Nitrobsolutions
Blog
A World Without Borders.
August 2, 2017

The transition to cloud applications allows companies and businesses to be more agile, more responsive and more available than ever before, and to engage in and focus on their core businesses.
eBay, one of the pioneers of electronic commerce, was established about 20 years ago, when people purchasing from virtual shops run by anonymous sellers somewhere unknown in the world were regarded as "crazy". During the last ten years there has been a steady, substantial percentage increase in purchases from those shops, which have become, in practice, a central arena for electronic commerce operating alongside the physical stores. This change in consumer culture and in the manner in which business is done would never have happened without data security systems. The electronic marketing revolution dragged along behind it a change in the behavior and consumer culture patterns of every one of us. Currently we are witnessing a revolution in organizations and businesses that is leading them into the digital era.

The way we have conducted business for decades, and our work environment as workers and managers, is changing. The manner in which we gather, share and consume information is transforming the way in which businesses operate and is making work processes easier and more productive.

Organizations need to redefine their boundaries, which have expanded toward the cloud, an environment not under the organization's control. These new challenges lead us to ask whether the organizational perimeter, in which we have invested in data security products over all these years, is still effective, and whether the actual activity of the employees is still to be found in the organizational buildings and branches that previously defined the workplace.

The mobile revolution and the transition to cloud service providers make it difficult for data security teams to enforce the organization's policy, and harder to track processes and gather information about threats, in an environment where every device has access to data regardless of whether the device is managed or not. Loss of visibility in this critical part of the network could result in a disaster for digital businesses and has consequences for the entire developing digital economy.

The technology is known as Cloud Access Security Broker (CASB), and its role is to supply organizations with an acceptable level of security in the transition of applications and organizational data to the cloud. According to Gartner, CASB is an essential data security technology for 2016 and must be placed at the top of the list of priorities. Data security companies recognized the potential of CASB and rushed to complete their data security solutions for the cloud by acquiring niche companies, among them the Israeli companies Adallom and Cloudlock, which were sold to Microsoft and Cisco, and other companies such as Skyfence/Imperva and Elastica, which were sold to Forcepoint and Symantec, and others.

The CASB System is under the organization's control and allows it visibility, information concerning the degree of risk facing the organization and control of activities within the cloud application.

A system whose function is to protect cloud applications has to operate at several levels.

User level: examination of user behavior. The system must supply information such as: what are the users doing, from where was access made, are only permitted actions being performed, have accounts or identities been stolen and is the account currently being accessed from all over the world, was data shared with users outside the organization or only with an authorized group of people? Examples: if a user downloads a large file from a particular share, an action that the user does not usually perform, a warning is sent or the activity is blocked for that user. If the user performs an action in Office 365 from Israel and four hours later we see access by that user from China, we can deduce that the account was stolen and is being misused.

Data level: the system helps determine whether sensitive data exists in the cloud where it is not supposed to be; if such data exists it should be encrypted or removed, both to prevent leakage of the sensitive data and to comply with regulatory requirements.
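As an added illustration (not part of the original post) of the impossible-travel check described above, the following Python snippet flags two sign-ins by the same user that are too far apart to have been reached at the speed of an airliner; the sample events, the city coordinates and the 900 km/h threshold are constructed assumptions.

```python
import math
from datetime import datetime

# Constructed sample sign-in events (not real log data). Coordinates are
# rough city locations (Tel Aviv, Shanghai, Frankfurt) used only for distance.
EVENTS = [
    {"user": "alice", "time": "2017-08-02T08:00:00", "country": "IL", "lat": 32.07, "lon": 34.78},
    {"user": "alice", "time": "2017-08-02T12:00:00", "country": "CN", "lat": 31.23, "lon": 121.47},
    {"user": "bob",   "time": "2017-08-02T09:00:00", "country": "IL", "lat": 32.07, "lon": 34.78},
    {"user": "bob",   "time": "2017-08-02T17:30:00", "country": "DE", "lat": 50.11, "lon": 8.68},
]

# Assumed threshold: faster than an airliner is treated as physically implausible.
MAX_SPEED_KMH = 900.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive sign-ins per user that would require travelling
    faster than max_speed_kmh between the two locations."""
    alerts = []
    by_user = {}
    for ev in events:
        by_user.setdefault(ev["user"], []).append(ev)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            hours = (datetime.fromisoformat(cur["time"])
                     - datetime.fromisoformat(prev["time"])).total_seconds() / 3600.0
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # Same instant, different place: impossible; same instant, same place: fine.
            speed = dist / hours if hours > 0 else (math.inf if dist > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": prev["country"], "to": cur["country"],
                               "hours": round(hours, 2), "km": round(dist),
                               "kmh": round(speed) if math.isfinite(speed) else None})
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(EVENTS):
        print(alert)  # alice: IL -> CN in 4 h, roughly 7900 km, far above 900 km/h
```

In a real CASB the locations would come from the provider's sign-in log and the threshold would be tuned per organization; the check is the same.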

The system must provide real-time protection for data, including handling malware files that could reach the cloud services, both before the data arrives (In Transit – Data in Motion) and for files already stored in the cloud (Data at Rest). Remember that employees can install cloud applications on computers/laptops that are not managed, to which the defense mechanisms found on managed organizational computers do not apply. Access from unmanaged devices, on the one hand, gives the employee access to corporate data, but on the other hand it opens access to malicious actors who could make use of the data, erase it, change it and even plant malware that could spread to the entire organization. An example: an organizational computer synchronizes files to OneDrive and SharePoint; since these services are located in the cloud, the employee installs the same applications on his home computer and thereby synchronizes those organizational files to his home computer as well.

Applications level: the CASB system supplies data about the applications in use: which third-party applications have permission to access data in the cloud, what the degree of risk in using them is, and how to control them and block their access to information in the cloud.

CASB solutions can be implemented via two modes of access:
Proxy-based access, which requires either configuration and installation of an Agent on the user's side (Forward Proxy) or no configuration on the user's side (Reverse Proxy).
API-based access, which is agentless and requires no infrastructure changes or change in the manner in which the user connects.
Each mode of access has its advantages and disadvantages, and therefore CASB vendors adopt a Hybrid solution that includes both.

When connecting with an out-of-band API, the connection is made directly with the cloud application, so the data itself neither passes through nor is stored in the CASB, but remains only in the user's environment. With this mode of access there is no need to install Agents on the users' devices, and consequently the user experience is not impaired. Security can therefore also be provided for mobile users and unmanaged devices.

API access also reaches historic data already stored in the cloud (Data at Rest), which lets the system scan data that was in the cloud even before the CASB system was implemented. The system can search for sensitive files, check their compliance with standards such as PCI, perform actions such as encryption of sensitive files and, if necessary, erase those files from the cloud. Use of the API also allows traffic between two cloud applications (Cloud to Cloud) to be examined, not only traffic between users and the cloud.

The disadvantage of API-based CASB is that it works only with cloud applications that provide a Cloud Native API, and it does not operate in real time as a Proxy does. Proxy-based systems have the capability of blocking data entering and exiting the cloud (In Transit) in real time.

In Summary
CASB is the technology that provides a solution for data security while allowing organizations, first and foremost, to develop their businesses; it is essential for maintaining the business and benefiting from the advantages of the cloud applications that are at the heart of business activity.

Organizations adopting the transition to the cloud must implement data security tools at a level similar to that applied in the organization's local network, providing visibility, monitoring and enforcement of the data security policy at every location where the organization's data is to be found.