The Growing Importance of Cloud Access Security Brokers
Organizations risk fragmented, complex and noncompliant use of cloud-based resources. Many solution providers are emerging that offer cloud access security broker (CASB) capabilities, consolidating a variety of disparate approaches. We outline the capabilities you should look for when selecting a CASB.
- The increasing use of cloud-based applications reduces IT's visibility and control of enterprise data, especially when accessed from unmanaged devices.
- There is an emerging market for brokered security services to interject security controls between users and the cloud-based services they consume.
- Cloud access security broker (CASB) platforms are emerging that are capable of providing multiple types of security services, including identity services, from a single solution.
- Encryption services are an option, but have specific challenges if software as a service (SaaS)-level encryption is needed.
- Multiple vendors are converging on this opportunity from a number of adjacent markets.
- Consider "unified" CASBs capable of providing multiple security policy enforcement capabilities from a single platform to avoid separate siloed solutions.
- Ensure the usage logs and entitlements database of the CASB can be exported and integrated into the organization's current log management and security information and event management (SIEM) systems.
- When evaluating encryption capabilities of cloud security brokers, require certification such as Federal Information Processing Standard (FIPS) or proof of independent testing, especially when tokenization is used.
- Request specific road maps from the organization's secure Web gateway (SWG) provider for CASB capabilities, and consider leveraging its capabilities as an alternative to purchasing a separate CASB solution.
- Favor providers that offer flexible delivery alternatives — on-premises physical appliances, virtual appliances, software and cloud-based — and support hybrid scenarios where the organization can flexibly mix and match approaches.
For business leaders and information security professionals looking to securely enable the use of cloud-based services from managed and unmanaged devices, CASBs offer a solution without compromising the need to ensure compliance with enterprise security policies.
Gartner research has discussed the emerging market for cloud services brokerages (CSBs; see "Defining Cloud Services Brokerage: Taking Intermediation to the Next Level") — entities that add value to one or more cloud services on behalf of the consumers of that service. CSBs are emerging that are security-focused. As organizations consume more cloud-based services, security policies that govern this access are disparate or nonexistent (see Figure 1).
Figure 1. Source: Gartner (May 2012)
To reduce complexity, improve overall security policy enforcement and extend policy enforcement to unmanaged devices, CASB platforms are emerging. These are variants of a CSB designed to enforce multiple security policies such as encryption, data loss prevention (DLP), identity and entitlements administration, authentication (including single sign-on [SSO]), logging, and alerting as cloud services are consumed, providing consistent policy enforcement across multiple cloud providers (see Figure 2).
Figure 2. Source: Gartner (May 2012)
In "Hype Cycle for Cloud Security, 2011," we defined a cloud security gateway (in this research referred to as a "broker") as an on-premises or cloud-based security policy enforcement point placed between cloud service consumers and cloud service providers to interject enterprise security policies as public or private cloud-based resources are accessed. This capability can be delivered as a service from the cloud, on-premises or both.
Different elements of CASB platforms are at different levels of maturity, some of which have applicable standards and others that do not:
- The Internet Content Adaptation Protocol (ICAP) standard [1] supports the offloading of anti-malware scanning.
- For auditing and logging, events should be exportable in Syslog [2].
- Microsoft's Kerberos should be supported for local authentication.
- For federation, standards such as OpenID, Security Assertion Markup Language (SAML) and WS-Federation should be supported.
- For provisioning of cloud identities, Simple Cloud Identity Management (SCIM) [3] is immature.
- For encryption services, standard algorithms such as Advanced Encryption Standard (AES) should be supported and tested for compliance against standards such as FIPS.
As organizations embrace cloud computing, and as the number of mobile and unmanaged devices continues to increase, traditional network and endpoint-based security controls are difficult to use. CASBs enable organizations to enforce consistent security policies when accessing cloud-based services in a way that is transparent to end users using physical appliances, virtual appliances or cloud-based services (see Figure 3).
Figure 3. Source: Gartner (May 2012)
Security and compliance are two of the highest-rated concerns regarding the adoption of cloud computing [4]. CASBs offer a way for enterprises to adopt cloud-based services and the use of the services from managed and unmanaged devices without compromising the need to ensure compliance with enterprise security policies. Because this is an emerging technology, current adoption rates are low. We expect CASB platforms to be adopted by 25% of enterprises by 2016. To ease adoption, cloud-based CASB solutions are capable of delivering policy enforcement without requiring the deployment of an appliance or software, and without requiring traffic from mobile users to be routed back to an enterprise data center for enforcement of security policies.
- Enables organizations to get visibility, control and compliance of their users' consumption of cloud-based services
- Enables organizations to apply a consistent set of policies across multiple disparate cloud providers
- Can be used to enforce and demonstrate policy compliance on internal and public cloud-based services
- Is able to enforce policies on unmanaged devices (e.g., bring your own device [BYOD]), regardless of location
- Reduces complexity by consolidating disparate security policy services into a single platform
- Overlapping capabilities of SWGs, identity as a service (IDaaS) providers, identity bridges and CASBs confuse potential customers, slowing adoption.
- There are few standards for the application and exchange of security policy information (see Note 1).
- Solutions that require a forward proxy component require an agent, VPN or configuration changes at the endpoint to force traffic for inspection, complicating deployment scenarios on unmanaged devices. Solutions relying solely on reverse proxy inspection may not work correctly on all cloud-based sites — for example, if client-side logic rewrites URLs.
- Solutions that use a network-based proxy of any type for policy enforcement are more limited in their abilities to enforce policy on local, native mobile applications.
There are multiple categories of security capabilities that a CASB platform could provide, with these eight broad categories (see Figure 4) being the most common:
- Device profiling and policy conformance
- Identity services
- Audit and logging services
- API and protocol enforcement
- Encryption services
- DLP services
- Malware protection
- End-user portal services
Figure 4. Source: Gartner (May 2012)
These security services should be context-aware (see "The Future of Information Security Is Context Aware and Adaptive"), capable of supporting context-aware security policy enforcement based on runtime context at the time the cloud-based service is accessed. The importance of each of the eight categories is detailed next:
- Device Profiling and Policy Conformance — A critical capability of a CASB is the ability to understand the profile of the device that is requesting access. Based on policy conformance, access can be complete, partial or blocked. In addition, the CASB should be able to assess mobile device policy attributes, such as if the device is password protected, encrypted or jailbroken. It is not necessary that the CASB become a full mobile device management (MDM) provider, but it should be able to ascertain the device's profile and capabilities before enabling access and may be capable of basic device attribute provisioning such as certificates.
- Identity Services — There are several core identity services that a CASB should provide. At a minimum, the CASB should support the administration of identities and entitlements of users directly or via integration with an enterprise directory store. Coarse allow/deny authorization decisions should be supported — for example, blocking access to salesforce.com from unmanaged devices. As an option, more-granular authorization services are possible. CASBs should also provide support for alternative authentication options (including application or device certificates), regardless of the capabilities of each individual cloud service to accept a particular authentication method.
  In addition, the CASB should have the ability to map or transform a user's identity into whatever form the cloud service provider needs using security token translation services or via password vaulting, delivering the convenience of SSO for the user and improving corporate control over service access. User provisioning to provision/deprovision user identities into cloud-based services is also a possibility, but is less common. This requires support of the cloud service provider's APIs for the provisioning and deprovisioning of users, or the support of a provisioning standard, such as SCIM [3].
- Auditing and Logging Services — The architecture of the CASB enables it to see all interactions between users and the service. These interactions can be logged and used for audit and compliance purposes. Successful and unsuccessful access attempts can be logged, as well as what cloud services were accessed and when. The enterprise should be able to control what is audited, and export the logs for use in enterprise log management, compliance and SIEM systems.
- Encryption Services — By supporting encryption capabilities and key management, CASBs offer a way to secure sensitive enterprise data stored in the cloud so that it is protected from viewing by other tenants of the SaaS infrastructure and from SaaS administrators. However, CASB-based encryption is a complex issue, and there are multiple ways this might be
  - In its simplest form, the CASB can look for file attachments within the cloud conversation stream. The file can be intercepted, encrypted and then sent to the cloud provider as an encrypted attachment, but may break a cloud search (see Note 3).
  - Alternatively, CASBs may provide a cloud encryption gateway (typically a proxy at the application level), which performs encryption or tokenization on an item-by-item basis as data flows through the proxy. The encrypted or tokenized data can then be stored in a cloud-based SaaS application, such as salesforce.com [5]. Cloud encryption gateways typically provide a choice of various encryption and tokenization (see Note 4) algorithms, depending on the strength of protection required and how much format preservation is necessary. However, this approach is SaaS-specific, so adapters will be needed for each SaaS application to be protected [6].
  - In either of these approaches, it is imperative for the CASB to offer multiple options for the storage and management of the encryption keys. These include on-premises-based options, where the enterprise maintains direct control of the keys, and support for hardware-based key management solutions.
- DLP — Depending on the configuration, a CASB should be able to see traffic before it is encrypted, or decrypt SSL traffic streams to identify potentially sensitive content within the session. These services will be able to monitor for predefined sensitive data within the traffic stream and log an alert or block transactions that violate a predefined policy. For example, downloading sensitive client contact information to a kiosk-type PC may be prohibited; however, the same action on a corporate-managed PC would be acceptable. This capability can also be used to ensure that sensitive information is not stored in cloud applications. We don't expect full DLP capabilities initially, but CASBs should be capable of simple keyword, regular expression and file type detection, which Gartner classifies as "channel DLP" (see "Guidelines for Selecting Content-Aware DLP Deployment Options: Enterprise, Channel or Lite"). Longer term, advanced offerings should be able to integrate with enterprise DLP offerings to consume policies and definitions.
- Malware Protection — As an increasing number of cloud-based applications are accessed by nonenterprise devices from nonenterprise networks, the ability of the enterprise to defend against malware attacks diminishes and a compromised machine could reveal authentication attributes or residual information. Some CASBs will offer the ability to assess and monitor if a machine appears to be infected. A secondary consideration is to inspect file-based uploads and downloads for malware to avoid the spread of malicious content.
- End-User Portal Services — Portal services expose access to cloud-based services to end users so that they can quickly see which cloud-based services they have access to at that time based on their current context (for example, the device they are coming from, location, time of day, and so on). Typically provided via a Web browser or local application, users will see a collection of cloud service icons that they could click to access the cloud application and be provided a seamless sign-on experience. A useful extension to this capability is to show users what applications are available that they have not yet been provided access to and provide a workflow solution for the end-user to request access.
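The following is an added example, not code from the Gartner note or from any vendor it names. It chains four of the categories just described into one toy policy enforcement point: device profiling and policy conformance, coarse allow/deny authorization against an entitlements table, channel-style DLP (keyword, regular expression and file type checks), and an audit record written as an RFC 5424 Syslog line of the kind footnote 2 calls for. The service names, entitlements, DLP rules, host name and sample requests are all constructed; the SD-ID uses 32473, the enterprise number reserved for documentation examples.

```python
"""Toy CASB policy enforcement point (added example; not from the Gartner
note or any vendor). Users, services, devices and requests are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Device:
    managed: bool              # enrolled in enterprise device management
    password_protected: bool
    encrypted: bool
    jailbroken: bool


def device_conformance(dev: Device) -> str:
    """Map a device profile to an access level: 'full', 'partial' or 'blocked'."""
    if dev.jailbroken:
        return "blocked"
    if dev.managed and dev.password_protected and dev.encrypted:
        return "full"
    return "partial"           # e.g. an unmanaged BYOD phone that has a passcode


# Hypothetical per-service policy: minimum device level allowed to connect.
SERVICE_POLICY = {"crm.example": "full", "mail.example": "partial"}
LEVEL_RANK = {"blocked": 0, "partial": 1, "full": 2}


def authorize(user: str, service: str, level: str,
              entitlements: Dict[str, Set[str]]) -> bool:
    """Coarse allow/deny: the user must be entitled to the service and the device
    level must meet the service minimum (unknown services default to strict)."""
    if service not in entitlements.get(user, set()):
        return False
    return LEVEL_RANK[level] >= LEVEL_RANK[SERVICE_POLICY.get(service, "full")]


# Channel DLP definitions (constructed): keywords, patterns and file types.
KEYWORDS = ("confidential", "internal only")
PATTERNS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
BLOCKED_FILE_TYPES = (".exe", ".dll")


def dlp_scan(payload: str, filename: Optional[str] = None) -> List[str]:
    """Return DLP findings for a request body and an optional upload file name."""
    findings = [f"keyword:{k}" for k in KEYWORDS if k in payload.lower()]
    findings += [f"pattern:{n}" for n, p in PATTERNS.items() if p.search(payload)]
    if filename and filename.lower().endswith(BLOCKED_FILE_TYPES):
        findings.append("filetype:" + filename.rsplit(".", 1)[-1].lower())
    return findings


def syslog_event(decision: str, user: str, service: str, findings: List[str],
                 ts: Optional[datetime] = None) -> str:
    """One audit record as an RFC 5424 line:
    <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [STRUCTURED-DATA] MSG.
    PRI = facility*8 + severity: facility 1 (user-level), severity 6 (info) for
    allows and 4 (warning) otherwise. 32473 is the documentation enterprise number."""
    ts = ts or datetime.now(timezone.utc)
    stamp = ts.isoformat(timespec="seconds").replace("+00:00", "Z")
    pri = 14 if decision == "allow" else 12
    sd = (f'[casb@32473 user="{user}" service="{service}" decision="{decision}" '
          f'findings="{",".join(findings) or "-"}"]')
    return f"<{pri}>1 {stamp} casb-pep casb - - {sd} {decision}"


def enforce(user: str, device: Device, service: str, payload: str,
            entitlements: Dict[str, Set[str]], filename: Optional[str] = None,
            ts: Optional[datetime] = None) -> Tuple[str, str]:
    """Run one request through the enforcement point; return (decision, audit line)."""
    level = device_conformance(device)
    findings: List[str] = []
    if level == "blocked" or not authorize(user, service, level, entitlements):
        decision = "deny"
    else:
        findings = dlp_scan(payload, filename)
        # Sensitive content may move only on fully conformant (managed) devices;
        # the same action from a kiosk-type or BYOD device is blocked.
        decision = "block" if findings and level != "full" else "allow"
    return decision, syslog_event(decision, user, service, findings, ts)


if __name__ == "__main__":
    ents = {"alice": {"crm.example", "mail.example"}}
    laptop = Device(True, True, True, False)
    byod = Device(False, True, False, False)
    print(enforce("alice", laptop, "crm.example", "Q3 pipeline review", ents)[1])
    print(enforce("alice", byod, "mail.example", "CONFIDENTIAL: SSN 123-45-6789", ents)[1])
```

The same request body is allowed from the managed laptop and blocked from the BYOD device, which is the kiosk-versus-corporate-PC distinction the DLP item makes; every decision, including denials, produces a Syslog line that a SIEM can ingest without the CASB's own console.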
Rather than require the purchase of yet another security gateway device for CASB services managed with disparate policies, organizations should query their SWGs, identity bridge and IDaaS providers to see whether they offer the needed capabilities. As an alternative to on-premises appliances, cloud-based CASB solutions are capable of delivering the same type of policy enforcement without requiring all traffic to be routed through an on-premises appliance. By consolidating CASB security policy enforcement, enterprises are able to provide consistent compliance and reporting across a variety of cloud services.
CASBs should offer the ability for security policy enforcement to be delivered in a variety of ways. The CASB solution should be available as an on-premises software, physical or virtual appliance and offered as a cloud-based service. Ideally, an enterprise would be able to use multiple approaches simultaneously for its users with a consistent policy shared and enforced across on-premises and cloud-based enforcement options. For example, on-premises solutions could be used for users while in the office, but cloud-based enforcement would be used when users are mobile and not connected to the enterprise network or access the cloud-based services from nonenterprise devices.
As organizations increase their use of cloud-based services, security risks are being overlooked or fragmented with siloed and disparate security policies. CASBs will help organizations provide consistent, audited, compliant security policy enforcement as cloud-based services and enterprise information assets are accessed from managed and unmanaged devices.
Multiple types of providers offer solutions that will target the need for CASB services, including cloud desktop portal providers, IDaaS providers, on-premises identity bridge providers, cloud encryption gateways and SWG vendors (see Figure 5), reflecting the core capabilities needed in a CASB platform.
Figure 5. Source: Gartner (May 2012)
Example CASB platform providers:
- Symantec O3
- Intel Cloud SSO
Example SWG provider (see "Magic Quadrant for Secure Web Gateways" for additional providers):
- Cisco IronPort SWG with cloud SSO
Example SOA cloud API protection provider:
Examples of IDaaS-focused providers:
- Ping Identity
- Symplified (used within Symantec O3 platform via an OEM relationship)
Examples of identity bridge providers and solutions:
- Centrify Cloud Proxy Server
- F5 Big-IP Access Policy Manager
- Identropy Scuid Identity Connector for the Enterprise (ICE)
- Radiant Logic RadiantOne VDS+CFS
- Symplified Identity Router
- UnboundID Synchronization Server
- WSO2 Identity Server
Examples of SaaS encryption providers:
- Navajo Systems (acquired by salesforce.com)
Examples of workspace portal services providers:
- Citrix Cloud Gateway
- VMware Horizon
By 2016, 25% of enterprises will secure access to cloud-based services using a CASB platform, up from less than 1% in 2012, reducing the cost of securing access by 30%.
[2] The Syslog standard format is defined in RFC 5424.
[3] Service Provisioning Markup Language has achieved no traction in cloud services. An alternative is emerging, the Simple Cloud Identity Management; however, it is immature and not yet widely adopted.
[4] Gartner's surveys and polls consistently show that security, privacy and compliance are the greatest concerns of organizations considering cloud computing solutions. These include infrastructure as a service (IaaS) solutions, whether the organization is implementing IaaS within its own data center, outsourcing private IaaS or using public IaaS. (See "Survey Analysis: Global Adoption of Cloud Computing, a View From Above" for more details, which shows the percentage of respondents who ranked each concern among their top three.)
[5] Most current solutions address salesforce.com, but have not yet expanded to other SaaS solutions. CipherCloud (see "Cool Vendors in Cloud Security Services, 2011"), Concealium and PerspecSys ("Cool Vendors in Cloud Security Services, 2010") are examples of solutions that provide SaaS-level encryption capabilities.
[6] An example of this capability is Intel's recently announced Cloud SSO offering using capabilities it acquired from Nordic Edge. We expect this capability to be added into McAfee's SWG offering by 1H13, for a more complete CASB platform.
Note 1. For example, DLP or to signal when a file is being uploaded/downloaded so it can be inspected.
Note 2. For example, looking for and blocking attacks within XML, XML malformation and poisoning, and providing protection from application-level denial-of-service attacks. This capability is a strength of service-oriented architecture (SOA) application gateway vendors, such as Layer7's Cloud Gateway, that have adapted their SOA governance technology to provide protection to cloud-based XML APIs.
Note 3. Note that this will break any searching and indexing capabilities the cloud provider may offer on the attached files, since the contents of the file are now obscured from the cloud provider. An example of file attachment encryption will be used within a future version of Symantec's O3 solution.
Note 4. Since there is not yet a certification for tokenization approaches, independent verification of this capability should be considered mandatory if the vendor offers tokenization as an option.
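To make the cloud encryption gateway item and the tokenization caveat in Note 4 concrete, here is an added example of vault-based, format-preserving tokenization. It is not code from the Gartner note or from any vendor it names. The gateway sits between the enterprise and a SaaS application: on the way out it swaps sensitive field values for random tokens of the same shape, so the SaaS tenant store and its administrators only ever hold tokens; on the way back it restores the originals from a vault that stays under enterprise control. The field names, records and in-memory vault are constructed; a production vault and its keys would live on-premises, possibly in hardware-backed storage, as the key management bullet requires.

```python
"""Vault-based, format-preserving tokenization gateway (added example; not
from the Gartner note or any vendor). Records and field names are constructed;
the dict vault stands in for an on-premises, possibly HSM-backed, store."""
import secrets
import string
from typing import Dict, List, Optional


class TokenVault:
    """Maps sensitive values to random format-preserving tokens and back."""

    def __init__(self, deterministic: bool = True):
        # deterministic: the same value always yields the same token, which keeps
        # exact-match SaaS search working at the cost of revealing equality.
        self.deterministic = deterministic
        self._to_token: Dict[str, str] = {}
        self._to_value: Dict[str, str] = {}

    @staticmethod
    def _random_like(value: str) -> str:
        """Random string with the same length and per-character class as value."""
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isalpha():
                pool = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
                out.append(secrets.choice(pool))
            else:
                out.append(ch)      # separators such as '-' or '@' stay in place
        return "".join(out)

    def tokenize(self, value: str) -> str:
        if not any(c.isalnum() for c in value):
            raise ValueError("value has no characters to tokenize")
        if self.deterministic and value in self._to_token:
            return self._to_token[value]
        token = self._random_like(value)
        while token in self._to_value or token == value:   # unique, never the plaintext
            token = self._random_like(value)
        self._to_value[token] = value
        if self.deterministic:
            self._to_token[value] = token
        return token

    def lookup(self, value: str) -> Optional[str]:
        """Token already issued for value, or None (never mints a new one)."""
        return self._to_token.get(value)

    def detokenize(self, token: str) -> str:
        return self._to_value[token]


SENSITIVE_FIELDS = ("ssn", "phone")      # constructed: fields the policy protects


def outbound(record: Dict[str, str], vault: TokenVault) -> Dict[str, str]:
    """Enterprise -> SaaS: sensitive fields leave as tokens."""
    return {k: vault.tokenize(v) if k in SENSITIVE_FIELDS else v for k, v in record.items()}


def inbound(record: Dict[str, str], vault: TokenVault) -> Dict[str, str]:
    """SaaS -> enterprise: tokens are restored to the original values."""
    return {k: vault.detokenize(v) if k in SENSITIVE_FIELDS else v for k, v in record.items()}


def exact_search(store: List[Dict[str, str]], field: str, query: str,
                 vault: TokenVault) -> List[Dict[str, str]]:
    """Gateway rewrites an exact-match query into token space before the SaaS
    evaluates it. Substring or range queries on a tokenized field cannot be
    rewritten this way, the same kind of search loss Note 3 describes for
    encrypted attachments."""
    token = vault.lookup(query)
    return [inbound(r, vault) for r in store if token is not None and r[field] == token]


def same_format(value: str, token: str) -> bool:
    """True when token keeps value's length, character classes and separators."""
    return len(value) == len(token) and all(
        a.isdigit() == b.isdigit() and a.isalpha() == b.isalpha() and (a.isalnum() or a == b)
        for a, b in zip(value, token))


if __name__ == "__main__":
    vault = TokenVault()
    record = {"name": "Ann Example", "ssn": "123-45-6789", "phone": "555-0100"}
    stored = outbound(record, vault)            # what the SaaS tenant actually holds
    print("SaaS sees:", stored)
    print("restored :", inbound(stored, vault))
    print("search   :", exact_search([stored], "ssn", "123-45-6789", vault))
```

Because the tokens are drawn from a random source rather than computed from the value, nothing in the SaaS store lets a tenant neighbour or administrator recover the original without the vault; that is also why Note 4's demand for independent verification matters, since a vendor's tokenization has no certification to fall back on and a weak token generator would silently defeat the scheme.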