Karthik Venkatachalam Shanmugasundaram,
Head of Secure by Design

Introduction: Most start-ups keep the bulk of their organizational assets in the cloud, and firms that want to focus on their core product without trading off security and regulatory obligations increasingly look to COTS (Commercial Off the Shelf) security products such as CASB. Since the pandemic, organizations have also reshaped themselves around remote and hybrid work. That shift has had a cascading effect on enterprise risk: Shadow IT adoption has grown, and the use of BYOD (Bring Your Own Device) has multiplied.

Organizations have started noticing unusual user and entity behaviour: S3 buckets containing sensitive data misconfigured as public, or company confidential information and client details exported from Customer Relationship Management (CRM) tools to personal shared drives. The consequences are data exfiltration, reputational damage and hefty regulatory penalties. Adding to this is the spread of insider threats, which are hard to detect and harder to contain. All of this has made CASB an inevitable and integral part of enterprise security.


CASB (Cloud Access Security Broker) is a policy enforcement point, deployable on-premises or as a cloud service, that sits between cloud users and cloud applications and monitors and controls cloud usage through centralized policy enforcement based on the organization's business context. It lets the business use the cloud safely to a significant extent by tracking and protecting the movement of sensitive data, Personally Identifiable Information (PII), privacy-related data and confidential information. A CASB helps the organization meet industry and regulatory compliance mandates, shields it from attacks and reduces the risk that employees unknowingly introduce into the organization.

Modus Operandi of CASB:

The following steps indicate the working of CASB.

1) Discovery & Identification: The CASB performs auto-discovery (typically from firewall, proxy and endpoint logs) and builds a list of all third-party cloud services in use in the organization, together with the employees using each of them.

2) Classification: For each cloud service discovered, the CASB determines a risk rating based on factors such as the application's functionality, the data being stored in it and how that data is transmitted.

3) Monitoring & Alerts: The CASB continuously monitors and scans these cloud applications, and the risks associated with them are raised as alerts through integration with a SIEM, a notification tool or a SOAR platform via use-case automation.

4) Remediation: Security / IT teams analyze the alerts and remediate them by taking appropriate and timely action.
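
As an added illustration of steps 1 to 3 (example code written for this page, not any vendor's CASB and not the author's own tooling), the script below discovers cloud services from a few constructed proxy log lines, scores each service, and emits alerts in a form a SIEM could ingest. The log format, the service catalogue and the scoring weights are assumptions made for the illustration.

```python
"""Shadow-IT discovery and risk classification over proxy logs.

Added example, not the article's code or any CASB product's implementation.
It parses constructed proxy log lines, discovers which third-party cloud
services users reach (step 1), classifies each with a simple risk score
(step 2) and emits alerts a SIEM could ingest (step 3). The service
catalogue and the scoring weights are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log lines: timestamp user method url status bytes_out
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice GET https://app.slack.com/client 200 512
2024-03-04T09:13:44Z bob POST https://free-pdf-convert.example/upload 200 2400000
2024-03-04T09:14:10Z alice POST https://drive.google.com/upload 200 180000
2024-03-04T09:15:02Z carol GET http://random-downloads.example/setup.exe 200 3100000
2024-03-04T09:16:30Z bob POST https://free-pdf-convert.example/upload 200 1900000
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes_out>\d+)$"
)

# Assumed service catalogue: hostname -> (sanctioned?, functional category).
# A real CASB ships a catalogue of tens of thousands of apps; this is a stand-in.
CATALOGUE = {
    "app.slack.com": (True, "collaboration"),
    "drive.google.com": (True, "file_storage"),
    "free-pdf-convert.example": (False, "file_conversion"),
    "random-downloads.example": (False, "software_download"),
}


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes_out"] = int(rec["bytes_out"])
            rec["host"] = urlsplit(rec["url"]).hostname
            yield rec


def discover(records):
    """Step 1: map each cloud service to the users and upload volume observed."""
    services = defaultdict(lambda: {"users": set(), "bytes_out": 0, "plaintext": False})
    for r in records:
        s = services[r["host"]]
        s["users"].add(r["user"])
        if r["method"] in ("POST", "PUT"):
            s["bytes_out"] += r["bytes_out"]
        if r["url"].startswith("http://"):
            s["plaintext"] = True
    return services


def classify(host, stats):
    """Step 2: risk score 0-100 from functionality, data volume and transport (assumed weights)."""
    sanctioned, category = CATALOGUE.get(host, (False, "unknown"))
    score = 0
    if not sanctioned:
        score += 40            # unknown or unsanctioned service
    if category in ("file_conversion", "software_download", "unknown"):
        score += 20            # functionality that moves files or binaries
    if stats["bytes_out"] >= 1_000_000:
        score += 30            # meaningful volume of data leaving the network
    if stats["plaintext"]:
        score += 10            # transmitted without TLS
    return min(score, 100)


def alerts(text, threshold=50):
    """Step 3: one alert per service at or above the threshold, worst first."""
    out = []
    for host, stats in discover(parse_log(text)).items():
        score = classify(host, stats)
        if score >= threshold:
            out.append({"service": host, "risk": score,
                        "users": sorted(stats["users"]), "bytes_out": stats["bytes_out"]})
    return sorted(out, key=lambda a: -a["risk"])


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(a)
```

On the sample log the sanctioned Slack and Google Drive traffic scores 0, the unsanctioned PDF converter scores 90 (two uploads totalling 4.3 MB) and the plaintext download site scores 70, so only the last two become alerts. Step 4 is the human part: an analyst takes those alerts and blocks or sanctions the service.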

CASB Deployment Options:

A CASB can be deployed in three different ways: reverse proxy, forward proxy and API control. In an enhanced model two or more of these are combined and the CASB is deployed in multimode. The industry is seeing a major spike in the adoption of SaaS (Software as a Service) based multimode CASB deployments.

a) Forward Proxy: A forward proxy is placed between the user and the internet, adding a further layer of defence. This mode gives inline visibility into, and control over, outbound web traffic; it is normally fed by an agent or proxy configuration on managed devices.

b) Reverse Proxy: A reverse proxy is similar in spirit but sits in front of the cloud application rather than the user: incoming traffic is filtered and routed to the appropriate application servers. Because the redirection is usually done through the identity provider at login, this mode can also cover unmanaged devices that cannot run an agent.

c) API Control: An API-based CASB uses ready-to-fit, plug-in integrations with the APIs of SaaS and cloud service providers to monitor and control data usage in the cloud. It is out of band: it sees data already at rest in the service and remediates after the fact rather than blocking in real time.

CASB Use Cases for Organizations:

Some of the enterprise use cases of CASB are as follows:

1) Hybrid Solution: CASB is a hybrid solution that can cover both cloud and on-premises assets of the organization.

2) Out-of-band CASB (Data at Rest Protection): Scanning all sensitive, Personally Identifiable (PII), confidential and Payment Card Industry Data Security Standard (PCI DSS) data, source code and other custom data categories across all the different repositories and internal pages; discovering and classifying it; and reporting in which file, folder or location each data category is present.

3) Inline CASB (Data in Transit Protection): Preventing users from sharing, uploading or posting company internal, sensitive or confidential information to social media websites from company-provided managed assets on which CASB agents are deployed.

4) Detection of Shadow IT usage: Employees use third-party software such as online PDF converters to convert sensitive PDF documents to Word and vice versa, download random software from unverified websites where the executable has a high probability of carrying malware, and install freeware or pirated software for convenience, unaware that it could land the organization in licensing issues and fines. These are classic scenarios a CASB can prevent by detecting the installation attempt and the usage of such Shadow IT resources.

5) API integration with SaaS tools widely used in the market (for example Slack, O365 and G Suite) to detect and prevent users from sharing any sensitive or confidential data.

6) Browser isolation to prevent browsing of uncategorized and risky websites by employees from both managed and unmanaged devices: On organization-provided assets (laptops, desktops, thin and thick clients), browsing of uncategorized and risky websites is blocked. Where the organization lets employees reach company repositories and resources (for example mailboxes, file storage, or critical in-house or SaaS applications) from unmanaged devices such as BYOD (Bring Your Own Device), the session is spun up in an additional, isolated instance separated from the company network, and users are prevented from sending data and attachments from those devices.

7) Identifying compromised user accounts using UEBA (User and Entity Behavior Analytics): The CASB helps identify compromised accounts using built-in and custom anomaly detection, alerting administrators on unusual behavioural patterns such as

a) Impossible travel (for example, a request from a specific user originating in the UK and, within 15 minutes, another request from the same user from a different IP address located in the US).

b) Activity from an infrequent country: Analysis of past transactions shows from which countries a user's traffic usually flows; an alert is raised on a steep deviation, such as a volume of traffic from a country where it has never been observed historically.

c) Auto-forwarding of email configured to an external address: Alerting administrators whenever an employee configures an external email address (a personal email ID or any other non-company email ID) in an auto-forwarding rule, and preventing them from forwarding confidential, sensitive or company-internal email to any external domain. When configured via CASB, these alerts let administrators act immediately, for example by quarantining the user account, to prevent harm to the organization.
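
The three rules above, as an added example written for this page (not the article's code and not any vendor's detection engine), run against constructed sign-in and mailbox-audit events. The country centroids, the 90-day baseline counts, the 1,000 km/h speed limit, the 2 % frequency threshold and the tenant domain are assumptions.

```python
"""UEBA-style anomaly rules over sign-in and mailbox-audit events.

Added example, not the article's code or any CASB product's engine. It applies
three rules to constructed events: impossible travel, activity from an
infrequent country, and an inbox rule that auto-forwards to an external
domain. Coordinates, baseline, thresholds and the tenant domain are assumptions.
"""
from collections import Counter
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Assumed approximate country centroids (degrees); a real engine geolocates the IP.
GEO = {"GB": (52.5, -1.5), "US": (39.0, -98.0), "IN": (21.0, 78.0), "BR": (-10.0, -55.0)}

COMPANY_DOMAIN = "example.com"   # assumed tenant domain
MAX_SPEED_KMH = 1000             # faster than this between two sign-ins is "impossible"
INFREQUENT_SHARE = 0.02          # a country under 2 % of a user's history is infrequent

# Constructed sign-in events: (timestamp, user, country, source_ip)
SIGNINS = [
    ("2024-03-04T08:00:00Z", "alice", "GB", "203.0.113.10"),
    ("2024-03-04T08:15:00Z", "alice", "US", "198.51.100.7"),   # 15 min later, ~7,000 km away
    ("2024-03-04T08:20:00Z", "bob", "IN", "192.0.2.44"),
    ("2024-03-04T09:00:00Z", "bob", "IN", "192.0.2.45"),
]
# Constructed 90-day baseline: sign-ins per country for each user.
BASELINE = {"alice": Counter({"GB": 400}), "bob": Counter({"IN": 250, "US": 30})}
# Constructed mailbox-audit events: (user, action, forward_to)
MAILBOX_RULES = [
    ("alice", "New-InboxRule", "alice.backup@gmail.example"),
    ("bob", "New-InboxRule", "finance@example.com"),
]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(events):
    """Rule a: consecutive sign-ins of one user implying travel faster than MAX_SPEED_KMH."""
    alerts, last = [], {}
    for ts, user, country, _ip in sorted(events, key=lambda e: parse_ts(e[0])):
        t = parse_ts(ts)
        if user in last:
            prev_t, prev_c = last[user]
            hours = (t - prev_t).total_seconds() / 3600
            km = haversine_km(GEO[prev_c], GEO[country])
            if hours > 0 and km / hours > MAX_SPEED_KMH:
                alerts.append({"rule": "impossible_travel", "user": user,
                               "from": prev_c, "to": country, "speed_kmh": round(km / hours)})
        last[user] = (t, country)
    return alerts


def infrequent_country(events, baseline):
    """Rule b: sign-in from a country rare or absent in the user's baseline."""
    alerts = []
    for _ts, user, country, _ip in events:
        hist = baseline.get(user, Counter())
        share = hist[country] / sum(hist.values()) if hist else 0.0
        if share < INFREQUENT_SHARE:
            alerts.append({"rule": "infrequent_country", "user": user,
                           "country": country, "baseline_share": round(share, 3)})
    return alerts


def external_forwarding(rule_events):
    """Rule c: inbox rule forwarding mail to an address outside the company domain."""
    alerts = []
    for user, action, target in rule_events:
        domain = target.rsplit("@", 1)[-1].lower()
        if action == "New-InboxRule" and domain != COMPANY_DOMAIN:
            alerts.append({"rule": "external_forwarding", "user": user,
                           "forward_to": target, "response": "quarantine_account"})
    return alerts


def run_all():
    return (impossible_travel(SIGNINS)
            + infrequent_country(SIGNINS, BASELINE)
            + external_forwarding(MAILBOX_RULES))


if __name__ == "__main__":
    for a in run_all():
        print(a)
```

On the constructed data alice trips all three rules (about 28,000 km/h between the UK and US sign-ins, a country absent from her baseline, and a forward to a non-company domain) while bob trips none. Country centroids are a crude stand-in for IP geolocation; a production engine also discounts known VPN and cloud egress addresses, which otherwise generate most impossible-travel false positives.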

8) CASB integration with SIEM: CASB tools can be integrated with SIEM (Security Information and Event Management) tools to forward all DLP (Data Leakage Prevention) logs. These logs can then be correlated with other logs to detect, analyze and assess potential risk to the organization and to catch serious data breach attempts and internal or external attacks early.

9) CASB integration with SOAR: CASB can be integrated with a SOAR (Security Orchestration, Automation and Response) platform for DLP-related threat and vulnerability management, incident response and operations automation: tickets are raised automatically in the ticketing system and, for standard use cases, auto-closed by the automated steps in the playbooks the organization has developed and configured in the tool. This removes a significant workload from the SOC analysts and gives them more time for further automation and more challenging analysis.

10) Endpoint and MDM (Mobile Device Management) DLP capabilities: CASB solutions can detect, alert on and prevent data leakage from endpoints and mobile devices by embedding endpoint DLP and MDM capabilities into their existing features. Some solutions already offer this; others are rolling it out as part of upcoming releases.

11) Data leakage prevention for both structured and unstructured data: The CASB detects, alerts on and prevents copying of a specific cell, row or column from structured data sources such as relational databases through a feature called EDM (Exact Data Match), in which the organization fingerprints identified critical databases. Unstructured sources such as file storage, and non-relational databases that store data as key-value pairs, can be protected with a feature called IDM (Indexed Document Matching), in which content being posted, shared, copied or pasted is compared against the fingerprinted documents and a percentage similarity is computed. Any attempt by an internal user or an external attacker to copy a specific row, column or cell, or a file, from the fingerprinted relational databases, non-relational databases or file storage triggers a DLP alert to the administrator, and through centralized policy configuration the CASB can prevent the user from copying, pasting or sharing it via a file to any external domain.
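
A miniature EDM and IDM engine, added here as an example written for this page (not the article's code and not any DLP product's implementation). The customer table and the protected document are constructed, the HMAC key, the two-cell rule and the 60 % threshold are assumptions, and a real product tokenises far more carefully than the regular expressions below.

```python
"""Exact Data Match (EDM) and Indexed Document Matching (IDM) in miniature.

Added example; not the article's code or any DLP vendor's implementation.
EDM: every cell of the protected table is fingerprinted with a keyed hash and
outgoing text is checked for several cells of one record appearing together
(the raw values never leave the index). IDM: a protected document is split
into word shingles, each shingle is hashed, and outgoing text is scored by the
percentage of its shingles found in the index. Table, document, key and
thresholds are assumptions made for the illustration.
"""
import hashlib
import hmac
import re

FINGERPRINT_KEY = b"rotate-me"   # assumed secret; keyed so the index resists dictionary attacks


def _fp(value):
    """Normalised, keyed fingerprint of one cell value or one shingle."""
    return hmac.new(FINGERPRINT_KEY, value.strip().lower().encode(), hashlib.sha256).hexdigest()


# ---- EDM: structured data ------------------------------------------------
# Constructed customer table (in production: an export of the fingerprinted DB).
CUSTOMERS = [
    {"name": "Ada Lovelace", "email": "ada@example.net", "card": "4111111111111111"},
    {"name": "Alan Turing", "email": "alan@example.net", "card": "5555555555554444"},
]


def build_edm_index(rows):
    """Map fingerprinted cell -> set of row ids; only hashes are stored."""
    index = {}
    for rid, row in enumerate(rows):
        for value in row.values():
            index.setdefault(_fp(value), set()).add(rid)
    return index


def edm_match(text, index, min_cells=2):
    """Row ids for which at least min_cells distinct cells occur in text.

    Tokens are e-mail-like strings, digit runs, single words and adjacent word
    pairs, so a copied cell is recognised regardless of surrounding prose.
    """
    tokens = set(re.findall(r"[\w.+-]+@[\w.-]+|\d{8,}|[A-Za-z][\w'-]*", text))
    words = re.findall(r"[A-Za-z][\w'-]*", text)
    tokens |= {" ".join(p) for p in zip(words, words[1:])}   # two-word cells such as names
    hits = {}
    for tok in tokens:
        for rid in index.get(_fp(tok), ()):
            hits.setdefault(rid, set()).add(tok)
    return {rid for rid, cells in hits.items() if len(cells) >= min_cells}


# ---- IDM: unstructured data ----------------------------------------------
# Constructed protected document.
DESIGN_DOC = ("The payment gateway signs each request with an HMAC over the body "
              "using a per-merchant key stored in the vault and rotated monthly")


def shingles(text, k=5):
    """All k-word windows of the text, lower-cased."""
    w = re.findall(r"\w+", text.lower())
    return {" ".join(w[i:i + k]) for i in range(len(w) - k + 1)}


def build_idm_index(doc):
    return {_fp(s) for s in shingles(doc)}


def idm_similarity(text, index):
    """Percentage of the outgoing text's shingles present in the protected index."""
    s = shingles(text)
    if not s:
        return 0.0
    return 100.0 * sum(1 for sh in s if _fp(sh) in index) / len(s)


def evaluate(outgoing, edm_index, idm_index, idm_threshold=60.0):
    """Policy decision for one outgoing message: block if EDM or IDM fires."""
    rows = edm_match(outgoing, edm_index)
    sim = idm_similarity(outgoing, idm_index)
    return {"edm_rows": sorted(rows), "idm_percent": round(sim, 1),
            "action": "block" if rows or sim >= idm_threshold else "allow"}


if __name__ == "__main__":
    edm, idm = build_edm_index(CUSTOMERS), build_idm_index(DESIGN_DOC)
    print(evaluate("Hi, the card for Ada Lovelace is 4111111111111111", edm, idm))
    print(evaluate("FYI the payment gateway signs each request with an HMAC "
                   "over the body using a per-merchant key", edm, idm))
    print(evaluate("Lunch at noon?", edm, idm))
```

Two design points carry over to real deployments: the index holds only keyed hashes, so the policy server never needs the card numbers themselves, and EDM fires only when two cells of the same record co-occur, which keeps a common name or a lone card-looking number from producing a false positive. IDM reports a percentage rather than a yes/no because a partial copy of a design document is still a leak worth blocking.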

Most of the time an organization concentrates on protecting its information assets from external threats and overlooks the possibility of data leakage through insider threats such as a disgruntled employee. Some of the most significant attacks on record have happened because of insiders, through misconfiguration, negligence and lack of security awareness. To prevent all of the above, organizations can embed CASB solutions in their security strategy and guard against the deadliest threat, data leakage, from all possible sources.