4 Fundamentals of an Effective Cloud Access Security Broker

George Teas is the director of federal systems engineering at Blue Coat Systems.

The federal government’s efforts to eliminate legacy systems and modernize federal IT is paying off. According to a recent Government Accountability Office report, $2.8 billion has already been saved by closing 3,125 data centers since 2011, and that’s just the data reported from 19 out of 24 agencies that participated in the Federal Data Center Consolidation Initiative. The same report also suggests another 2,078 closings will result in an additional $5.4 billion in savings by the end of fiscal 2019.

Other initiatives such as the president’s fiscal 2017 budget proposal for a $3.1 billion IT modernization fund, the Federal Risk and Authorization Management Program and the Federal Information Technology Acquisition Reform Act coupled with projections that the federal demand for cloud computing services will reach $6.2 billion in fiscal 2020, could lead to an explosion of modernized cloud-based technologies; technologies that can present significant security concerns for agencies.

As critical information is migrated to the cloud to achieve greater operational efficiencies, new risks for agencies already struggling with the current threat landscape are introduced. Traditional network perimeters are no longer sufficient and cloud environments present new opportunities for data loss and cyberattacks.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The rapid adoption of cloud services is driving the need for a new type of cloud security solution—cloud access security brokers—that can help the federal government to protect sensitive information residing in cloud environments.

The Role of a CASB

CASBs play an important role within the agency environment by providing critical visibility and control of how cloud apps and services are used. These solutions can provide agencies with the tools and analytics needed to determine who is using an application, how much data is being moved and where the risks exist.

Federal IT security professionals can monitor and govern users by use and apply policies to maintain data security across all endpoints. CASBs also allow agencies to govern data by replacing sensitive data with a random tokenized or encrypted value, providing incident response, as well as forensics for monitoring, logging and capturing application activities. The risk of leaking sensitive data or personally identifiable information can be significantly mitigated by combining these factors with data loss prevention capabilities extended to applications.

CASB solutions are designed to provide visibility and control into cloud application risk, but just like cloud services, not all brokers are the same. It is important to look at specific capabilities to ensure that government funds are being invested wisely. An effective CASB solution must have these four components:

1. Cloud App Discovery and Analysis

Cloud apps are a big contributor to shadow IT or third-party IT solutions such as employee-adopted devices, apps and cloud services not sanctioned by the IT department. These can open up gaping security holes. Visibility is the first priority when determining a cloud strategy and an effective CASB should provide shadow IT discovery as well as risk analysis to include detailed cloud app ratings, usage analytics and continuous reporting. Instead of allowing shadow IT to create blind spots on agency networks, cloud app discovery and analysis can discover shadow IT, identify and block risky apps, identify inefficiencies, ensure compliance and sanction appropriate apps to be used by employees or contractors.

2. Data Governance and Protection

To prevent unwanted activity such as the inappropriate sharing of sensitive content like source code, confidential information or other important records with personally identifiable information, a CASB should provide the ability to enforce data-centric security policies. It should also support encryption and tokenization of compliance-related data to enforce privacy and security and provide an additional layer of protection.

3. Threat Protection and Incident Response

Agencies need visibility into events and tools to quickly gather and analyze information about the event. Malicious attackers are likely to gain access to a network infrastructure through user credentials that get them in through the front door and bypass protective measures. They can also use cloud apps to disseminate malware or advanced persistent threats.

If these events are not detected immediately, it is just a matter of time before an agency is infiltrated with malware. To prevent malicious activity such as data exfiltration due to account takeover, session hijacking or insider activity, continuous monitoring is needed to check on user behavior.

While no network is 100 percent immune from security incidents, a CASB can help to identify and block malware from being uploaded or shared within cloud environments and provide tools for incident response.

4. Compliance and Data Privacy

Government agencies are reluctant to hand over control of sensitive data to third-party cloud service providers. A CASB can help compliance and security professionals ensure cloud apps and services have appropriate security certifications; certain clouds are blocked from receiving specific types of regulated data; and, regulated data that needs to be placed in the cloud is secured per compliance guidelines.

The cloud empowers the federal government to be more agile, collaborative and cost-efficient. CASBs can enable agencies to be more productive and secure by providing critical visibility into, and control of, cloud applications and services.

Has your agency factored CASBs into its cloud migration strategy? If not, it’s time to consider these four fundamental components to ensure an effective cloud security posture.