The Importance of Extending Your Security Policies to the Cloud

As millions of workers move from the confines of their employer’s network to apply safe physical distancing measures by working from home, securing data gets more complicated. Providing adequate protection for your critical data can be even more challenging if your VPN just wasn’t designed for the level of traffic you now need. 

Many feel that cloud applications are the apparent solution for keeping businesses up and running while protecting people from the coronavirus. But you still need to protect your data. As unthinkable as it seems, indications are that our cyber adversaries are stepping up attacks in an attempt to leverage this global crisis to their advantage.

When much of the security industry attended the RSA conference in San Francisco in late February, the world was only beginning to understand the scope of today’s pandemic. In light of what has happened since RSAC, the conversation Brilliance Security Magazine had there with CipherCloud, a leading CASB, is even more relevant.

A cloud access security broker (CASB) acts as a gatekeeper, allowing an organization to extend the reach of its security policies beyond its on-prem infrastructure. With the notable exception of heroic first responders, medical providers, food providers, and other critical services, most of the world is not going to work, at least for a few weeks. Those who are fortunate enough to still be employed are working from home. A CASB is a vital tool for keeping everyone’s data safe as cloud applications help businesses communicate and collaborate effectively.

Salah Nassar, VP of Marketing at CipherCloud

BSM had the singular pleasure of meeting with Salah Nassar, VP of Marketing at CipherCloud, during the RSAC event. When asked about how CipherCloud got its start, Salah said, “When we initially started, we were an encryption company for businesses adopting Salesforce. Companies would adopt Salesforce, and then they wanted to protect all their customer records and the other sensitive data that they had moved to the cloud. We were a field-level encryption company. And then, from 2011 to 2013, Office 365 started to become popular. People started adopting Box and many other cloud applications. Lines of business were beginning to make decisions around specific cloud applications. They were coming to us saying we need similar functionality for our other cloud applications.

“So we built out a data loss prevention solution with an ability to locate and identify a customer’s data, both structured and unstructured. We can protect this data by policy. It started with what you would expect a CISO or a CIO to ask first, who’s using what apps?” They needed visibility. 

To get a sense of how CASB adoption is going, we asked Salah to share his viewpoint. He told us, “From a cloud adoption perspective, I’d say most organizations are at 60% to 70%, maybe 80% adopted. From a security perspective, the CASB market is only about 30% penetrated.”

What About VPNs?

CipherCloud believes that VPNs are not the right solution for working from home. A recent CipherCloud blog post explains why:

  • VPNs are slow: A VPN can get notoriously slow on the public Internet because of routing traffic through central hubs. How would that impact productivity during business hours?
  • VPNs are expensive: VPN servers or concentrators are costly appliances and can manage a limited number of clients. A sudden spike in remote logins may result in frequent server crashes, terminating thousands of active connections.
  • VPNs are complicated: VPN configurations and management can get extremely tricky for the IT department. A single policy setup can involve setting up the encryption, department-specific subnet configuration, key or certificate association, etc. Managing multiple clients through multiple hubs can get extremely taxing.

A data-centric approach for secure workplace collaboration

Cloud-native organizations create and share data in the cloud, between clouds, and to organizations outside of their enterprise. Once a user has access to the data in cloud applications, they can often do whatever they want with little oversight. 

To enable tighter control and enable collaboration, it is imperative to facilitate protection around the data and the users accessing the data. A CASB creates a security perimeter around the data and deploys a host of data protection controls, such as data loss prevention, user behavior analytics, threat protection, and contextual access controls.

CipherCloud’s web site asserts that their CASB solution, CASB+, is tailor-made to address the security challenges with the cloud-mobile digital transformation, allowing organizations to achieve Zero-Trust cloud security. Here is how CASB+ enables secure remote collaboration from any location and device:

  • Secure mobile access: The agentless architecture of CASB+ ensures quick, frictionless deployment, delivering full CASB functionality without any resource-intensive installation of agents or expensive upkeep.
  • Zero trust identity protection: As cloud-based collaboration rapidly grows, organizations need assurance that users accessing the SaaS applications are who they say they are. CASB+ combines with IDaaS solutions to deliver end-to-end user and data security from any device, any location, to all trusted cloud applications, enabling zero-trust cloud security. While the IDaaS solutions verify the user at the door, CASB+ Adaptive Access Controls allow contextual access based on managed or unmanaged devices, time of the day and geolocation, and can terminate the connection or step up the authentication based on any data access anomaly.
  • Visibility and threat protection: CASB+ logs all user activity in sanctioned clouds, allowing you to shut down unauthorized users and malicious activities. CASB+ User and Entity Behavior Analytics (UEBA) monitors all user, device, and application activities and detects anomalous behaviors using deep machine learning algorithms.
  • Prevent data leaks across multiple touchpoints: Cloud DLP is essential to prevent leakage of sensitive data in motion or at rest. CASB+ Cloud DLP provides a consistent policy to identify and protect sensitive data in emails and cloud apps, preventing accidental data loss. CASB+ can also be integrated with existing enterprise DLP solutions, enabling consistent policy application across the enterprise.
  • Secure offline data shares: While DLP allows you to secure all the data in the cloud, it is equally essential to ensure the same data remains secure when it gets downloaded and shared with external collaborators. CASB+ Information Rights Management (IRM) enables last-mile data protection by encrypting sensitive data, reports, and emails during downloads, allowing data decryption only through an IRM client installed on authorized devices. On the loss of a device, the data access can be remotely revoked, along with digitally shredding any sensitive content on the device.
  • Encrypt before upload: CASB+ data protection solution identifies and encrypts sensitive content in motion, before it gets hosted in the cloud, allowing organizations to retain exclusive control over the sensitive data and delivering end-to-end zero-trust protection without compromise.

Looking forward

Traditional VPNs are running out of steam. According to Gartner, 60% of enterprises will phase out their VPNs in favor of zero-trust network access. CASBs focus on providing organizations with deep data visibility, adaptive access controls, and real-time data protection against zero-day threats. They are an ideal solution for BYOD users. The future belongs to human-centric security with data and identity at center stage.

Steven Bowcut is an award-winning journalist covering cyber and physical security. He is an editor and writer for Brilliance Security Magazine as well as other security and non-security online publications.