Cloud security, Cloud Access Security Brokers (CASBs): four pillars, deployment mode comparison
Himani Singh
Sept 2016
Agenda
An overview of cloud ecosystem
Security in the cloud
Cloud security solutions
What is CASB
CASB responsibilities and use cases
Deployment modes
Benefits of each deployment mode
Cloud glossary (figure): BaaS, DRaaS, DaaS, XaaS, UCaaS, ITMaaS, IaaS, PaaS, SaaS
Cloud layers (figure): the stack People, Devices, Application, Business & Technical Services, Data, Runtimes, Middleware, Database, Operating System, Virtualization, Servers, Storage, Networking, compared across On-premise, Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).
Private cloud
Dedicated to only one organization (not shared with other organizations).
More expensive and more secure in comparison to public clouds.
On-premise private clouds are used exclusively by one organization on its own premises. For example, AWS hosting the cloud for a military organization.
Externally hosted private clouds are hosted by a third party in cloud infrastructure for one organization.
Hybrid cloud
Some critical part of the data is hosted inside the organization and some is hosted in the public cloud. In most cases there will be a tunnel or connection between the public and private cloud.
Community cloud
A form of public cloud that is reserved for the members of a community (multi-tenancy).
Example: all government bodies in a state using the same cloud.
Cloud security solutions (figure)
Vendors: CipherCloud, CloudLock (Cisco), Perspecsys (Blue Coat), Vaultive, Netskope
Compliance: regulations (e.g. HIPAA) and policy
Companies: HyTrust, Trend Micro, Illumio, Dome9, Symantec, FortyCloud, Palerra, CloudPassage
Visibility: threat protection, breach detection, user behavior analytics
What is CASB (figure): the CASB sits between the enterprise and its cloud services, PaaS (Oracle cloud, Google API, Bluemix) and SaaS (Box, Workday, O365, Salesforce), with the pillars Visibility, Data Protection, Continuous Monitoring, Data Governance, Compliance and Threat Protection. Traffic reaches it from the corporate office (servers, desktops, mobile phones and tablets) through the FW or SWG proxy, and from unmanaged mobile or personal devices and remote users over the Internet; enterprise integration covers NGFW, web proxies and LDAP.
Logs from these sources (NGFW, web proxies, LDAP) can be used to define the baseline for entity (user, app, device) behavior.
Application risk-based score
Many CASB vendors calculate a risk score for an application (or a vendor).
The risk is calculated from many data points such as CAS, who owns the data, reviews of Service Organization Controls (SOC) reports, research, CSA Trust, and physical data center location.
CASB vendors take these data points and put them into a complex matrix to calculate the app risk score.
File level
Protects data at rest (cloud or mobile device).
Encryption is done when data is uploaded and decryption when it is downloaded.
Keys can be managed by a third party or by the CASB itself.
The same keys can be used for multiple clouds.
Tokenization
Field-level data obfuscation.
Fields in the data can be replaced by random data (or by data following some pattern, depending on the tokenization scheme).
The token is stored in a token vault, and the original value is retrieved from the vault to read the data.
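Field-level tokenization with a token vault, as described above, shown as an added example (not code from the deck or from any CASB vendor). The record, the field policy and the two schemes (random token, format-preserving token) are constructed for illustration; the vault is an in-memory stand-in for the one a CASB keeps on the organization's side.

```python
import secrets
import string

class TokenVault:
    """In-memory token vault (assumption: the real vault stays inside the organization)."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}  # reuse the token for a repeated value

    def tokenize(self, value, scheme="random"):
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:  # retry on the (rare) collision with an already issued token
            token = self._make_token(value, scheme)
            if token not in self._token_to_value and token != value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        return self._token_to_value[token]  # KeyError for a token that was never issued

    @staticmethod
    def _make_token(value, scheme):
        if scheme == "format-preserving" and any(c.isalnum() for c in value):
            # Keep the field's shape (digit/letter classes, separators) so cloud-side
            # validation still passes; only character classes survive, no value bits.
            return "".join(
                secrets.choice(string.digits) if c.isdigit()
                else secrets.choice(string.ascii_uppercase) if c.isupper()
                else secrets.choice(string.ascii_lowercase) if c.isalpha()
                else c for c in value)
        # Random scheme (also the fallback when there is nothing to preserve).
        return "tok_" + secrets.token_hex(8)

# Constructed policy: which fields are obfuscated before upload, and how.
SENSITIVE_FIELDS = {"ssn": "format-preserving", "email": "random"}

def tokenize_record(record, vault):
    """Copy of the record with sensitive fields replaced by tokens (what goes to the cloud)."""
    return {k: vault.tokenize(v, SENSITIVE_FIELDS[k]) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}

def detokenize_record(record, vault):
    """Inverse: look each token up in the vault to read the data."""
    return {k: vault.detokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}
```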
Actions could be:
Block, selective wipe, alert
Ask for two-factor authentication
Account lockout
Log-based discovery (figure): logs from the Internet edge are uploaded to the CASB.
What is discovered
Known and unknown apps can be identified.
Provides the baseline for your network: cloud apps used, traffic per app, users, files and more.
Log sources (figure): NGFW, web proxies and LDAP (enterprise integration).
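Log-based discovery as described above, written as an added example rather than code from the deck or a vendor product. The log line format, the small app catalog and the sample lines are all constructed; the point is the baseline it builds (apps, traffic per app, uploads, users) and that unknown hosts are surfaced as shadow IT instead of being dropped.

```python
from collections import defaultdict

# Constructed catalog: hostname suffix -> (app name, sanctioned?).
# Real CASBs ship catalogs of thousands of apps with risk scores.
APP_CATALOG = {
    "box.com": ("Box", True),
    "salesforce.com": ("Salesforce", True),
    "filedrop.example": ("FileDrop", False),  # known but unsanctioned
}

def classify_host(host):
    """Match the host against catalog suffixes; unknown hosts are reported as
    'Unknown (host)' so shadow IT stays visible instead of being dropped."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        entry = APP_CATALOG.get(".".join(labels[i:]))
        if entry:
            return entry
    return ("Unknown (" + host + ")", False)

def parse_line(line):
    """Constructed format: '<ts> <user> <method> <host> <path> <status> <bytes>'."""
    _ts, user, method, host, _path, _status, nbytes = line.split()
    return {"user": user, "method": method, "host": host, "bytes": int(nbytes)}

def discover(lines):
    """Baseline per app: bytes moved, uploads (POST/PUT), users, sanctioned flag."""
    baseline = defaultdict(lambda: {"bytes": 0, "uploads": 0, "users": set(), "sanctioned": False})
    for line in lines:
        ev = parse_line(line)
        app, sanctioned = classify_host(ev["host"])
        b = baseline[app]
        b["bytes"] += ev["bytes"]
        b["users"].add(ev["user"])
        b["sanctioned"] = sanctioned
        if ev["method"] in ("POST", "PUT"):
            b["uploads"] += 1
    return dict(baseline)

def apps_to_review(baseline):
    """Unsanctioned or unknown apps, largest data movers first."""
    return sorted((a for a, b in baseline.items() if not b["sanctioned"]),
                  key=lambda a: -baseline[a]["bytes"])

SAMPLE_LOG = [  # constructed lines, not real traffic
    "2016-09-01T09:00:01 alice GET app.box.com /files 200 5120",
    "2016-09-01T09:00:05 alice PUT upload.box.com /api/2.0/files 201 2097152",
    "2016-09-01T09:01:10 bob GET na1.salesforce.com /home 200 3072",
    "2016-09-01T09:02:00 carol POST www.filedrop.example /upload 200 52428800",
    "2016-09-01T09:03:30 bob POST sync.pastebucket.example /api/put 200 1048576",
]
```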
The CASB (software) is installed in the public cloud or in the vendor's own data center.
Traffic is redirected to the proxy before it goes to the SaaS server.
While passing through, the traffic is scanned and all attributes such as app, IP, user name, action (and more) are collected and analyzed as session data.
Decisions can then be made and policies applied.
Callback mode
Some cloud apps support an API; in that case the SaaS informs the CASB of any significant changes.
API mode (figure): the CASB connects through the providers' APIs to IaaS (AWS, Azure, SoftLayer), SaaS (Box, Workday, O365, Salesforce) and PaaS (Oracle cloud, Google API, Bluemix), providing Visibility, Data Protection, Data Governance and Compliance. Users in the corporate office (servers, desktops, mobile phones and tablets behind the FW or SWG proxy), on unmanaged mobile or personal devices, and remote users reach the cloud services without passing through the CASB.
Disadvantages
Works only for known SaaS.
Most of the time it is reporting; in advanced cases a decision can be made, but only after the fact.
Agent-based (forward proxy) mode (figure): an agent on unmanaged mobile or personal devices and remote users' machines, together with enterprise integration, sends traffic through the CASB (Visibility, Data Protection, Continuous Monitoring, Data Governance, Compliance, Threat Protection) on its way to SaaS (Box, Workday, O365, Salesforce) and PaaS (Oracle cloud, Google API, Bluemix).
Disadvantage
Reverse Proxy
This is an inline mode.
Traffic, both end-user and administration, is redirected to the CASB proxy.
The redirection is achieved by URL rewriting.
The decision is made while the traffic is being analyzed.
Reverse proxy mode (figure): SaaS (Box, Workday, O365, Salesforce) and PaaS (Oracle cloud, Google API, Bluemix) sit behind the CASB (Visibility, Data Protection, Continuous Monitoring, Data Governance, Compliance, Threat Protection); enterprise integration is through URL rewrite, traffic redirection, IDM, IDaaS and SSO; clients are the corporate office (servers, desktops, mobile phones and tablets), unmanaged mobile or personal devices and remote users. A six-step flow (numbered 1 to 6 in the figure) runs between the web client on an unmanaged mobile or personal device, the Identity Provider and the CASB.
Disadvantages
Latency because of the proxy, in comparison to API mode.
Single point of failure.
Reverse proxy only works with a browser.
If the SaaS's native client (like Outlook for O365) is used to send the traffic, the reverse proxy will not redirect the traffic.
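The URL rewriting that a reverse-proxy CASB relies on, and the bypass the disadvantage above describes, as an added example (not code from the deck or from any CASB product). The proxy domain, the map of fronted SaaS hosts and the sample response body are constructed; a host outside the map is left unrewritten, which is exactly the situation of a native client's hard-coded endpoint.

```python
import re

PROXY_SUFFIX = "casb-proxy.example"  # assumed CASB-owned domain
# Constructed map of the sanctioned SaaS hosts this reverse proxy fronts.
REWRITE_MAP = {
    "app.box.com": "app-box-com." + PROXY_SUFFIX,
    "login.salesforce.com": "login-salesforce-com." + PROXY_SUFFIX,
    "outlook.office365.com": "outlook-office365-com." + PROXY_SUFFIX,
}
REVERSE_MAP = {v: k for k, v in REWRITE_MAP.items()}
_URL_HOST = re.compile(r"(https?://)([A-Za-z0-9.-]+)")

def rewrite_response(body):
    """Rewrite every absolute URL (HTML links, JSON endpoints, Location headers)
    that points at a fronted SaaS host so the browser's next request lands on the
    proxy again. Hosts outside the map are left untouched: a hard-coded endpoint
    in a native client is such a host and therefore never transits the proxy."""
    def sub(m):
        scheme, host = m.group(1), m.group(2)
        return scheme + REWRITE_MAP.get(host.lower(), host)
    return _URL_HOST.sub(sub, body)

def upstream_host(proxy_host):
    """Map the Host header the browser sent back to the real SaaS host. Unknown
    proxy hostnames are rejected, never forwarded (open-proxy guard)."""
    try:
        return REVERSE_MAP[proxy_host.lower()]
    except KeyError:
        raise ValueError("not a fronted host: " + proxy_host) from None

def unfronted_hosts(body):
    """Hosts referenced in the body that the proxy does not front: traffic to them
    bypasses the CASB, so they must be added to the map or covered by API or
    log-based mode."""
    hosts = {m.group(2).lower() for m in _URL_HOST.finditer(body)}
    return sorted(h for h in hosts if h not in REWRITE_MAP and h not in REVERSE_MAP)

# Constructed response body as the SaaS would return it to the browser.
SAMPLE_BODY = ('<a href="https://app.box.com/files">Files</a> '
               '<a href="https://sync.box.com/desktop">Sync client</a> '
               '{"login": "https://login.salesforce.com/"}')
```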
Technology Integrations
MDM integration
Can be used to push the CASB agents onto mobile devices.
Agents can be configured to forward particular domain ranges to the CASB.
Advantage: traffic redirection.
Technology Integrations
Identity and access management as a Service (IDaaS)
Useful for traffic redirection in the case of a reverse proxy.
Cloud application single sign-on (SSO)
Advantage: traffic redirection. Bulk updates and ongoing updates for users and roles.
SAML and OAuth: single sign-on tokens, used to let the user authenticate at the identity provider.
Deployment mode comparison (table): the modes, with column headers including Reverse Proxy (real time), Offline (log is uploaded) and Web client / sanctioned apps, are compared row by row on Visibility, Network latency, Compliance, Continuous Monitoring and further criteria, each cell answered Yes, No or Not applicable; the proxy-based columns are marked "Focused on SaaS".
Multimode CASB
If an organization has NGFW and SWG on premises, then add log-based discovery and an API-based CASB.
If your concern is mainly many unmanaged devices/mobiles and sanctioned apps, a reverse-proxy-based CASB is probably better.
If it is more about the organization's managed devices, forward proxy plus API is the best approach.
Most organizations will deploy a multimode CASB.
Cloud glossary
Web app:
Only used from a web browser and has a combination of server-side and client-side script. Online shopping, WebEx, eBay and more.
Cloud app:
A service delivered by the cloud that can be accessed by a web browser or a native client. In most cases the web interface is offered as an alternative method.
Cloud app examples: Outlook on your Mac/Windows or Office 365 login, Box, Evernote, Salesforce and more.
Data can be accessed in offline mode by downloading it locally, and it can be synced periodically.
Shadow IT:
A user-targeted cloud app or unsanctioned app used by organization personnel without organization IT approval.
Cloud glossary
Structured and unstructured data:
Structured data: data with columns that can be easily searched by basic algorithms. Examples include spreadsheets and relational databases.
Unstructured data is data in the form humans use, and searching it is hard. Examples are emails, binaries, Word docs, social media posts, images, audio and more.
Cloud glossary
XaaS: Anything as a Service
DaaS: Desktop as a Service
IaaS: Infrastructure as a Service
SaaS: Software as a Service
BDaaS: Big data as a Service
HDaaS: Hadoop as a Service
BaaS: Backup as a Service
SCaaS: Security as a Service
MaaS: Monitoring as a Service
DRaaS: Disaster recovery as a Service