Select a CASB: evaluate on 58 features, the CSP's risk score and a first 90 days plan

How to select your CASB: the CASB's top 58 features, the CSP's risk score and a first 90 days operation plan. Himani Singh, Oct 2016


Page 1 (title slide): How to select your CASB: the CASB's top 58 features, the CSP's risk score and a first 90 days operation plan. Himani Singh, Oct 2016

Page 2: Agenda

According to Gartner, Cloud Access Security Brokers (CASB) are one of the top 10 leading technologies in the IT industry. That said, it is also a live technology that keeps maturing over time, and we expect more features to be added to it.

This presentation covers:
• 58 CASB features that help in a CASB evaluation
• CASB methods to score a cloud service provider
• An outline of a first 90 days operation strategy for the CASB

Page 3: An intro to CASB technology

Most IT, HR and other business software is delivered as software-as-a-service (SaaS) from the cloud. With this model, the CISO/CIO has lost the single security-policy enforcement points (SPEPs) they used to have in traditional networks. SPEPs are distributed in the cloud, while the CISO/CIO still needs visibility, resource protection and control in the cloud.

CASB is the answer to that, and its definition includes the following:

• The 5 A's: secure access to any app, on any device, at any time, for any user and from anywhere
• Visibility into the five W's: who (user), when (time), what (resource and activity), why, and which app (app access)
• Data security and data protection for data on the move, in use and at rest, in the cloud or on the device
• Compliance, access control and threat protection

Page 4: Do you need a CASB?

Does your organization really need it?
• If you have only a few cloud apps, then a full-fledged CASB is probably not for you.
• You can use a CASB's discovery functionality to find shadow IT in your organization. Most CASB vendors offer it either for free or for a small fee.

When do you need it?
• Your organization has a hybrid cloud.
• IT and/or other BUs (support, sales, marketing) are managing their own cloud apps.
• IT and other BUs have future plans for cloud implementation.
• You need visibility, data protection, compliance and access control in the cloud.

Page 5: An overview of CASB deployment modes

[Diagram, two topologies. CASB proxy mode: traffic from the corporate office (servers, devices, laptops), unmanaged mobile or personal devices and remote users passes through a FW or SWG proxy and is steered to the CASB by URL rewrite redirection, traffic redirection using DNS, IDM, IDaaS, SSO or SAML; the CASB sits in front of IaaS (AWS, Azure, SoftLayer), PaaS (Oracle Cloud, Google API, Bluemix) and SaaS (Box, Workday, O365) and provides visibility, data protection, continuous monitoring, data governance, compliance and threat protection. CASB API mode: the same clients reach the cloud services through the FW or SWG proxy, while the CASB connects to the services through enterprise integration and their APIs, providing visibility, data protection, malware protection, continuous monitoring and compliance.]

Detailed information can be found at http://www.slideshare.net/Himani-Singh/cloud-security-overview-part-1

Page 6: Yes to a CASB, then what?

A CASB has lots of moving parts: not only different services, software and agents, but also multiple deployment modes and functions. This presentation covers the 59 much-needed CASB features, a score card for a cloud service provider (CSP) and a 90 day plan to operate the CASB with continuous monitoring, so that you take full advantage of your CASB.

• Select the deployment mode depending on the service you want to protect: SaaS, IaaS or PaaS. More info can be found in part one: http://www.slideshare.net/Himani-Singh/cloud-security-overview-part-1

Page 7: Consider the facts and do your due diligence

After selecting the CASB's deployment mode, consider more facts:
• How much tolerance does your organization have towards latency? Remember that a CASB will introduce some amount of latency.
• CASB integration can introduce extra work, such as installing agents on end devices, network changes and DNS redirection.
• Discovery is the first step.
• Take advantage of a CASB vendor's discovery service to understand your network.
• Make a matrix of priority vs cost vs latency to select the correct balance.
• Cover the CASB's functions in the following areas: visibility, compliance, data security, threat protection and access policies.

Page 8: Covering the basics: Visibility

Visibility feature / Description

• CASB log-based discovery OR active inline discovery: Discover your network, both sanctioned and unsanctioned apps, user actions and traffic load. This is a mature feature and most CASBs offer it. Check the vendor's app database update frequency; you want the signatures of the latest apps and of modified apps to be included. This is a must-have feature.
• CASB log-based discovery with LDAP/Active Directory integration: The integration provides the IP-to-user mapping, which helps identify a user name and is also useful for user-name based queries and actions. Enterprise integration (IP-to-user mapping): most vendors offer this mapping with the active or inline proxy and few offer it for log-based CASB. It is better to have it in both modes.
• Data visibility: The types of files uploaded, shared and publicly shared, and where data is being transferred or stored in the cloud.
• User activity: User actions such as share, public share, download and edit.
• Top user, top app, top location: A graphical view of the top users, top apps and top locations.
• Device, OS and location identification: Which device and OS is used at which time and from which location.
• Search based on application category: Ability to group applications by category, e.g. business, HR, social, file storage etc.
• Service category: Ability to classify apps as SaaS, PaaS or IaaS.

Page 9: Covering the basics: Compliance

Compliance feature / Description

• Personally Identifiable Information (PII): PII must be protected from internal and external parties. The CASB should be able to distinguish employees' enterprise traffic from their personal traffic, because a CASB should skip employees' personal information.
• Health Insurance Portability and Accountability Act (HIPAA): Must comply with the HIPAA act for at least the first two titles.
• Payment Card Industry Data Security Standard (PCI DSS): The CASB should be able to identify PCI data, trigger an alert and block any PCI data going to a cloud app that is not PCI compliant.
• Many more.

Page 10: Covering the basics: Data Loss Prevention

DLP feature / Description

• Blocking sensitive data leakage using pattern matching: Use different pattern-matching techniques to identify sensitive data, whether it is leaving the organization or stored in the cloud. The matching is done with regular expressions or predefined DLP sensors.
• Predefined sensors: A CASB must be able to identify PII, PCI, HIPAA and other predefined sensors that identify addresses, name and zip, email addresses and more.
• Custom DLP pattern, fingerprinting: Fingerprinting is one technique for creating "custom pattern matching" when sensitive data does not fall into any predefined category. There are many ways to create a fingerprint; one of them is hashing. In this method a hash of each sensitive document is created and stored in the proxy's cache. The stored hash is matched against the hash of user data (data on the move, data at rest or data in use); if a match is found, an action is taken.
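As an added illustration (not code from the deck or any CASB product), here is a minimal hash-based fingerprint store in Python. It goes slightly beyond the slide's exact-document hash: it also stores SHA-256 digests of overlapping word n-grams of each registered document, so that a pasted paragraph of a protected file is caught, not only a byte-identical upload. The n-gram size, the match threshold and the sample documents are assumptions constructed for the example.

```python
import hashlib
import re

SHINGLE_WORDS = 8  # assumed n-gram size; larger values reduce false positives


def canonical(text: str) -> str:
    """Lower-case, strip punctuation and collapse whitespace so that re-wrapping
    or re-casing a protected document does not defeat the exact-document hash."""
    text = re.sub(r"[^\w\s]", " ", text.lower())
    return re.sub(r"\s+", " ", text).strip()


def digest(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def shingles(text: str, n: int = SHINGLE_WORDS):
    """Overlapping word n-grams of the canonical text; hashing each one lets the
    proxy recognise a copied paragraph, not only a whole-file copy."""
    words = canonical(text).split(" ")
    for i in range(max(1, len(words) - n + 1)):
        yield " ".join(words[i:i + n])


class FingerprintStore:
    """The proxy-side cache: it holds digests only, never the sensitive text."""

    def __init__(self):
        self.doc_hashes = {}      # digest(whole document) -> label
        self.shingle_hashes = {}  # digest(word n-gram)    -> label

    def register(self, label: str, text: str) -> None:
        self.doc_hashes[digest(canonical(text))] = label
        for s in shingles(text):
            self.shingle_hashes[digest(s)] = label

    def match(self, candidate: str, threshold: float = 0.3):
        """Return (label, score): 1.0 for an exact copy, otherwise the share of
        the candidate's n-grams that hit one registered document."""
        exact = self.doc_hashes.get(digest(canonical(candidate)))
        if exact:
            return exact, 1.0
        hits, total = {}, 0
        for s in shingles(candidate):
            total += 1
            label = self.shingle_hashes.get(digest(s))
            if label:
                hits[label] = hits.get(label, 0) + 1
        if not hits:
            return None, 0.0
        label, count = max(hits.items(), key=lambda kv: kv[1])
        score = count / total
        return (label, score) if score >= threshold else (None, score)


def decide(store: FingerprintStore, upload: str) -> str:
    """Policy hook: the slide lists alert/block/quarantine as options; a hit blocks here."""
    label, _ = store.match(upload)
    return "block" if label else "allow"


# Constructed sample documents (not real data).
PROTECTED = ("Project Falcon merger term sheet: Acme Corp will acquire Beta Labs for "
             "forty million dollars in cash, closing on the first of December, "
             "subject to board approval and regulatory clearance.")
PARTIAL_UPLOAD = ("Heads up: Acme Corp will acquire Beta Labs for forty million dollars "
                  "in cash, keep it quiet.")
BENIGN_UPLOAD = "Lunch menu for Friday: pizza, salad and fruit. Please RSVP by Thursday."


def demo_store() -> FingerprintStore:
    store = FingerprintStore()
    store.register("falcon-term-sheet", PROTECTED)
    return store
```

Running `demo_store().match(PARTIAL_UPLOAD)` scores the pasted sentence at 0.5 against the term sheet, while the lunch menu scores 0.0.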

• Custom DLP pattern, keywords, dictionaries, exact match: Allow the user to create custom DLP patterns based on keywords, exact match or dictionary methods. Explaining all the methods is beyond the scope of this document.
• Validation mechanisms for credit cards and Social Security numbers: The CASB should have a mechanism to validate card numbers and SSNs.
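As an added example (not the deck's or any vendor's code), this Python snippet shows why a validation step belongs behind the predefined PCI and SSN sensors: the regexes find every digit run that looks like a card or SSN, then a Luhn mod-10 check and the SSA's structural rules decide which hits the policy engine should act on. The sample text and the finding layout are constructed for the example.

```python
import re

# Candidate patterns: 13 to 19 digits, optionally separated by spaces or dashes,
# and the nnn-nn-nnnn SSN layout. The regex alone over-matches (order ids,
# tracking numbers), which is why each hit is validated before it counts.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check that payment card numbers satisfy."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_valid(area: str, group: str, serial: str) -> bool:
    """Reject layouts the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def mask(value: str) -> str:
    """Keep only the last four digits in findings and logs."""
    count = sum(c.isdigit() for c in value)
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            seen += 1
            out.append(c if seen > count - 4 else "*")
        else:
            out.append(c)
    return "".join(out)


def scan(text: str):
    """Run the predefined sensors over a blob; return every candidate in document
    order, flagged with whether it passed validation."""
    findings = []
    for m in CARD_RE.finditer(text):
        findings.append({"sensor": "PCI", "pos": m.start(),
                         "masked": mask(m.group(0)), "valid": luhn_valid(m.group(0))})
    for m in SSN_RE.finditer(text):
        findings.append({"sensor": "SSN", "pos": m.start(),
                         "masked": mask(m.group(0)), "valid": ssn_valid(*m.groups())})
    return sorted(findings, key=lambda f: f["pos"])


def violations(text: str):
    """What the policy engine acts on: validated hits only, so an order id that
    merely looks like a card number does not trigger a block."""
    return [f for f in scan(text) if f["valid"]]


# Constructed sample text; the card numbers are well-known test values, not real cards.
SAMPLE = ("Order 4111 1111 1111 1111 shipped; ref 1234567812345678 is a tracking id. "
          "Applicant SSN 123-45-6789, placeholder 666-12-3456 is not a real SSN.")
```

`scan(SAMPLE)` reports four candidates, but `violations(SAMPLE)` keeps only the two that validate.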

Page 11: Covering the basics: Data Loss Protection

DLP feature / Description

• DLP by API, almost real time: Provides almost real-time data monitoring, which means data at rest must be matched as soon as it is uploaded. If a match is found, an appropriate action such as alert, block, quarantine, legal hold or encryption is taken.
• DLP by inline proxy: Here pattern matching can be done in real time on data on the move; if a match is found, an appropriate action is taken as above.
• DLP on structured and unstructured data: Pattern matching should be done on both structured and unstructured data.
• External DLP integration: A CASB must provide a way to integrate a 3rd party DLP engine for data scanning. For example, a customer can use an external DLP engine in conjunction with, or instead of, the CASB's integrated DLP engine.
• Field-level/file-level encryption and field-level tokenization in real time: Field/file-level encryption can be done while data is in transit (proxy based). Field-level tokenization applies to credit card numbers, SSNs, email, name and other fields.
• Enterprise/LDAP/SSO/Active Directory integration: Using the user name together with the IP address allows the correct access rights to be applied.
• E-discovery, classification, encryption and tokenization on data at rest: A CASB in API mode can probe data stored in the cloud app; if it is classified as sensitive, it takes an action such as encrypt, quarantine, tokenize, DRM, log or alert.
• User's own crypto keys: Some clients prefer to use their own keys. A CASB vendor may allow customers to use and manage their own keys.

Page 12: Covering the basics: Data Loss Protection (continued)

DLP feature / Description

• Digital rights management: The CASB should apply data classification tags such as DRM to prevent copying or downloading.
• Watermark adding and detection: The CASB can add a watermark or detect a watermark.
• Key management and customer's own crypto keys: Some clients prefer to use their own keys. A CASB vendor should support customer encryption keys in its on-premise or cloud solution, and should be able to manage them securely.
• Data that is password protected: A CASB should be able to scan and take action on files that are password protected.
• ICAP integration: A CASB proxy should allow ICAP integration, either to support a 3rd party DLP solution or to free up proxy resources.
• BYOD security for MDM: MDM-style security for mobile devices is quite important; it includes selective wipe, contextual access, limited access rights and upgraded authentication.

Page 13: Covering the basics: Threat Protection

Threat protection feature / Description

• Malware identification using a database of known rogue IPs, URLs, hosts and locations: A CASB should block traffic if any element matches a rogue URL, IP, host name, source IP or location.
• Anomalous behavior between SaaS apps: Ability to track when a large volume of data is being exchanged between multiple SaaS apps. If a user account has been hacked, the attacker might be using some level of obfuscation to transfer the data.
• Event log preservation: Ability to provide and preserve event logs, and to find correlations between events.
• Anomaly detection per user or app: A single user is downloading a large amount of data at odd hours or from unsanctioned locations, or a single user is logged into different apps from different locations.
• Orphan account detection: Accounts of ex-employees should be detected and their data cleaned up. Any access to an orphan account should be detected immediately.
• Reset an account: Reset or block an account.
• Integrate with IAM: User activity across multiple SaaS apps should be tracked for visibility.
• Integration with SIEM: Have a unified security view.
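The two per-user anomaly rules above (bulk download at odd hours or from an unsanctioned location; one user active in different apps from different locations within a short window), written out as detection logic over constructed CASB activity records. This is an added example, not the deck's or any product's code; the log format, the thresholds, the business hours and the sanctioned-country list are assumptions to be replaced by the baseline built during discovery.

```python
from datetime import datetime, timedelta
from typing import List, NamedTuple

# Assumed thresholds; tune them from the usage baseline of the discovery phase.
BULK_MB = 500                   # a "large amount of data" in a single event
BUSINESS_HOURS = range(7, 19)   # UTC hours treated as normal working time
SANCTIONED_COUNTRIES = {"US"}   # locations the organization expects users in
TRAVEL_WINDOW = timedelta(minutes=60)


class Event(NamedTuple):
    ts: datetime
    user: str
    app: str
    action: str
    mb: int
    country: str


class Alert(NamedTuple):
    rule: str
    user: str
    detail: str


def parse(log: str) -> List[Event]:
    """Constructed record format: '<iso-utc> <user> <app> <action> <MB> <country>'."""
    events = []
    for line in log.strip().splitlines():
        ts, user, app, action, mb, country = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, app, action, int(mb), country))
    return sorted(events, key=lambda e: e.ts)


def detect(log: str) -> List[Alert]:
    alerts = []
    last_seen = {}  # user -> most recent event, for the multi-location rule
    for e in parse(log):
        # Rule 1: bulk download at odd hours or from an unsanctioned location.
        if e.action == "download" and e.mb >= BULK_MB and (
                e.ts.hour not in BUSINESS_HOURS or e.country not in SANCTIONED_COUNTRIES):
            alerts.append(Alert("bulk_download", e.user,
                                f"{e.mb}MB from {e.app} at {e.ts:%H:%M}Z in {e.country}"))
        # Rule 2: the same user active from two countries within the travel window.
        prev = last_seen.get(e.user)
        if prev and prev.country != e.country and e.ts - prev.ts <= TRAVEL_WINDOW:
            minutes = int((e.ts - prev.ts).total_seconds() // 60)
            alerts.append(Alert("multi_location", e.user,
                                f"{prev.app} in {prev.country} then {e.app} in "
                                f"{e.country} within {minutes} min"))
        last_seen[e.user] = e
    return alerts


# Constructed sample activity log, not real traffic.
SAMPLE_LOG = """
2016-10-03T09:05:00Z alice box login 0 US
2016-10-03T09:20:00Z alice box download 40 US
2016-10-03T02:30:00Z bob salesforce download 3200 US
2016-10-03T10:00:00Z carol workday login 0 US
2016-10-03T10:25:00Z carol o365 login 0 RO
2016-10-03T14:00:00Z dave box download 900 BR
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a.rule, a.user, a.detail)
```

On the sample, bob (3200 MB at 02:30Z) and dave (900 MB from BR) trip the bulk rule and carol trips the multi-location rule; alice's 40 MB download in business hours raises nothing.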

Page 14: Covering the basics: Access control

Extended feature / Description

• User and entity behavior analytics (UEBA) used across multiple SaaS apps for breach detection: Detects anomalies, threats and misuse of resources (if this is not in the current feature set, it should be on the roadmap).
• Contextual access to resources: Limited access based on device, e.g. a user can only view the data but can't download it.
• Authentication upgrade or dual authentication: Force dual authentication (or strong auth) under conditions such as a mobile user, 3 failed login attempts, an unusual location or an unusual action. It is an extra protection layer.
• Supports unmanaged devices: With or without an agent.
• Automatic policy conversion for the security ecosystem: Ability to convert security policy from on-premises devices (firewalls, next-generation firewalls) to the CASB. This feature can save the security admin a lot of work.
• Access control based on parameters: Access to a resource based on user, location, OS, device, app category, country, personal account vs corporate account, sender, receiver and user action. E.g. the EU doesn't allow data to leave the country, so an EU-based policy must make sure that data is stored in a data center located in the EU. E.g. a customer can use a non-trusted app to share a file but an employee can't.

Page 15: Select CASB–evaluate on 58 feature, CSP's risk score and first 90 days plan

CSAB Vendors proxy security measure What about CSAB’s security Description Regular software update: For malware and new SaaS apps

Vendor should regularly and frequently update the app-signature database, malware signature update .

Software update and DevOPS security Should have secure method to do the release management, Software upgrade should be transparent for customer

Data center security Data center is been secured, how keys is been secured

Event backup plan Check what is the event backup plan if case system crash

Regular PAN testing Does the CASB vendor go through regular PAN testing

Check support and professional services Always a good idea to check support and professional services personal, you will interact with those people more.

Page 16: Is the CASB doing due diligence when scoring a cloud service provider (CSP)?

A CASB should score its CSPs on the following factors. Your CASB vendor should cover these factors while reviewing a CSP, and the review results should be displayed on the web interface.

• The CSP risk score is important: A CASB provides the CSP's risk score, calculated from many factors such as app reputation, trustworthiness, known breaches etc. A CSP's risk score can play an important role because an organization may configure its security posture based on the CSP's risk score. A CASB vendor should consider the following facts to score the CSP.
• CSP compliance on a regular basis: Track the cloud app's Service Organization Control (SOC) reports to ensure security rules are applied and maintained. Check for compliance certificates such as SOC 2, PCI, HIPAA, ISO 27001 etc.
• CSP activity logs and data center protection: The CSP should maintain activity logs for users and admins of its data center, and should provide logs of end-user activity. Has the CSP secured its data center?
• CSP's security measures (identity, default settings and authentication):
  • Default passwords have been reset and anonymous access is blocked.
  • The CSP integrates with enterprise directories (LDAP, Active Directory).
  • Enterprise integration for authentication (FW users).
  • Single sign-on methods.
  • Multi-factor authentication: password plus soft token, SMS code, phone/email code.

Page 17: Is the CASB doing due diligence when scoring a cloud service provider (CSP)? (continued)

Extended feature / Description

• CSP's security measures (legal implications): Any cloud service provider must follow all the legal rules defined in the enterprise user license agreement, such as:
  • Data sharing (name, phone etc.)
  • Data retention period after account termination
  • Account termination rights and contract
  • Service contract renewal
  • Intellectual property ownership
• CSP reputation:
  • Has the CSP experienced a breach of its service in the past? If yes, what measures did they take to prevent a recurrence?
  • Does the CSP go through regular pen testing?
  • Have any of the hosted sites had malware or a botnet?
• Data protection:
  • Data protection for multi-tenancy: keep all tenants' data safe.
  • What level of encryption is used for data at rest?

Page 18: If you decided to deploy: the first 90 days

• To take full advantage of your CASB, plan the deployment so that it progresses in steps through discovery, control and access policy, data protection, monitoring and managing the usage.
• Discovery method
  – Discovery can be done from security device logs or inline.
  – Make a list of sanctioned and unsanctioned apps along with their risk scores.
  – Create a baseline for apps per user, usage per app, usage per location and more.
  – Make a matrix of apps, risks and usage for both sanctioned and unsanctioned apps.
  – Encourage other BUs to get involved in the process.
• Monitoring and control
  – Monitoring can be achieved in both API and inline mode; the only difference is whether data monitoring is done inline or by probing the SaaS server.
  – Based on your organization's policy, grant access rights and create policies to allow, block and alert for the applications.
  – Keep modifying the policies based on risk scores.
  – Get creative while planning cloud governance, access and control.
  – Encryption and tokenization based on sensitive data.

Page 19: If you decided to deploy: the first 90 days (continued)

• Usage
  – DLP and compliance
  – Create policies based on User and Entity Behavior Analytics (UEBA) information
    • E.g. one user is using different SaaS apps from different locations in a short time period
    • A user is downloading a large volume of data
  – Real-time enforcement
    • Create contextual access policies based on mobile, user, location, OS and more. E.g. a mobile device gets different access than a desktop.
    • Upgraded authentication based on location, device or OS
  – Usage monitoring
    • Reporting
    • Orphan accounts and data
    • Large amounts of data
    • Enterprise integration for user identity

Page 20: The first 90 days: threat protection

• Threat protection
  – Add the database of known attacks, malware, IPs and URLs.
  – Establish the baseline for the system and create an alert if the baseline is breached.
  – Prevent
    • Plan for attack prevention and for isolation of the application and system.
    • Watch the applications' risk scores.
  – When an incident is detected
    • Confirm, prioritize, investigate, report and update the system.
    • Modify the policy.

Page 21: Enjoy

You have a security control point in the cloud.

Page 22: Cloud glossary

• Web app: Used only through a web browser and built from a combination of server-side and client-side script. Online shopping, WebEx, eBay and more.
• Cloud app: A service delivered from the cloud that can be accessed with a web browser or a native client. In most cases the web interface is used as the alternative method. Cloud app examples: Outlook on your Mac/Windows or Office 365 login, Box, Evernote, Salesforce and more. Data can be accessed in offline mode by downloading it locally, and it can be synced periodically.
• Shadow IT: A user-targeted cloud app or unsanctioned app used by organization personnel without the organization's IT approval.
• Payment Card Industry Data Security Standard (PCI DSS): Security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover and JCB.

Page 23: Cloud glossary (continued)

• Personally Identifiable Information (PII): Can be defined as medical, educational, financial, legal and employment information about an individual that, directly or indirectly or in connection with other information, can identify or locate that person.
• Health Insurance Portability and Accountability Act (HIPAA): The HIPAA Act (of 1996) provides data privacy and security provisions for safeguarding an individual's medical information. It has five titles.
  • Title I: Protects health insurance coverage for workers who lose or change jobs, covers specific diseases and pre-existing conditions, and prohibits setting lifetime coverage limits.
  • Title II: The U.S. Department of Health and Human Services must establish national standards for processing electronic healthcare transactions, implement secure electronic access to health data and remain in compliance with the privacy regulations set by HHS.
  • Title III: Includes tax-related provisions and guidelines for medical care.

Page 24: Cloud glossary (continued)

• Advanced threat protection or threat protection: A security solution that detects and blocks hacking-based or advanced malware attacks aimed at stealing sensitive data. Most of the time these solutions include endpoint agents, a malware protection system, network devices, a database of rogue IPs and URLs, and a centralized management system that correlates the data.
• Internet Content Adaptation Protocol (ICAP): An HTTP-like lightweight protocol used to extend transparent proxy server functionality (in a standardized way) to help deliver value-added services such as content filtering (DLP), virus scanning, ad insertion, language translation or content translation.
  – Offloading these services to the ICAP server frees up resources on the HTTP transparent proxy.
  – The proxy accepts the connection and holds the request while it uses ICAP to pass the content to the DLP solution (on the ICAP server) for inspection. Since the proxy itself is not doing the inspection, its resources stay free and it can accept more connections. The ICAP server returns the request with the scan results: if no sensitive data is found the request is forwarded, otherwise the HTTP request is dropped.

Page 25: Cloud glossary (continued)

• Structured and unstructured data:
  – Structured data: Data organized in columns that can be easily searched by basic algorithms. Examples include spreadsheets and relational databases.
  – Unstructured data: Data in the form humans use, which is hard to search. Examples are emails, binaries, Word docs, social media posts, images, audio and more.
• Identity and Access Management (IAM): A mission-critical security practice that enables the right individuals to access the right resources at the right times for the right reasons. IAM solution providers include Okta, OneLogin, PingIdentity and Centrify.
• Identity as a Service (IDaaS): A cloud-based IAM service used by an organization to authenticate a user or service using single sign-on (SSO using SAML or OIDC) for multiple software and cloud-based applications. It can be multi-tenant or dedicated to one organization.

Page 26: Cloud glossary (continued)

• XaaS: Anything as a Service
• DaaS: Desktop as a Service
• IaaS: Infrastructure as a Service
• SaaS: Software as a Service
• BDaaS: Big Data as a Service
• HDaaS: Hadoop as a Service
• BaaS: Backup as a Service
• SCaaS: Security as a Service
• MaaS: Monitoring as a Service
• DRaaS: Disaster Recovery as a Service