Managing cloud risk with CASB

Gartner is calling CASB its number one technology for information security, and Forrester, which calls the market the Cloud Security Gateway, has recently published its first Wave report on it. But what is a CASB, and how can you use it to manage risk?

Firstly, if your business does not use the internet in any way, shape or form, you have no need for a CASB. For the rest of us, if you don't need one right now, you will very soon.

Normal measures of domain based IT risk management tend to follow quite a simple formula:

Risk = Asset/m x Vulnerability/m x Threat/m

(Where /m is the mitigating factor)

Traditionally, with your own people using your company's IT assets and connecting over your network to your own or an outsourced data centre, calculating this is a fairly simple task:

All asset variables can be known. You may even have a DLP system in place to gauge the sensitivity of information assets to your business; if not, it's a fair assumption that the Exec/HR/Finance laptops and desktops are the most important.

You know and can control the human and technical vulnerabilities, you have tools available to patch, block and tackle the bad guys, and you have tools in place to assess and control the threats your IT assets are up against.

However, consider the situation where you have an increasingly mobile workforce, with access to sensitive information often granted via an API to unknown people; where your business is using, or is considering using, unmanned and probably unmanageable IoT devices; where connections run over an internet on which people are either known or have to be considered the enemy; and where those connections go to cloud services which, at best, you know about and have a contract with, but much more likely have no knowledge of at all. Then you have a problem, and CASB comes into its own.

What a CASB does is extend your information governance controls into the known and unknown cloud applications your colleagues are using. This lets you start to manage cloud risk; however, I believe the normal R = A x V x T model needs to be refined slightly.

There are three fundamental aspects to cloud risk in my view and a good CASB should be able to provide value in all of these:

Cloud asset risk - Where is the data stored? How financially stable is the cloud app owner? What security controls are provided? How 'GDPR ready' is the cloud application? Essentially, how well are they taking care of your data?

Information sensitivity - How sensitive to the business is the data that is being put into cloud applications? Where is your sensitive data? Could it represent compliance risk if not handled in a particular way? Could putting it in the cloud with no mitigating controls breach your own information governance policies? Above all could it cause your business harm if it were lost?

People risk - Who is handling data across all cloud applications and are they doing so in a way you would expect or in a way that might indicate stolen credentials, a lack of understanding of information governance or even malpractice?

A good CASB should, in my opinion, give you visibility and control over all three of those factors. If you picture them as a Venn diagram, the overlap in the middle is the first place to start when applying CASB controls.

Thank you for reading this - I do work for a leading cloud security vendor however I am trying my best to be unbiased. I would welcome debate and constructive criticism.

(These opinions are my own and not that of my employer)

No you can't :-)

More articles by Dave Barnett