CASBs: How to make the public cloud feel private
There’s been a lot of discussion so far about the public cloud and the possible dangers of trusting enterprise data to it. In a previous blog post, I also discussed a few ways to mitigate these risks.
One simple way is to keep all enterprise storage inside the network–basically, an on-premise approach. But what that means is that the enterprise is giving up the well-known benefits of public cloud storage such as OpEx versus CapEx, pay-only-for-what-you-use, elasticity, and savings on power, cooling, network infrastructure, IT staff, etc. So, short of shunning the public cloud entirely, what can an administrator do? Is there a way to get the benefits of the public cloud but with the confidence you have storing data inside your data center or a private cloud?
The Key Lies In the ‘KEY’
There is indeed, and you can achieve this with systems that give you zero-knowledge privacy. A great example that people can relate to is one of a bank safe deposit box. An individual may rent a bank safe deposit box to store documents of a confidential nature, but will rarely, if ever, trust the bank so much that he/she will let the bank have access to the documents. Individuals always ensure that they have a key to their safe deposit box, without which the box cannot be opened.
It is ironic that a number of businesses or their employees who store data using public cloud storage services don’t take this simple precaution. Software solutions that rely on zero-knowledge privacy basically make sure that the keys are given back to those who own the data–and not left with the cloud storage provider.
In spite of its obvious importance, privacy tends to be largely unregulated in most countries. Most privacy policies published by cloud storage vendors usually aren’t guaranteeing privacy so much as informing their customers how they intend to use the data that is placed on their storage systems. Many of them allow themselves to utilize your information for secondary use such as marketing and advertising.
More importantly, though, a number of cloud storage vendors publish semi-annual transparency reports which show how many times governments have asked them for information about users and their data. Laws in many countries require online services and cloud storage providers to turn over this information–many times without the knowledge of the customer to whom the data belongs. Trusting cloud storage vendors with your data completely could also mean that employees of the vendor could have access to the information business customers store on their systems.
CASB? What’s That?
A way to achieve zero knowledge privacy on the web is to use a CASB solution. CASB stands for ‘Cloud Access Security Broker,’ and while CASBs can perform a number of functions such as giving you reporting on cloud usage, enforcement of compliance, etc.–one of the more useful functions they can perform is that of data security. By encrypting the data that your enterprise sends to cloud storage destinations before it leaves the enterprise network, with keys that are known only to the enterprise, they ensure a level of security that isn’t otherwise possible when using cloud storage.
Many cloud storage vendors will insist they’re securing your data via encryption–and they are–but with their keys. Going back to our analogy of using a safe deposit box, this would be like the bank assuring you that your confidential documents are safe in their custody–but with them having access to your data along with you. Even some of the more recent announcements cloud storage and services vendors have made around using customer key management are merely bolt-ons to their original premise–where they still do the primary encryption using a key known to them, and then encrypting that key with a customer key which is then stored in a neutral location like a cloud HSM. At this point, while the customer can take some comfort that the customer keys are involved in encryption, they’re merely the outermost layer–while the primary encryption key is still known to the cloud vendor.
With a true zero-knowledge implementation, a CASB can give you the following:
-Data access only to you–with keys known only to you.
-If the cloud provider is compromised, or the disks holding your data are stolen, your data will be undecipherable.
-If the cloud provider has to comply with the government to turn over your data, the government will still have to approach you to gain access to the data.
Can I Host My CASB In a VM Online?
This is a logical question and one that we sometimes encounter. The answer really depends on the enterprise and their security posture.
Strictly speaking, an enterprise’s encryption keys used for CASB should never leave their network premises. But in many cases, with remote offices where the ability to have a machine (or VM) hosting the CASB software could be challenging, enterprises may choose to host their CASB in a trusted VM. While this technically means their keys are in the ‘cloud’ it is vastly more secure than to trust your keys with a cloud provider because enterprises typically have full control over the VM–they can shut it down, take it offline or destroy it if they choose to.
Are CASBS Worth The Effort?
Good question. Here are a few facts:
-Gartner estimates that around USD 1.3 trillion will be purchased in cloud subscription services between 2014 and 2017.
-CASB will be a USD 3.1 billion market by the end of 2017.
-During the RSA conference earlier this year (Feb 2015), CASB was recognized as going “From Non-existent to Gartner’s #1 Security Technology in 3 years.”
-Here’s what Gartner has to say about CASB: “Since their emergence in 2012, CASBs have grown in importance and today are the primary technical means of giving organizations more control over SaaS security. This technology will become an essential component of SaaS deployments by 2017… By 2016, 25% of enterprises will secure access to cloud-based services using a CASB platform, up from less than 1% in 2012, reducing the cost of securing access by 30%.”
If your enterprise is a serious consumer of cloud storage services, or if you’re considering becoming one, you’ll certainly do well to consider a CASB solution. Keep in mind that CASB solutions come in various flavors. Gartner defines four CASB pillars–Shadow IT, Compliance, Threat Detection, and Data Security. For the security of your digital assets in the cloud, make sure to pick a solution that addresses data security.