Most Common CASB Use Cases
As people and organizations adopt cloud services, Cloud Access Security Brokers
(CASBs) have become a must-have for any information security team. CASBs provide
critical capabilities such as governing access and activities in sanctioned and
unsanctioned cloud services, securing sensitive data and preventing its loss, and
protecting against internal and external threats. In short, CASBs enable organizations
to extend their information protection policies and programs from their on-premises
infrastructure and applications to the cloud. For organizations that are considering
deploying a CASB, it’s useful to consider the specific use cases they’re likely to
address within these broad topic areas, as these inform functional and architectural
requirements.
GOVERN USAGE
Govern access to Office 365 and other cloud services by device ownership class
Monitor privileged accounts and prevent unauthorized activity in IaaS instances
Monitor or control users’ activities within Collaboration or Social Media without blocking those services
Monitor or control advanced or cross-service activities in real time
Protect against password email abuse
Monitor or control users’ activities even when they are accessing cloud services from a mobile or desktop app or sync client

SECURE DATA
Prevent data exfiltration from an IT-led to any cloud service
Enforce different policies for personal and corporate instances of the same cloud service
Monitor sensitive data in Amazon S3 buckets
Enforce an activity- or data-level policy across a category of cloud services
Enforce conditional activity-level policies
Enforce layered policies that include a “base” and “exception” policy
Apply encryption based on conditional factors

PROTECT AGAINST THREATS
Block or remediate malware in IT-led and en route to/from business-led cloud services
Detect and alert on user login anomalies
Detect anomalies such as excessive downloads, uploads, or sharing within both IT-led and business-led services
Block and quarantine zero-day malware in the cloud
Recover from cloud-based ransomware infections
Prevent data infiltration involving new employees
SECURE DATA
1 Prevent data exfiltration from an IT-led to any cloud service
to a personal Dropbox or other file sharing service
Functional Requirements
▸▸ See and control usage in both IT-led and business-led services
▸▸ Identify all unique content in motion and track its movement
▸▸ Be aware of context, e.g., activities such as “upload” and “download”
▸▸ Decrypt SSL and decode the unpublished API to understand the transaction
▸▸ Surface data exfiltration activities in a user interface that is easy to understand
Deployment Requirements
▸▸ Forward proxy (monitor and control)
SECURE DATA
the same cloud
▸▸ See and control usage in both IT-led and business-led services
PROTECT AGAINST THREATS
and en route to/
For example, detect, quarantine, and block malware being downloaded from any cloud service in real time
▸▸ Decrypt SSL and decode the unpublished API to understand the transaction
▸▸ Forward proxy
▸▸ Reverse proxy (IT-led only, browser only)
GOVERN USAGE
services by device ownership class
▸▸ Enforce access and activity policies based on device attributes, including classification of “managed” and “unmanaged”
SECURE DATA
GOVERN USAGE
accounts and prevent unauthorized activity in IaaS
“instances” and “buckets”
group, and other enterprise directory attributes
business-led services
understand the transaction
SECURE DATA
policy across a category of cloud services
com)
led services
policies at a group or organizational unit level
GOVERN USAGE
activities within Collaboration or Social Media without blocking
Banking
“view,” “post,” and “create”
business-led services
features including regular expressions, custom keyword dictionaries, and Boolean operators to focus on specific risky activities (e.g., for FINRA)
SECURE DATA
of the organization from ANY Cloud Storage service if it is the organization’s financial reporting quiet period
▸▸ Decrypt SSL and decode the unpublished API to understand the transaction
Deployment Requirements
▸▸ Forward proxy
SECURE DATA
SECURE DATA
factors manager
PROTECT AGAINST THREATS
anomalies anomalies
▸▸ Forward proxy
PROTECT AGAINST THREATS
downloads, uploads, or
both IT-led and business-led services
“download” and “share”
led services
▸▸ Decrypt SSL and decode the unpublished API to understand the transaction
Deployment Requirements
▸▸ API (IT-led only)
GOVERN USAGE
PROTECT AGAINST THREATS
PROTECT AGAINST THREATS
present in IT-led cloud services
▸▸ Reverse proxy (IT-led only, browser only)
PROTECT AGAINST THREATS
PROTECT AGAINST THREATS
GOVERN USAGE
abuse
signal that a password is being shared
Deployment Requirements
▸▸ Forward proxy
GOVERN USAGE
activities
services from a mobile or desktop app or sync client)
For any of the real-time use cases that require a forward proxy, support should be extended to mobile apps, desktop apps, and sync clients
client
▸▸ Decrypt SSL and decode the unpublished API to understand the transaction (for forward proxy)
Deployment Requirements
▸▸ Forward proxy (monitor and control)
©2018 Netskope, Inc. All rights reserved. Netskope is a registered trademark and Netskope Active, Netskope Discovery, Cloud Confidence
Index, and SkopeSights are trademarks of Netskope, Inc. All other trademarks are trademarks of their respective owners. 01/18 EB-198-1