Cloud Access Security Brokers: Better the Devil you Know

As my colleague noted in his recent blog on cloud security, the traditional method of controlling risks exposed in the use of Software as a Service (SaaS) has been to ban access completely. But this approach is based on the naïve, and often false, assumption that employees do not have access to the Internet outside of their corporate devices and networks.

In reality, banning access to certain SaaS providers simply encourages users to access those services via personal devices or from outside of the corporate network, creating shadow IT and a blind spot for IT risk officers. An alternative approach is to permit monitored and controlled access.

The question then turns to how best to monitor and control SaaS usage. A number of cloud access security brokers (CASB) have emerged over recent years to help address this challenge. While the CASB market is evolving quickly, most providers tend to have similar capabilities.

The first step is simply discovering the extent of SaaS usage within an enterprise. This is typically done by analysing web proxy and router logs and matching the hosts they record against an up-to-date register of SaaS providers. Most CASB solutions will also classify each cloud service in terms of the risk it exposes, typically using standard control criteria specified by the Cloud Security Alliance. Factors such as security controls (for example, whether a provider encrypts data at rest and in transit), policies regarding data ownership and other terms and conditions all contribute towards these ratings.

With usage data and risk classifications in hand, an organization can start to understand the benefits and risks exposed by each service provider, and decide which cloud services to officially adopt or block. This process can also yield cost efficiencies by eliminating shadow IT and helping to identify overlapping services that can be consolidated.

SaaS services deemed too risky can be blocked by re-configuring web proxies or firewall rules. To simplify this process, some CASB solutions auto-generate configurations for popular proxies and firewalls. Those configurations not only block access but can also steer users from blocked services to sanctioned alternatives of a similar nature.
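The discovery, classification and blocking steps above, carried through end to end as an added example (this is illustration code written for this post, not any CASB vendor's product). The SaaS register, the control criteria, the proxy log format and every host name are constructed for the example; the block-list output uses Squid-style `acl` / `deny_info` / `http_access` directives as an assumed target proxy, so check the generated lines against your own proxy's documentation before use.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed register of SaaS providers. A real CASB ships a register of
# thousands of services scored against CSA-style control criteria.
SAAS_REGISTER = {
    "files.example-share.test": {
        "name": "ExampleShare", "category": "file-sharing",
        "encrypts_at_rest": True, "encrypts_in_transit": True,
        "customer_owns_data": True, "supports_sso": True,
    },
    "drop.quickbox.test": {
        "name": "QuickBox", "category": "file-sharing",
        "encrypts_at_rest": False, "encrypts_in_transit": True,
        "customer_owns_data": False, "supports_sso": False,
    },
    "notes.scribble.test": {
        "name": "Scribble", "category": "note-taking",
        "encrypts_at_rest": False, "encrypts_in_transit": False,
        "customer_owns_data": True, "supports_sso": False,
    },
}

# Control criteria a provider is expected to meet; each miss raises the rating.
CONTROL_CRITERIA = ("encrypts_at_rest", "encrypts_in_transit",
                    "customer_owns_data", "supports_sso")

# Constructed proxy log lines: "<unix-ts> <client-ip> <method> <url> <bytes-sent>"
SAMPLE_PROXY_LOG = """\
1700000001 10.10.1.15 GET https://files.example-share.test/home 812
1700000002 10.10.1.15 POST https://files.example-share.test/upload 2048000
1700000003 10.10.1.42 POST https://drop.quickbox.test/api/put 5120000
1700000004 10.10.1.42 GET https://notes.scribble.test/ 301
1700000005 10.10.1.77 GET https://intranet.corp.test/wiki 11000
1700000006 10.10.1.15 POST https://drop.quickbox.test/api/put 7340000
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+)$")


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["host"] = urlparse(rec["url"]).hostname
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def discover_saas(records):
    """Aggregate per-host usage for hosts that appear in the SaaS register."""
    usage = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_uploaded": 0})
    for rec in records:
        if rec["host"] not in SAAS_REGISTER:
            continue  # not a known SaaS provider (e.g. the intranet)
        entry = usage[rec["host"]]
        entry["users"].add(rec["client"])
        entry["requests"] += 1
        if rec["method"] in ("POST", "PUT"):
            entry["bytes_uploaded"] += rec["bytes"]
    return {h: {"users": sorted(u["users"]), "requests": u["requests"],
                "bytes_uploaded": u["bytes_uploaded"]} for h, u in usage.items()}


def risk_rating(host):
    """Unmet criteria: 0 -> low, 1 -> medium, 2 or more -> high."""
    missed = sum(1 for c in CONTROL_CRITERIA if not SAAS_REGISTER[host][c])
    return "low" if missed == 0 else "medium" if missed == 1 else "high"


def squid_block_config(discovered, sanctioned):
    """Emit Squid-style rules that deny high-risk hosts and, where a sanctioned
    service of the same category exists, redirect the user to it (assumed syntax)."""
    lines = []
    for host in sorted(discovered):
        if host in sanctioned or risk_rating(host) != "high":
            continue
        category = SAAS_REGISTER[host]["category"]
        alt = next((s for s in sanctioned
                    if SAAS_REGISTER[s]["category"] == category), None)
        acl = "blocked_" + re.sub(r"[^A-Za-z0-9]", "_", host)
        lines.append(f"acl {acl} dstdomain {host}")
        if alt:
            lines.append(f"deny_info https://{alt}/ {acl}")
        lines.append(f"http_access deny {acl}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = discover_saas(parse_log(SAMPLE_PROXY_LOG))
    for host, stats in found.items():
        print(host, risk_rating(host), stats)
    print(squid_block_config(found, sanctioned=["files.example-share.test"]))
```

The upload-byte totals per host are what makes the shadow-IT picture concrete: in the constructed log, most of the uploaded data is leaving through the unsanctioned file-sharing service, which the generated rules then steer to the sanctioned one.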

However, even sanctioned off-the-shelf cloud services can still expose an enterprise to significant risks. Given that financial services institutions are subject to stricter IT controls and regulatory obligations than some other industries, monitoring against uncontrolled or unsanctioned usage of SaaS applications is critical. To assist in that process, most CASB solutions have solid DLP (Data Loss Prevention) features. When used in conjunction with Single Sign-On and Mobile Device Management solutions, these features offer effective controls against misappropriation of sensitive data.

Key capabilities include:

  1. Real-time monitoring and analytics: IT control officers need to be alerted to any patterns of abnormal user behaviour, in particular when that behaviour involves uploading data to cloud services.
  2. Contextual (location-based) access control: Monitoring location-based access information can help identify compromised accounts. More sophisticated forms of access control can also provide tiered privileges to users depending on their location. For example, users may have full rights to download and edit a document while onsite, but be restricted to view-only rights when outside the corporate network.
  3. Encryption, tokenization and integration with Key Management Interoperability Protocol (KMIP): Integration with on-premise key management for encrypting or tokenizing data stored on cloud services is crucial, particularly in order to preserve essential functions like keyword search and sorting.
  4. Compliance and regulatory checks: Given the sensitivity of certain data sets, it is essential that firms are able to scan data stored (as well as transmitted) on cloud services for compliance with relevant regulations.
  5. Privileged access audit logs: Individuals with privileged access rights pose greater risks to information security, and it is therefore recommended that firms maintain audit logs to monitor the behaviour of those users.

These are just some of the essential elements that are important for organizations to control risks posed by SaaS usage. The CASB market is fast growing and competitive. Vendors are continuously adding new features and enhancing capabilities. This bodes well for organizations looking for an off-the-shelf solution. The difficulty is deciding which one is right for your organization.
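Two of the capabilities listed above, contextual (location-based) access control and alerting on abnormal upload behaviour, as an added example written for this post rather than taken from any CASB product. The corporate address ranges, the rights assigned to each location tier, the upload events and the "five times the user's own median" alert threshold are all constructed assumptions; a real deployment would take the location from the SSO or MDM context and tune the baseline per user population.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed corporate address space used to decide "onsite" vs "offsite".
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("192.168.0.0/16")]

# Tiered privileges per location: full rights onsite, view-only elsewhere.
LOCATION_RIGHTS = {
    "onsite": {"view", "download", "edit"},
    "offsite": {"view"},
}


def location_tier(client_ip):
    """Classify a client address as onsite or offsite by corporate range."""
    addr = ipaddress.ip_address(client_ip)
    return "onsite" if any(addr in net for net in CORPORATE_NETWORKS) else "offsite"


def authorize(client_ip, action):
    """Decide whether an action on a document is allowed from this location."""
    tier = location_tier(client_ip)
    return {"tier": tier, "action": action, "allowed": action in LOCATION_RIGHTS[tier]}


# Constructed upload events: (day, user, bytes uploaded to cloud services).
UPLOAD_EVENTS = [
    (1, "alice", 1_000_000), (2, "alice", 1_200_000), (3, "alice", 900_000),
    (4, "alice", 1_100_000), (5, "alice", 40_000_000),   # sudden bulk upload
    (1, "bob", 500_000), (2, "bob", 600_000), (3, "bob", 550_000),
    (4, "bob", 700_000),                                  # within normal range
]


def daily_upload_totals(events):
    """Sum uploaded bytes per user per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, nbytes in events:
        totals[user][day] += nbytes
    return totals


def flag_abnormal_uploads(events, factor=5.0, min_history=3):
    """Alert when a user's daily upload volume exceeds `factor` times the
    median of their own previous days. Days with too little history are
    skipped so a new joiner's first uploads do not trip the alert."""
    alerts = []
    for user, per_day in daily_upload_totals(events).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue
            baseline = statistics.median(history)
            if per_day[day] > factor * baseline:
                alerts.append({"user": user, "day": day,
                               "bytes": per_day[day], "baseline": baseline})
    return alerts


if __name__ == "__main__":
    print(authorize("10.20.3.4", "edit"))        # onsite: allowed
    print(authorize("203.0.113.9", "download"))  # offsite: denied
    for alert in flag_abnormal_uploads(UPLOAD_EVENTS):
        print("ALERT", alert)
```

Comparing each user against their own history, rather than a single global threshold, is what keeps the alert useful: a designer who routinely uploads large assets does not trigger it, while an analyst who normally uploads a few spreadsheets and suddenly pushes tens of megabytes does.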

The author

Mark Wong

Associate Partner, Hong Kong

Mark has over 12 years of investment banking IT experience, including application development, architecture, support, project management and people management. He is a certified AWS solutions architect, and was previously with Deutsche Bank, responsible for their equity derivatives market making and proprietary trading platform in the APAC region.