Why a CASB is Essential to any Cloud and Enterprise Security Strategy

Federal IT managers are accelerating their migration of applications and data to the cloud, as they recognize that the cloud is critical for maintaining efficient operations and delivering improved citizen services in an increasingly digital world. The cloud has become the cornerstone of the federal government’s overall IT modernization strategy, providing a path for government managers to digitally transform their organizations, while phasing out older systems that have become too costly to maintain.

Consequently, government managers are adopting a mix of on-premise, hybrid and multiple cloud infrastructures to address the diverse needs of their missions. As a result, security is a challenge in these mixed environments, as IT and security operation teams struggle to maintain visibility and accountability across multiple infrastructures.  This situation has spurred the need for an integrated cyber security approach that weaves cloud and on-premise systems into government organizations’ broader security strategies.

The rise of the Cloud Access Security Broker

Cloud Access Security Brokers (CASB) help agencies gain a point of control to unify security measures across on-premise and cloud infrastructures. By using a CASB, agencies can apply multiple layers of security to cloud services and High Value Assets (HVAs) from a single platform and extend on-premise security policies related to data loss prevention (DLP), encryption, access management, anomaly detection and behavior tracking, to the cloud.

In fact, by 2022, 60% of large enterprises will use a CASB to govern some cloud services, up from less than 20% today, according to Gartner. "Cloud access security brokers have become an essential element of any cloud security strategy, helping organizations govern the use of cloud and protect sensitive data in the cloud. Security and risk management leaders concerned about their organizations’ cloud use should investigate CASBs,” according to Gartner's 2018 Critical Capabilities for CASBs.

How CASBs Work

CASBs are deployed between an agency’s cloud application or HVA and the end user population, via a network gateway or API interface, providing visibility and control of the cloud service and data residing in the cloud.  CASBs provide a comprehensive view of an agency’s cloud usage and risks – detecting those employees who are using cloud services that are not compliant with an agency’s security controls (a.k.a. Shadow IT).

With the move to the cloud and the proliferation of software-as-a-service applications that come along with it, as well as the trend toward Bring-Your-Own-Devices (BYOD), this opens doors for government employees to use cloud apps and services that do not comply with their organization’s security controls. More alarming, many security operations teams do not know how many of these unvetted cloud services are running in their environments.

A CASB solution provides an agency complete visibility into which applications are being utilized and who is using them, while preventing them from violating a security policy, either accidentally or deliberately.  A CASB discovers Shadow IT by analyzing event logs from firewalls, proxies and other systems.  To be effective, a CASB should monitor usage through intuitive dashboards and reports, as well as generate risk assessments on demand -- a key requirement for most compliance regulations.

A CASB solution provides an agency complete visibility into which applications are being utilized and who is using them, while preventing them from violating a security policy, either accidentally or deliberately.

As agencies attempt to gain better visibility and control of their critical information and where it resides in their infrastructure, both in the cloud and on-premise, a robust information protection strategy is critical with DLP solutions gaining in popularity.  A CASB allows security teams to safeguard data in cloud apps with the same DLP policies, workflow and dashboard used for their endpoints, networks and data centers.  For example, a CASB such as Symantec’s CloudSOC integrates Symantec’s DLP capability providing information protection and visibility across cloud, on-premise and end point via the same policy and dashboard.

File-level encryption is another capability CASBs can enhance, helping to secure data before it ever reaches the cloud. This allows organizations to automatically encrypt sensitive files in cloud apps and manage access to those files.

Down the Road

Agencies will step up migration to the cloud, especially with the emergence of new services based on technologies such as artificial intelligence, machine learning and advanced analytics. Many agencies are already reaping benefits, including rapid access to on-demand resources, automation of updates, business continuity, improved collaboration, reduced IT costs and scalability. As agency managers continue their journey into the cloud or multiple clouds, they will need CASBs to provide a deep level of visibility into cloud usage and risks, as well as to apply governance over cloud data, protect against threats and more easily ensure compliance.

To do this, agencies will require solutions built and validated to work on government networks. Symantec’s CASB and DLP solutions have received an “In Process” designation from the Federal Risk and Authorization Management Program (FedRAMP) under sponsorship of the Department of Homeland Security (DHS). An “In Process” designation indicates that Symantec is actively working on the documentation and controls required to achieve a FedRAMP authorization, and that DHS is reviewing the documentation with the intent to provide an Authority to Operate that meets the FedRAMP requirements. Agencies will soon have a FedRAMP authorized integrated cyber defense solution available to ensure their secure transition to the cloud.