What’s new in the world of Data Protection? For a closer look at how cloud apps are increasing data risk and what role CASB can play in your data protection strategy, be sure to check out our new Data Protection Dialogues episode on How to select the right CASB.
Like most progressive companies, you've probably got CASB on your shopping list. Cloud applications have changed everything. Your sensitive data has left yesterday's on-prem networks and is now distributed everywhere, with your users accessing this sensitive information from anywhere with unmanaged devices. You need more control over your data than ever before; however, legacy, network-centric security tools offer little to none. So, CASB seems like a natural next step, right?
Think again. While CASB seems to restore the control your organization needs, your security posture is only as strong as the comprehensive security strategy you put in place around the tools and technologies you purchase. With that in mind, let's explore how you can build a best-of-breed CASB strategy.
Why is CASB so hot?
Cloud applications have transformed everything and, chances are, your organization is using too many to count across all areas of your business. While the agility of the cloud is undoubtedly game-changing, these applications rely on your company's most prized possession, its data, to operate. This brings increased risk to your business: moving data outside of your network makes it easily accessible to authorized users and attackers alike unless the right security precautions are in place to restore control.
API CASB, also known as out-of-band CASB, can govern data-at-rest in these applications, prevent dangerous file sharing and even oversharing. Considering that in the old data center world, you may not have had great control over who could access and share your app data, CASB seems like a giant leap. While this is true, we must remember that CASB is just part of a larger, more holistic data protection strategy for today’s cloud-first world.
The convergence of CASB, SWG, and DLP
Essentially, cloud applications are just a destination that users connect to, which means that controlling user-to-destination connections leads most enterprises to consider a secure web gateway (SWG) solution. SWG is designed to control what users can and cannot access, and the security industry is quickly realizing that there's a natural overlap between SWG and CASB data protection, not to mention the need for DLP to glue everything together. So what does this look like?
When you think about it holistically it becomes a bit clearer. Start with inline SWG/CASB to control which locations and cloud apps your users can and cannot connect to, based on risk. With that set up, you've got the right plumbing for your data flows. But should the data even leave the premises? Add DLP to the mix to quickly find and control sensitive data in motion. Lastly, dial in API CASB so that any data that did make it up to your cloud apps is secured against accidental sharing or data loss. Since you already have DLP, you can bring the same sensitive data controls up to your API CASB, which makes life much simpler.
Do you have the right CASB mindset?
Now that we can see the big picture, what should be the right approach when formulating a foolproof CASB strategy?
Architecture
A comprehensive CASB strategy starts with a unified, cloud-delivered zero trust platform that handles your business-critical traffic inline instead of relying on API CASB and hard-to-manage, hard-to-scale point products. Moreover, this platform must be powerful enough to inspect SSL traffic across all ports for hidden threats to your data. Lastly, from an architectural standpoint, your zero trust platform should be fully integrated, meaning it can handle other security needs beyond data protection, including securing local breakouts and identifying and remediating advanced threats via AI and ML sandboxing. Finding a platform that does all of this will minimize operational complexity.
Integrated DLP
Next, once you have the right architecture, it's all about centralizing on a unified, best-in-class DLP engine. Unfortunately, many companies that don't do this end up with multiple DLP policies spread over network appliances, endpoints, and point-product CASB, causing many unwanted complexities and administrative challenges.
On the other hand, centralizing on one DLP policy makes protecting your sensitive data much easier, as it allows you to create a single DLP policy that is applied to all areas of your business, including branch offices, mobile users, and SaaS apps, to secure data-at-rest.
Real-time data protection
Although out-of-band CASB is easy to implement and satisfies the need to control data-at-rest, security teams will often move on to other projects without putting the proper tools in place to improve real-time visibility and inspection. A complete Data Protection platform built for both inline and API inspection provides a granular look at data-at-rest and data-in-motion to help you and your team make better data protection decisions and quickly identify unauthorized uses of shadow IT. Essentially, think of inline data protection as the first building block to set up the proper paths to the apps your data should go to vs. the ones it shouldn’t.
Governing data-at-rest
Now, with the right solution in place to control what data should leave your network and what sanctioned apps need to be secured, you’re ready to start thinking about out-of-band CASB to protect your data at rest. Here’s where things get easy. Remember those policies you set up when deploying your integrated DLP? Those inline policies are ready to be applied to your data-at-rest. Overlay those policies on your SaaS data, and you’ll be able to find the sensitive data you need governance over, allowing you to quickly identify who can access and share this data.
For example, you can make sure this sensitive information isn't dangerously shared via open internet links or overshared to unauthorized groups. It's tremendously empowering to have this level of control, which is something that, until now, didn't really exist in the traditional data center application world. Best of all, when you have the right security cloud platform, you can start scanning these SaaS apps for the arrival of malware, using sandboxing and AI/ML to quickly identify lurking files that shouldn't be co-mingling with your precious sensitive data.
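The "one DLP policy, two enforcement points" idea from the sections above (inline data-in-motion and API CASB data-at-rest) is easy to see in code. The following is an added illustration, not code from the original post or from any vendor product: a single, deliberately simplified classifier (a Luhn-checked card-number pattern and an SSN pattern) is reused once for an inline upload decision and once for an at-rest SaaS file overlay that also reports risky sharing state. The app names and file records are constructed sample data.

```python
import re
from dataclasses import dataclass

# One DLP policy: the same detectors serve inline and at-rest scans.
# Patterns are simplified for illustration, not production-grade.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on card-like numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> set:
    """Return the set of sensitive-data labels found in the text."""
    labels = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.add("PCI")
    if SSN_RE.search(text):
        labels.add("PII")
    return labels

# Inline (data-in-motion): sensitive content may only go to sanctioned apps.
SANCTIONED_APPS = {"sanctioned-drive.example"}  # constructed sample value

def inline_verdict(destination: str, body: str) -> str:
    if not classify(body) or destination in SANCTIONED_APPS:
        return "allow"
    return "block"

# At-rest (API CASB): overlay the same policy on a SaaS file plus its sharing state.
@dataclass
class SaasFile:
    name: str
    content: str
    public_link: bool          # open internet link enabled
    external_collaborators: int

def at_rest_findings(f: SaasFile) -> list:
    """Labels found, followed by any exposure that needs governance."""
    findings = sorted(classify(f.content))
    if findings and f.public_link:
        findings.append("public-link")
    if findings and f.external_collaborators:
        findings.append("external-share")
    return findings
```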
Maintaining security posture
Now that you have total control over your sensitive data-at-rest and in-motion, it's time to think about the applications themselves and whether they are vulnerable to attacks via a misconfiguration during deployment. Considering that many of the world's most significant breaches are brought about by simple cloud misconfiguration, ensuring your applications are in good standing is an essential box to check.
By implementing Cloud Security Posture Management and SaaS Security Posture Management, you can easily find these dangerous gaps and quickly remediate them. Therefore, when building out your CASB and DLP strategies, look for a solution with built-in compliance frameworks and the ability to continuously scan for public and SaaS app misconfigurations. Again, while considering your CASB DLP strategy, look for a solution that incorporates Browser Isolation for added, necessary security.
Controlling unmanaged BYOD
If the last year taught us anything, it's that work-from-anywhere is here to stay, in some form, for the foreseeable future. While this flexibility is terrific for businesses and employees, it does yield some security challenges, such as enabling third-party access to sensitive data without incurring additional risk, and securely giving unmanaged BYOD devices access to your data so these third parties can do their jobs. Traditionally, these challenges are solved with reverse proxies; however, doing this is incredibly complex and often fraught with usability issues resulting in poor user experiences.
Another more straightforward approach to solving the above is Browser Isolation. Browser Isolation streams data to third-party devices in the form of pixels. By streaming data as pixels, BYOD devices can't download, copy/paste, or print the data they're viewing. It's fully interactive within the browser, but nothing persists on the BYOD device, significantly lowering risk.
Rethinking it all
Sure, simple CASB does offer more control over your data than legacy, network-centric approaches. That said, CASB is only one aspect of a comprehensive security strategy that considers user and device access, visibility, remediation, compliance, and decreased risk.
For a more in-depth look into what it takes to build a comprehensive data protection strategy, be sure to check out our new video series, Data Protection Dialogues.