services company, Brady’s organization can actually say “No.” It uses a CASB to block unsanctioned cloud usage and to apply data loss prevention (DLP) blocking as well. Users that don’t like this have to get an exception from the security department.
Alissa Johnson, CISO: Visibility was the driver for Stryker. Johnson’s CASB quickly found over 2,000 cloud services in use throughout the business. These discoveries “changed the conversation to one about appropriate use,” making it easier for Johnson to justify additional controls. As a medical devices company, Stryker is taking a nuanced approach to control. Some unsanctioned services with low reputations and usage may be blocked, but the general approach is to rationalize which services are used and discourage unsanctioned ones over time rather than blocking.
Richard Puckett, Senior Director, Security Operations and Cyber Intelligence: General Electric (GE) has many types of businesses under its roof, but also found visibility to be a great entry point for CASB. Puckett has taken a varied approach, working with cloud platform providers such as Box as well as with CASBs.
CASB and Data Protection Strategies
The panelist’s initial answers touched on CASBs protecting data through encryption or tokenization. On encryption, panelists discussed two challenges: key management and preserving functionality.
- Key management: One of the attractions of CASBs with cloud encryption gateway (CEGs) is the possibility for the customers to categorically advise regulators that plaintext personally-identifiable information (PII) is not stored in the cloud. Otherwise, if the cloud service provider (CSP) performs the encryption, the story gets murky. With Salesforce Platform Encryption, for example, the customer controls a tenant key encrypting key but Salesforce controls the actual data encrypting keys (through which it only has access to data pulled into memory by customer usage). Indexed field values in Salesforce are also stored in the clear.
- Preserving Functionality: However, platform-based encryption solutions tend to have the advantage of preserving all searching and sorting functionality as the core repository or database has access to the plaintext. By contrast, CASB’s have to jump through hoops to preserve functionality – Ciphercloud has dozens of format-preserving and partial encryption algorithms whereas Perspecsys (now part of Bluecoat) and Bitglass maintains local indexes and API gateways. Both approaches have advantages and disadvantages.
DLP Stops Stupid but it Doesn’t Stop Real Hackers
The panelist’s companies that used CASBs to block out-of-policy traffic highlighted the importance of DLP functionality. Some CASBs can either handle detecting and reacting to CSB-bound sensitive data and/or utilize ICAP to pass suspect traffic to enterprise DLP solutions.
I don’t remember the panelists’ talking about user behavior analysis (UBA) functionality. Through UBA, many CASBs monitor privileged user activity for anomalies (such as a salesman downloading all the customer phone numbers). However, UBA is another area where most CASBs can be quite useful.
Thoughts on the CASB Market
As I wrote last week, it’s questionable whether one CASB product could provide a comprehensive security policy enforcement point for all cloud computing use cases. Initially, CASBs have targeted SaaS usage. On the panel, however, Archer indicated that “cloud formations” are becoming increasingly complex. CASB vendors are going to have work more directly with the SaaS providers and hybrid, multi-cloud use cases to continue striking that delicate balance between providing control and preserving functionality.
Archer concludes: “You’re all going to end up in the public cloud, the clouds are going to multiply and you won’t have the luxury of putting in a single middleman.”