Randy Moulton, Chief Security Officer of Charlotte, N.C., has embraced CASBs to help shore up cloud security for the city. 

Feb 04 2020

CASBs Provide Visibility and Security for Enforcing Rules in the Cloud

IT administrators find it easy to control access to resources with cloud access products.

Cloud computing is viewed as established technology for a growing number of organizations, including those at the state and local government level.

State and local agencies previously reluctant to embrace the cloud now find the flexibility and security of cloud services exceed their expectations. But security becomes paramount when moving applications, such as email, to the cloud.

With traditional security measures, government agencies can protect assets on-premises. To extend enterprise security policies to cloud-based resources, government agencies are beginning to purchase cloud access security brokers. CASBs enforce on-premises enterprise security policies when agencies access cloud-based resources.

CASBs have become an essential element of many organizations’ cloud security strategies, helping them govern the use of the cloud and protect sensitive data, says Gartner analyst Steve Riley.

“As organizations and governments have moved to cloud, the data still belongs to the organization or the government, but it’s being processed or stored on somebody else’s computer. And in that environment, how do you have consistent policy and governance across 10, 50 or 100 applications? It’s statistically impossible,” Riley says.

He adds, “So, CASBs emerged as a tool to address this problem, and they are doing it quite well. Using cloud services, the CASB becomes the enforcement point for things like encryption, data loss prevention, user behavior monitoring and access control. So, now you’ve got one control panel essentially to monitor and set policies across all of your services. They’re very useful for all verticals.”

Charlotte, N.C., Gains Visibility and Control with a CASB

CASBs primarily serve to improve visibility, data security, threat protection and compliance, says Randy Moulton, chief security officer of Charlotte, N.C., which recently selected Bitglass as the city’s CASB solution. 

“They can act as a firewall in the cloud,” Moulton says. For example, a CASB allows administrators to view who is going to a website, including people who are trying to penetrate it.

“You can get that visibility through the CASB and lock that person out, as a typical firewall would do,” he says. “It also allows you to control access to certain types of data.”

That can aid data loss prevention efforts, Moulton says: “So, with a CASB, you have the same visibility and the same controls now in your cloud environment that you historically had on-premises in a data center.”

A CASB also can help state and local governments with compliance requirements, including for the Health Insurance Portability and Accountability Act, which regulates data privacy and security provisions for medical data, he adds.

“If you’re looking at moving a significant portion of what you had on-premises to the cloud, you need to look into a CASB,” Moulton says.


Agencies Use CASBs to Get Control of Shadow IT 

Missouri’s state security team was concerned with the use of shadow IT in the cloud, according to Theresa Frommel, Missouri’s deputy CISO.

“Our user base is large, and the existing tools in our stack did not have the ability to granularly identify usage,” Frommel says. “Being a state entity, we are bound by a number of federal regulations and attempt to do our due diligence to ensure state data is protected.”

The state selected a CASB solution in 2015, choosing Skyhigh Networks, which was then the only option compliant with the Federal Risk and Authorization Management Program. (The FedRAMP benchmark is commonly used by states when selecting cloud-based services.) In 2018, McAfee acquired Skyhigh Networks.

“Not only did we find in excess of 2,000 shadow IT sites being utilized out of the gate, but the integration of a CASB solution allows for continued visibility,” Frommel says. “It assists with maintaining control of our assets and preventing data loss incidents.”


One of the most common uses has been to identify the use of sites that convert files from one type to another, such as a Word document to a PDF.

“Many users do not realize we provide the tools for this use case, and we get an opportunity to educate users about the risks. CASB integration works by sending a span of encrypted, tokenized traffic to the provider,” Frommel says. “No user data is associated with the traffic except to an authorized state of Missouri analyst. The CASB interface shows the high-risk sites in use, and an analyst can determine which sites should be allowed or blocked based on the risk information provided by the vendor.”

Maricopa County, Ariz., began using the McAfee Skyhigh CASB several years ago.

“With the advent of cloud services, we recognized the traditional security perimeter was changing,” says Robert O’Connor, the county’s CISO. “As such, we needed a new way to provide appropriate protections.”

The primary benefit of the CASB, he says, is in preventing cyberthreats by securing data that is stored in multiple locations and accessed from multiple locations.

O’Connor also suggests that before a government agency — or anyone else — adopts a CASB, it’s important to understand the business processes of all departments.

“Being in tune with the business requirements is the primary step in protecting them properly,” he says.

Moulton says some organizations moving applications to the cloud may believe that there is some inherent security there, but that is not the case.

“You can’t just ignore security in the cloud,” he says. “You don’t want to be in the next news article about someone who gave up a whole bunch of data.”

Photography by Peter Taylor