Cloud relief: Achieving SaaS security

Enterprise cloud apps are fast becoming the future of business computing, but many organisations still have concerns around security. Although keen to make the move, these organisations won’t commit to the cloud unless they know their sensitive customer, employee and business data remains visible and under the IT team’s control. 

Google, Microsoft and other major cloud vendors have invested heavily in securing their infrastructure and protecting their applications from cyber attack. Any kind of breach, malware or DDoS attack on these services would be sure to land them on the front pages and is therefore to be avoided at all costs. However, control over the data itself lies squarely with the customer. Theft of user credentials, regulatory compliance failure, and data leakage due to improper controls all rest on the shoulders of the IT department, not on the cloud app vendor. It is therefore extremely important that organisations put in place a means to protect corporate data from these sorts of risks.

Finding the right solution to secure cloud apps is not easy. IT teams want advanced data security and threat protection capabilities, visibility into apps, devices and data flows and a solution that can help them meet compliance requirements. Cloud Access Security Brokers (CASBs) have emerged in recent years as a data-centric solution for securing Software as a Service (SaaS) apps end-to-end, from cloud to device. By intermediating or “proxying” traffic between cloud apps and end-user devices, CASBs offer IT administrators granular access control and deep visibility over corporate data – critical functionality for organisations moving from internal, premises-based apps to the cloud.

Finding harmony between IT and employees

When BYOD was less prevalent, employees naturally accepted a poor user experience as a necessary evil. Today, however, employees are quick to refuse IT solutions that reduce productivity or intrude on their privacy. Enterprises must find more user-friendly solutions that enable a more productive, mobile workforce.

Finding a CASB that can meet these key requirements will help to prevent employees from “going rogue” and working around IT. In this respect, usability is a key consideration. Consumer apps have set a high bar for users, and employees now expect that same standard of usability in the workplace. Employees also have not only an expectation, but a right to personal privacy. Gone are the days when it was acceptable for IT to capture personal traffic in the security dragnet. Finally, employees want IT teams to help, not hinder, with mobility. They want to have the latest devices and access corporate data without restrictions – regardless of whether the device belongs to their company.

The makings of a comprehensive CASB

While enabling mobility is often a boon to productivity, cloud apps also make data access much easier, which can pose a threat to security. A complete CASB must close the gap by protecting data-at-rest and data-in-motion across all devices. Cloud, mobile, discovery, and identity are the core components of a CASB which, when put together, provide total data protection.

Data in SaaS apps 

CASBs protect corporate data both in the cloud and on any device in real time. API integration into cloud apps is used to scan and protect data-at-rest, and proxies are used for inline, real-time protection of data being accessed via both managed and unmanaged devices. Using built-in APIs, CASBs are able to scan and identify sensitive content stored in apps like Office 365 and Google Apps, and apply granular access controls to data. With traditional solutions, access control capabilities are limited and IT is forced to simply allow or block access. With a CASB, IT administrators have more flexibility in extending access with awareness of context and content.

User-behaviour analytics is a valuable tool for tracking and identifying suspicious or risky user activity. By tracking user activities, CASBs can generate a baseline behavioural profile and alert on deviations so that IT can take immediate action. Visibility can also help IT build security policies that minimise the risk of data loss without impeding employee workflows.

Data on mobile devices

Data must be protected at rest in the cloud, at rest on mobile devices, and in transit – making cloud and mobile inseparable components of a complete security solution. The CASB data-centric approach to security ensures that corporate information stays protected on any device, anywhere.

If an organisation focuses entirely on securing devices instead of securing data, it creates a significant risk of data leakage. An employee can, for example, download a file with sensitive customer information to a managed device, move that file over to an unmanaged device, and perhaps upload that file to an unsanctioned cloud application. If the devices were secured without other data-centric protections, IT would lose visibility and control over that file. With a CASB, a content-aware DLP engine can encrypt, DRM, and watermark data in real time, ensuring that sensitive information stays protected whether it is on a managed or an unmanaged device.

Another risk faced by organisations when it comes to enabling secure mobile and BYOD is the threat of lost and stolen devices. CASBs are capable of enforcing a wide array of device security policies on any device, functionality that has historically only been possible on managed devices. CASBs can require use of a PIN or passcode for added security and can even selectively wipe sensitive data from any mobile device. 

Shadow IT discovery

Data leaving the corporate network and heading to high-risk destinations is a major concern for enterprises. High-risk destinations take many forms – malware command and control sites, anonymisers like Tor, “shadow IT” cloud applications, and more. Each of these destinations represents a risk of sensitive data exfiltration and must be identified in a timely fashion. CASBs offer discovery services that analyse proxy or firewall logs to identify risky traffic between the network and high-risk destinations. Destinations associated with known malicious activity can be identified in order to remediate high-risk endpoints and users.
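To make the discovery step concrete, here is an added example (not from the article or any vendor) that runs over a handful of constructed proxy log lines, categorises each destination as sanctioned, anonymiser, known-malicious or unsanctioned cloud app, and totals the bytes each user sent to every non-sanctioned destination. The log format, the domain lists and the `.example`/`.invalid` hostnames are all constructed for the example; a real service would draw its categories from curated feeds.

```python
"""Added example: shadow IT and high-risk destination discovery from proxy logs."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines: time user src_ip method url bytes_sent
PROXY_LOG = """\
2024-05-01T09:01:02Z alice 10.0.0.5 POST https://outlook.office365.com/api/upload 20480
2024-05-01T09:03:40Z alice 10.0.0.5 PUT https://files.share-app.example/u/x 5242880
2024-05-01T09:05:11Z bob 10.0.0.9 GET https://drive.google.com/file/d/abc 1024
2024-05-01T09:07:55Z bob 10.0.0.9 CONNECT relay.tor-exit.example:9001 0
2024-05-01T09:09:30Z carol 10.0.0.12 POST http://c2.placeholder.invalid/beacon 512
"""

# Constructed categorisation lists (placeholders, not real indicators).
SANCTIONED = {"office365.com", "google.com"}          # matched by domain suffix
DESTINATION_RISK = {                                  # matched exactly
    "relay.tor-exit.example": "anonymiser",
    "c2.placeholder.invalid": "malware_c2",
}

def _under(host, domains):
    """True if host equals or is a subdomain of any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)

def parse_line(line):
    ts, user, src, method, url, sent = line.split()
    # CONNECT lines carry only host:port, so give urlsplit a scheme-less netloc.
    host = urlsplit(url if "://" in url else "//" + url).hostname
    return {"ts": ts, "user": user, "src": src, "method": method,
            "host": host, "bytes_sent": int(sent)}

def classify(host):
    if _under(host, SANCTIONED):
        return "sanctioned"
    # Anything not sanctioned and not on a risk list is treated as an
    # unsanctioned (shadow IT) cloud destination for follow-up review.
    return DESTINATION_RISK.get(host, "shadow_it")

def discover(log_text):
    """Return (user, host, category, bytes_sent) for every non-sanctioned
    destination, largest upload volume first."""
    totals = defaultdict(int)
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        cat = classify(rec["host"])
        if cat != "sanctioned":
            totals[(rec["user"], rec["host"], cat)] += rec["bytes_sent"]
    return sorted((u, h, c, b) for (u, h, c), b in totals.items()
                  if True) if False else \
           sorted(((u, h, c, b) for (u, h, c), b in totals.items()),
                  key=lambda r: -r[3])
```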

Secure authentication for SaaS apps

In many organisations, individual accounts are created within each cloud app, without a centralised identity system – a practice that can make provisioning new accounts and securely authenticating users more difficult. A complete CASB features an integrated identity management solution or works with an existing identity management infrastructure to enable secure authentication across all cloud apps. Secure authentication, often necessary to achieve regulatory compliance, can drastically reduce the attack surface that hackers can use to access corporate data.

Ultimately, with cloud and BYOD becoming a workplace expectation, IT must be able to secure corporate data no matter where it resides. Focusing on securing data that resides in the network is no longer enough, and the traditional technologies used to do this will inevitably make way for a new generation of data security solutions.

Eduard Meelhuysen, Head of EMEA at Bitglass