NEW TECH: CASBs continue evolving to help CISOs address multiplying ‘cloud-mobile’ risks

By Byron V. Acohido

It can be argued that we live in a cloud-mobile business environment.

Most organizations are all caught up, to one degree or another, in migrating to hybrid cloud networks. And startups today typically launch with cloud-native IT infrastructure.

Mobile comes into play everywhere. Employees, contractors, suppliers and customers consume and contribute from remote locations via their smartphones. And the first tool many of them reach for each day is a cloud-hosted productivity suite: Office 365 or G Suite.

The cloud-mobile environment is here to stay, and it will only get more deeply engrained going forward. This sets up an unprecedented security challenge that companies of all sizes, and in all sectors, must deal with. Cloud Access Security Brokers (CASBs), referred to as “caz-bees,” are well-positioned to help companies navigate this shifting landscape.

I had the chance to discuss this with Salah Nassar, vice president of marketing at CipherCloud, a leading San Jose, CA-based CASB vendor. We met at RSA 2020 and had a lively discussion about how today’s cloud-mobile environment enables network users to bypass traditional security controls, creating gaping exposures that, at this point, are going largely unaddressed. For a full drill down please give the accompanying podcast a listen. Here are excerpts edited for clarity and length.

LW: You’ve been speaking a lot about the cloud-mobile environment; please explain what you’re referring to.

Nassar: On a personal level, we use our mobile devices to access just about everything from our email, to our banking, to social media collaboration, to sharing photos with family, it’s all in a cloud-mobile environment. Many organizations have picked up on that, yet haven’t been able to manage the devices being used by employees and third parties, such as contractors, vendors and software developers.

We’re in a very mobile environment. There’s no such thing as a perimeter anymore. The perimeter is wherever you are, with your device, connecting through applications that happen to be hosted on Amazon Web Services, Microsoft Azure or Google. So we’re very much in this world where it’s a cloud-mobile environment. And mobile refers to a couple of things: a mobile workforce, as well as mobile devices.

LW: What does this mean for security executives?

Nassar: CIOs are really trying to push a cloud-first type of environment to reduce costs and really just to operationalize better, to keep up with the times. They’re either on the cloud-first approach, or just starting up as cloud-native, even for lines of business like human resources and collaboration, it’s all cloud-based. So if you’re a Microsoft shop, you’re on an Office 365 and a Windows 10 migration path.

Some CISOs, at first, were reserved and said, ‘We’re not moving to the cloud.’ But when you dig into the conversation, they’ll admit, ‘Yeah, we’re adopting Office 365.’ They don’t necessarily think that this is part of a cloud migration, until they start using AWS and Azure and moving their workforce fully into the cloud.

LW: When do privacy and security hit them in the face?

Nassar: It’s one of two things, when the legal department comes in, or the government comes in, and there’s a conversation around regulation and privacy.

Or, unfortunately, this comes through because of a recent breach, and then it becomes clear that they don’t have visibility on what actually happened.

LW: How do CASBs come into play?

Nassar: CASBs can operationalize and simplify cloud security. We are in a world, especially with Office 365 and G Suite, where I can open up an application, create content in the cloud, and share that content externally, in the cloud. That creates many issues, from a compliance perspective and from a data protection perspective.

Traditional security controls, like endpoint security, firewalls, proxies, etc., will never see any of this, because it’s happening between clouds. That type of collaboration is a little scary for many organizations. Yet that’s the new level of visibility that everyone wants to have. And that’s the foundation for services provided by CASBs.

LW: Sort of like wrapping a layer of protection around an amorphous perimeter?

Nassar: We’re definitely in a data-centric world, and we’re in a cloud-mobile environment. When someone double clicks on something, I need to understand who the user is and what device they’re using to log into my cloud apps. And, for regulation purposes, I need to apply policy toward that.

I might be allowed to log into my SharePoint in the U.S., and download very sensitive financial data. However, if I’m traveling in Europe, because of GDPR, I may not be able to download any sensitive data while I’m on a European network. Those types of controls are very easy to deploy with a CASB.

LW: What’s new, generally, in the CASB space?

Nassar: What’s changed in CASB is a focus on getting closer to understanding how humans behave in the cloud. The biggest issues have to do with very human-centric behaviors. What are people doing? Who’s logging into my cloud apps? What are they touching on a cloud app? Are they being risky?

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
