CLOUD ACCESS SECURITY BROKER
Securing Cloud Applications & Services: An Executive Guide
Eric Andrews, Gerry Grealish
"The ideal elastic enterprise, where companies can adapt to achieve the business agility, collaborative capabilities and cost efficiencies needed to effectively compete in today’s market, requires a modern cloud security model that moves with the data, the user, and the application."
— Eric Andrews, VP of Cloud Security, Symantec
TABLE OF CONTENTS

2 INTRODUCTION: A FUTURE IN THE CLOUD
3 Migration to the Cloud Office
5 Rethinking the Security Stack for the Cloud
6 Cloud Access Security Brokers (CASBs)—A New Solution for Cloud App Security
18 Data Classification
19 Policy Enforcement
20 Encryption and Tokenization
22 CHAPTER THREE: THREAT DETECTION & INCIDENT RESPONSE
24 The Evolving Role of IDS/IPS
24 Deep Visibility of Cloud Activity
25 Cloud Threat and Anomaly Detection
28 Malware Detection
28 Continuous Monitoring and Incident Analysis
30 CHAPTER FOUR: COMPLIANCE & DATA PRIVACY
32 Baseline Security Certifications
32 Data Use Restrictions
34 Secure and Monitor Regulated Data
34 Protect Regulated Data with Tokenization or Encryption
34 Limit Access to Regulated Data
35 Monitor and Log Interactions with Regulated Data

Authors: Eric Andrews, Gerry Grealish, Rehan Jalil

The cloud empowers organizations to be more agile, collaborative, and cost-efficient, but the benefits of the cloud come with security challenges. How do you gain visibility into what cloud apps people are using and whether they are safe? How do you ensure sensitive documents are not being shared inappropriately? How do you adhere to critical compliance regulations? How do you protect against malicious activity? This book addresses all of these questions so you can be safe and secure in the cloud.
INTRODUCTION: A FUTURE IN THE CLOUD

[Figure: Emerging Cloud Office (Email, Chat, File Sharing, Conferencing, Social, Office Apps): 10% in 2013, 33% in 2017, 65% in 2022. Estimates by Gartner, 2015.]

While the expansion into the cloud has many benefits, security and data privacy professionals are being challenged to provide security and governance for cloud applications. Many CISOs lie awake at night wondering: Are sensitive documents being shared inappropriately? How do I ensure malicious users are not hacking into my cloud apps? Which apps should I trust with business-critical information? Are we adhering to critical internal and external compliance regulations?

Similar to the advent of other major information technologies such as email or the web, the rampant adoption of cloud apps and services is driving the need for a new class of security solution to help organizations protect their data that sits inside cloud applications.
2 CHAPTER ONE DISCOVERY & SHADOW IT ANALYSIS SECURING CLOUD APPLICATIONS & SERVICES 3
Rethinking the Security Stack for the Cloud

The layers of security technology that have traditionally been deployed in the enterprise have a blind spot with regards to the cloud. For example, enterprise next-generation firewalls, intrusion detection and intrusion prevention systems (IDS/IPS), vulnerability scanning, network forensics, security information and event management (SIEM), and data loss prevention (DLP) systems were designed to protect assets that are owned and operated by the IT organization. In general, these systems were not designed to protect corporate data transferred to third-party solutions hosted outside the enterprise and accessible by users anywhere. The need for these traditional security functions hasn’t gone away, but a new implementation model suitable to protect sensitive data in the cloud environment is required.

"There is no longer an inside or outside of the network; the cloud has become every organization’s de facto extended enterprise."

The Expanding Enterprise Network

The network perimeter that many traditional security technologies such as the firewall were designed to defend has been punched full of holes to facilitate access to third-party cloud apps and services by remote employees, customers, and suppliers. And in this new world of ubiquitous cloud access, organizations are putting a growing share of their business-critical data in the cloud, which is increasing the volume of traffic and business data flowing between employees and the internet. There is no longer an inside or outside of the network; the cloud has become every organization’s de facto extended enterprise. In this new reality, security must follow the data, follow the application, and follow the user.
Cloud Access Security Brokers (CASBs)—A New Solution for Cloud App Security

[...] challenges posed by the use of cloud apps and services and the new cloud security technology that addresses these challenges, known as Cloud Access Security Broker (CASB) solutions.

[Shadow IT:] investment in third-party IT solutions, including cloud apps and services, without oversight from the IT organization. Cloud apps are a big contributor to Shadow IT, as employees or lines of business can easily onboard these services directly and they immediately improve productivity.

CASB solutions are designed to help organizations enable the productivity and gains offered by cloud apps and services by providing critical visibility and control of how these services are being used. They help information security teams:

1 Identify and evaluate all the cloud apps in use (Shadow IT)
2 Enforce cloud application policies in existing web proxies or firewalls
3 Enforce granular policies to govern handling of sensitive information, including compliance-related content
4 Encrypt or tokenize sensitive content to enforce privacy and security
5 Detect and block unusual account behavior indicative of malicious activity
6 Integrate cloud visibility and controls with your existing security solutions

[CASB solutions can be delivered] in the cloud as a service, but may also be deployed on-premises in conjunction with your web proxies or as a standalone solution. Effective CASB solutions need to cover a wide range of scenarios, including sanctioned and unsanctioned apps, business and personal accounts on sanctioned apps, mobile devices and desktops, and managed and unmanaged devices. To address all of these scenarios, comprehensive CASB solutions leverage the following:

APIs: Many of the major cloud apps have well-defined APIs that can be leveraged for monitoring activity, analyzing content, and modifying settings as needed.

GATEWAYS: Sitting between the users and their cloud apps, a gateway can provide valuable insights into cloud activity and provide a vehicle for real-time policy enforcement.

LOG DATA: Existing security devices, such as firewalls or secure web gateways, have log data that can be used to help analyze Shadow IT.

[Figure: CASB deployment diagram. Labels: Sanctioned Apps, Personal Accounts (personal login), Unsanctioned Apps; Gateway, Logs, Agent; CASB Solution; Web Proxy / FW; Apps to Monitor, Apps to Block; "Fine tune web proxies and firewalls; block apps".]

Cloud Service Models

When migrating workloads to the cloud, there are three basic types of services that organizations may adopt: [...] SaaS has the greatest variety of services and the fastest growing market.

[Figure: the areas this guide covers, as numbered panels. Panel 1 (Cloud App Discovery & Analysis) survives only in fragments: "... risks of specific cloud services." "... and continuous reporting."]

2 DATA GOVERNANCE AND PROTECTION: Provide the ability to enforce data-centric security policies to prevent unwanted activity, such as inappropriate sharing of content. Support encryption and tokenization of compliance-related data.

3 THREAT PROTECTION AND INCIDENT RESPONSE: Prevent malicious activity such as data exfiltration due to account takeover, session hijacking, or insider activity through continuous monitoring of user behavior. Identify and block malware being uploaded or shared [...]
CHAPTER ONE: CLOUD APP DISCOVERY & ANALYSIS

Many organizations are actively embracing select business-ready cloud apps as a strategic part of their IT infrastructure. At the same time, however, their employees are adopting additional ad hoc cloud services to aid business productivity or for personal applications, without IT sanction or oversight. This movement toward employee-adopted devices, apps, and cloud services is known collectively as Shadow IT.

Shadow IT exposes an organization to risk by creating a blind spot for CIOs and CISOs. Do the Shadow IT applications have appropriate security controls? Do they align with compliance requirements? Can they operate as conduits for data exfiltration?

As organizations determine their cloud security strategy, visibility is generally their first priority. While traditional network security tools such as web proxies, firewalls or DNS logs provide some basic insights, a comprehensive CASB solution provides much deeper visibility and can reveal detailed analyses on the 10,000+ apps that permeate the landscape.

DISCOVER SHADOW IT
CIOs may want to get a baseline understanding of what cloud apps are being used in their organizations and who is using them.

IDENTIFY RISKY APPS
Security administrators may want to identify SaaS applications that can pose a risk to their environments. For example, understanding which apps have lax security controls, which can be conduits for data exfiltration, or which are hosted in rogue states.

ENSURE COMPLIANCE
Compliance officers may want to continuously monitor apps being used by the organization and individual departments to make sure apps have the appropriate certifications and meet compliance requirements.

IDENTIFY INEFFICIENCIES
Organizations may be concerned that there are many disparate groups using a plethora of cloud applications that provide similar functionality. By identifying all the apps in use and consolidating, they can trim costs and simplify management.

Security administrators may want to enforce policies that prevent the riskiest apps from being used by their organizations.

Organizations may want to examine current cloud app usage along with cloud app risk analysis to select sanctioned apps to be used by their employees.
Rating and Analysis

[Figure: cloud app risk rating categories: Informational, Access Controls, Service Characteristics, Admin Controls, Business Characteristics, Compliance, Data Protection.]

SERVICE CHARACTERISTICS
Does the SaaS service employ a multi-tenant or a single-tenant architecture, and what policies are in place to address issues associated with multi-tenancy, including data cross pollination between customers and data retention rules?

ADMIN CONTROLS
Does the SaaS service support audit trails of administrators and users, role-based access control and administrative policy configuration and enforcement?

BUSINESS CHARACTERISTICS
Is the cloud vendor financially stable and does it have additional enterprise customers? How long has the vendor been in business?

Discovering [...]
[...] comes from popular consumer apps, such as Twitter, YouTube, and LinkedIn, along with mainstream collaboration apps such as Office 365, Google Drive, Box, and Dropbox. Which locations are involved? Which browsers and platforms are employees using?

1 Symantec Shadow Data Report
Continuous Monitoring and Reporting

The world is not static, and this is certainly true for the cloud. New [...] and compliance. Such a solution should also leverage these insights to automate controls in web proxies to manage cloud app usage. CIOs and CISOs should be able to monitor high-level organizational risk scores to track the overall trend for their organization as well.

[Figure: sample Shadow IT dashboard showing number of active users, number of apps, top riskiest apps (liverail, ensighten, zedo, gaug.es) and user locations (Mountain View, Seattle, Santa Monica, Boston, San Jose; United States).]

Periodic reporting of cloud app usage enables CIOs and CISOs to manage their cloud risk profile. This reporting should include detailed information about discovered apps such as risk ratings, geographic location, and usage details along with summary information such as total number of users, total number of apps, top riskiest apps, and overall risk score for the organization.

TAKE ACTION! Mitigate Risk from Shadow IT

Leveraging the powerful capabilities of a comprehensive CASB solution, here is a summary of actions that information security professionals can take to mitigate risk from Shadow IT:

☐ [...] alternatives that fit their needs and the organization’s security and compliance guidelines.

☐ Identify cost savings
Track multiple instances of cloud apps and explore opportunities for streamlining costs through consolidated subscriptions.

☐ Block risky apps
Tune web proxy and firewall policies to block risky apps that are inappropriate for the enterprise.

Getting a handle on Shadow IT is generally the first step toward a comprehensive cloud security strategy. Once an organization has identified which cloud apps and services they want to embrace, the next step is to establish deep visibility and control over how these apps are being used and the types of data being uploaded and shared. A primary concern is proper handling and governance of sensitive data, which is addressed in the next chapter.
CHAPTER TWO: DATA GOVERNANCE & PROTECTION

In addition to ensuring the use of safe cloud apps, an organization also has to monitor and govern data usage on these apps. After all, the risk for a data breach caused by a user inadvertently sharing sensitive content is borne by the organization, not by the cloud app provider.

The very nature of cloud apps and their ability to simplify collaboration makes them susceptible to inadvertent sharing of sensitive content as well. Cloud apps tend to democratize the setting of sharing permissions by enabling individual users to easily upload content and share that content as they see fit. While this is great for productivity, it can put the organization at risk if not properly governed.

[...] permissions that are inappropriate. Without proper monitoring, such oversights can risk data exposure.

[...] (PII) or consumer payment card information (PCI) into cloud apps? If so, how is this content being shared and secured? Inappropriate sharing of such content may lead to compliance violations and financial penalties.

[...] data to remain within a defined geographic border. How do organizations ensure use of this restricted data is not violating corporate policies or applicable regulations?

Data Classification

[...] and contextual analysis enables a broader range of content classification and improved accuracy. An effective CASB solution applies these techniques to analyze data being uploaded and stored in cloud apps. This can help form the basis for policy creation and enforcement.

In addition, advanced solutions can dynamically identify categories of documents such as business documents, legal documents, health documents and computing documents, yielding even more flexible policy creation and enforcement. The ability to accurately identify encrypted files is also important, as these files can be opaque containers that hide malware or sensitive content. Organizations should be able to create custom classification profiles based on criteria that may be unique to their environment.

[Figure: document classification categories, including design, business, and SC (source code).]

Policy Enforcement

[Rather than] manually remediating every identified exposure, automated remediation policies can save significant time and effort.

Policies can also be used to enforce IT guidelines; for example, insisting that end-user devices leverage up-to-date browsers with the latest security patches, or that access to business critical systems be made only from managed devices. In addition, policies can target threatening activity as will be discussed in the next chapter.
Encryption and Tokenization

[Figure: data needs to be secured in all phases outside the enterprise’s environment; the labelled phases include IN-TRANSIT and IN-USE.]

In heavily regulated industries like Healthcare, Banking and Government, sector-specific compliance requirements can often lead to a company’s determination to not put personally identifiable information (PII) and other sensitive data in the cloud. Regulations like HIPAA in Healthcare, GLBA in Finance, PCI DSS in Retail, ITAR [...]

To help organizations with these challenges, encryption or tokenization technology can [...] Salesforce, and Oracle. Instead of completely blocking data from cloud environments, this technology replaces sensitive data with a replacement token or encrypted value that gets processed and stored in the cloud, rendering the information meaningless to unauthorized [...]

[...] is being processed in the cloud.

A critical consideration when exploring encryption and tokenization solutions is to make sure they do not impact the functionality of the cloud app itself. Basic functions such as searching or sorting can break if the solution is not designed properly. Also look for solutions that cover multiple SaaS clouds. An effective CASB solution will cover all these bases.

Encryption vs. Tokenization [...]

TAKE ACTION! Mitigate Data Loss and Exposure

☐ Identify and remediate risky exposures
Analyze existing cloud file sharing apps—such as Box, Google Drive, Dropbox, Salesforce or Office 365—to identify any sensitive or compliance-related content that may be shared inappropriately (in other terms, perform a Shadow Data Risk Assessment). Remediate these exposures to align with security policies.

☐ Coach users on appropriate behavior
Track users who are acting outside corporate guidelines, such as sharing inappropriate content or using outdated browsers, and coach them with interactive messages.

☐ Enforce compliance regulations
Perform continuous monitoring of user activity to ensure adherence to appropriate compliance regulations, such as HIPAA. Ensure data is handled with appropriate sharing restrictions and encryption or tokenization is applied as appropriate. Generate periodic reports to demonstrate compliance and maintain visibility.

[...] loss and compliance violations.
CHAPTER THREE: THREAT DETECTION & INCIDENT RESPONSE

While many enterprise-grade cloud apps have great security features and their infrastructure is often better protected than those of most IT organizations, the proliferation of thousands of username/password credentials that grant access to data in cloud apps opens up a new threat vector that needs to be protected. Rather than trying to penetrate well fortified back-end cloud infrastructure, malicious attackers are more likely to compromise user credentials to get access through the front door. Appearing as a valid login, this type of attack can bypass controls a cloud app provider may impose. Given the session is SSL encrypted, it may bypass traditional security technologies as well.

Malicious attackers can also use cloud apps for the dissemination of malware or advanced persistent threats (APTs). Transfer of files to the cloud through encrypted links renders these attacks invisible to traditional scanning engines, as well as cloud-to-cloud transactions. If not detected and remediated early, such malware can invade an entire organization. Clearly, a threat detection and incident response strategy for the cloud requires deep visibility into transactional events and powerful tools to analyze this information quickly and efficiently. These capabilities are integral to an effective CASB solution.
The Evolving Role of IDS/IPS

Traditional intrusion detection/prevention systems (IDS/IPS) are covering a decreasing amount of risk in the migration to the cloud. Users are accessing cloud apps directly from any location on any device and bypassing perimeter defenses. In addition, the nature of cloud app interactions requires deeper visibility and new techniques to effectively identify and stop threats.

CASB solutions focus on monitoring and controlling the use of data in the cloud and protect it regardless of attack type or point of entry. CASB solutions also provide more granular visibility into what actions users are taking within cloud apps and tap new approaches such as user behavior analytics and anomaly detection versus relying on signatures to discover threatening activity.

Deep Visibility of Cloud Activity

An effective cloud security strategy depends on visibility into cloud apps and user activity. As mentioned earlier, many traditional security solutions have a blind spot with regard to cloud activity, so new control points with more granular insights are needed.

CASB solutions can gain visibility into cloud activity through an inline gateway between users and cloud apps. These gateways can be deployed on-premises or in the cloud as a service offering and provide deep visibility into cloud transactions, not only understanding which applications the user is connecting to, but also which actions they are taking, files they are modifying, and settings they are changing. This granular insight is the cornerstone of your organization’s cloud app security strategy.

In addition to gateways, CASB solutions gain insights by tapping into well-defined APIs for major cloud apps and services. These solutions can use the APIs to scan content stored in apps, monitor user activity, and remediate risks by modifying settings and enforcing policies.

A comprehensive CASB solution should apply all these sources of information to provide deep visibility into the organization’s cloud activity. Such solutions should normalize the data across all apps and services for easier analysis and correlate insights between different sources for more accuracy.

"A comprehensive CASB solution should normalize the data across all apps and services for easier analysis and correlate insights between different sources for more accuracy."

Cloud Threat and Anomaly Detection

With granular visibility into user activity, CASB solutions can identify unusual patterns or anomalies that may indicate compromised credentials or malicious activity. In its simplest form, these patterns can be based on thresholds. For example, if a user has too many failed login attempts in a short period of time, that is a security event worth alerting.

More sophisticated solutions apply data science and user behavior analytics to track the nuanced usage patterns of each and every employee. For example, two employees may be active users of a cloud app like Salesforce, but their day-to-day activities may be quite distinct. One may review reports and dashboards, whereas the other may focus on data entry. In this situation, a simple company-wide threshold applied to all employees may trigger too many false positives.

Alternatively, a baseline behavioral pattern can be established for each and every user in the organization (illustrated on pages 26–27), creating the equivalent of a fingerprint for that user. As that user’s activity begins to stray significantly from their normal pattern, a risk rating can be elevated, triggering appropriate alarms or policies to quarantine or block that account’s activity. Detecting such behavioral signals can be used to identify situations where the user’s account may have been compromised by a malicious party, malware may have hijacked the user’s machine, or the user may have been engaging in malicious activity.

These new CASB approaches for identifying threats harness the power of cloud computing and advanced data science techniques to deliver unique scalability and breadth of coverage.

Data Science and Cloud Security

[...] both rich and meaningful. They reduce the burden on security professionals to develop policies that can detect aberrant behavior while achieving low false positive rates. This is because data science algorithms are able to develop user-level behavioral models across apps, actions, and even information categories (e.g., files, folders, documents, blogs) with high fidelity. Data science algorithms can integrate multiple information sources to provide a more complete picture of a user’s estimated risk to an organization. Such algorithms automatically scale horizontally as the number of input signals (users, applications, actions, locations, devices, and so on) increases.

Malware Detection

While cloud app credentials introduce a new threat vector that may compromise data, another concern is old fashioned malware. The cloud can be an effective conduit for its distribution. By shuttling data through SSL encrypted pipes, malware can move in and out of cloud apps without the scrutiny of traditional scanning engines. In addition, cloud content can be shared directly between cloud apps, avoiding the scrutiny of traditional perimeter defenses.

Organizations can remove these blind spots by injecting various levels of malware analysis for all cloud-based content. This includes providing antivirus (AV) scanning engines and advanced persistent threat (APT) solutions access to cloud content and activity. CASB solutions can provide early detection of malware within the cloud environment, helping to prevent significant damage and financial impact. Suspicious content can be quarantined, avoiding any viral dissemination. Plus, ongoing analysis of activity helps ensure an organization is safe as it uses the cloud.
Examples of Malicious Use

A unique baseline behavioral pattern establishes a confidence curve for each user’s typical behavior. Any significant deviation or combination of suspicious user events triggers appropriate alarms or policies to quarantine or block that account’s activity. User behavior analysis identifies anomalous behaviors indicative of attacks, like a few of the most common illustrated here.

EXFILTRATION: user or hacker extracts data from a cloud app
DATA DESTRUCTION: hacker or insider destroys data stored in a cloud app
ACCOUNT TAKEOVERS: hacker gains unauthorized access to a user’s cloud service account

[Figure: User Behavior Analytics. A per-user confidence reading plots event frequency (file count, size) over time against a risk level of LOW, MED or HIGH; tracked events include failed logins (e.g., 7 failed logins), login attempts from 2+ locations, email, delete, screen capture, download and upload, with sharing scope of all company, external or public.]
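The chapter contrasts a company-wide threshold with a per-user behavioral baseline. The following Python is an added example, not code from the guide or from any CASB product: it runs both detectors over constructed activity records for two hypothetical Salesforce users (an analyst who downloads dozens of reports a day and a data-entry clerk who rarely downloads) and shows why the shared threshold fires on the analyst every day while the baseline flags only the clerk's account on the day it strays. Event labels, user names and counts are all made up.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

@dataclass(frozen=True)
class Event:  # one normalized activity record; constructed shape, not a CASB format
    ts: datetime
    user: str
    action: str  # hypothetical labels: "download", "report_view", "record_create", "login_failed"

START = datetime(2024, 1, 1, 9, 0)
HISTORY_DAYS = [(START + timedelta(days=i)).date() for i in range(7)]  # baseline window
TODAY = (START + timedelta(days=7)).date()                               # day under review

def build_sample_events():
    """Constructed data: seven ordinary days for two users with distinct roles,
    then a day on which bob's account starts to look like an account takeover."""
    events = []
    for day in range(8):
        d = START + timedelta(days=day)
        # alice, an analyst: reviews reports and downloads roughly 40 files every day
        for i in range(40 + day % 3):
            events.append(Event(d + timedelta(minutes=10 * i), "alice", "download"))
        for i in range(20):
            events.append(Event(d + timedelta(minutes=15 * i), "alice", "report_view"))
        # bob, data entry: creates records all day and normally downloads a single file
        for i in range(60):
            events.append(Event(d + timedelta(minutes=7 * i), "bob", "record_create"))
        for i in range(45 if day == 7 else 1):
            events.append(Event(d + timedelta(minutes=5 * i), "bob", "download"))
    # the final day opens with a burst of failed logins against bob's account
    for i in range(8):
        events.append(Event(START + timedelta(days=7, minutes=i - 30), "bob", "login_failed"))
    return events

def burst_alerts(events, action="login_failed", limit=7, window=timedelta(minutes=10)):
    """Simplest detector: alert when one account performs `action` at least `limit`
    times inside any sliding `window`. Returns {user: time the alert fired}."""
    times = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.action == action:
            times[e.user].append(e.ts)
    alerts = {}
    for user, ts in times.items():
        lo = 0
        for hi, t in enumerate(ts):
            while t - ts[lo] > window:
                lo += 1
            if hi - lo + 1 >= limit:
                alerts[user] = t
                break
    return alerts

def daily_counts(events):
    """{user: {action: Counter(date -> number of events)}}"""
    counts = defaultdict(lambda: defaultdict(Counter))
    for e in events:
        counts[e.user][e.action][e.ts.date()] += 1
    return counts

def company_threshold_alerts(events, action="download", limit=30):
    """One threshold for everyone: the days on which each user reached `limit` of `action`."""
    return {
        user: sorted(d for d, n in actions[action].items() if n >= limit)
        for user, actions in daily_counts(events).items()
        if action in actions
    }

def build_baseline(events, history_days=HISTORY_DAYS):
    """Per-user, per-action mean and spread of the daily count: the user's fingerprint."""
    counts = daily_counts([e for e in events if e.ts.date() in history_days])
    baseline = defaultdict(dict)
    for user, actions in counts.items():
        for action, per_day in actions.items():
            series = [per_day.get(d, 0) for d in history_days]
            baseline[user][action] = (mean(series), pstdev(series))
    return baseline

def baseline_risk(events, baseline, day=TODAY, z_limit=3.0):
    """Rate each active user LOW / MED / HIGH by how far above their own baseline
    today's most unusual action sits. An action with no history has a baseline of zero."""
    counts = daily_counts([e for e in events if e.ts.date() == day])
    risk = {}
    for user, actions in counts.items():
        worst = 0.0
        for action, per_day in actions.items():
            mu, sigma = baseline.get(user, {}).get(action, (0.0, 0.0))
            # floor the spread at one event so a perfectly regular habit cannot divide by zero
            worst = max(worst, (per_day[day] - mu) / max(sigma, 1.0))
        risk[user] = "HIGH" if worst >= 2 * z_limit else "MED" if worst >= z_limit else "LOW"
    return risk

if __name__ == "__main__":
    evts = build_sample_events()
    print("login bursts:", burst_alerts(evts))                                   # only bob
    print("company-wide download threshold:", company_threshold_alerts(evts))     # alice every day
    print("per-user baseline risk:", baseline_risk(evts, build_baseline(evts)))   # alice LOW, bob HIGH
```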
Continuous Monitoring and Incident Analysis

As with any security strategy, organizations need to prepare for all stages of the threat continuum: before, during and after an attack in the cloud as well.

Generally, Chapter 1 addresses before strategies including discovering cloud apps being used and identifying which apps to sanction and which to avoid. Chapters 2 and 3 address during strategies including how to prevent leakage of sensitive content and how to detect and block malicious activity. In this section we will share some insights on the last stage, after.

No matter how many security technologies you may deploy, there is no such thing as 100% prevention of all incidents. For this reason, organizations need the proper tools to effectively respond to incidents, including the ability to perform detailed analysis of what happened and why.

Leveraging deep visibility, as discussed earlier, a comprehensive CASB solution can collect rich transactional details that reveal the relevant history leading up to an incident. For example, when examining a data breach, security professionals may want to know who was accessing the file, what changes were made, what permissions settings may have been modified and by whom, and other relevant details.

Much like a DVR can go back in time and replay your TV shows, your CASB solution should give you the same capability for your cloud activity. Rich transactional data should be able to be sliced and diced in several ways, including:

FILTERING ON ATTRIBUTES
Filtering based on characteristics of the transaction, such as cloud service, user, action, geographic location, browser, or platform used. In addition, filtering based on metadata, such as severity of an alert or content type (e.g., PII or PCI).

TIME-SCALE ANALYSIS
Examining data across different time periods of interest, including custom time frames. These views should intersect with all the filtering options to enable quick and efficient narrowing of the data set.

FREE-FORM SEARCH
Performing free-form searches on transactional data, much like you would with a Google search engine, including the ability to perform Boolean operations, grouping, and phrases.

With such tools, organizations can analyze cloud activity to triage anomalous user behavior, examine data breaches, investigate compliance violations, or support legal inquiries. Furthermore, CASB solutions should be able to efficiently share the rich information that they’ve captured with external analysis tools, such as traditional SIEM systems, digital forensics tools, or APT solutions.

Security is a continuous life cycle where insights gained from past events help improve an organization’s security posture in the future.

TAKE ACTION! Mitigate Risk From Attacks

☐ Manage identities and credentials.
Given that most organizations are using multiple cloud apps and services, and that users’ credentials represent new threat vectors for attack, consider an identity management solution to manage credentials centrally. Identity management should be tightly integrated with your CASB solution to enable effective monitoring and control of cloud app usage.

☐ Continuously monitor cloud activity for threats.
This requires sophisticated analysis of anomalous behavior to help secure new threat vectors introduced by cloud apps and services. A comprehensive CASB solution enables organizations to be on the lookout for malicious attackers that may try and steal user credentials, malware that may hijack sessions, or insiders with malicious intent.

☐ Identify and prevent malware.
Malicious attackers can harness the cloud for dissemination of malware, avoiding the scrutiny of traditional security. Develop a strategy to detect malware in the cloud early to avoid a larger problem down the road.

☐ Implement strong incident analysis.
The ongoing security life cycle is a practice that implements solutions, learns from real-world activity, and updates tools based on these learnings. Deploy strong analysis capabilities upfront to enable effective incident response and provide valuable insights that will help improve your security solution over time.

The preceding chapters cover various aspects of securing access to compliance-related content in the cloud. The next chapter focuses on the specific challenges compliance officers face when considering cloud apps and services.
CHAPTER FOUR: COMPLIANCE & DATA PRIVACY

When enterprises make the decision to adopt cloud apps and services, they are choosing to hand control of their data to third-party cloud service providers. For some types of data, this is not a problem, but for consumer financial data, patient medical records, sensitive product-related data, or personally identifiable information (PII), the cloud introduces a series of compliance challenges. As a result, data compliance and privacy professionals take a keen interest in how data is being treated in cloud apps and services.

OTHER REGULATED DATA TYPES
Many other industries have their own compliance measures. Educational institutions need to adhere to the guidelines specified in the Family Educational Rights and Privacy Act (FERPA). Manufacturers of defense related products need to adhere to the data security measures defined in the International Traffic in Arms Regulations (ITAR). Agencies and law enforcement groups dealing with data such as fingerprints and biometrics must follow the security guidelines specified by the Criminal Justice Information Service (CJIS). Finally, many institutions specify their own internal security guidelines that all of their units must comply with, for both on-premises and the cloud.

THREE AREAS WHERE CASB PLAYS A CRITICAL ROLE
Given the strict nature of compliance requirements and the penalties for exposing sensitive data, enterprises and organizations need to ensure that they meet specific requirements in the cloud. CASB solutions are playing a critical role in helping compliance and security professionals ensure:
[...]
2. Certain clouds are blocked from receiving specific types of regulated data.
[...]
32 CHAPTER FOUR COMPLIANCE & DATA PRIVACY SECURING CLOUD APPLICATIONS & SERVICES 33
Secure and Monitor Regulated Data

There are many cases where an enterprise cloud application use case will require regulated data be accessible to the cloud application that the business unit has adopted. Examples where information security professionals should monitor regulated data stored in their cloud apps include:

CUSTOMER SUPPORT APPLICATIONS for banking where the call center representative needs to be able to view pertinent customer banking details provided by a cloud-based customer support app.

CASB solutions help ensure they comply with relevant data privacy and governance guidelines. For example, CASBs can be used to:

SECURE ALL REGULATED DATA WITH ADDITIONAL DATA PROTECTION TECHNIQUES
LIMIT ACCESS TO ALL REGULATED DATA TYPES
MONITOR AND LOG ALL INTERACTIONS WITH REGULATED DATA

Organizations need to independently create transaction logs of activity associated with cloud apps and services.

Protect Regulated Data with Tokenization or Encryption
requires that it must be placed in the cloud. These solutions can set consistent data protection policies across multiple sanctioned cloud apps and can ensure that the authorized users of these cloud applications can still use the application's features such as searching, sorting, and reporting, even on data that has been strongly encrypted or tokenized.

Limit Access to Regulated Data
Even though regulated data may need to be placed in cloud applications, it does not mean that all employees should have free rein to access and use it. Restricting access

Monitor and Log Interactions with Regulated Data
A common requirement of compliance is to audit and log application transactions that contain regulated data. These logs capture how administrators use the system, as

TAKE ACTION! Support Compliance and Data Privacy
☐ Ensure the cloud apps and services that users are accessing have the necessary certifications and security functionality.
  Analyze the credentials of existing sanctioned and unsanctioned (Shadow IT) cloud apps to make sure they comply with any external or internal data security requirements.
  Restrict access to those cloud applications that cannot be brought into compliance.
☐ Understand if regulated data is being placed in cloud applications, and make sure there is a legitimate business reason for placing it there.
  Ensure that regulated data or information that has been classified as sensitive is being stored or processed in the cloud only when it needs to be. In
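The three CASB roles described above (protecting regulated data with tokenization, limiting who sees it in the clear, and logging every interaction) sketched as one policy-enforcement routine in Python. This is an added example, not code from the guide or from any Symantec product; the app names, user groups, policy table and sample text are constructed, and the detectors cover two regulated data types, US SSNs and Luhn-valid card numbers.

```python
import hashlib, hmac, re
from datetime import datetime, timezone
# Constructed policy for two hypothetical sanctioned apps: which regulated data
# types each may receive, and which user groups may see them in the clear.
POLICY = {
    "crm-app": {"allowed": {"PAN", "SSN"}, "clear_groups": {"call-center"}},
    "filesync-app": {"allowed": set(), "clear_groups": set()},
}
TOKEN_KEY = b"constructed-demo-key"  # real deployments keep this in a KMS/HSM
PATTERNS = {  # detectors for two regulated data types: 13-16 digit PAN, US SSN
    "PAN": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
AUDIT_LOG = []  # one record per transaction: classification only, never values

def luhn_ok(digits):  # checksum weeds out random digit runs that look like PANs
    s = sum(int(c) if i % 2 == 0 else (2 * int(c)) % 10 + (2 * int(c)) // 10
            for i, c in enumerate(reversed(digits)))
    return s % 10 == 0

def classify(text):  # set of regulated data types present in text
    found = set()
    for name, pat in PATTERNS.items():
        for m in pat.finditer(text):
            if name != "PAN" or luhn_ok(re.sub(r"\D", "", m.group())):
                found.add(name)
    return found

def tokenize(value):
    # Deterministic keyed token: equal inputs give equal tokens, so the cloud app
    # can still search, sort and group on the field; last four digits stay visible.
    digits = re.sub(r"\D", "", value)
    mac = hmac.new(TOKEN_KEY, digits.encode(), hashlib.sha256).hexdigest()
    return f"TOK-{mac[:12]}-{digits[-4:]}"

def enforce(app, user_group, text):  # allow / block / tokenize one transaction
    types, policy = classify(text), POLICY.get(app)
    if not types:
        action, out = "allow", text
    elif policy is None or not types <= policy["allowed"]:
        action, out = "block", None  # unsanctioned app, or data type not permitted
    elif user_group in policy["clear_groups"]:
        action, out = "allow", text  # e.g. call-center staff who need clear values
    else:
        action, out = "tokenize", text
        for pat in PATTERNS.values():  # PAN first, so SSN can't re-match a token
            out = pat.sub(lambda m: tokenize(m.group()), out)
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "app": app,
                      "group": user_group, "types": sorted(types), "action": action})
    return action, out
```

Because the tokens are deterministic, two uploads of the same card number yield the same token, which is what keeps search and sort working on the protected field.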
CHAPTER FIVE
Selecting a Solution

While the many CASB implementation options may seem daunting, it generally comes down to making sure the cloud security strategy delivers the features and functions the organization needs, including comprehensive coverage, positive user experience, and reasonable administrative overhead. Choosing a solution that offers a wide range of these deployment options delivers the most flexibility.

[Figure: Typical CASB Deployment Model. Labels: Enterprise (Web Proxy / FW, Mobile), Cloud Apps, CASB Solution; connection modes: API, Gateway Traffic, Logs, Deploy agents; BEFORE: Discover, DURING: Enforce, AFTER: Analyze.]

Deployment
☐ Does the solution support multiple instances of the same cloud app inside a company?
☐ Does the solution integrate with existing web proxy solutions to maximize reuse of security investments?
☐ Does the solution require hardware on-premises? If so, what is required, and how is it managed?
☐ Does the solution support integration with identity management solutions?
☐ Does the solution provide Role Based Access Control (RBAC) to give limited access to admins for selected data in selective applications?

Threat Detection
☐ Does the solution help identify malicious activities, using advanced User Behavior Analytics (UBA)?
☐ Does the solution provide advanced visualization for easy investigation of malicious activity?
☐ Are built-in threat detectors customizable?
☐ Does the solution enable the creation and enforcement of complex rules involving multiple user actions over time?
☐ Does the solution provide built-in malware detection capability?
☐ Does the solution support integration with third-party sandboxing or APT solutions?

Granularity Visibility and Control
☐ Can granular user activity on cloud apps be extracted from traffic with info about objects, such as file names?
☐ How many apps are supported with granular, real-time controls?
☐ Can granular policy controls be applied on user activities based on context and content, such as user name, group, device, location, browser, or user agent?

User Experience
☐ Is there any latency or usability impact to end users?
☐ How complicated is the solution to set up and operate?
☐ If there is a failure in the CASB solution, can users still gain access to their cloud apps?
☐ How intuitive is the user interface?
☐ How scalable is the solution? How many users, transactions?
Credits

AUTHORS: Eric Andrews, Gerry Grealish
COPY EDITOR: Laura Jordan
CREATIVE DIRECTION / DESIGN: Daniel Bayat
COVER DESIGN: Daniel Bayat and Yoshi Takebuchi
CONTRIBUTIONS BY: Hugh Thompson, Michael Rinehart, Martin Johnson, Ellen Roeckl, and Aditya Sood

Copyright © 2019 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corp. or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law, and are subject to change without notice.

Symantec Corporation (NASDAQ: SYMC), the world's leading cyber security company, helps businesses, governments and people secure their most important data wherever it lives. Organizations across the world look to Symantec for strategic, integrated solutions to defend against sophisticated attacks across endpoints, cloud and infrastructure. Likewise, a global community of more than 50 million people and families rely on Symantec's Norton suite of products for protection at home and across all of their devices. Symantec operates one of the world's largest civilian cyber intelligence networks, allowing it to see and protect against the most advanced threats. For additional information, please visit www.symantec.com or connect with us on Facebook, Twitter, and LinkedIn.

symantec.com | +1 650-527-8000