
Definitive Guide™ to Cloud Access Security Brokers

Visibility, Security, and Compliance for Applications and Data in the Cloud

Jon Friedman
Mark Bouchard, CISSP

Foreword by Assaf Rappaport, CEO and Co-Founder of Adallom

About Adallom

Founded in 2012 by cyber defense veterans, Adallom is a 2014 Gartner Cool Vendor. Adallom’s cloud access security broker delivers visibility, governance and protection for cloud applications. Its innovative platform is simple to deploy, seamless to users, and is available as a SaaS-based or on-premises solution. Powered by SmartEngine™ advanced heuristics and backed by an elite cybersecurity research team, Adallom makes it easy to protect data in the cloud. For more information, visit www.adallom.com or follow @adallom.

About HPE SECURITY — Data Security

HPE SECURITY — Data Security drives leadership in data-centric security and encryption solutions. With over 80 patents and 51 years of expertise we protect the world’s largest brands and neutralize breach impact by securing sensitive data at rest, in use and in motion. Our solutions provide advanced encryption, tokenization and key management that protect sensitive data across enterprise applications, data processing IT, cloud, payments ecosystems, mission critical transactions, storage, and big data platforms. HPE SECURITY - Data Security solves one of the industry’s biggest challenges: simplifying the protection of sensitive data in even the most complex use cases. For more information, visit www.hpe.com/go/DataSecurity and www.voltage.com

Published by:
CyberEdge Group, LLC
1997 Annapolis Exchange Parkway, Suite 300
Annapolis, MD 21401
(800) 327-8711
www.cyber-edge.com

Copyright © 2015, CyberEdge Group, LLC. All rights reserved.
Definitive Guide™ and the CyberEdge Press logo are trademarks of CyberEdge Group, LLC in the United States and other countries. All other trademarks and registered trademarks are the property of their respective owners.

Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, without the prior written permission of the publisher. Requests to the publisher for permission should be addressed to Permissions Department, CyberEdge Group, 1997 Annapolis Exchange Parkway, Suite 300, Annapolis, MD, 21401 or transmitted via email to [email protected].

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

For general information on CyberEdge Group research and marketing consulting services, or to create a custom Definitive Guide book for your organization, contact our sales department at 800-327-8711 or [email protected].

ISBN: 978-0-9961827-0-6 (paperback); ISBN: 978-0-9961827-1-3 (eBook)

Printed in the United States of America.
Publisher’s Acknowledgements

CyberEdge Group thanks the following individuals for their respective contributions:

Editor: Susan Shuttleworth
Designer: Debbi Stocco
Production Coordinator: Valerie Lowery
Adallom Subject Matter Experts: Chris Westphal and Danelle Au

Table of Contents

Foreword
Introduction
    Chapters at a Glance
    Helpful Icons
Chapter 1: How Cloud Applications Change the Game for Security
    The Cloud Application Tsunami
    Shared Responsibility: Why You Can’t Outsource Security
    Security Challenges for Cloud Applications
        Lost visibility
        Unmanaged and non-compliant devices
        Hidden data, over-sharing, and rogue admins
Chapter 2: Understanding Cloud Access Security Brokers
    What is a Cloud Access Security Broker?
    How CASBs Strengthen Security
        Visibility
        Threat protection
        Access control
        Compliance and data protection
    Extending the Reach of Existing Security Tools
    Phased Implementation
Chapter 3: Visibility
    Data, Sources, and Output
        Data about activities
        Sources and output
    Visibility at Work
        Discovery of unsanctioned applications
        Users, abusers, and imposters
        Oversharing
        Zombies and super admins
Chapter 4: Threat Protection
    How CASBs Generate Alerts
        Risky actions and policy violations
        Suspicious actions and security incidents
        High-impact actions
        Anomalous behaviors
    Dynamic Analysis of Files (Sandboxing)
    Enforcement Actions
    Supporting Incident Response and Forensics
    Cyber Threat Intelligence
Chapter 5: Access Control, Data Protection, and Compliance
    Not Your Father’s Access Control
        Endpoint assessment and cloud NAC
    Data Protection, Cloud Style
        Cloud DLP
        Encryption and IRM
        Data sharing controls
    Compliance
        Audit trails and attestation
        DLP, eDiscovery, and IRM
        Encryption
Chapter 6: Implementing a Cloud Access Security Broker
    Interfacing with Cloud Applications
    Deployment Mode Options
        API mode