Cloud Access Security Brokerage

One of the fastest-growing areas of cloud security is the Cloud Access Security Broker (CASB). At my last count more than 20 vendors occupy a market that only emerged from the lab in 2010/2011 [see the non-comprehensive list of vendors at the end of this article]. Given this growth trajectory, and assuming a standard integration framework and a common set of cloud security certification standards (such as FedRAMP) take shape, I believe CASBs will form the foundation for adaptive security capabilities for the foreseeable future.

CASBs – On Guard in the Cloud

Gartner defines CASBs as “on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.” Gartner states that CASBs have become a necessary cloud security control technology, regardless of the industry vertical, for organizations adopting multiple cloud services.

CASBs offer tremendous promise from an adaptive security perspective since CASBs can fill in the security gaps otherwise encountered when an enterprise moves from internal, premises-based applications to cloud apps like Salesforce, Google Apps, or Office 365. CASBs are ideal for multi-cloud and multi-service environments since they can provide a unified security policy across all cloud apps. With cloud security breaches, malware, and surveillance in mind, Gartner expects enterprises will rapidly adopt Cloud Access Security Brokers to secure their data in the cloud. In fact, Gartner predicts that “This technology will become an essential component of SaaS deployments by 2017. By 2016, 25% of enterprises will secure access to cloud-based services using a CASB platform, up from less than 1% in 2012, reducing the cost of securing access by 30%.” – Gartner, The Growing Importance of Cloud Access Security Brokers

According to Gartner, CASBs deliver four types of functionality:

  1. Visibility — CASBs provide shadow IT discovery and sanctioned application control, as well as a consolidated view of an organization’s cloud service usage and of the users who access data from any device or location.
  2. Compliance — CASBs assist with data residency and with compliance with regulations and standards, and identify cloud usage and the risks of specific cloud services.
  3. Data Security — CASBs enforce data-centric security policies that prevent unwanted activity, based on data classification and discovery and on monitoring of user activity such as access to sensitive data or privilege escalation. Policies are applied through controls such as audit, alert, block, quarantine, delete and encrypt / tokenize, at the field and file level in cloud services.
  4. Threat Protection — CASBs prevent unwanted devices, users and versions of applications from accessing cloud services. Other examples in this category are user and entity behavior analytics (UEBA), the use of threat intelligence and malware identification.
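The threat-protection category above is where UEBA lives, and the easiest way to see what a CASB actually does there is to run two behavioural rules over cloud audit records. The Go program below is an added example written for this article, not code from Gartner or from any CASB vendor: it parses a constructed key=value audit log (the line format, the user names and the events are invented), then flags a user who downloads more than a threshold of files inside a sliding window and a user whose consecutive logins come from two countries closer together in time than travel would allow.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// AuditEvent is one normalized record from a cloud service's activity API.
// The key=value line format parsed below is constructed for this example.
type AuditEvent struct {
	Time                       time.Time
	User, App, Action, Country string
}

// ParseLog reads lines like "2016-03-01T09:00:00Z user=alice app=box action=download country=US".
func ParseLog(log string) ([]AuditEvent, error) {
	var out []AuditEvent
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue
		}
		ts, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", sc.Text(), err)
		}
		kv := map[string]string{}
		for _, f := range fields[1:] {
			if k, v, ok := strings.Cut(f, "="); ok {
				kv[k] = v
			}
		}
		out = append(out, AuditEvent{ts, kv["user"], kv["app"], kv["action"], kv["country"]})
	}
	return out, sc.Err()
}

// Alert is one detection result.
type Alert struct{ Rule, User, Detail string }

// Detect applies two behavioural rules per user (users in name order):
// bulk-download fires once when more than maxDownloads downloads fall inside a
// sliding window of length window; impossible-travel fires when consecutive
// logins come from different countries less than minTravel apart.
func Detect(events []AuditEvent, window time.Duration, maxDownloads int, minTravel time.Duration) []Alert {
	byUser := map[string][]AuditEvent{}
	for _, e := range events {
		byUser[e.User] = append(byUser[e.User], e)
	}
	users := make([]string, 0, len(byUser))
	for u := range byUser {
		users = append(users, u)
	}
	sort.Strings(users)
	var alerts []Alert
	for _, u := range users {
		evs := byUser[u]
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		var recent []time.Time // download times still inside the sliding window
		var lastLogin *AuditEvent
		fired := false
		for i := range evs {
			e := &evs[i]
			switch e.Action {
			case "download":
				recent = append(recent, e.Time)
				for e.Time.Sub(recent[0]) > window {
					recent = recent[1:]
				}
				if !fired && len(recent) > maxDownloads {
					alerts = append(alerts, Alert{"bulk-download", u, fmt.Sprintf("%d downloads from %s within %s", len(recent), e.App, window)})
					fired = true
				}
			case "login":
				if lastLogin != nil && e.Country != lastLogin.Country && e.Time.Sub(lastLogin.Time) < minTravel {
					alerts = append(alerts, Alert{"impossible-travel", u, fmt.Sprintf("login from %s then %s only %s apart", lastLogin.Country, e.Country, e.Time.Sub(lastLogin.Time))})
				}
				lastLogin = e
			}
		}
	}
	return alerts
}

// SampleLog is constructed: alice pulls four files in four minutes, bob logs in
// from two countries forty minutes apart, carol behaves normally.
const SampleLog = `
2016-03-01T09:00:00Z user=alice app=box action=login country=US
2016-03-01T09:01:00Z user=alice app=box action=download country=US
2016-03-01T09:02:00Z user=alice app=box action=download country=US
2016-03-01T09:03:00Z user=alice app=box action=download country=US
2016-03-01T09:04:00Z user=alice app=box action=download country=US
2016-03-01T09:10:00Z user=bob app=salesforce action=login country=US
2016-03-01T09:50:00Z user=bob app=salesforce action=login country=RU
2016-03-01T09:15:00Z user=carol app=office365 action=login country=DE
2016-03-01T10:30:00Z user=carol app=office365 action=download country=DE
`

func main() {
	events, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Detect(events, 30*time.Minute, 3, 2*time.Hour) {
		fmt.Printf("%-17s %-6s %s\n", a.Rule, a.User, a.Detail)
	}
}
```

The thresholds are parameters rather than constants on purpose: a real CASB baselines them per user or per app from the API-collected history, and the same two rules silence themselves on a user who normally pulls dozens of files a day. Note also that the detection is only as good as the audit feed; an app whose API does not report the country of a login cannot feed the travel rule at all.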

Gartner notes that a CASB platform is generally designed to focus on third-party cloud apps and services, not network infrastructure or on-premises applications. Forrester has a slightly different name for CASBs and provides an outlook of the CASB market in its report – Brief: The Emergence Of The Cloud Security Gateway. The report outlines two segments for cloud security capabilities: 1) cloud data protection, and 2) cloud access security intelligence. Forrester notes that these two segments are being consolidated into cloud access security gateways (CASGs). Forrester’s definition extends the capability of this class of technology to include network level security functions, providing orchestration to automate courses of action across multiple CSP or on-premises infrastructure enforcement points.

Security Integration: CASB Pain or Payoff

Whichever term you prefer, this cloud access security technology works in one of two ways: out of band, by integrating with the cloud services’ APIs, or inline, by proxying traffic (reverse or forward proxy) between users and cloud apps. The two differ in what they see and when: API integration covers data already at rest in the service and acts after the fact, while a proxy sees traffic in real time but only the traffic actually routed through it. Security integration is both the key design challenge facing CASBs and the most important payoff they offer. At a minimum, CASBs should integrate with:

  1. Existing security infrastructures of cloud service providers and on-premises enterprise security systems, such as next-generation firewalls, directory systems, key management systems, network access control, and security information and event management products. Enterprises will be reluctant to adopt CASB solutions if they have to manage an entirely separate security system dedicated to third-party cloud apps.
  2. Cloud apps and the data they are intended to protect; and,
  3. Endpoints, whether mobile or fixed assets. CASBs must protect not only data stored in the cloud and access to the cloud, but cloud data on the consuming device as well.

This integration challenge has been taken up by the Cloud Security Alliance (CSA), which has formed the CSA Open API Working Group to develop vendor-neutral guidelines that facilitate the growth of CASBs. The working group’s charter is to help enterprises evaluate and integrate with cloud APIs via CASBs and other cloud security services, using open standards and definitions that everyone can assess and understand. A further goal is to provide a collaborative group of technical professionals representing the cloud computing and security communities, to drive innovation in cloud service adoption, help meet compliance and security requirements, and improve the adoption rate of cloud security services. The group intends to accomplish these goals through the following activities:

  1. the creation of an open set of API standards
  2. the creation of a reference architecture that many security tools and services can integrate with for use within cloud service environments.

These activities and deliverables will leverage many of the artifacts already available through CSA. For example, the Cloud Security Alliance has also defined categories of service for cloud security – Defined Categories of Service 2011. Altogether, these measures, if implemented in a vendor-neutral way, should improve the overall “openness” of cloud providers themselves as more CASBs integrate with them natively.

Let’s examine a few of these integration challenges / capability promises further.

Authentication

A variety of authentication tools to enable secure data sharing among authorized applications have been developed, but are not widely employed in today’s cloud computing systems. Examples include Windows CardSpace, OpenID, and PRIME. Other advances include time-bound, ticket-based or Elliptic Curve Cryptography (ECC)-based mutual authentication schemes, and multi-tier and multi-factor authentication approaches. Strong authentication of software components in the cloud environment and of end clients is crucial for ensuring that the principals requesting access to data are legitimate and that the threat of session hijacks or phishing attacks is minimized. A CASB can help to ensure that all cloud apps and users leverage a strong authentication approach while incorporating a trusted identity store, either by authenticating users directly against the corporate directory, or through federation with a trusted third-party cloud identity provider. [Note: Some CASBs are able to act as a cloud identity provider, as pointed out by Bitglass in its CASB Guide.]

For example, Skyhigh Networks offers a reverse proxy mode that lets enterprise IT departments establish reverse proxies to intermediate traffic between on-premises sources and cloud services. The Skyhigh reverse proxy coordinates traffic between client devices, single sign-on services and cloud services. When a cloud service prompts a user to authenticate, the request is first sent to the Skyhigh proxy, which applies security controls and validates the request before passing it on to the single sign-on service. The approach builds on the Security Assertion Markup Language (SAML): the proxy is inserted into the federation flow between the cloud service and the single sign-on provider, so every federated session to the sanctioned app is steered through it.

A key advantage of the reverse proxy mode is that it does not require an agent on client devices. This matters most when employees use personal mobile devices to access cloud services. Software agents can create conflicts on devices, have to be built for multiple platforms, and must keep up with operating system changes. Routing traffic through a proxy avoids these issues. The trade-off is coverage: a reverse proxy sees only the sanctioned applications whose login flow has been redirected through it, so unsanctioned apps, and native clients that bypass the SSO redirect, fall outside its view.

CASBs may also benefit from research into consumer-visible controls, aka user-managed access (UMA). UMA technology lets an individual control the authorization of data sharing and service access made between cloud services on the individual’s behalf. One example of UMA work is the Kantara Initiative, which aims to “… address the harmonization and interoperability challenges that exist between enterprise identity systems, Web 2.0 applications and services, and Web-based initiatives.” Another example of user-managed access research comes from researchers at Purdue, who propose An Entity-centric Approach for Privacy and Identity Management in Cloud Computing. This research leverages an Active Bundle (AB) scheme for privacy preservation of sensitive information and a zero-knowledge approach for an anonymous identification method. The AB scheme gives users control over their data, allowing them to decide what data will be shared and when.

With anonymous identification, it is possible to prove a claim or assertion (authenticate) without actually disclosing any credentials. However, in many cases the user needs to provide some PII to receive the information desired or to complete a transaction. In addition, there are situations where multiple parties are involved in the same transaction and need different information from the user. In these cases, an AB is created by the user’s platform (the AB is essentially a secure wallet service) that includes the PII that needs to be disclosed. This AB is a token that includes the PII to be disclosed, metadata, access control policies, and a VM that contains the code for protecting PII data on untrusted hosts – it enforces the disclosure policies.

This token may be given to the CASB, which acts as the trusted security agent for the AB. In this case the AB obtains two public/private key pairs from the CASB: the first pair is used to encrypt the AB and the second to sign and verify the PII included in it. Next, the AB asks the CASB to record its security information, which includes the AB’s name, its decryption key, and the trust level that a CSP or other host must satisfy in order to use the AB. The CASB releases the decryption key only to hosts entitled to access the AB under the dissemination policies the AB carries; for example, it can release the key to the CSP or to other parties needed to complete the transaction, and withhold it from a host whose trust level falls short.
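To make the key handling in that exchange concrete, here is an added Go example written for this article; it is my own illustration, not code from the Purdue researchers or from any CASB product. It assumes RSA-OAEP for the encryption pair, Ed25519 for the signing pair, and an integer trust level as the dissemination policy; the policy-enforcing VM inside a real Active Bundle is reduced to the broker’s trust-level check, and the names (Broker, ActiveBundle, the host names and the sample PII) are invented.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ActiveBundle is the token the user's platform builds: the PII to be disclosed
// (encrypted under the bundle's encryption key pair), a signature over the
// plaintext PII made with the signing key pair, and the trust level a host must
// satisfy. The Purdue scheme puts a policy-enforcing VM inside the bundle; here
// the broker's trust check stands in for it (hypothetical simplification).
type ActiveBundle struct {
	Name       string
	Ciphertext []byte
	Signature  []byte
	VerifyKey  ed25519.PublicKey
	MinTrust   int
}

// record is the security information the broker stores at registration.
type record struct {
	decryptKey *rsa.PrivateKey
	minTrust   int
}

// Broker plays the CASB, the bundle's trusted security agent (hypothetical name).
type Broker struct{ records map[string]record }

func NewBroker() *Broker { return &Broker{records: map[string]record{}} }

// IssueKeys hands the bundle its two key pairs: an RSA pair to encrypt the
// bundle and an Ed25519 pair to sign the PII it carries.
func (b *Broker) IssueKeys() (*rsa.PrivateKey, ed25519.PublicKey, ed25519.PrivateKey, error) {
	encKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	verifyKey, signKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	return encKey, verifyKey, signKey, nil
}

// Register records the bundle's name, decryption key and required trust level.
func (b *Broker) Register(name string, key *rsa.PrivateKey, minTrust int) {
	b.records[name] = record{decryptKey: key, minTrust: minTrust}
}

// RequestKey releases the decryption key only to a host whose trust level
// satisfies the dissemination policy recorded for the bundle.
func (b *Broker) RequestKey(name, host string, hostTrust int) (*rsa.PrivateKey, error) {
	r, ok := b.records[name]
	if !ok {
		return nil, fmt.Errorf("unknown bundle %q", name)
	}
	if hostTrust < r.minTrust {
		return nil, fmt.Errorf("host %s: trust %d is below the %d required for %s", host, hostTrust, r.minTrust, name)
	}
	return r.decryptKey, nil
}

// CreateBundle runs on the user's platform: obtain both key pairs, sign the PII,
// encrypt it (RSA-OAEP, bundle name as label; 2048-bit OAEP/SHA-256 takes at most
// 190 bytes, so larger PII would need a wrapped symmetric key) and register.
func CreateBundle(b *Broker, name string, pii []byte, minTrust int) (*ActiveBundle, error) {
	encKey, verifyKey, signKey, err := b.IssueKeys()
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(signKey, pii)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &encKey.PublicKey, pii, []byte(name))
	if err != nil {
		return nil, err
	}
	b.Register(name, encKey, minTrust)
	return &ActiveBundle{Name: name, Ciphertext: ct, Signature: sig, VerifyKey: verifyKey, MinTrust: minTrust}, nil
}

// Open is what an entitled host does with the released key: decrypt, then refuse
// the PII unless the signature verifies, so a tampered bundle is never acted on.
func (ab *ActiveBundle) Open(key *rsa.PrivateKey) ([]byte, error) {
	pii, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, key, ab.Ciphertext, []byte(ab.Name))
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(ab.VerifyKey, pii, ab.Signature) {
		return nil, errors.New("PII signature does not verify")
	}
	return pii, nil
}

func main() {
	broker := NewBroker()
	pii := []byte("name=Alice Example;dob=1980-01-01") // constructed sample PII
	ab, err := CreateBundle(broker, "ab-checkout-42", pii, 2)
	if err != nil {
		panic(err)
	}
	// Two hosts take part in the transaction; only the one meeting the policy gets the key.
	for _, h := range []struct {
		name  string
		trust int
	}{{"csp-storage", 1}, {"payment-processor", 3}} {
		key, err := broker.RequestKey(ab.Name, h.name, h.trust)
		if err != nil {
			fmt.Println("denied:", err)
			continue
		}
		got, err := ab.Open(key)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s received: %s\n", h.name, got)
	}
}
```

Two design points carry over to a real deployment. The broker never sees the plaintext PII, only the key it escrows, which is the whole reason the CASB rather than the CSP holds it; and the host checks the signature after decrypting rather than trusting the ciphertext, because the encryption key pair says nothing about who produced the bundle.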

Unified Security Policy Enforcement

CASBs must integrate with the security frameworks used by cloud applications and by the network infrastructure, to prevent the creation of multiple security management silos. For example, if the enterprise has a DLP or blacklist policy that says “block these types of files in email”, the same policy should apply universally, whether the enforcement point is the email scanner on the desktop or smartphone, Exchange, a network gateway, or a CASB providing DLP.
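As an added illustration of what “one policy, every enforcement point” means in code (my own example, not any vendor’s policy engine), the Go program below defines two rules once, an executable-extension blacklist and a card-number DLP check with a Luhn test to suppress false positives, and evaluates them for events that a mail gateway, a CASB API scan and an upload proxy would each feed it. The Event fields, the enforcement-point names and the sample events are invented for the example; the point is that the decision for a given file is identical wherever it is seen.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Event is a normalized view of content on the move: an attachment at the mail
// gateway, a file found by an API scan, an upload seen by the forward proxy.
// Point names which enforcement point produced it (constructed values below).
type Event struct{ Point, User, Filename, Content string }

// Action is what the enforcement point must do with the content.
type Action string

const (
	ActionAllow      Action = "allow"
	ActionBlock      Action = "block"
	ActionQuarantine Action = "quarantine"
)

// Policy is one rule: a predicate over the event and the action on a match.
type Policy struct {
	Name   string
	Match  func(Event) bool
	Action Action
}

// panPattern finds 13-16 digit runs with optional space or dash separators.
var panPattern = regexp.MustCompile(`\b(?:\d[ -]?){13,16}\b`)

// luhnValid is the Luhn checksum, so arbitrary digit runs (order numbers,
// timestamps) are not quarantined as card numbers.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// containsPAN reports whether the content carries a Luhn-valid card number.
func containsPAN(s string) bool {
	for _, m := range panPattern.FindAllString(s, -1) {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if len(digits) >= 13 && len(digits) <= 16 && luhnValid(digits) {
			return true
		}
	}
	return false
}

var blockedExt = map[string]bool{".exe": true, ".scr": true, ".js": true}

// DefaultPolicies is the single policy set shared by every enforcement point,
// ordered by severity so that the first match decides.
var DefaultPolicies = []Policy{
	{Name: "blacklist-executables", Action: ActionBlock,
		Match: func(e Event) bool { return blockedExt[strings.ToLower(path.Ext(e.Filename))] }},
	{Name: "dlp-card-numbers", Action: ActionQuarantine,
		Match: func(e Event) bool { return containsPAN(e.Content) }},
}

// Evaluate returns the action for an event and the name of the policy that fired.
func Evaluate(policies []Policy, e Event) (Action, string) {
	for _, p := range policies {
		if p.Match(e) {
			return p.Action, p.Name
		}
	}
	return ActionAllow, ""
}

func main() {
	// Constructed sample: the same card-bearing file seen at three points, plus
	// an executable upload and a benign file with a non-Luhn digit run.
	card := "card 4111 1111 1111 1111 exp 12/20"
	events := []Event{
		{"mail-gateway", "alice", "invoice.pdf", card},
		{"casb-api", "alice", "invoice.pdf", card},
		{"proxy-upload", "alice", "invoice.pdf", card},
		{"proxy-upload", "bob", "setup.EXE", "MZ..."},
		{"casb-api", "carol", "orders.csv", "order id 1234 5678 9012 3456"},
	}
	for _, e := range events {
		a, why := Evaluate(DefaultPolicies, e)
		fmt.Printf("%-12s %-6s %-12s -> %-10s %s\n", e.Point, e.User, e.Filename, a, why)
	}
}
```

In practice the enforcement points differ in what they can do with the decision (a mail gateway can strip an attachment, an API scanner can only quarantine a file that already landed), so the Action vocabulary has to be the lowest common denominator each point can honour, or the point must map it to the nearest control it has.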

Key Management

Current cloud data centers sometimes employ poor key management. For example, the cryptographic keys that form the basis for protection may be stored in a way that makes them visible to CSP insiders. When the CSP holds the keys, data at rest and data in transit remain exposed, even though encrypted, to operators, technicians, and potentially other tenants. Ultimately, encryption performed by the CSP creates trade-offs between confidentiality and the CSP’s legitimate monitoring for abuse or other kinds of situational awareness.

This shortcoming in data protection by CSPs is one of the issues that spurred the development of CASBs. CASBs that offer encryption can offload much of the key management workload from the cloud service provider or the enterprise. However, a CASB must integrate its solution with the cloud application, the enterprise users’ platforms, and any key manager specified by the enterprise. Encryption capabilities also extend to smartphones, as CASBs can help secure against data loss for mobile users who interact with the CSP; integrations with mobile platforms, MDMs and MAMs are therefore also needed.

Generally, CASB encryption solutions are deployed through four integration options:

  1. Reverse proxy — This can be deployed as an on-premises gateway or as a SaaS option. [Note: A reverse proxy sits in front of an internal server and intermediates traffic destined for that server, hiding the server from clients.] The on-premises option gives the enterprise full control over key management, with no access by the CASB. However, because the target application then sees only ciphertext for the protected fields, server-side functions such as search, sorting and reporting on those fields are affected. With a CASB-hosted reverse proxy, the CASB may have indirect access to the key management system and to the keys/tokens in use in the cloud.
  2. Forward proxy — This option can be deployed CASB-hosted or on-premises, and some CASBs deploy software agents on endpoint devices that perform the cryptographic operations themselves. The CASB typically provides encryption keys/tokens to the endpoints using asymmetric key distribution or VPN connections. It may use self-signed certificates or supported third parties, or it may offer key management that the enterprise runs. A forward proxy only protects traffic that is steered to it, which is why endpoint configuration or agents are usually part of the deployment.
  3. API mode — This option effectively moves the encryption engine to the CSP itself. It also lets organizations perform data security inspection on all data “at rest” in the cloud application or service. The CASB may offer on-premises or hosted key management. API mode makes it possible to use the growing number of native data protection tools offered by the target cloud applications themselves, whereby the application performs the encryption / tokenization while the enterprise still controls the keys.
  4. Endpoint agent — No CASB can operate exclusively on the endpoint, but several offer optional endpoint software for purposes such as cloud application discovery and tracking, routing to the proxy, and object encryption and decryption.

Hotbed of Activity

The CASB market space is currently a hotbed of activity as several providers have been acquired or formed partnerships over the last year. Besides Microsoft’s purchase of Adallom, there have been several moves of late that have brought the CASB model closer to existing information security products. For example, Blue Coat Systems recently acquired two CASBs — Perspecsys and Elastica — and has moved to integrate their respective offerings with Blue Coat’s Web gateway security products, as well as other offerings. In addition, earlier this year Adallom and Elastica formed partnerships with Hewlett Packard Enterprise and Cisco, respectively, to integrate their CASB platforms with the vendors’ traditional security offerings.

While Elastica and Perspecsys are both CASBs, the two vendors offer somewhat different approaches. Perspecsys is part of the cloud data protection segment of the CASB market because the vendor is focused on encryption and data governance (Skyhigh Networks and CipherCloud are other CASBs in this segment). Meanwhile, Elastica is part of the cloud access security intelligence segment due to the vendor’s concentration on cloud application discovery and monitoring (other companies in this space include Netskope and Adallom, which was acquired recently by Microsoft).

For Blue Coat, these acquisitions extend its Secure Web Gateway with CASB functionality, Advanced Threat Protection (ATP), an integrated Web Application Firewall (WAF), and encrypted traffic management (SSL). Together with the CloudSOC capabilities from Elastica and the encryption and tokenization technology from Perspecsys, Blue Coat positions this “Cloud Generation Gateway” as the foundation of its Security Platform.

Many CASBs have also been busy extending the security services they offer, through integration with third-party providers or by growing these services organically. For example, Intel Security is changing its strategy as part of its Security Connected architecture vision to focus on integration and on positioning its products for this emerging market. It has introduced two middleware layers, the Data Exchange Layer (DXL) and the Threat Intelligence Exchange (TIE), aimed at deeper integration among its own suite of products and also with cloud providers and third-party security vendors, to enable more adaptive security automation and orchestration. TIE works with the well-known McAfee antivirus to detect new objects on endpoints and decide what action to take, while DXL is the standard messaging protocol over which the products share that information. Intel already has a good basis for this integration through its ePO (ePolicy Orchestrator) product and the partners in the Intel Security Innovation Alliance, and it aims to make ePO the centralized hub for the endpoint and to simplify workflow for system administrators.

Another CASB, CloudLock, has also made solid advances in creating an integration fabric. CloudLock is an API-only CASB. It started as a cloud data protection provider but has grown into a full-fledged CASB by adding functions organically and through third-party integration (e.g., IDaaS providers, SIEM providers). Currently its Cloud Security Fabric provides services for:

  • Content classification
  • Central auditing
  • Application firewall
  • Security analytics
  • User behavior analytics
  • Policy automation
  • Encryption management
  • Incident management
  • Configuration security

Researchers are also investing heavily in CASBs, developing adaptive security capabilities at the intersection of different technologies. For example, Chen et al. propose a cloud-based security center that controls a collaborative network security management system consisting of Unified Threat Management (UTM) devices and traffic probers. A distributed security overlay network, built on the peer-to-peer communication protocol used in the UTMs’ collaborative module, connects them virtually so they can exchange network events and security rules. The security center can instruct each collaborative UTM and prober to collect events and raw traffic and send them back for deep analysis, from which it generates new security rules. The collaborative UTMs enforce these rules and return feedback events to the security center. Through this closed-loop control, the collaborative network security management system can identify and address new distributed attacks more quickly and effectively.

As CASBs mature I predict there will be greater consolidation in the market space. SDN / NFV will also be adopted as platforms to host CASBs, to provide greater agility and to integrate more deeply with multiple cloud services and the CSPs’ infrastructures. For example, the research described above could be redesigned with SDN as the overlay network and the UTMs / traffic probers running as virtual network functions. Leveraging Splunk for correlation, analysis, and automated courses of action for mitigation could provide the scale, granularity of action, and performance a CASB needs.

I hope you enjoyed this quick tour of CASBs. Explore the links provided to find out more. Send ActiveCyber a comment and let us know your opinion of CASB technology and the CASB market.

List of CASBs/CASGs (with partners and recent acquisitions)

  • Armor5
  • BetterCloud
  • Bitglass (Deloitte)
  • Blue Coat Systems (Perspecsys and Elastica)
  • Bracket Computing
  • CensorNet
  • CipherCloud
  • CloudLock
  • FireLayers (Checkpoint, Akamai)
  • HP
  • IBM
  • Imperva (Skyfence, WebSense)
  • Ionic Security
  • Microsoft (Adallom)
  • Netskope
  • Palerra
  • Palo Alto Networks (Cirrosecure)
  • Protegrity USA
  • Pulse Secure
  • Saviynt
  • SkyFormation
  • Skyhigh Networks
  • Trend Micro
  • Vaultive
  • Vormetric
  • Ziften
  • Zscaler