
How to select your CASB:
CASB's top 58 features, CSP's risk score and first 90 days operation plan
Himani Singh
Oct 2016

Agenda
According to Gartner, Cloud Access Security Brokers (CASB) are one of the top 10
leading technologies in the IT industry.
That said, it is also a live technology that keeps maturing over time, and we
expect more features to be added to it.
This presentation
covers 58 CASB features,
helps in CASB evaluation,
describes CASB methods to score a cloud service provider, and
outlines a first 90 days operation strategy for a CASB.

An intro to CASB technology

Most of the IT, HR and other business software is delivered as Software-as-a-Service (SaaS) from
the cloud. With this model, the CISO/CIO has lost the single security-policy enforcement
points (SPEPs) they used to have in traditional networks.
SPEPs are distributed in the cloud, while the CISO/CIO still needs visibility, resource protection and
control in the cloud.
CASB is the answer to that, and its definition includes the following:
The 5 As:
Secure access to any app, any device, at any time, for any user and from anywhere.
Visibility into the five Ws:
who (user), when (time), what (resource and activity), why, which app (app access).
Data security and data protection for data:
on-the-move, in-use and at-rest in the cloud or on the device.
Compliance, access control and threat protection.

Do you need a CASB?

Does your organization really need it?
If you have only a limited number of cloud apps, then a full-fledged CASB is probably not for you.
You can use a CASB's discovery functionality to find shadow IT in your
organization. Most CASB vendors offer it either for free or for a small fee.

When do you need it?

If your organization has a hybrid cloud.
IT and/or other BUs (support, sales, marketing) are managing their own
cloud apps.
IT and other BUs have future plans for cloud implementation.
You need visibility, data protection, compliance and access control in the
cloud.

An overview of CASB deployment modes

[Diagram: CASB deployment modes. The CASB sits between the enterprise (corporate office, servers, desktops and laptops, mobile devices; remote users on unmanaged mobile or personal devices) and the cloud services it protects: IaaS (AWS, Azure, SoftLayer), PaaS (Oracle Cloud, Google API, Bluemix) and SaaS (Box, Workday, O365). Two modes are shown: CASB proxy mode, where traffic reaches the CASB through a FW or SWG proxy, URL rewrite redirection or traffic redirection using DNS, with IDM, IDaaS, SSO and SAML for enterprise integration; and CASB API mode. Both provide visibility, data protection, malware and threat protection, data governance, continuous monitoring and compliance.]

Detailed information can be found at
http://www.slideshare.net/Himani-Singh/cloud-security-overview-part-1

Yes to CASB, then what?

A CASB has lots of moving parts: not only different services, software and agents, but
multiple deployment modes and functionalities.
This presentation covers the 59 much needed CASB features, a score card for a cloud
service provider (CSP), and a 90 day plan to operate the CASB and continuous
monitoring to take full advantage of your CASB.
Select the deployment mode depending on the service you want to
protect: SaaS, IaaS or PaaS. More info can be found in part one:
http://www.slideshare.net/Himani-Singh/cloud-security-overview-part-1

Consider facts and do your due diligence

After the selection of the CASB deployment mode, consider more facts: how much tolerance does your organization have towards latency? Remember that a CASB
will introduce some amount of latency.
CASB integration can introduce extra work such as installing agents on end devices, network changes and DNS redirection.
Discovery is the first step.
Take advantage of a CASB vendor's discovery service to understand your network.

Make a matrix of priority vs cost vs latency to select the correct balance.

The following slides cover CASB functions in these areas:
Visibility, Compliance, Data Security, Threat Protection and Access Policies.

Covering the basics - Visibility

Visibility feature: Description

CASB log based discovery OR active inline based discovery:
Discover your network, both sanctioned and unsanctioned apps, user actions and traffic load. This is a mature
feature and most CASBs offer it.
Check the vendor's app database update frequency. You want the latest apps and modified app
signatures to be included.
This is a must-have feature.

CASB log based discovery with LDAP/Active Directory integration:
The integration provides the IP to user mapping, which is helpful to identify a user name. This is also useful
for user-name based queries and actions.
Enterprise integration (IP to user mapping): most vendors have this mapping with the active or inline proxy, and few
offer it for log based CASB.
It is better to have it for both modes.

Data visibility:
Type of files uploaded, shared and publicly shared, and where data is being transferred or stored in the cloud.

User activity:
User actions such as share, public share, download and edit.

Top user, top app, top location:
A graphical view of top user, top app and top location.

Device, OS and location identification:
Which device and OS is used at which time and from which location.

Search based on application category:
Ability to group applications based on categories, e.g. business, HR, social, file storage etc.

Service category:
Able to classify apps based on SaaS, PaaS and IaaS.

Covering the basics - Compliance

Compliance feature: Description

Personally Identifiable Information (PII):
Personally identifiable information (PII) must be protected from internal and external sources.
A CASB should be able to distinguish between employees' enterprise and personal traffic, because a CASB
should skip employees' personal information.

Health Insurance Portability and Accountability Act (HIPAA):
Must comply with the HIPAA act for at least the first two titles.

Payment Card Industry Data Security Standard (PCI DSS):
A CASB should be able to identify PCI data, trigger an alert, and block any PCI data going to a cloud app that is not PCI compliant.

Many more.

Covering the basics - Data Loss Prevention

DLP feature: Description

Blocking sensitive data leakage using pattern matching:
Use different pattern matching techniques to identify sensitive data. That data can be either leaving
the organization or stored in the cloud.
This matching is done by regular expressions or DLP predefined sensors.

Predefined sensors:
A CASB must be able to identify PII, PCI, HIPAA and other predefined sensors to identify addresses, names, zip codes, email addresses and more.

Custom DLP pattern: Fingerprinting:
Fingerprinting is one technique to create custom pattern matching when sensitive data does not fall
into any predefined category.
There are many ways to create a fingerprint; one of them is hashing. In this method a hash of the sensitive
document is created and stored in the proxy's cache. This stored hash is matched against the hash of user
data (data-on-move, data-at-rest or data-in-use); if any match is found, an action is taken.

Custom DLP pattern: keywords, dictionaries, exact match:
Allow the user to create custom DLP patterns based on keyword, exact match or dictionary methods.
Explaining all the methods is beyond the scope of this document.

Validation mechanisms for credit cards, Social Security numbers:
A CASB should have a mechanism to validate card numbers and SSNs.
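As an added example (not from the original deck), the following Python implements the three DLP mechanisms in this table together: regex predefined sensors, Luhn and SSN validation so that random digit runs are not flagged, and a hash fingerprint cache for exact-match documents. The sensor set, validation rules and sample text are constructed assumptions, not a vendor's implementation.

```python
import hashlib
import re

# Predefined sensors as regular expressions (constructed for this example,
# not a vendor's sensor set). The card pattern allows space/hyphen separators.
SENSORS = {
    "credit_card": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def luhn_ok(number: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like
    a card number, which is the validation mechanism the table asks for."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0


def ssn_ok(ssn: str) -> bool:
    """Reject SSN-shaped strings that are never issued: all-zero groups,
    area 666 or areas 900-999."""
    area, group, serial = ssn.split("-")
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


VALIDATORS = {"credit_card": luhn_ok, "ssn": ssn_ok}


def fingerprint(text: str) -> str:
    """Exact-match document fingerprint: SHA-256 of whitespace-normalised,
    lower-cased text. A proxy would keep these hashes in its cache."""
    normalised = " ".join(text.split()).lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def scan(text: str, fingerprint_cache: set) -> dict:
    """Return validated sensor hits and whether the whole text matches a
    fingerprinted document; the caller maps this to alert/block/quarantine."""
    hits = {}
    for name, pattern in SENSORS.items():
        validate = VALIDATORS.get(name, lambda _: True)
        valid = [m.group(0) for m in pattern.finditer(text)
                 if validate(m.group(0))]
        if valid:
            hits[name] = valid
    return {"sensors": hits,
            "fingerprint_match": fingerprint(text) in fingerprint_cache}
```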

Covering the basics - Data Loss Protection

DLP feature: Description

DLP by API, almost real time:
Provides almost real time data monitoring, which means data-at-rest must be matched as
soon as it is uploaded.
If a match is found, an appropriate action such as alert, block, quarantine, legal hold or encryption is
taken.

DLP by inline proxy:
In this case, pattern matching can be done in real time on data-in-motion; if a match is found, an
appropriate action is taken, the same as above.

DLP on structured and unstructured data:
Pattern matching should be done on both structured and unstructured data.

External DLP integration:
A CASB must provide a way to integrate a 3rd party DLP engine for data scanning.
For example, a customer can use an external DLP engine in conjunction with, or instead of, the CASB's
integrated DLP engine.

Field level / file level encryption and field level tokenization in real time:
Field/file level encryption can be done while data is in transit (proxy based).
Field level tokenization on CC, SSN, email, name and other fields.

Enterprise/LDAP/SSO/Active Directory integration:
Using the username together with the IP address will allow the correct access rights.

E-discovery, classification, encryption and tokenization on data at rest:
A CASB in API mode can probe data stored in the cloud app; if it is classified as sensitive, then take an
action such as encrypt, quarantine, tokenize, DRM, log or alert.

User's own crypto keys:
Some clients prefer to use their own keys. A CASB vendor may allow users to use their own keys
and manage them.

Covering the basics - Data Loss Protection

DLP feature: Description

Digital rights management:
A CASB should apply data classification tags such as DRM to prevent copying or
downloading.

Watermark adding and detection:
A CASB can add a watermark or detect a watermark.

Key management and customer's own crypto keys:
Some clients prefer to use their own keys.
A CASB vendor should support customer encryption keys in its on-premise or cloud
solution. The CASB vendor should be able to securely manage them.

Data that is password protected:
A CASB should be able to scan and take action on files that are password protected.

ICAP integration:
A CASB proxy should allow ICAP integration to either support a 3rd party DLP solution or
help release the proxy's resources.

BYOD security for MDM:
MDM-style security for a mobile device is quite important; it includes
selective wipe,
contextual access,
limited access rights,
upgraded authentication.

Covering the basics - Threat Protection

Threat protection feature: Description

Malware identification using a database of known rogue IPs, URLs, hosts and locations:
A CASB should block the traffic if any element matches the
rogue URLs, IPs, host names, source IPs or locations.

Anomalous behavior (between SaaS apps): ability to track when a large volume of data is being exchanged between multiple SaaS apps:
A user account has been hacked, and the hacker might be using some level of
obfuscation to transfer the data.

Event log preservation:
Ability to provide and preserve the event logs, and the ability to find
the correlation between events.

Anomaly detection on a user or app basis:
A single user is downloading a large amount of data at odd hours,
or from unsanctioned locations,
or a single user is logged in to different apps at different locations.

Orphan account detection:
Accounts of ex-employees should be detected, and their data should be cleaned up.
Any access to an orphan account should be detected immediately.

Reset an account:
Reset or block an account.

Integrate with IAM:
User activity across multiple SaaS apps should be tracked for visibility.

Integration with SIEM:
Have a unified security view.

Covering the basics - Access control

Extended feature: Description

User and entity behavior analytics (UEBA) used on multiple SaaS apps for breach detection:
Detects anomalies, threats, and misuse of resources (if this is not in the current
feature set, it should be on the road map).

Contextual access to resources:
Limited access based on device, e.g. a user can only view the data but can't
download it.

Authentication update or dual authentication:
Force dual authentication (or strong auth) for conditions such as
a mobile user, 3 failed login attempts, an unusual location or an unusual action.
It is an extra protection layer.

Supports unmanaged devices:
With or without an agent.

Automatic policy conversion for the security eco-system:
Able to convert the security policy from on-premises devices (firewalls, next
generation firewalls) to the CASB.
This feature can save a lot of work for the security admin.

Access control based on parameters:
Access to a resource based on user, location, OS, device, app category,
country, personal account vs corporate account, sender, receiver and user
action.
E.g. the EU doesn't allow data to leave the country, so an EU based policy must
make sure that data is stored in a data center located in the EU.
E.g. a customer can use a non-trusted app to share a file but an employee
can't.

CASB vendor's proxy security measures

What about the CASB's own security: Description

Regular software updates for malware and new SaaS apps:
The vendor should regularly and frequently update the app-signature database
and the malware signatures.

Software update and DevOps security:
Should have a secure method for release management.
Software upgrades should be transparent for the customer.

Data center security:
How the data center is secured, and how keys are secured.

Event backup plan:
Check what the event backup plan is in case of a system crash.

Regular pen testing:
Does the CASB vendor go through regular pen testing?

Check support and professional services:
It is always a good idea to check the support and professional services personnel;
you will interact with those people the most.

Does the CASB do the due diligence for scoring a cloud service provider (CSP)?
A CASB should score its CSPs on the following factors.

Your CASB vendor should cover the following factors while reviewing a CSP.
These review results should be displayed on the web interface.

CSP risk score is important:
A CASB provides the CSP's risk score, which is calculated based on many
factors such as app reputation, trustworthiness, known breaches etc.
A CSP's risk score can play an important role because an organization may
configure its security posture based on the CSP's risk score.
A CASB vendor should consider the following facts to score the CSP.

CSP compliance on a regular basis:
Track the cloud app's Service Organization Control (SOC) report to ensure the security
rules have been applied and maintained. Check for compliance certificates
such as SOC2, PCI, HIPAA, ISO 27001 etc.

CSP activity logs and data center protection:
The CSP should maintain activity logs for users and admins of its data center.
The CSP should provide the logs for end user activity.
Has the CSP secured its data center?

CSP's security measures:
Identity, default settings and authentication:
Default passwords have been reset, anonymous access is blocked.
The CSP has integration with enterprise directories (LDAP, Active Directory).
Enterprise integration for authentication (FW users).
Single Sign On methods.

Does the CASB do the due diligence for scoring a cloud service provider (CSP)?
Extended feature: Description

CSP's security measures:

Legal implications:
Any cloud service provider must follow all rules in the legal
implications defined in the enterprise user license agreement, such as
data sharing (name, phone etc),
data retention period after account termination,
account termination rights and contract,
service contract renewal,
intellectual property ownership.

CSP reputation:
Has the CSP experienced a breach in its service in the past? If
yes, what measures did they take to prevent it?
Does the CSP go through regular pen testing?
Has any of the hosted sites had malware or a botnet?

Data protection:
Data protection for multi-tenancy, keeping all tenants' data
safe.
What level of encryption is used for data-at-rest?
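Added example (not the deck's or any vendor's formula) of how the factors listed on these two CSP due-diligence slides could be combined into a CSP risk score that then drives the access posture an organization configures. The weights, the factor scoring rules and the two sample CSP profiles are constructed assumptions.

```python
# Factors from the CSP due-diligence slides, each scored 0.0 (worst) to 1.0 (best).
# The weights are assumptions for this example, not a CASB vendor's formula.
WEIGHTS = {
    "compliance": 0.25,       # SOC2, PCI, HIPAA, ISO 27001 certificates held
    "breach_history": 0.20,   # past breaches and the measures taken afterwards
    "pen_testing": 0.10,      # regular penetration testing of the service
    "identity": 0.15,         # defaults reset, anonymous access blocked, SSO/LDAP
    "data_protection": 0.20,  # tenant isolation and encryption of data-at-rest
    "legal": 0.10,            # retention, termination and IP ownership terms
}
REQUIRED_CERTS = {"SOC2", "PCI", "HIPAA", "ISO27001"}


def score_compliance(certs):
    """Fraction of the expected certificates the CSP holds."""
    return len(REQUIRED_CERTS & set(certs)) / len(REQUIRED_CERTS)


def score_breach_history(breaches, remediated):
    """No breach is best; a remediated breach scores better than an open one."""
    if breaches == 0:
        return 1.0
    return 0.6 if remediated else 0.1


def csp_risk_score(profile):
    """Weighted sum of factor scores, returned as 0-100 (higher = safer)."""
    factors = {
        "compliance": score_compliance(profile["certs"]),
        "breach_history": score_breach_history(profile["breaches"],
                                               profile["remediated"]),
        "pen_testing": 1.0 if profile["regular_pentest"] else 0.0,
        "identity": (profile["defaults_reset"] + profile["anon_blocked"]
                     + profile["sso"]) / 3,
        "data_protection": (profile["tenant_isolation"]
                            + profile["encrypted_at_rest"]) / 2,
        "legal": 1.0 if (profile["retention_defined"]
                         and profile["customer_owns_ip"]) else 0.5,
    }
    return round(100 * sum(WEIGHTS[k] * v for k, v in factors.items()))


def posture(score):
    """Map a score to the access posture an organization might configure."""
    if score >= 80:
        return "sanctioned"
    if score >= 50:
        return "allow-with-dlp"
    return "block"


# Constructed sample profiles (not real providers).
GOOD_CSP = dict(certs=["SOC2", "PCI", "ISO27001"], breaches=0, remediated=True,
                regular_pentest=True, defaults_reset=True, anon_blocked=True,
                sso=True, tenant_isolation=False, encrypted_at_rest=True,
                retention_defined=True, customer_owns_ip=True)
RISKY_CSP = dict(certs=[], breaches=2, remediated=False, regular_pentest=False,
                 defaults_reset=False, anon_blocked=False, sso=True,
                 tenant_isolation=False, encrypted_at_rest=False,
                 retention_defined=False, customer_owns_ip=True)
```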

If you decided to deploy - first 90 days

To take full advantage of your CASB, plan the deployment to progress through the steps of discovery, control
and access policy, data protection, monitoring and managing usage.
Discovery method:
Discovery can be done by security device logs or inline.
Make a list of sanctioned and unsanctioned apps along with their risk scores.
Create a baseline for apps per user, usage per app, usage per location and more.
Make a matrix of apps, risks and usage for both sanctioned and unsanctioned apps.
Encourage other BUs to get involved in the process.

Monitoring and control:
Monitoring can be achieved in both API and inline mode; the only difference is that data monitoring is either inline or done by
probing the SaaS server.
Based on your organization's policy, grant access rights and create policies for access, block and alert for the applications.
Keep modifying the policies based on risk scores.
Get creative while planning for cloud governance, access and control.
Encryption and tokenization based on sensitive data.

If you decided to deploy - first 90 days

Usage:
DLP and compliance:
Create policies based on User and Entity Behavior Analytics (UEBA) information,
e.g. one user is using different SaaS apps from different locations in a short time period,
or a user is downloading a large volume of data.

Real time enforcement:
Create contextual access policies based on mobile, user, location, OS and more, e.g. a mobile device has different access than a
desktop.
Upgraded authentication based on location, device or OS.

Usage monitoring:
Reporting:
Orphan accounts and data,
large amounts of data,
enterprise integration for user identity.
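Added example (not from the deck) serving both the "anomaly detection on a user or app basis" entry of the threat protection table and the UEBA policies on this slide: two detectors run over constructed sample CASB activity events, one for a single user pulling a large volume at odd hours and one for a user logging in to different apps from different locations within a short window. The thresholds (BULK_BYTES, OFF_HOURS, TRAVEL_WINDOW) and the event format are assumptions standing in for the baseline built during discovery.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; in practice they come from the
# baseline built during the discovery phase.
BULK_BYTES = 500_000_000            # download volume treated as "large"
OFF_HOURS = range(0, 6)             # local hours treated as odd hours
TRAVEL_WINDOW = timedelta(hours=1)  # two locations inside this window is suspect


def ev(ts, user, app, action, loc, nbytes=0):
    """One CASB activity record (constructed, not a real log format)."""
    return {"ts": datetime.fromisoformat(ts), "user": user, "app": app,
            "action": action, "loc": loc, "bytes": nbytes}


# Constructed sample events.
EVENTS = [
    ev("2016-10-03T09:12:00", "alice", "box", "login", "US"),
    ev("2016-10-03T09:20:00", "alice", "box", "download", "US", 15_000_000),
    ev("2016-10-03T09:41:00", "alice", "salesforce", "login", "RO"),
    ev("2016-10-04T02:05:00", "bob", "o365", "download", "US", 900_000_000),
    ev("2016-10-04T10:00:00", "carol", "workday", "download", "US", 2_000_000),
]


def detect_bulk_off_hours(events):
    """Single user downloading a large amount of data at odd hours."""
    return [(e["user"], e["app"]) for e in events
            if e["action"] == "download" and e["bytes"] >= BULK_BYTES
            and e["ts"].hour in OFF_HOURS]


def detect_location_hopping(events):
    """Single user logged in to different apps from different locations
    within TRAVEL_WINDOW."""
    logins = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "login":
            logins[e["user"]].append(e)
    alerts = []
    for user, seq in logins.items():
        for a, b in zip(seq, seq[1:]):
            if (a["loc"] != b["loc"] and a["app"] != b["app"]
                    and b["ts"] - a["ts"] <= TRAVEL_WINDOW):
                alerts.append((user, a["loc"], a["app"], b["loc"], b["app"]))
    return alerts


def run(events):
    """Alerts a policy engine would act on: alert, step-up auth or block."""
    return {"bulk_off_hours": detect_bulk_off_hours(events),
            "location_hopping": detect_location_hopping(events)}
```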

First 90 days - threat protection

Threat protection:
Add the database of known attacks, malware, IPs and URLs.
Establish the baseline for the system, and create an alert if the baseline
is breached.
Prevent:
Plan for attack prevention and isolation of the application/system.
Watch the applications' risk scores.

When an incident is detected:
Confirm, prioritize, investigate, report, update the system.
Modify the policy.

Enjoy:
You have a security control point in the cloud.

Cloud glossary
Web app:
Only used via a web browser and has a combination of server side and client side script. Online shopping,
WebEx, eBay and more.

Cloud app:
A service delivered by the cloud that can be accessed by a web browser or a native client. In most cases the web
interface is used as the alternative method. Cloud app examples are: Outlook on your Mac/Windows or Office 365
login, Box, Evernote, Salesforce and more.
Data can be accessed in offline mode by downloading it locally, and it can be synced periodically.

Shadow IT:
A user-targeted cloud app or unsanctioned app used by organization personnel without the organization's IT approval.

Payment Card Industry Data Security Standard (PCI DSS):
Security standard for organizations that handle branded credit cards from the major card schemes including
Visa, MasterCard, American Express, Discover, and JCB.

Cloud glossary

Personally Identifiable Information (PII):
Can be defined as medical, educational, financial, legal and employment information about an individual
that can be used directly or indirectly, or in connection with other information, to identify or locate that
person.
Health Insurance Portability and Accountability Act (HIPAA):
The HIPAA Act (of 1996) provides data privacy and security provisions for guarding the medical information of an
individual. It has five titles.
Title I: It protects health insurance coverage for workers who lose or change jobs, covers specific diseases and preexisting conditions, and prohibits setting lifetime coverage limits.
Title II: The U.S. Department of Health and Human Services must establish national standards for
processing electronic healthcare transactions, implement secure electronic access to health data and
remain in compliance with privacy regulations set by HHS.
Title III includes tax-related provisions and guidelines for medical care.

Cloud glossary

Advanced threat protection or threat protection:
A security solution that detects and blocks hacking based or advanced malware attacks that steal sensitive
data. Most of the time these solutions include endpoint agents, a malware protection system, network
devices, a database of rogue IPs and URLs, and a centralized management system to correlate the data.
Internet Content Adaptation Protocol (ICAP):
An HTTP-like lightweight protocol that is used to extend transparent proxy server functionality (in a
standardized way) to help deliver value-added services such as content filtering (DLP), virus scanning, ad
insertion, language translation or content translation.
Offloading these services to the ICAP server releases the resources on the HTTP transparent proxy.
The proxy accepts the connection and holds the request, while it uses ICAP to pass the content to the DLP
solution (on the ICAP server) for inspection. Since the proxy itself is not doing the inspection, its resources
are free and it can accept more connections. The ICAP solution returns the request with the scan results; if no
sensitive data is found the request is forwarded, otherwise the HTTP request is dropped.

Cloud glossary

Structured and unstructured data:
Structured data: data with columns that can be easily searched by basic algorithms. Examples
include spreadsheets and relational databases.
Unstructured data is closer to how humans use it, and searching it is hard. Examples are emails, binaries, Word docs,
social media posts, images, audio and more.
Identity and Access Management (IAM):
It is a mission critical security practice that enables the right individuals to access the right
resources at the right times for the right reasons.
IAM solution providers are Okta, OneLogin, PingIdentity, Centrify.
Identity as a Service (IDaaS):
An IAM cloud based service that is used by an organization to authenticate a user or service using
Single Sign-on (SSO using SAML or OIDC) for multiple software and cloud-based applications. It
can be for multi-tenant or dedicated organizations.

Cloud glossary

XaaS: Anything as a Service
DaaS: Desktop as a Service
IaaS: Infrastructure as a Service
SaaS: Software as a Service
BDaaS: Big Data as a Service
HDaaS: Hadoop as a Service
BaaS: Backup as a Service
SCaaS: Security as a Service
MaaS: Monitoring as a Service
DRaaS: Disaster Recovery as a Service
