Agenda
According to Gartner, Cloud Access Security Brokers (CASB) are one of the top 10
leading technologies in the IT industry.
That said, it is also a live technology that keeps maturing over time, and we
expect more features to be added to it.
This presentation:
covers 58 CASB features;
helps in CASB evaluation;
describes CASB methods to score a cloud service provider;
outlines an operating strategy for the first 90 days of a CASB.
[Architecture diagram: the CASB sits between the enterprise and its cloud services. Cloud side: PaaS (Oracle Cloud, Google API, Bluemix) and SaaS (Box, Workday, O365). CASB functions: Visibility, Data Protection, Data Governance, Threat and Malware Protection, Continuous Monitoring, Compliance, with Enterprise Integration (IDM, IDaaS, SSO, SAML). Traffic reaches the CASB from the corporate office (servers, desktops, mobile) through a firewall or SWG proxy, and from remote users on unmanaged mobile or personal devices and laptops via URL-rewrite redirection or DNS-based traffic redirection.]
Description
Discover your network: both sanctioned and unsanctioned apps, user actions and traffic load. This is a mature
feature and most CASBs offer it.
Check the vendor's app database update frequency; you want the latest apps and modified app
signatures to be included.
This is a must-have feature.
The integration provides the IP-to-user mapping, which is helpful to identify a user name. This is also useful
for user-name based queries and actions.
Enterprise integration (IP to user mapping): most vendors have this mapping with an active or inline proxy, and few
offer it for log-based CASB.
It is better to have it for both modes.
Data visibility
Type of files uploaded, shared or publicly shared, and where data is being transferred or stored in the cloud.
User activity
Which device and OS is used, at which time and from which location.
Service category
Ability to group applications based on categories, e.g. business, HR, social, file storage etc.
Description
Personally identifiable information (PII) must be protected from internal and external resources.
A CASB should be able to distinguish between employees' enterprise and personal access, because a CASB
should skip employees' personal information.
Must comply with the HIPAA act, at least for the first two titles.
A CASB should be able to identify PCI data, trigger an alert, and block any PCI data going to a cloud app that is not PCI compliant.
Many more
Description
Use different pattern-matching techniques to identify sensitive data. That data can be either leaving
the organization or stored in the cloud.
This matching is done with regular expressions or predefined DLP sensors.
Predefined sensors
A CASB must be able to identify PII, PCI, HIPAA and other predefined sensors, to identify addresses, names, zip codes, email addresses and more.
Fingerprinting is one technique to create custom pattern matching when sensitive data doesn't fall
into any predefined category.
There are many ways to create a fingerprint; one of them is hashing. In this method a hash of each sensitive
document is created and stored in the proxy's cache. This stored hash is matched against the hash of user
data (data-in-motion, data-at-rest or data-in-use); if a match is found, an action is taken.
Allow users to create custom DLP patterns based on keywords, exact match or dictionary methods.
Explaining all the methods is beyond the scope of this document.
Validation mechanisms for credit cards, social security numbers
A CASB should have a mechanism to validate the card number or SSN.
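The DLP building blocks described above (predefined regex sensors, checksum validation of card numbers and SSNs, and hash-based document fingerprinting) as an added Python example; this is illustration code, not any CASB vendor's engine, and the sensor patterns, validators and sample strings are constructed assumptions:

```python
import hashlib
import re

# Constructed predefined sensors (regex). Real CASB DLP engines ship many more.
SENSORS = {
    "credit_card": re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

def luhn_valid(number: str) -> bool:
    """Luhn checksum: drops regex hits that cannot be real card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_plausible(ssn: str) -> bool:
    """SSA structure rules: area not 000/666/9xx, group and serial not all zero."""
    area, group, serial = ssn.split("-")
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"

VALIDATORS = {"credit_card": luhn_valid, "ssn": ssn_plausible}

def scan_text(text: str) -> dict:
    """Run every sensor over the text and keep only hits that pass their validator."""
    hits = {}
    for name, pattern in SENSORS.items():
        check = VALIDATORS.get(name, lambda _v: True)
        found = [m.group(0) for m in pattern.finditer(text) if check(m.group(0))]
        if found:
            hits[name] = found
    return hits

def fingerprint(document: bytes) -> str:
    """Hash of a sensitive document, as kept in the proxy's fingerprint cache."""
    return hashlib.sha256(document).hexdigest()

def fingerprint_hit(upload: bytes, cache: set) -> bool:
    """Exact-match fingerprinting: is the upload byte-identical to a protected document?"""
    return fingerprint(upload) in cache

if __name__ == "__main__":
    cache = {fingerprint(b"CONFIDENTIAL: Q3 merger plan")}   # constructed sample document
    print(scan_text("card 4111 1111 1111 1111, ssn 123-45-6789, bob@example.com"))
    print(fingerprint_hit(b"CONFIDENTIAL: Q3 merger plan", cache))
```

Note that exact hashing only catches byte-identical copies; a single edited character changes the hash, which is why commercial fingerprinting also uses partial or rolling hashes.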
Description
Provide almost real-time data monitoring; that means data-at-rest must be matched as
soon as it is uploaded.
If a match is found, an appropriate action such as alert, block, quarantine, legal hold or encryption is
taken.
In this case, pattern matching can be done in real time on data-in-motion; if a match is found, an
appropriate action is taken, the same as above.
A CASB must provide a way to integrate a 3rd-party DLP engine for data scanning.
For example, a customer can use an external DLP engine in conjunction with, or instead of, the CASB's
integrated DLP engine.
Field/file level encryption can be done while data is in transit (proxy based).
Field level tokenization on CC, SSN, email, name and other fields.
Using the username together with the IP address will allow the correct access rights to be applied.
A CASB in API mode can probe data stored in a cloud app; if it is classified as sensitive, it takes an
action such as encrypt, quarantine, tokenize, DRM, log or alert.
Some clients prefer to use their own keys. A CASB vendor may allow the customer to use and manage
its own keys.
Description
A CASB should apply data classification tags, such as DRM, to prevent copying or
downloading.
A CASB should be able to scan and take action on files that are password protected.
ICAP integration
A CASB proxy should allow ICAP integration, either to support a 3rd-party DLP solution or to
help release proxy resources.
MDM-style security for mobile devices is quite important; that includes
selective wipe,
contextual access,
limited access rights,
upgraded authentication.
Description
A CASB should block the traffic if any element matches
rogue URLs, IPs, host names, source IPs or locations.
If a user account has been hacked, the hacker might be using some level of
obfuscation to transfer the data.
Ability to provide and preserve event logs, and to find
correlations between events.
Reset an account.
User activity across multiple SaaS apps should be tracked for visibility.
Description
Detects anomalies, threats, and misuse of resources (if this is not in the current
feature set, it should be on the road map).
Limited access based on device, e.g. a user can only view the data but can't
download it.
Force dual authentication (or strong auth) under conditions such
as
mobile user, 3 failed login attempts, unusual location or unusual action.
It is an extra protection layer.
Able to convert the security policy from on-premises devices (firewalls, next-
generation firewalls) to the CASB.
This feature can save a lot of work for the security admin.
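The step-up authentication conditions listed above (mobile user, 3 failed login attempts, unusual location), evaluated over a constructed stream of login events as an added Python example; the event format, the 10-minute failure window and the per-user location baseline are assumptions for illustration, not any CASB's real policy engine:

```python
from collections import deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 3                    # "3 failed login attempts"
FAIL_WINDOW = timedelta(minutes=10)   # assumed window in which failures are counted

# Constructed sample of CASB login events; nothing here is real data.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "device": "laptop", "country": "US", "ok": False},
    {"ts": "2024-05-01T09:01:00", "user": "alice", "device": "laptop", "country": "US", "ok": False},
    {"ts": "2024-05-01T09:02:00", "user": "alice", "device": "laptop", "country": "US", "ok": False},
    {"ts": "2024-05-01T09:03:00", "user": "alice", "device": "laptop", "country": "US", "ok": True},
    {"ts": "2024-05-01T09:30:00", "user": "alice", "device": "laptop", "country": "US", "ok": True},
    {"ts": "2024-05-01T10:00:00", "user": "bob", "device": "mobile", "country": "DE", "ok": True},
    {"ts": "2024-05-01T10:05:00", "user": "bob", "device": "laptop", "country": "BR", "ok": True},
]
# Countries each user normally logs in from (constructed; a real CASB learns this baseline).
KNOWN_LOCATIONS = {"alice": {"US"}, "bob": {"DE"}}

def step_up_reasons(events, known_locations):
    """Return {event index: [reasons]} for every event that should force strong auth."""
    failures = {}   # user -> deque of recent failed-login timestamps
    decisions = {}
    for i, e in enumerate(events):
        ts = datetime.fromisoformat(e["ts"])
        reasons = []
        if e["device"] == "mobile":
            reasons.append("mobile user")
        if e["country"] not in known_locations.get(e["user"], set()):
            reasons.append("unusual location")
        q = failures.setdefault(e["user"], deque())
        while q and ts - q[0] > FAIL_WINDOW:   # forget failures outside the window
            q.popleft()
        if not e["ok"]:
            q.append(ts)
        if len(q) >= FAIL_THRESHOLD:
            reasons.append(f"{len(q)} failed login attempts")
        if e["ok"]:
            q.clear()   # a successful login (after step-up, if required) resets the counter
        if reasons:
            decisions[i] = reasons
    return decisions

if __name__ == "__main__":
    for idx, why in step_up_reasons(EVENTS, KNOWN_LOCATIONS).items():
        print(EVENTS[idx]["user"], EVENTS[idx]["ts"], "->", ", ".join(why))
```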
Description
A CASB provides a CSP risk score that is calculated from many
factors such as app reputation, trustworthiness, known breaches etc.
A CSP's risk score can play an important role because an organization may
configure its security posture based on the CSP's risk score.
A CASB vendor should consider the following facts to score a CSP.
Track the cloud app's Service Organization Control (SOC) reports to ensure the security
rules are being applied and maintained. Check for compliance certificates
such as SOC 2, PCI, HIPAA, ISO 27001 etc.
The CSP should maintain activity logs for users and admins of its data center.
The CSP should provide logs for end-user activity.
Has the CSP secured its data center?
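A CSP risk score built from the factors listed above (compliance certificates, activity logs, data center security, app reputation, breach history) and mapped onto an enforcement posture, as an added Python example; the weights, thresholds, reference date and vendor profiles are constructed assumptions, not any CASB vendor's scoring model:

```python
from datetime import date

# Weights for the scoring factors named in the deck (constructed values, not a vendor's model).
WEIGHTS = {
    "soc2": 15, "iso27001": 15, "pci": 10, "hipaa": 10,
    "admin_activity_logs": 10, "end_user_logs": 10,
    "secure_datacenter": 10, "app_reputation": 10, "no_known_breach": 10,
}   # weights sum to 100

TODAY = date(2024, 6, 1)   # constructed reference date for certificate expiry checks

# Constructed CSP profiles: a certification is a date (its expiry), a control is True/False,
# and reputation is a 0..1 fraction. Anything missing is treated as a failed control.
PROFILES = {
    "vendor_a": {"soc2": date(2025, 1, 1), "iso27001": date(2024, 12, 31), "pci": True,
                 "hipaa": True, "admin_activity_logs": True, "end_user_logs": True,
                 "secure_datacenter": True, "app_reputation": 1.0, "no_known_breach": True},
    "vendor_b": {"pci": True, "app_reputation": 0.5},   # little evidence provided
}
PROFILES["vendor_a_lapsed"] = dict(PROFILES["vendor_a"], soc2=date(2024, 1, 1))  # expired SOC 2

def csp_risk_score(profile: dict, today: date = TODAY) -> int:
    """0 = lowest risk, 100 = highest. Missing or expired evidence earns nothing."""
    earned = 0
    for factor, weight in WEIGHTS.items():
        value = profile.get(factor)
        if isinstance(value, date):                 # certification: valid only until expiry
            earned += weight if value >= today else 0
        elif isinstance(value, bool):               # control present or absent
            earned += weight if value else 0
        elif isinstance(value, (int, float)):       # fractional factor such as reputation
            earned += round(weight * max(0.0, min(1.0, value)))
    return 100 - earned

def posture_for(score: int) -> str:
    """Map a score onto an enforcement posture (constructed thresholds)."""
    if score <= 20:
        return "sanctioned: allow and monitor"
    if score <= 50:
        return "tolerated: allow, but block sensitive uploads via DLP"
    return "unsanctioned: block"

if __name__ == "__main__":
    for name, profile in PROFILES.items():
        score = csp_risk_score(profile)
        print(name, score, posture_for(score))
```

Treating missing evidence as a failed control keeps the score fail-closed: a provider that publishes nothing cannot score as low-risk by omission.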
Description
Legal implications:
Any cloud service provider must follow all the rules and legal
implications defined in the enterprise user license agreement, such as
usage monitoring,
reporting,
orphan accounts and data,
large amounts of data,
enterprise integration for user identity.
Enjoy
You have a security control point in the cloud
Cloud glossary
Web app:
Only used via a web browser, with a combination of server-side and client-side script. Online shopping,
WebEx, eBay and more.
Cloud app:
A service delivered by the cloud that can be accessed by a web browser or a native client. In most cases the web
interface is used as an alternative method. Cloud app examples: Outlook on your Mac/Windows or Office 365
login, Box, Evernote, Salesforce and more.
Data can be accessed in offline mode by downloading it locally, and it can be synced periodically.
Shadow IT:
A user-targeted cloud app or unsanctioned app used by organization personnel without organization IT approval.