By: Alex Burkardt
December 6, 2019
Bridging the CASB Gap – Extending Needed File Protections for an Emerging Security Platform
Cloud Access Security Brokers (CASBs) have been around for just a few years, but they’re quickly becoming an important component of the enterprise security stack. As the name implies, CASBs help secure organizations that are accessing public cloud applications. That’s a large percentage of the market, and growing. Gartner projects the worldwide public cloud services market will reach $214.3B in 2019, a 17.5% increase over 2018. Within that significant market, HTF Market Intelligence anticipates CASBs will grow at more than 17.80% from 2018 to 2025.
CASBs are important because they provide a set of security policies and controls between the cloud users accessing cloud applications and the cloud service providers where those applications sit. While cloud service providers do provide security, leading providers like AWS approach security as a shared responsibility between themselves and their customers. The provider’s focus is largely on the technology infrastructure layer, not risk mitigation. That leaves important compliance, threat prevention and data security responsibilities still resting with the customer organization.
CASBs, then, are a useful tool to help those organizations extend important security controls of their on-premise infrastructure to their public cloud environment. A good way to think of a CASB is that it protects cloud applications in much the same way a traditional firewall would protect on-premise applications.
Using a CASB, organizations can control who should get access to a cloud-based app, what features they should be able to use within that app, and so on. A CASB can also provide insight into what applications are being used so the organization can better understand user needs and their vulnerable attack surface.
However, practically speaking, a CASB provides a point-in-time, localized security approach. It effectively extends the physical perimeter of a local network to a new perimeter in the cloud. But it can’t prevent loss of control over cloud-based data after it has been accessed. Once a user has the data, they can still copy it, store it on insecure personal drives, share it with other parties, or have it compromised by malware or attackers. So, while a CASB can help illuminate an application’s blind spot, it does not ensure that the data itself remains safe.
VERA fills this security gap by bringing protection to the data level. It’s an ideal complement to CASB solutions. VERA protects unstructured data, and a CASB allows you to fill the gaps in structured data.
For example, from an unstructured data perspective, VERA can encrypt a file as it’s sent to a collaboration platform like Box. VERA lets team members use that file while it’s unencrypted, realizing the benefits of the cloud infrastructure. However, when the file starts to leave the company, the CASB would call on the VERA API to extend protections, encrypt the file, and maintain ownership of it when it leaves the protection of the CASB sphere. Here are a few examples of ways VERA can help:
Content Inspection and Apply Policies
Documents residing in OneDrive folders are sensitive. A CASB can run DLP on those files and detect sensitive content. When a policy has been defined to protect sensitive documents with VERA, the CASB solution calls the VERA API to encrypt and protect the document.
Inherent App Permissions
Documents in Box folders which are shared with external parties for collaboration are also protected by VERA and a CASB solution. When the CASB detects sensitive documents, VERA policy is executed and the permitted users are inherited from the Box folder collaborators. For example, users that have view-only rights get a policy that is different from the policy for users with read-write permissions.
Revise VERA Policies Based on Content
When documents are already protected, the CASB can decrypt the content to apply DLP on the document. When content scanning is complete and the CASB determines that the VERA policy should be escalated, the CASB will re-apply a new VERA policy based on the document’s sensitivity level.
Visibility and Analytics on Protected Documents
When customers use a CASB’s analytics engine to report on VERA-protected content, they can see which documents VERA is protecting. Administrators can run reports on protected vs. non-protected documents to understand the organization’s risk exposure.
When combined with CASB, VERA’s data-level security approach enables organizations to open up their rule set so they can be more flexible and still stay secure. This avoids locking down information in ways that can make it difficult for employees to perform their work. This ‘best of both worlds’ option fills the CASB security gap and gives organizations peace of mind that their data is secure wherever it may travel.