Select CASB–evaluate on 58 feature, CSP's risk score and first 90 days plan
How to select your CASB: CASB's top 58 features, CSP's risk score and first 90 days operation plan
Himani Singh
Oct 2016
Agenda
According to Gartner, Cloud Access Security Brokers (CASB) are one of the top 10 leading technologies in the IT industry. That said, it is also a live technology that keeps maturing over time, and we expect more features to be added to it.
This presentation covers:
• 58 CASB features that help in CASB evaluation
• CASB methods to score a cloud service provider
• An outline of a first 90 days operation strategy for CASB
An intro to CASB technology
Most IT, HR and other business software is delivered as software-as-a-service (SaaS) from the cloud. With this model, the CISO/CIO has lost the single security-policy enforcement points (SPEPs) they used to have in traditional networks. SPEPs are distributed in the cloud, while the CISO/CIO still needs visibility, resource protection and control in the cloud.
CASB is the answer to that, and its definition includes the following:
– The 5 A's
• Secure access to any app, on any device, at any time, for any user and from anywhere
– Visibility into the five W's
• who (user), when (time), what (resource and activity), why, which app (app access)
– Data security and data protection for data
• on the move, in use and at rest, in the cloud or on the device
– Compliance, access control and threat protection
Do you need CASB?
Does your organization really need it?
– If you have limited cloud apps then a full-fledged CASB is probably not for you.
– You can use a CASB's discovery functionality to find shadow IT in your organization. Most CASB vendors offer it either for free or for a small fee.
When do you need it?
– If your organization has a hybrid cloud
– IT and/or other BUs (support, sales, marketing) are managing their own cloud apps
– IT and other BUs have future plans for cloud implementation
– You need visibility, data protection, compliance and access control in the cloud
An overview of CASB deploy modes (diagram)
Clients: corporate office, servers, devices, laptops; unmanaged mobile or personal devices; remote users
Traffic path: FW or SWG proxy, then URL rewrite redirection or traffic redirection using DNS, IDM, IDaaS, SSO and SAML into the CASB
CASB proxy mode: visibility, data protection, continuous monitoring, data governance, compliance, threat protection, enterprise integration
CASB API mode: visibility, data protection, malware protection, continuous monitoring, compliance
Cloud services: IaaS (AWS, Azure, SoftLayer), PaaS (Oracle cloud, Google API, Bluemix), SaaS (Box, Workday, O365)
Detailed information can be found at http://www.slideshare.net/Himani-Singh/cloud-security-overview-part-1
Yes to CASB, then what?
A CASB has lots of moving parts: not only different services, software and agents, but multiple deploy modes and functionality.
This presentation covers the 59 much needed CASB features, a score-card for a cloud service provider (CSP) and a 90 day plan to operate the CASB with continuous monitoring to take full advantage of it.
– Selecting the deployment mode depends on the service you want to protect: SaaS, IaaS or PaaS. More info can be found in part one: http://www.slideshare.net/Himani-Singh/cloud-security-overview-part-1
Consider facts and do your due diligence
After selecting the CASB's deployment mode, consider more facts:
• How much tolerance does your organization have towards latency? Remember a CASB will introduce some amount of latency.
• CASB integration can introduce extra work such as installing agents on end devices, network changes and DNS redirection.
• Discovery is the first step
• Take advantage of a CASB vendor's discovery service to understand your network
• Make a matrix of priority vs cost vs latency to select the correct balance
• Cover the CASB's functions in the following areas: visibility, compliance, data security, threat protection and access policies.
Covering the basics: Visibility (feature and description)
• CASB log based discovery or active inline based discovery: Discover your network, both sanctioned and unsanctioned apps, user actions and traffic load. This is a mature feature and most CASBs offer it. Check the vendor's app database update frequency; you want the latest apps' and modified apps' signatures included. This is a must have feature.
• CASB log based discovery with LDAP/Active Directory integration: The integration provides the IP to user mapping, which helps identify a user name and enables user-name based queries and actions. Enterprise integration (IP to user mapping): most vendors have this mapping with active or inline proxy and few offer it for log based CASB. It is better to have it for both modes.
• Data visibility: Type of files uploaded, shared and publicly shared, and where data is being transferred or stored in the cloud.
• User activity: User actions such as share, public share, download and edit.
• Top user, top app, top location: A graphical view of top user, top app and top location.
• Device, OS and location identification: Which device and OS is used at which time and from which location.
• Search based on application category: Ability to group applications based on categories, e.g. business, HR, social, file storage etc.
• Service category: Able to classify apps as SaaS, PaaS and IaaS.
Covering the basics: Compliance (feature and description)
• Personally Identifiable Information (PII): PII must be protected from internal and external resources. A CASB should be able to distinguish between employees' enterprise and personal access, because a CASB should skip employees' personal information.
• Health Insurance Portability and Accountability Act (HIPAA): Must comply with the HIPAA act for at least the first two titles.
• Payment Card Industry Data Security Standard (PCI DSS): A CASB should be able to identify PCI data, trigger an alert, and block any PCI data going to a cloud app that is not PCI compliant.
• Many more
Covering the basics: Data Loss Prevention (DLP feature and description)
• Blocking sensitive data leakage using pattern matching: Use different pattern matching techniques to identify sensitive data, whether it is leaving the organization or stored in the cloud. Matching is done with regular expressions or predefined DLP sensors.
• Predefined sensors: A CASB must be able to identify PII, PCI, HIPAA and other predefined sensors such as addresses, name and zip, email address and more.
• Custom DLP pattern, fingerprinting: Fingerprinting is one technique to create a custom pattern match when sensitive data does not fall into any predefined category. There are many ways to create a fingerprint; one of them is hashing. In this method a hash of each sensitive document is created and stored in the proxy's cache. This stored hash is matched against the hash of user data (data on the move, at rest or in use); if a match is found, an action is taken.
• Custom DLP pattern, keywords, dictionaries, exact match: Allow the user to create custom DLP patterns based on keywords, exact match or dictionary methods. Explaining all the methods is beyond the scope of this document.
• Validation mechanisms for credit cards and Social Security numbers: A CASB should have a mechanism to validate the card number or SSN.
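The DLP slide above describes three mechanisms: regex-based predefined sensors, validation of card numbers and SSNs, and hash-based document fingerprinting. This added example (not code from the deck or any CASB product) puts them together in one scanner; the sensors, the sample document, the upload and the block/alert policy are all constructed for illustration, and the fingerprint goes beyond a single whole-document hash by also hashing 8-word windows so a partial copy is still caught.

```python
import hashlib
import re

# Predefined DLP sensors (constructed for this example): regexes that find
# candidate card numbers, US Social Security numbers and e-mail addresses.
SENSORS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

def luhn_valid(number: str) -> bool:
    """Luhn check digit: drops regex hits that cannot be real card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 16:
        return False
    total, parity = 0, len(digits) % 2
    for i, d in enumerate(digits):
        if i % 2 == parity:          # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_valid(ssn: str) -> bool:
    """Reject SSN-shaped values that are never issued (area 000/666/9xx, zero groups)."""
    area, group, serial = ssn.split("-")
    return area not in ("000", "666") and area < "900" and group != "00" and serial != "0000"

def fingerprint(text: str, shingle: int = 8) -> set:
    """Hash the whole normalised text plus every `shingle`-word window (partial copies match)."""
    words = text.lower().split()
    hashes = {hashlib.sha256(" ".join(words).encode()).hexdigest()}
    for i in range(len(words) - shingle + 1):
        window = " ".join(words[i:i + shingle]).encode()
        hashes.add(hashlib.sha256(window).hexdigest())
    return hashes

def scan(data: str, cache: set) -> dict:
    """Run the predefined sensors and the fingerprint match over one upload."""
    hits = []
    for name, rx in SENSORS.items():
        for m in rx.finditer(data):
            value = m.group(0)
            if name == "credit_card" and not luhn_valid(value):
                continue
            if name == "ssn" and not ssn_valid(value):
                continue
            hits.append((name, value))
    return {"sensors": hits, "fingerprint_match": bool(fingerprint(data) & cache)}

def decide(result: dict) -> str:
    """Policy (assumed): block fingerprinted or card/SSN data, alert on e-mail only."""
    blocking = any(n in ("credit_card", "ssn") for n, _ in result["sensors"])
    if result["fingerprint_match"] or blocking:
        return "block"
    return "alert" if result["sensors"] else "allow"

# Constructed sensitive document, fingerprinted ahead of time into the proxy cache.
SECRET_DOC = ("Project Falcon acquisition plan: the board will offer 42 dollars per share "
              "for Acme Widgets and close the deal before the end of the fiscal year.")
CACHE = fingerprint(SECRET_DOC)
# Constructed upload: one sentence lifted from the plan plus a test card number.
UPLOAD = ("FYI the board will offer 42 dollars per share for Acme Widgets, "
          "bill it to 4111 1111 1111 1111 and reply to alice@example.com")
```

Calling `decide(scan(UPLOAD, CACHE))` returns "block": the card number passes Luhn and the copied sentence shares several 8-word windows with the fingerprinted plan.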
Covering the basics: Data Loss Prevention, continued (DLP feature and description)
• DLP by API, almost real time: Provides almost real time data monitoring, meaning data at rest must be matched as soon as it is uploaded. If a match is found, an appropriate action such as alert, block, quarantine, legal hold or encryption is taken.
• DLP by inline proxy: Pattern matching can be done in real time on data on the move; if a match is found an appropriate action is taken, as above.
• DLP on structured and unstructured data: Pattern matching should be done on both structured and unstructured data.
• External DLP integration: A CASB must provide a way to integrate a 3rd party DLP engine for data scanning. For example, a customer can use an external DLP engine in conjunction with, or instead of, the CASB's integrated DLP engine.
• Field level/file level encryption and field level tokenization in real time: Field/file level encryption can be done while data is in transit (proxy based). Field level tokenization on credit card, SSN, email, name and other fields.
• Enterprise/LDAP/SSO/Active Directory integration: Using the username with the IP address allows the correct access rights.
• E-discovery, classification, encryption and tokenization on data at rest: A CASB in API mode can probe data stored in the cloud app; if it is classified as sensitive then take an action such as encrypt, quarantine, tokenize, DRM, log or alert.
• User's own crypto keys: Some clients prefer to use their own keys. A CASB vendor may allow users to bring and manage their own keys.
Covering the basics: Data Loss Prevention, continued (DLP feature and description)
• Digital rights management: A CASB should apply data classification tags such as DRM to prevent copying or downloading.
• Watermark adding and detection: A CASB can add a watermark or detect a watermark.
• Key management and customer's own crypto keys: Some clients prefer to use their own keys. A CASB vendor should support customer encryption keys in its on-premise or cloud solution, and should be able to manage them securely.
• Data that is password protected: A CASB should be able to scan and take action on files that are password protected.
• ICAP integration: A CASB proxy should allow ICAP integration to either support a 3rd party DLP solution or help release the proxy's resources.
• BYOD security for MDM: MDM-style security for mobile devices is quite important; that includes selective wipe, contextual access, limited access rights and upgraded authentication.
Covering the basics: Threat Protection (feature and description)
• Malware identification using a database of known rogue IPs, URLs, hosts and locations: A CASB should block traffic if any element matches the rogue URLs, IPs, host names, source IPs or locations.
• Anomalous behavior between SaaS apps: Ability to track when a large volume of data is being exchanged between multiple SaaS apps. If a user account has been hacked, the attacker might be using some level of obfuscation to transfer the data.
• Event log preservation: Ability to provide and preserve event logs, and ability to find the correlation between events.
• Anomaly detection on a user or app basis: A single user downloading a large amount of data at odd hours, or from unsanctioned locations, or a single user logged in to different apps from different locations.
• Orphan account detection: Accounts of ex-employees should be detected and their data cleaned. Any access to an orphan account should be detected immediately.
• Reset an account: Reset or block an account.
• Integrate with IAM: User activity across multiple SaaS apps should be tracked for visibility.
• Integration with SIEM: Have a unified security view.
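The anomaly and orphan-account rules in the threat protection list above, and the UEBA policies the "first 90 days" usage slide later asks for (one user in different SaaS apps from different locations in a short time, a user downloading a large volume of data), can be expressed as detection logic over the CASB's activity log. This added example (not code from the deck or any vendor) runs four such rules over a constructed log and a constructed directory export; the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed directory export (the LDAP/AD integration): currently active users.
DIRECTORY = {"alice", "bob"}

# Constructed CASB activity log: time,user,app,action,bytes,location
LOG = """\
2016-10-03T09:12:00,alice,box,download,20480,London
2016-10-03T09:40:00,alice,box,download,15360,London
2016-10-04T03:15:00,alice,box,download,734003200,London
2016-10-04T03:40:00,alice,salesforce,login,0,Moscow
2016-10-04T10:00:00,bob,o365,share,4096,London
2016-10-04T10:05:00,carol,box,download,8192,London
"""

def parse(log: str) -> list:
    """Turn the CSV-style log into event dicts with real timestamps."""
    events = []
    for line in log.strip().splitlines():
        t, user, app, action, size, loc = line.split(",")
        events.append({"time": datetime.fromisoformat(t), "user": user, "app": app,
                       "action": action, "bytes": int(size), "loc": loc})
    return events

def detect(events: list, directory: set, travel_window: timedelta = timedelta(hours=1),
           large_factor: int = 10, off_hours: range = range(0, 6)) -> list:
    """Return (rule, user, detail) alerts for the behaviours the deck lists.
    Thresholds (1 h travel window, 10x daily volume, 00:00-05:59 off hours) are assumed."""
    alerts, daily, last_seen = [], defaultdict(int), {}
    for e in sorted(events, key=lambda ev: ev["time"]):
        u = e["user"]
        if u not in directory:  # account no longer in the directory: orphan
            alerts.append(("orphan_account", u, f"{e['action']} on {e['app']}"))
        if e["action"] == "download":
            daily[(u, e["time"].date())] += e["bytes"]
            if e["time"].hour in off_hours:
                alerts.append(("off_hours_download", u, e["time"].isoformat()))
        prev = last_seen.get(u)
        if prev and prev[1] != e["loc"] and e["time"] - prev[0] <= travel_window:
            alerts.append(("impossible_travel", u,
                           f"{prev[2]}@{prev[1]} then {e['app']}@{e['loc']}"))
        last_seen[u] = (e["time"], e["loc"], e["app"])
    # Volume anomaly: each user-day against the user's own earlier days (the baseline).
    for (u, day), total in daily.items():
        history = [t for (hu, hd), t in daily.items() if hu == u and hd < day]
        if history and total > large_factor * max(history):
            alerts.append(("large_download", u, f"{total} bytes on {day}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(LOG), DIRECTORY):
        print(alert)
```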
Covering the basics: Access control (extended features and description)
• User and entity behavior analytics (UEBA) used across multiple SaaS apps for breach detection: Detects anomalies, threats and misuse of resources (if this is not in the current feature set, it should be on the road map).
• Contextual access to resources: Limited access based on device, e.g. a user can only view the data but can't download it.
• Authentication upgrade or dual authentication: Force dual authentication (or strong auth) under conditions such as a mobile user, 3 failed login attempts, an unusual location or an unusual action. It is an extra protection layer.
• Supports unmanaged devices: With or without an agent.
• Automatic policy conversion for the security ecosystem: Able to convert security policy from on-premises devices (firewalls, next generation firewalls) to the CASB. This feature can save a lot of work for the security admin.
• Access control based on parameters: Access to a resource based on user, location, OS, device, app category, country, personal account vs corporate account, sender, receiver and user action. E.g. the EU doesn't allow data to leave the country, so an EU based policy must make sure that data is stored in a data center located in the EU. E.g. a customer can use a non-trusted app to share a file but an employee can't.
CASB vendor's proxy security measures: what about the CASB's own security? (feature and description)
• Regular software updates for malware and new SaaS apps: The vendor should regularly and frequently update the app signature database and malware signatures.
• Software updates and DevOps security: Should have a secure release management method; software upgrades should be transparent for the customer.
• Data center security: How is the data center secured, and how are keys secured?
• Event backup plan: Check what the event backup plan is in case of a system crash.
• Regular pen testing: Does the CASB vendor go through regular penetration testing?
• Check support and professional services: Always a good idea to check the support and professional services personnel; you will interact with those people the most.
Does the CASB do due diligence in scoring a cloud service provider (CSP)?
A CASB should score its CSPs on the following factors. Your CASB vendor should cover these factors while reviewing a CSP, and the review results should be displayed on the web interface.
• CSP risk score is important: A CASB provides the CSP's risk score, calculated from many factors such as app reputation, trustworthiness, known breaches etc. A CSP's risk score can play an important role because an organization may configure its security posture based on the CSP's risk score. A CASB vendor should consider the following facts to score the CSP.
• CSP compliance on a regular basis: Track the cloud app's Service Organization Control (SOC) reports to ensure security rules are applied and maintained. Check for compliance certificates such as SOC2, PCI, HIPAA, ISO 27001 etc.
• CSP activity logs and data center protection: The CSP should maintain activity logs for users and admins of its data center, and should provide logs of end user activity. Has the CSP secured its data center?
• CSP's security measures, identity, default settings and authentication:
– Default passwords have been reset and anonymous access is blocked.
– The CSP has integration with enterprise directories (LDAP, Active Directory).
– Enterprise integration for authentication (FW users).
– Single sign-on methods.
– Multi-factor authentication: password plus soft token, SMS code, phone/email code.
Does the CASB do due diligence in scoring a cloud service provider (CSP)? (continued)
• CSP's security measures, legal implications: The cloud service provider must follow all rules and legal implications defined in the enterprise user license agreement, such as:
– Data sharing (name, phone etc.)
– Data retention period after account termination
– Account termination rights and contract
– Service contract renewal
– Intellectual property ownership
• CSP reputation:
– Has the CSP experienced a breach in its service in the past? If yes, what measures did they take to prevent it?
– Does the CSP go through regular pen testing?
– Have any of the hosted sites had malware or a botnet?
• Data protection:
– Data protection for multi-tenancy: keep all tenants' data safe.
– What level of encryption for data at rest?
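The two CSP slides above list the facts a CASB should score a provider on and say the organization configures its posture from the resulting score. This added example (not the deck's or any vendor's scoring model) turns those facts into a weighted 0 to 10 risk score with the reasons behind it, then maps the score onto a posture; the field set, the weights, the thresholds and the three provider profiles are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# The compliance certificates the deck tells you to check for.
CERTS = frozenset({"SOC2", "PCI DSS", "HIPAA", "ISO 27001"})

@dataclass
class CspProfile:
    """Facts gathered about one cloud service provider (field set is this example's own)."""
    name: str
    certifications: frozenset = frozenset()
    user_logs: bool = False              # end-user activity logs available to the customer
    admin_logs: bool = False             # admin / data-centre activity logs
    anonymous_blocked: bool = False      # default passwords reset, anonymous access off
    directory_integration: bool = False  # LDAP / Active Directory
    sso: bool = False
    mfa: bool = False
    past_breach: bool = False
    breach_remediated: bool = False
    regular_pentest: bool = False
    hosted_malware: bool = False         # a hosted site served malware or a botnet
    encryption_at_rest: str = "none"     # "none", "provider_key" or "customer_key"

def risk_score(csp: CspProfile) -> tuple:
    """Return (score, reasons): 0 = every check passes, 10 = every check fails.
    The weights are this example's assumption; they sum to 10."""
    missing = CERTS - csp.certifications
    breach = 1.5 if csp.past_breach and not csp.breach_remediated else 0.5 * csp.past_breach
    checks = [
        (2.0 * len(missing) / len(CERTS), f"missing certifications: {sorted(missing)}"),
        (0.5 * (not csp.user_logs), "no end-user activity logs"),
        (0.5 * (not csp.admin_logs), "no admin/data-centre activity logs"),
        (0.5 * (not csp.anonymous_blocked), "default passwords or anonymous access"),
        (0.5 * (not csp.directory_integration), "no LDAP/AD integration"),
        (0.5 * (not csp.sso), "no single sign-on"),
        (1.0 * (not csp.mfa), "no multi-factor authentication"),
        (breach, "past breach" + ("" if csp.breach_remediated else ", not remediated")),
        (0.5 * (not csp.regular_pentest), "no regular penetration testing"),
        (1.0 * csp.hosted_malware, "hosted malware or botnet seen"),
        ({"none": 1.5, "provider_key": 0.5, "customer_key": 0.0}[csp.encryption_at_rest],
         f"encryption at rest: {csp.encryption_at_rest}"),
    ]
    score = round(sum(points for points, _ in checks), 2)
    return score, [why for points, why in checks if points > 0]

def posture(score: float) -> str:
    """Map a score onto the access posture the organization configures (thresholds assumed)."""
    if score < 3.0:
        return "sanctioned"
    if score < 6.0:
        return "sanctioned, monitor usage and coach users"
    return "unsanctioned, block uploads of sensitive data"

# Constructed providers for the sample run (positional order follows the dataclass fields).
SOLID = CspProfile("solid-store (constructed)", CERTS, True, True, True, True, True, True,
                   False, False, True, False, "customer_key")
MIDDLING = CspProfile("midtier-docs (constructed)", frozenset({"SOC2", "ISO 27001"}), True, True,
                      True, True, True, False, True, True, True, False, "provider_key")
SHAKY = CspProfile("freeshare (constructed)", frozenset({"SOC2"}), True, False, False, False,
                   False, False, True, False, False, False, "none")

if __name__ == "__main__":
    for csp in (SOLID, MIDDLING, SHAKY):
        score, reasons = risk_score(csp)
        print(csp.name, score, posture(score), reasons)
```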
If you decided to deploy: first 90 days
• To take full advantage of your CASB, plan the deployment to progress through the steps of discovery, control and access policy, data protection, monitoring and managing usage.
• Discovery method
– Discovery can be done from security device logs or inline.
– Make a list of sanctioned and unsanctioned apps along with their risk scores.
– Create a baseline for apps per user, usage per app, usage per location and more.
– Make a matrix of apps, risks and usage for both sanctioned and unsanctioned apps.
– Encourage other BUs to get involved in the process.
• Monitoring and control
– Monitoring can be achieved in both API and inline mode; the only difference is whether data monitoring is done inline or by probing the SaaS server.
– Based on your organization's policy, grant access rights and create access, block and alert policies for the applications.
– Keep modifying the policies based on risk scores.
– Get creative while planning for cloud governance, access and control.
– Encryption and tokenization based on sensitive data.
If you decided to deploy: first 90 days (continued)
• Usage
– DLP and compliance
– Create policies based on User and Entity Behavior Analytics (UEBA) information
• E.g. one user is using different SaaS apps from different locations in a short time period
• A user is downloading a large volume of data
– Real time enforcement
• Create contextual access policies based on mobile, user, location, OS and more. E.g. a mobile device has different access than a desktop
• Upgraded authentication based on location, device or OS
– Usage monitoring
• Reporting
• Orphan accounts and data
• Large amounts of data
• Enterprise integration for user identity
First 90 days: threat protection
• Threat protection
– Add the database of known attacks, malware, IPs and URLs
– Establish the baseline for the system and create an alert if the baseline is breached
– Prevent
• Plan for attack prevention and isolation of the application or system
• Watch the applications' risk scores
– When an incident is detected
• Confirm, prioritize, investigate, report, update the system
• Modify the policy
Enjoy
You have a security control point in the cloud
Cloud glossary
• Web app:
– Only used via a web browser and has a combination of server side and client side script. Online shopping, WebEx, eBay and more.
• Cloud app:
– A service delivered from the cloud that can be accessed by a web browser or a native client. In most cases the web interface is used as the alternative method. Cloud app examples: Outlook on your Mac/Windows or Office 365 login, Box, Evernote, Salesforce and more.
– Data can be accessed in offline mode by downloading it locally, and it can be synced periodically.
• Shadow IT:
– A user targeted cloud app or unsanctioned app used by organization personnel without organization IT approval.
• Payment Card Industry Data Security Standard (PCI DSS):
– Security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.
Cloud glossary
• Personally Identifiable Information (PII):
– Can be defined as medical, educational, financial, legal and employment information about an individual that, directly or indirectly, or in combination with other information, can identify or locate that person.
• Health Insurance Portability and Accountability Act (HIPAA):
– The HIPAA Act (of 1996) provides data privacy and security provisions for guarding an individual's medical information. It has five titles.
• Title I: Protects health insurance coverage for workers who lose or change jobs, covers specific diseases and pre-existing conditions, and prohibits setting lifetime coverage limits.
• Title II: The U.S. Department of Health and Human Services must establish national standards for processing electronic healthcare transactions, implement secure electronic access to health data and remain in compliance with privacy regulations set by HHS.
• Title III: Includes tax-related provisions and guidelines for medical care.
Cloud glossary
• Advanced threat protection or threat protection:
– A security solution that detects and blocks hacking based or advanced malware attacks that steal sensitive data. Most of the time these solutions include endpoint agents, a malware protection system, network devices, a database of rogue IPs and URLs, and a centralized management system to correlate the data.
• Internet Content Adaptation Protocol (ICAP):
– An HTTP-like lightweight protocol used to extend transparent proxy server functionality (in a standardized way) to help deliver value-added services such as content filtering (DLP), virus scanning, ad insertion, language translation or content translation.
– Offloading these services to the ICAP server releases resources on the HTTP transparent proxy.
– The proxy accepts the connection and holds the request, while it uses ICAP to pass the content to the DLP solution (on the ICAP server) for inspection. Since the proxy itself is not doing the inspection, its resources are free and it can accept more connections. The ICAP server returns the request with the scan results; if no sensitive data is found the request is forwarded, otherwise the HTTP request is dropped.
Cloud glossary
• Structured and unstructured data:
– Structured data: Data with columns that can be easily searched by basic algorithms. Examples include spreadsheets and relational databases.
– Unstructured data: Data in the form humans use, which is hard to search. Examples are emails, binaries, Word docs, social media posts, images, audio and more.
• Identity and Access Management (IAM):
– A mission critical security practice that enables the right individuals to access the right resources at the right times for the right reasons.
– IAM solution providers include Okta, OneLogin, PingIdentity and Centrify.
• Identity as a Service (IDaaS):
– An IAM cloud based service used by an organization to authenticate a user or service using single sign-on (SSO using SAML or OIDC) for multiple software and cloud-based applications. It can be multi-tenant or dedicated to an organization.
Cloud glossary
• XaaS: Anything as a Service
• DaaS: Desktop as a Service
• IaaS: Infrastructure as a Service
• SaaS: Software as a Service
• BDaaS: Big data as a Service
• HDaaS: Hadoop as a Service
• BaaS: Backup as a Service
• SCaaS: Security as a Service
• MaaS: Monitoring as a Service
• DRaaS: Disaster Recovery as a Service