Companies need CASBs now more than ever — to help secure ‘digital transformation’

By Byron V. Acohido

When I first wrote about Cloud Access Security Brokers in 2015, so-called CASBs were attracting venture capital by the truckload — and winning stunning customer testimonials.

CASBs (pronounced caz-bees) originally sought to resolve a fast-rising security nightmare: Shadow IT.


Striving to be productive, well-intentioned employees raced out to subscribe to cloud-enabled storage services, collaboration suites and project management tools. These hustlers were unwilling to slog through lugubrious IT onboarding processes in order to get their hands on the latest, greatest software-as-a-service tools.

But these early-adopter employees were also blissfully ignorant about how Shadow IT exposed sensitive business data in new and novel ways.

Thus, CASBs arrived on the scene to help companies monitor and manage Shadow IT. And they were so successful at it, so quickly, that six of nine CASBs got gobbled up in a spectacular feeding frenzy.

CASBs’ new role

Ever see the video of dolphins gorging on a bait ball? In about a two-year span, Microsoft acquired Adallom; Oracle purchased Palerra; Proofpoint grabbed FireLayers; McAfee nabbed Skyhigh Networks; Forcepoint acquired Skyfence from Imperva, which had bought that CASB earlier; and Blue Coat Systems bought Perspecsys, just before Blue Coat itself was swallowed up by Symantec.

I recently had a chance to speak at length with Anthony James, chief marketing officer for CipherCloud, one of the three CASBs still operating as a standalone independent. The other two are Netskope and Bitglass.

While Shadow IT has been largely quelled, the core dynamic that started all this fuss – eager humans scrambling to use the latest, greatest cloud-enabled services – remains a major security issue, one that now connects directly to digital transformation.

That suggests CASBs may yet have an enduring role to play in securing what our business networks are morphing into, as the result of digital transformation. For a full drill down on my conversation with James please listen to the accompanying podcast. A synopsis of key takeaways:

Misconfigurations: The core security issue raised by digital transformation is fundamentally the same as the one that arose with Shadow IT – only on steroids. Companies today are not just storing data in the cloud, they are developing and running mission-critical applications on Amazon Web Services, Microsoft Azure and Google Cloud.

While cloud services give companies amazing flexibility and scalability, they also create endless additional vulnerable access points. And leaving even one of these access points unaccounted for adds a disproportionate amount of risk.

“Data is no longer sitting in protected, on-premises data centers,” James observes, “it sits in one of the many cloud platforms that’s accessible globally, and if you misconfigure something, it’s left completely out in the open.”

Poor practices: It has become all too clear that misconfiguring something in the cloud is easy to do. FedEx discovered this when an unsecured Amazon Simple Storage Service (S3) server — configured for public access — exposed thousands of FedEx customer records, including civilian and military ID cards, resumes, bills, and more.

That disclosure put the package shipper on a long and swelling list of organizations that have unintentionally left sensitive data exposed on poorly configured Amazon S3 storage buckets.

Meanwhile, another pervasive poor practice is tolerance of lax authentication policies for employees and contractors who are busily engaged in digital transformation projects. Attackers are not just cognizant of this – they are proactively seeking out these ripe access points. The result is massive breaches, like those disclosed by Timehop, Uber and Tesla. This new type of hack revolves around attackers manipulating admin credentials and then maneuvering far and wide through the breached cloud environment.

A dozen years ago, companies scrambled to tighten down administrator accounts on Windows servers that arrived configured by Microsoft with weak default passwords. A very similar exposure exists with the tens of thousands of human-user and machine-to-machine accounts spun up and meshed together in a digitally transformed network.


“Enterprises need to understand the cloud does give you a much larger attack surface,” James observes. “The challenge is to make sure the data is always protected when it’s out there in the cloud.”

Corporate burden: Reducing security risks associated with digital transformation is something all enterprises must come to grips with. The good news is that CipherCloud, Netskope and Bitglass, along with the half-dozen CASBs swallowed up in the acquisition binge, continue to innovate and improve existing services.

CipherCloud’s founders, for instance, came from an encryption services background. The vendor has built a broad portfolio of CASB services around this encryption core. “We can put our services on premises, or we can host it for a customer, or we can combine on-premises, plus hosted,” James says. “And we also do much the same thing for how we integrate with clouds.”

James described for me how a customer can monitor and select certain containers of sensitive data – data being worked on collaboratively in a public cloud environment – for encryption. This detracts minimally from development speed and nimbleness, the desirable characteristics associated with digital transformation. And it also keeps the designated data safe as it moves across different cloud platforms, as well as across to the company’s on-premises servers.

“We’re going to encrypt it on the fly and you can dictate who has access,” he explains. “So no one can see it unless you give them access via the decryption keys.”

(Editor’s note: Last Watchdog has provided consulting services to CipherCloud.)


