Cloud Access Security Brokers (CASBs)
ISACA Los Angeles September Dinner Meeting, September 13, 2016
Jeff Margolies, Principal, Cyber Risk Services, Deloitte & Touche [email protected]
Cloud Access Security Brokers (CASBs) #YearOfTheCASBs. Copyright © 2016 Deloitte Development LLC. All rights reserved.
Cloud cyber risk point of view
Adoption of cloud technologies is here: delivery models
• Infrastructure as a Service (IaaS): on-demand and scalable compute, storage and networking hosted by a provider
• Platform as a Service (PaaS): the collection of tools needed for application development, hosted by a provider
• Software as a Service (SaaS): applications hosted by a provider and consumed by customers over the internet
Adoption of cloud technologies is here: deployment models
• Public cloud: the cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services
• Private cloud: the cloud infrastructure is operated solely for a single organization. It may be managed by the organization itself or by a third party and may be located on-premises or off-premises
• Community cloud: the cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns
• Hybrid cloud: the cloud infrastructure is a combination of two or more clouds (private, community or public)
There are a variety of cyber risks associated with moving to the cloud, yet there are also opportunities
• Consumer/Shadow IT: business units and consumers use cloud services with or without cyber controls
• Third-party risk: enterprises are dependent on cloud providers' controls
• Concentrated risk: cloud providers are a bigger target because "that's where the data is"
• Modern attack surface: the walled enterprise is replaced by a hybrid, more complicated technology environment
• Controls gap: traditional cyber risk controls need to extend to the cloud at a time when many enterprises are barely keeping up with existing threats
There are business opportunities
At the same time, the cloud represents an opportunity for cyber risk:
• Cloud providers are in the "business of IT", with better hygiene
• Cloud providers are better equipped for the fight
• Moving to the cloud frees up enterprises to focus on more advanced cyber risk capabilities
Deloitte Advisory's Secure.Vigilant.Resilient.TM approach helps organizations align investments in a comprehensive, balanced, and agile program tailored to their unique business strategy and cyber risk profile
Perfect security is not feasible. The objective isn't to secure the cloud, but to manage cyber risk as you move to the cloud
Cloud cyber risk:
• Governance: cross-functional coordination and management to address the security program requirements of the enterprise
• Secure: enabling business innovation by protecting critical assets against known and emerging threats across the entire enterprise
• Vigilant: gaining detective visibility and preemptive threat insight to detect both known and unknown adversarial activity
• Resilient: strengthening your ability to recover when incidents occur
While cloud providers’ security is often a focus, managing cyber risk is a shared responsibility between the enterprise and the cloud provider
While the initial focus is often compliance, many organizations are looking at aligning controls to the actual risk in the cloud. Maturity grows with time since cloud adoption through three stages:
• Compliant: achieve required compliance through the protection of regulated data
• Risk-aligned: integrate cloud technologies into the enterprise security architecture
• Adaptive: adapt controls to the evolving threats by discerning the context, relevance and required response
The software industry is evolving to address cyber risks in the cloud
CASB emerging capabilities:
• Identity as a Service (IDaaS) is the first and most mature capability in the cloud security market
• Data protection and governance is rapidly maturing into a common set of CASB capabilities
• As enterprises mature, more advanced capabilities are emerging (virtualization, SIEM, governance, analytics, workflow, orchestration). Will CASBs add these capabilities, or will there be more acquisitions and partnerships?
CASBs
As customers migrate to the cloud, a new set of CASB capabilities and requirements has emerged across three areas.
Risk management:
• Visibility into cloud usage to discover Shadow IT
• Ranking and scoring the security capabilities of the cloud providers
• Dashboards to enable decisions about risk and compliance in the cloud
• Define and enforce cloud policies and standards
Vigilance:
• Monitor security information and events for malicious activity/usage within cloud services
• Dashboards to enable security operations teams
• Intelligence to identify threats to your cloud services and providers
• Identify, prioritize and remediate vulnerabilities for cloud services
Data protection & privacy:
• Visibility into data usage in the cloud
• Centralized data protection policy management
• Application of data protection and privacy controls such as encryption, tokenization, data loss prevention, and digital rights management for use with cloud services
CASBs are emerging as a new control point and becoming important for managing cyber risk in the cloud
Definition: a new class of security products (tools and services) that reside between the enterprise and a cloud provider and act as an extension of enterprise controls across risk management, data privacy & protection, and monitoring for cloud-based services.
Common problems:
• Shadow IT
• Ability to manage and measure risk in the extended enterprise
• Lack of consistent data protection and privacy across cloud providers
• Inadequate visibility into cloud activity
Typical capabilities:
• Understand cloud usage and risk exposure
• Manage risk and compliance
• Protect data and privacy
• Monitor security activity and threats
Who are the players: 30+ technology companies offer CASB products in the space
CASBs differentiate in three specific areas: deployment model, integration approach, and the cloud providers they support. The CASB sits between the users and systems of the traditional and extended enterprise (including mobile devices) and the sanctioned and unsanctioned cloud services they use.
Deployment model:
• Onsite vs. cloud-based
• Agent vs. agentless
Integration approach:
• Alert vs. block/enforce controls
• API (Application Programming Interface) vs. proxy
• In-band vs. out-of-band
Cloud providers:
• Sanctioned vs. unsanctioned
• SaaS vs. IaaS
• Provider-specific controls (encryption, tokenization, user behavior, etc.)
CASBs currently have various integration models attempting to differentiate themselves; many enterprises will need them all

CASB integration model: Log integration
• Characteristics: discovery (e.g., cloud applications, Shadow IT); point-in-time activity
• Advantages: understand inherent risk and cloud usage
• Disadvantages: view only basic activity for a set duration of time

CASB integration model: API
• Characteristics: sanctioned applications only; near real-time policy control; sits on top of SaaS
• Advantages: addresses data at rest
• Disadvantages: no in-line blocking; limited to what is provided via the API

CASB integration model: Reverse proxy
• Characteristics: sanctioned applications (browser) only; real-time policy control; sits in between the endpoint and SaaS
• Advantages: end-user privacy; easy to deploy
• Disadvantages: data-in-transit focus; downtime; lack of visibility into cloud-to-cloud interaction

CASB integration model: Forward proxy
• Characteristics: sanctioned and unsanctioned applications; real-time policy control across all; client deployment (native and mobile)
• Advantages: full coverage across all applications
• Disadvantages: difficult to deploy; can be intrusive; requires an agent
Getting started: adopting a CASB solution
• Step 1: understand what is already in the cloud, and the business and IT strategy for moving to the cloud
• Step 2: identify high-priority risks, areas to extend existing security capabilities, and gaps to be filled by CASB technologies
• Step 3: select a CASB technology that tactically aligns with capability gaps and key cloud providers, and strategically aligns with the deployment approach
Deploying CASBs and Use Cases
Example CASB use cases and corresponding integration options (each use case is mapped to the log, API, reverse proxy or forward proxy integrations that support it):
• Discover unsanctioned cloud services in use and analyze high-level activity
• Analyze high-level activity of sanctioned applications
• Alert on user behavior and cloud usage
• Control access to enterprise-owned applications
• Implement granular controls on data within sanctioned applications (e.g., quarantine, block)
• Control access to unsanctioned applications
• Implement granular controls on data within unsanctioned applications (e.g., quarantine, block)
• Redirect users trying to access unsanctioned services to sanctioned services
Use case example for CASB shadow IT discovery
Logs offer the capability to identify and classify an organization's cloud application environment, enabling risk assessment of individual applications. Traffic from end users to cloud services passes through the firewall, whose logs feed the four steps below.
• Step 1, Logs: cloud application discovery on the firewall log generates a list of services in use
• Step 2, Classification: applications are classified as either sanctioned or unsanctioned
• Step 3, Assessment: applications are assessed to identify risk (legal, financial, etc.)
• Step 4, Policy creation: security policies and procedures are developed to address the identified risks
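The four steps above as one runnable illustration. This is an added example, not code from the deck or from any CASB product: the firewall log lines, the application catalog, the sanctioned list, the risk weights and the thresholds are all constructed assumptions standing in for what a vendor's cloud-app registry and the firewall export would provide.

```python
"""Shadow IT discovery from firewall logs: logs -> classification ->
assessment -> policy creation. Added example; the log lines, the
application catalog, the sanctioned list and the risk weights are
constructed assumptions, not a vendor's registry or scoring model."""
import re
from collections import defaultdict

# Constructed key=value firewall log lines (assumption: the firewall records
# the user, the destination host and the bytes sent outbound).
FIREWALL_LOGS = """\
ts=2016-09-13T09:01:02Z user=alice dst=files.corp-share.example bytes_out=120345
ts=2016-09-13T09:05:11Z user=bob   dst=personal-drive.example   bytes_out=98231123
ts=2016-09-13T09:07:44Z user=alice dst=personal-drive.example   bytes_out=450
ts=2016-09-13T09:09:01Z user=carol dst=notes-app.example        bytes_out=20000
ts=2016-09-13T09:11:30Z user=bob   dst=paste.example            bytes_out=51200
ts=2016-09-13T09:12:00Z user=dave  dst=cdn.corp-share.example   bytes_out=10
ts=2016-09-13T09:13:00Z user=eve   dst=intranet.local           bytes_out=5
"""

# Constructed catalog of known cloud services keyed by registered domain,
# with the security attributes a CASB would use to score the provider.
CATALOG = {
    "corp-share.example": {"app": "Corporate File Share", "encryption_at_rest": True,
                           "sso": True, "customer_owns_data": True},
    "personal-drive.example": {"app": "Personal Drive", "encryption_at_rest": True,
                               "sso": False, "customer_owns_data": False},
    "notes-app.example": {"app": "Notes App", "encryption_at_rest": True,
                          "sso": False, "customer_owns_data": True},
    "paste.example": {"app": "Paste Site", "encryption_at_rest": False,
                      "sso": False, "customer_owns_data": False},
}
META_BY_APP = {m["app"]: m for m in CATALOG.values()}
SANCTIONED = {"Corporate File Share"}          # what IT has approved and owns

LINE_RE = re.compile(r"user=(?P<user>\S+)\s+dst=(?P<dst>\S+)\s+bytes_out=(?P<bytes>\d+)")


def lookup(host):
    """Match a destination host, or any parent domain of it, against the catalog."""
    parts = host.split(".")
    for i in range(len(parts) - 1):
        key = ".".join(parts[i:])
        if key in CATALOG:
            return CATALOG[key]
    return None


def discover(log_text):
    """Step 1: aggregate per-application usage (users, volume, events) from raw log lines."""
    usage = defaultdict(lambda: {"users": set(), "bytes_out": 0, "events": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                        # unparseable line, skip it
        meta = lookup(m["dst"])
        if meta is None:
            continue                        # not a catalogued cloud service
        u = usage[meta["app"]]
        u["users"].add(m["user"])
        u["bytes_out"] += int(m["bytes"])
        u["events"] += 1
    return dict(usage)


def classify(app):
    """Step 2: sanctioned if IT owns it, otherwise unsanctioned (Shadow IT)."""
    return "sanctioned" if app in SANCTIONED else "unsanctioned"


def assess(meta):
    """Step 3: risk score 0-100 (higher is worse) from the provider's attributes."""
    score = 0
    if not meta["encryption_at_rest"]:
        score += 40
    if not meta["sso"]:
        score += 30
    if not meta["customer_owns_data"]:
        score += 30
    return score


def create_policies(log_text, block_threshold=60, exfil_bytes=50_000_000):
    """Step 4: one policy per discovered app from classification, risk and volume."""
    report = {}
    for app, u in discover(log_text).items():
        cls, risk = classify(app), assess(META_BY_APP[app])
        if cls == "sanctioned":
            policy = "allow"
        elif risk >= block_threshold or u["bytes_out"] >= exfil_bytes:
            policy = "block"                # high-risk provider or bulk upload
        else:
            policy = "alert"                # low-risk Shadow IT: monitor and coach users
        report[app] = {"classification": cls, "risk": risk, "policy": policy,
                       "users": sorted(u["users"]), "bytes_out": u["bytes_out"]}
    return report


if __name__ == "__main__":
    for app, row in create_policies(FIREWALL_LOGS).items():
        print(f"{app:22} {row['classification']:12} risk={row['risk']:3} -> {row['policy']}")
```

The exfiltration threshold is what turns a point-in-time log review into something actionable: Personal Drive is blocked here both because the provider scores badly and because one user pushed roughly 98 MB to it, which is the kind of finding the assessment step is meant to surface.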
Deployment model for API deployment
Security and compliance are necessary considerations when adopting cloud-based applications. CASB solutions deployed through the cloud provider's API offer increased, non-intrusive visibility and actions such as data encryption and data quarantine. The path between the end user, the internet and the cloud service is unchanged; the CASB attaches to the cloud service out of band.
• Step 1: the end user accesses a cloud service through a managed or unmanaged device
• Step 2: data is exchanged between the corporate premises and the cloud service
• Step 3: through the API, the CASB monitors events and data within the cloud application and enforces the defined policies
• Step 4: through the API, the CASB generates reports and alerts and offers capabilities such as encryption
Deployment model for reverse proxy
CASB solutions deployed as a reverse proxy are configured between the cloud application and the end-user device, offering visibility, compliance, data security, and threat protection. Reverse proxy solutions secure both managed and unmanaged devices.
• Step 1: a managed or unmanaged device makes a request to the cloud service, which is received by the reverse proxy
• Step 2: the reverse proxy allows or rejects the request per the security policies
• Step 3: if allowed, the reverse proxy accesses the cloud service to fulfill the request
• Step 4: the response is sent by the reverse proxy back to the end user
Deployment model for forward proxy
Forward proxy CASB solutions inspect data from managed devices before it is forwarded to the cloud service. Traffic from the end user is steered to the proxy by an explicit proxy setting or PAC file, a proxy chain, DNS, or a thin agent/mobile client.
• Step 1: the end user makes a request that is inspected by the forward proxy
• Step 2: the request is allowed or denied by the forward proxy per policy; forwarded requests pass through to the cloud service
• Step 3: the cloud service processes the request and sends a response to the proxy
• Step 4: the proxy forwards the response to the end user
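The API, reverse proxy and forward proxy models above, together with the use cases from the earlier matrix (granular controls such as quarantine and block, and redirecting users from unsanctioned to sanctioned services), as one added example that is not code from the deck or from any CASB product. One policy and one small DLP classifier are applied twice: in-line, as a proxy decides before a request is forwarded, and out of band, as an API integration remediates data that is already in the cloud service. The hosts, users, rules, sample events and the SSN/CONFIDENTIAL patterns are constructed assumptions.

```python
"""One CASB policy enforced two ways (added example, not vendor code).

  proxy_decide(): in-line (reverse or forward proxy). Runs before the request
                  reaches the cloud service, so it can allow, alert, block or
                  redirect the user to the sanctioned alternative.
  api_scan():     out-of-band (API integration). Sees files already at rest in a
                  sanctioned app; it cannot stop the original upload, but it can
                  quarantine the file or remove an external share after the fact.
Hosts, users, rules and events below are constructed assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

SANCTIONED = {"corp-share.example"}                            # enterprise-owned service
REDIRECTS = {"personal-drive.example": "corp-share.example"}  # unsanctioned -> sanctioned

# Tiny DLP patterns shared by both modes (constructed; a real CASB ships many more)
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CONF_RE = re.compile(r"\bCONFIDENTIAL\b")


def classify(content: str) -> Set[str]:
    """Return the sensitive-data labels found in the content."""
    labels = set()
    if SSN_RE.search(content):
        labels.add("SSN")
    if CONF_RE.search(content):
        labels.add("CONFIDENTIAL")
    return labels


@dataclass
class Request:
    user: str
    host: str
    action: str              # upload | download | share
    managed_device: bool
    content: str = ""        # body the proxy can see (data in transit)


@dataclass
class Decision:
    verdict: str             # allow | alert | block | redirect
    reason: str
    redirect_to: Optional[str] = None


def proxy_decide(req: Request, enforce: bool = True) -> Decision:
    """In-line decision. enforce=False is monitor mode (alert only);
    enforce=True blocks or redirects (the deck's alert vs. block/enforce choice)."""
    def deny(reason: str, redirect_to: Optional[str] = None) -> Decision:
        if not enforce:
            return Decision("alert", reason)
        return Decision("redirect" if redirect_to else "block", reason, redirect_to)

    if req.host in REDIRECTS:
        # use case: steer users off an unsanctioned service onto the sanctioned one
        return deny("unsanctioned service with sanctioned alternative", REDIRECTS[req.host])
    if req.host not in SANCTIONED:
        return deny("unsanctioned service")
    labels = classify(req.content)
    if labels and not req.managed_device:
        return deny(f"{sorted(labels)} moving to/from an unmanaged device")
    if "SSN" in labels and req.action == "share":
        return deny("external share of SSN data")
    return Decision("allow", "policy satisfied")


@dataclass
class CloudEvent:
    """Constructed shape of a file event pulled from a SaaS provider's API."""
    file_id: str
    owner: str
    shared_externally: bool
    content: str


def api_scan(events: List[CloudEvent]) -> List[Tuple[str, str, str]]:
    """Out-of-band remediation on data at rest: (file_id, action, reason) tuples."""
    actions = []
    for ev in events:
        labels = classify(ev.content)
        if not labels:
            continue
        if ev.shared_externally:
            actions.append((ev.file_id, "unshare", f"{sorted(labels)} shared externally"))
        actions.append((ev.file_id, "quarantine", f"{sorted(labels)} at rest"))
    return actions


if __name__ == "__main__":
    print(proxy_decide(Request("alice", "personal-drive.example", "upload", True, "x")))
    print(proxy_decide(Request("bob", "corp-share.example", "share", True, "ssn 123-45-6789")))
    print(api_scan([CloudEvent("f1", "alice", True, "CONFIDENTIAL plan"),
                    CloudEvent("f2", "bob", False, "lunch menu")]))
```

The two entry points make the trade-off from the integration-model table concrete: the proxy path sees the upload before it happens and can redirect or block it, but only for traffic that is steered through it; the API path sees every file in the sanctioned app, including ones uploaded from devices the proxy never saw, but can only act after the data has landed, which is why "no in-line blocking" is listed as its disadvantage.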
Q&A
Jeff Margolies, Principal | Deloitte Advisory Cyber Risk Services, Deloitte & Touche [email protected]
LinkedIn: https://www.linkedin.com/in/jmargolies Twitter: @jmargolies
As used in this document, “Deloitte Advisory” means Deloitte & Touche LLP, which provides audit and enterprise risk services; Deloitte Financial Advisory Services LLP, which provides forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte Transactions and Business Analytics LLP is not a certified public accounting firm. These entities are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Copyright © 2016 Deloitte Development LLC. All rights reserved. 36 USC 220506
This presentation contains general information only and Deloitte Advisory is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte Advisory shall not be responsible for any loss sustained by any person who relies on this presentation.