10 Questions to Ask Your Cloud Access Security Broker
INTRODUCTION

According to Gartner, by 2020, 60 percent of large enterprises will use a cloud access security broker. Organizations are increasingly turning to CASB vendors to address cloud service risks, enforce security policies, and comply with regulations, even when cloud services are beyond their perimeter and out of their direct control. Attempting to navigate the CASB vendor landscape and determine how each vendor is different can be a daunting task. Most CASBs support core functionality such as discovery and risk assessment, DLP, and threat protection for SaaS; some also support security controls for IaaS. When evaluating CASB vendors, it is recommended that you focus on the use cases that are important to you. Here are ten use-case-centric questions that you should consider as you start the process of evaluating CASB vendors.
QUESTION #1: Rather than simply blocking or allowing the apps discovered in my organization, how do you help safely enable the hundreds or potentially thousands of cloud services that our lines of business and users are adopting?

EXPLANATION

Securing cloud services that are unsanctioned (shadow IT) but permitted is a challenging use case for a number of reasons.

First, in order to secure a large number of apps, you need to understand what risky activities are taking place so you can agree on appropriate controls. These apps often do not have published APIs, so your CASB vendor needs to be able to decode what is happening without relying on assistance from the app vendor.

Second, to cover unsanctioned apps the CASB vendor needs to be able to steer thousands of these apps and decode the risky activities in real time. If a CASB vendor requires a per-app configuration, this is simply not scalable when you have so many apps that need to be secured.

Third, the CASB vendor needs to support category-level policies so you can triage a large number of apps with a small set of policies. Creating 1,000 policies for 1,000 cloud apps is not an effective approach.

NETSKOPE ADVANTAGE

Netskope is the only CASB vendor that safely enables the thousands of unsanctioned, but permitted, apps that your lines of business and users are adopting.

Powered by our patented Cloud XD, Netskope is the only CASB vendor that is able to decode risky activities in real time covering thousands of apps that do not have published APIs.

Only Netskope enables you to provide granular controls for these apps in the context of user, device, location, activity, and content. For example, stop exfiltration of sensitive data going to unsanctioned cloud services.

Finally, only Netskope enables you to effectively triage thousands of cloud services by providing category-level policies. Netskope allows you to apply security controls like DLP and activity restrictions for all apps in app categories such as cloud storage, HR, finance, etc.

TEST FOR IT

After getting an understanding of what apps are running in your environment, set up activity restriction policies and DLP for categories of apps that are prone to data loss. For example, create a policy to prevent uploads of sensitive data to the cloud storage or HR categories.

Once your policies are in place, test them against dozens or more of the unsanctioned applications discovered in your environment.

Compare the process and the results for each CASB vendor and their ability to achieve this key use case.
QUESTION #2: How do you enforce separate policies across multiple instances of a cloud app?

EXPLANATION

It is very common to see personal instances of sanctioned cloud apps like Microsoft OneDrive, Google Drive, Box, and Dropbox. One of your use cases may be to apply additional restrictions on the personal version while relaxing restrictions on the corporate-sanctioned version. For example, you might want to block PII data going to a personal Dropbox instance, but allow PII data going to the corporate-sanctioned Dropbox instance.

The challenge here is that most CASBs do not have any ability to differentiate between instances of cloud services. For those that do, the capability may be limited to only one popular app like Microsoft OneDrive.

NETSKOPE ADVANTAGE

Powered by our patented Cloud XD, Netskope differentiates between instances of dozens of cloud apps. This coverage enables you to craft different policies for a sanctioned vs. an unsanctioned instance, or a marketing vs. an R&D instance, and so forth.

TEST FOR IT

Craft a policy for a few of your sanctioned cloud applications, allowing an activity such as PII data uploads.

Next, craft another policy that blocks uploads of PII to unsanctioned instances of the same cloud apps.

Compare which CASBs support this key functionality and for how many cloud apps they can identify different instances.
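The two capabilities that Questions #1 and #2 test for, a policy that covers a whole app category rather than one app at a time, and a policy that treats the personal and the corporate instance of the same app differently, can be modelled in a few dozen lines. The following is an added example written for this page; it is not Netskope code and does not describe how Cloud XD works. It assumes that an inline CASB has already decoded each activity into an event (app, login identity, user group, device, location, activity, DLP labels), that the organization's identity domain is example.com, and that an instance is "personal" whenever the login identity is outside that domain; the app catalogue and all events are constructed for the example.

```python
"""Category-level, instance-aware policy evaluation (added example, not Netskope code).

Assumptions, all constructed for this example: the identity domain, the app
catalogue, the event fields and the three policies.
"""
from dataclasses import dataclass

# Assumption: the organization's identity domain; a login identity outside it
# is treated as a personal (unsanctioned) instance of the app.
CORP_DOMAIN = "example.com"

# A tiny stand-in for the catalogue a CASB keeps for thousands of apps.
APP_CATEGORY = {
    "Microsoft OneDrive": "cloud storage",
    "Google Drive": "cloud storage",
    "Dropbox": "cloud storage",
    "Box": "cloud storage",
    "Workday": "HR",
    "Trello": "collaboration",
}


@dataclass(frozen=True)
class Event:
    """One decoded activity, as an inline CASB would see it on the wire."""
    app: str
    account: str        # identity the session is logged in as
    user_group: str     # e.g. "finance"
    device: str         # "managed" or "unmanaged"
    location: str       # "HQ" or "remote"
    activity: str       # "upload", "download", "share", ...
    labels: frozenset   # DLP classifications found in the content, e.g. {"PII"}


def instance_of(event):
    """Corporate-sanctioned vs. personal instance, decided by the login identity."""
    domain = event.account.rsplit("@", 1)[-1].lower()
    return "sanctioned" if domain == CORP_DOMAIN else "personal"


@dataclass(frozen=True)
class Policy:
    """A rule; an empty selector means 'match anything' on that dimension."""
    name: str
    action: str                       # "block" or "alert"
    categories: frozenset = frozenset()
    instances: frozenset = frozenset()
    activities: frozenset = frozenset()
    labels: frozenset = frozenset()   # match if the content carries ANY of these
    user_groups: frozenset = frozenset()
    devices: frozenset = frozenset()
    locations: frozenset = frozenset()

    def matches(self, event):
        category = APP_CATEGORY.get(event.app, "uncategorised")
        checks = [
            (self.categories, category),
            (self.instances, instance_of(event)),
            (self.activities, event.activity),
            (self.user_groups, event.user_group),
            (self.devices, event.device),
            (self.locations, event.location),
        ]
        if any(selector and value not in selector for selector, value in checks):
            return False
        return not self.labels or bool(self.labels & event.labels)


def evaluate(policies, event):
    """First matching policy in order wins; anything unmatched is allowed."""
    for policy in policies:
        if policy.matches(event):
            return policy.action, policy.name
    return "allow", None


# Three policies cover every cloud storage and HR app in the catalogue,
# instead of one policy per app.
POLICIES = [
    Policy("pii-upload-to-personal-storage", "block",
           categories=frozenset({"cloud storage"}), instances=frozenset({"personal"}),
           activities=frozenset({"upload"}), labels=frozenset({"PII"})),
    Policy("confidential-download-remote-unmanaged", "block",
           categories=frozenset({"cloud storage"}), activities=frozenset({"download"}),
           labels=frozenset({"Confidential"}), user_groups=frozenset({"finance"}),
           devices=frozenset({"unmanaged"}), locations=frozenset({"remote"})),
    Policy("sensitive-upload-to-hr-apps", "alert",
           categories=frozenset({"HR"}), activities=frozenset({"upload"}),
           labels=frozenset({"PII", "Confidential"})),
]


def decide(app, account, activity, labels, user_group="staff", device="managed", location="HQ"):
    """Convenience wrapper so a test run reads like one row of the evaluation table."""
    event = Event(app, account, user_group, device, location, activity, frozenset(labels))
    return evaluate(POLICIES, event)[0]


if __name__ == "__main__":
    # Same app, same file, different instance: only the personal upload is blocked.
    print(decide("Dropbox", "alice@example.com", "upload", {"PII"}))   # allow
    print(decide("Dropbox", "alice@gmail.com", "upload", {"PII"}))     # block
```

The point of the structure is that adding a thousandth cloud storage app is a one-line catalogue change, not a new policy, and that the same policy list yields different verdicts for the two Dropbox instances because the instance is a dimension of the event rather than a property of the app.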
QUESTION #3: How do you see and stop data exfiltration taking place from a sanctioned to an unsanctioned cloud app?

EXPLANATION

A common scenario is when an employee downloads some sensitive data from a sanctioned cloud app like Microsoft OneDrive and then uploads that data to a personal cloud app like Gmail or Dropbox.

The challenge is getting visibility into the employee's activities once the data leaves the sanctioned cloud app. Controls need to be implemented that stop the exfiltration without disrupting any legitimate use of either the sanctioned or the personal cloud app.

NETSKOPE ADVANTAGE

Powered by our patented Cloud XD technology, Netskope is the only CASB that sees and controls activities and data movement across sanctioned and unsanctioned cloud services.

TEST FOR IT

Download sensitive data from one of your sanctioned cloud services and then upload that data to an unsanctioned cloud service. See how the CASB reports on the activity.

Next, implement a policy that blocks the upload of the sensitive data to unsanctioned cloud apps. Do this without blocking access to the unsanctioned cloud app.

QUESTION #4: Can you give examples of how well your DLP performs when it comes to detecting sensitive data in hard-to-find places?

EXPLANATION

Managing risk tied to data loss in the cloud is a big challenge. There are many scenarios where sensitive data movement across cloud apps, or exposure from within cloud apps, evades basic content inspection techniques. Consider, for example, text embedded in images or text stored within hidden areas of documents.

Look for a CASB that can find and secure sensitive data wherever it goes.

NETSKOPE ADVANTAGE

Netskope's award-winning cloud DLP provides robust content inspection, including the ability to scan for data embedded in images (Optical Character Recognition) or residing within hidden tabs in Excel workbooks.

TEST FOR IT

Create a policy to alert when PCI data is discovered within a sanctioned cloud storage app such as Google Drive.

Next, upload PCI data embedded in an image to Google Drive.

Next, create and upload an Excel document that has PCI data, but use a VB Script to hide the tab with the PCI data.

Compare each CASB vendor's ability to find this data.
QUESTION #5: Can you share details about how accurate your DLP is and what you can do to reduce false positives?

EXPLANATION

It is critical to have an accurate DLP system, or your security team will spend too much time sifting through meaningless alerts and false positives.

Look for a CASB that supports advanced features such as exact data matching (EDM), fingerprinting, and contextual policies to help improve accuracy.

NETSKOPE ADVANTAGE

Netskope's award-winning cloud DLP supports advanced features such as exact data matching, fingerprinting, and contextual policies to greatly improve accuracy and reduce false positives.

TEST FOR IT

Test exact data matching functionality by providing a structured data source that contains specific data values which can be tokenized by the DLP engine. Then, instead of looking for any PII data in any combination (such as first name, last name, SSN, and home address), the DLP engine should look specifically for your source data in the combination you specify (e.g. last name, SSN, and home address). Test with data that includes values for fields that aren't from your dataset; also test with data that includes PII identifiers outside of those you have asked the DLP engine to look for.

For fingerprinting, use the CASB to fingerprint a document. Create a DLP policy that triggers on the fingerprint you created. Optionally, adjust the threshold of the fingerprint matching to trigger on excerpts from the document. For example, block the fingerprinted data from being uploaded to Dropbox.

For the last test, create a contextual DLP policy that incorporates a user group, network location, device type, activity, and data content. For example, block users in the finance group, outside of HQ, on a Windows device, from downloading documents from Microsoft OneDrive that are tagged as confidential.

Test and compare each CASB vendor's ability to enhance the accuracy of DLP policies with exact data matching, fingerprinting, and contextual details.
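To make the EDM and fingerprinting tests concrete, here is an added example (written for this page, not Netskope code) that puts a baseline "anything that looks like an SSN" regex next to the two techniques the test asks for: an exact-data-match index built from hashed cells of a structured source, where a document only matches when every chosen column of one source row appears, and a shingle-based document fingerprint with an adjustable threshold for excerpts. The records, the confidential document, the column choice and the threshold are constructed for the example; production EDM engines also apply proximity windows and per-column tokenisers that are omitted here.

```python
"""Exact data matching (EDM) and document fingerprinting for DLP accuracy.

Added example (not Netskope code): a baseline regex detector beside the two
techniques the test for Question #5 exercises. The records, document and
thresholds are constructed; real EDM engines add proximity windows and
per-column tokenisers that are omitted here.
"""
import hashlib
import re
from collections import defaultdict

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def regex_pii_hits(text):
    """Baseline detector: fires on anything that merely looks like an SSN."""
    return len(SSN_RE.findall(text))


def _norm(value):
    # Case- and punctuation-insensitive, so "123-45-6789" and "123456789" agree.
    return re.sub(r"[^a-z0-9]", "", value.lower())


def _cell_hash(column, value):
    # The column name is part of the hash: an SSN found where a surname is
    # expected does not count, and only hashes ever leave the data owner.
    return hashlib.sha256(f"{column}:{_norm(value)}".encode()).hexdigest()


def build_edm_index(records, columns):
    """Index the chosen columns of a structured source as hashed cells."""
    index = defaultdict(set)
    max_words = 1
    for row_id, rec in enumerate(records):
        for col in columns:
            index[_cell_hash(col, rec[col])].add(row_id)
            max_words = max(max_words, len(rec[col].split()))
    return {"index": dict(index), "columns": tuple(columns), "max_words": max_words}


def edm_match(text, edm):
    """True only if every indexed column of ONE source row occurs in the text."""
    tokens = re.findall(r"[A-Za-z0-9-]+", text)
    found = defaultdict(set)  # row_id -> columns seen so far
    for n in range(1, edm["max_words"] + 1):
        for i in range(len(tokens) - n + 1):
            candidate = " ".join(tokens[i:i + n])
            for col in edm["columns"]:
                for row_id in edm["index"].get(_cell_hash(col, candidate), ()):
                    found[row_id].add(col)
    required = set(edm["columns"])
    return any(cols == required for cols in found.values())


def fingerprint(text, k=5):
    """Hashed k-word shingles; the CASB stores these, not the document."""
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(len(words) - k + 1)}


def fingerprint_score(text, fp, k=5):
    """Share of the candidate's shingles that occur in the fingerprinted document."""
    cand = fingerprint(text, k)
    return len(cand & fp) / len(cand) if cand else 0.0


def fingerprint_match(text, fp, threshold=0.5, k=5):
    # A lower threshold lets excerpts trigger; 1.0 demands the whole text.
    return fingerprint_score(text, fp, k) >= threshold


# Constructed sample records (not real people) and a constructed document.
SOURCE_RECORDS = [
    {"last_name": "Smith", "ssn": "123-45-6789", "address": "42 Oak Street"},
    {"last_name": "Nguyen", "ssn": "234-56-7890", "address": "7 Elm Road"},
]
EDM = build_edm_index(SOURCE_RECORDS, ["last_name", "ssn", "address"])
CONFIDENTIAL_DOC = (
    "Project Falcon confidential: the acquisition of Northwind Traders will close "
    "in the fourth quarter. Deal value is forty million dollars subject to regulatory "
    "approval. Integration planning starts immediately after signing and is led by "
    "the finance team."
)
DOC_FINGERPRINT = fingerprint(CONFIDENTIAL_DOC)


def classify(text):
    """The three detectors' verdicts side by side for one candidate upload."""
    return {"regex_ssn_hits": regex_pii_hits(text),
            "edm_match": edm_match(text, EDM),
            "fingerprint_match": fingerprint_match(text, DOC_FINGERPRINT)}


if __name__ == "__main__":
    print(classify("Customer 987-65-4321 called about Smith's order"))
```

Run against the page's test inputs, the regex fires on a customer number that merely looks like an SSN while EDM stays quiet, and a surname from the dataset paired with an SSN that is not from the dataset is also not a match; an excerpt of the fingerprinted document scores 1.0 and trips the fingerprint policy even though it contains no PII at all.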
QUESTION #6: How do you secure users that are on managed devices, but are outside the office and accessing any of the thousands of unsanctioned cloud services directly?

EXPLANATION

A common blind spot for CASBs is the scenario where users are off the network and accessing unsanctioned cloud services from their corporate-managed device. This blind spot presents risk tied to data loss and threats.

NETSKOPE ADVANTAGE

Netskope supports an optional client deployment for Mac, PC, and iOS that provides access to this traffic. Once the traffic is steered by the client from the corporate-managed device, Netskope provides real-time visibility, control, and protection for thousands of unsanctioned cloud services.

TEST FOR IT

Set up the CASB to block sensitive data going to unsanctioned cloud apps like Trello or WeTransfer.

Test by posting sensitive data to Trello, or uploading it to WeTransfer, from a managed device that is off the network. Repeat for other unsanctioned cloud apps to verify breadth of support.
QUESTION #7: How do you protect against various strains of malware and ransomware from using cloud apps to hide, spread, and infect?

EXPLANATION

Cloud apps present a perfect place for threats such as malware and ransomware to hide and spread rapidly. There is a need to go beyond basic anomaly detection and scan sanctioned cloud apps to find and quarantine malware.

There is also a need for real-time protection against malware coming in via desktop file sync apps, or other non-browser user agents accessing cloud applications.

Whether from phishing via webmail or malicious payload delivery from collaboration apps, threat protection needs to cover all of the thousands of cloud services in use within your organization.

NETSKOPE ADVANTAGE

Netskope's Threat Protection capabilities are backed by Netskope Threat Research Labs, a dedicated team focused on the discovery and analysis of new cloud threats. Netskope consumes over 40 threat intelligence sources, and uses advanced machine learning technology to provide multiple layers of threat detection. Netskope's malware detection and analysis capabilities include static and dynamic anti-virus inspection, user behavior anomaly detection, heuristic analysis, sandbox analysis, and next-gen AV integrations.

Netskope's threat protection inspects sanctioned cloud services and quarantines malware that is discovered. In addition, Netskope blocks malware in real time coming from any of the thousands of sanctioned and unsanctioned cloud services.

Netskope's threat protection extends to cover desktop file sync apps, and other non-browser agents accessing cloud applications from your corporate-managed devices.

TEST FOR IT

Set up the CASB to protect against malware and ransomware.

Place a malware test file in a sanctioned cloud service like Microsoft OneDrive and verify the CASB detects and quarantines it.

Place a malware test file in a shared cloud storage folder and verify the CASB blocks it from downloading via the desktop sync app (e.g. the Microsoft OneDrive app).

Create a public link to the malware test file and verify the CASB blocks it when a download is attempted from a corporate-managed device.

Verify the CASB vendor's threat intelligence capability by configuring the CASB to automatically fetch and apply MD5 and SHA256 hash lists for known malware files from sources such as Carbon Black.
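The last test above only proves something if the hash feed the CASB ingested actually contains the digests of the file you upload. The following added example (written for this page, not Netskope code, and unrelated to how Netskope or Carbon Black parse feeds) computes both digests of a test file, normalises a hash feed of the mixed MD5/SHA256 form the test describes, and returns the verdict a hash-list match would give. The feed format is constructed for the example; the EICAR string is the industry-standard anti-virus test file, used here as the "malware test file", and its published hashes appear in the constructed feed. The last two lines also show the caveat a practitioner should keep in mind: appending a single byte defeats a pure hash list, which is why the heuristic and sandbox layers listed above matter.

```python
"""Hash-list (MD5/SHA256) matching for a malware test file (added example, not Netskope code)."""
import hashlib

# 68-byte EICAR anti-virus test string (raw bytes: the backslash is part of it).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed hash feed: one digest per line, MD5 and SHA256 mixed, comments allowed.
HASH_FEED = """
# source: constructed example feed
44D88612FEA8A8F36DE82E1278ABB02F          # EICAR md5, upper case on purpose
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
not-a-hash-ignore-me
"""

HEX = set("0123456789abcdef")


def load_hash_list(feed):
    """Normalise a feed into {md5: set, sha256: set}; digest length decides the algorithm."""
    lists = {"md5": set(), "sha256": set()}
    for line in feed.splitlines():
        token = line.split("#", 1)[0].strip().lower()
        if not token or set(token) - HEX:
            continue                      # comment, blank, or not a hex digest
        if len(token) == 32:
            lists["md5"].add(token)
        elif len(token) == 64:
            lists["sha256"].add(token)
    return lists


def hashes_of(data):
    """Both digests of the file bytes, as a CASB or an AV engine would compute them."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def verdict(data, lists):
    """'quarantine' when either digest is on the list, else 'clean'."""
    digests = hashes_of(data)
    hit = [alg for alg in ("md5", "sha256") if digests[alg] in lists[alg]]
    return {"verdict": "quarantine" if hit else "clean", "matched_on": hit, **digests}


if __name__ == "__main__":
    lists = load_hash_list(HASH_FEED)
    print(verdict(EICAR, lists)["verdict"])           # quarantine
    # One appended byte changes both digests: a hash list alone misses it.
    print(verdict(EICAR + b"\n", lists)["verdict"])   # clean
```

When the CASB quarantines the unmodified test file but not the one-byte variant, you have confirmed that the hash feed is applied and, at the same time, that hash matching is the weakest of the layers; the sandbox and heuristic tests are what exercise the rest.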
QUESTION #8: How do you help me prevent employees using IaaS from exfiltrating data from one Amazon S3 bucket to another?

EXPLANATION

Amazon Web Services provides a robust set of security controls ensuring only authorized users have access to resources like S3 buckets. The challenge, once they have been granted access, is that they can easily copy or sync data from a corporate-managed S3 bucket to a personal S3 bucket or an S3 bucket outside of your organization's control.

Look for a CASB that can address this use case with the ability to block activities such as upload and sync from a managed to an unmanaged S3 bucket.

NETSKOPE ADVANTAGE

Netskope is the only CASB vendor to support the ability to block activities such as upload and sync taking place from a managed to an unmanaged S3 bucket.

TEST FOR IT

Configure the CASB for this use case and then perform the following activity: from the AWS CLI, perform a cp or sync command from a corporate-managed S3 bucket to a personal S3 bucket.

A CASB supporting this use case should be able to block this activity.

QUESTION #9: How does your solution provide visibility into sensitive data stored in Amazon S3 buckets and Azure Blob storage?

EXPLANATION

Managing risk tied to the exposure of sensitive data in cloud infrastructure environments like AWS and Azure is a big challenge.

Addressing security misconfigurations that lead to exposure of resources to the internet is the first step, and most CASB vendors support this functionality.

A further key step is to get visibility into what data has made its way into cloud infrastructure and what the sensitive nature of the data is.

NETSKOPE ADVANTAGE

Netskope provides the ability to scan S3 buckets and Azure Blob storage and apply award-winning cloud DLP to alert you to what sensitive data is in these environments.

TEST FOR IT

Set up the CASB to look for and alert on sensitive data in S3 buckets and Azure Blob storage.

Compare the results of the findings and the ability to create compliance-centric reports.
QUESTION #10: What is your approach to securing SaaS, IaaS, and web as part of your offering that also includes CASB?

EXPLANATION

Gartner's CASB definition encompasses visibility, data security, compliance and threat protection for SaaS and IaaS.

There are many advantages to taking a more holistic approach and expanding your security coverage to the general web as well. You may currently be addressing web security separately with a traditional secure web gateway product, with a focus on use cases such as threat protection and acceptable use policies.

Combining best-of-breed CASB functionality covering SaaS and IaaS with innovative web security from a unified platform that is delivered from one cloud and one console delivers value never seen before with the current crop of cloud security vendors.

Some of the larger security vendors have attempted to bundle together disparate tools, but the result is increased complexity, multiple consoles, and disjointed incident management workflows; and they still lack best-of-breed functionality.

With a "one cloud" approach, deployment is simplified, policy conflicts are minimized, and incident management workflows are streamlined. You can achieve visibility, compliance, data security, and threat protection across SaaS, IaaS, and Web from one console and one cloud.

NETSKOPE ADVANTAGE

Netskope is the only cloud security vendor that combines best-of-breed CASB for SaaS and IaaS with innovative web security, all from one cloud and one console.

For web security specifically, Netskope leverages its patented Cloud XD technology to provide a more intelligent, user-focused view of cloud and web use. Unlike legacy secure web gateway solutions that generate high volumes of log data with every HTTP transaction, Cloud XD synthesizes and distills web activity into the specific user, site and page visits on which security teams want to focus.

TEST FOR IT

Apply an advanced DLP policy incorporating features like exact data matching and fingerprinting to block sensitive data going to SaaS (unsanctioned apps), IaaS (unsanctioned environments) and websites such as social media and discussion forums.

Try to upload and post sensitive data matching the DLP policy to these destinations, and manage the incidents from initial creation, through investigation, to closing out the incidents. Compare how complex each vendor's solution is to configure, manage, and support for this use case.

Configure each vendor to protect against malware in SaaS, IaaS, and Web. This includes inspecting data already in the environments and blocking malware from these environments in real time. Use a malware test file and compare how complex each vendor's capability is to configure, manage, and support for this use case.

The last test is to compare each vendor's ability to provide visibility into web usage. Start by visiting a series of websites and perform actions such as downloading content. Incorporate DLP and threat protection as part of the activity if possible. Compare each vendor's ability to provide a clear picture of the user's activity.
SUMMARY

The answers you get to the preceding ten questions, along with test validation, will help you get clarity around how each CASB vendor is different when it comes to the features and capabilities that will best enable you to address your specific cloud security use cases.

Netskope is the leader in cloud security. We help the world's largest organizations take advantage of cloud and web without sacrificing security. Our patented Cloud XD technology targets and controls activities across any cloud service or website, and customers get 360-degree data and threat protection that works everywhere. We call this smart cloud security. To learn more, visit https://www.netskope.com.

©2018 Netskope, Inc. All rights reserved. Netskope is a registered trademark and Netskope Active, Netskope Cloud XD, Netskope Discovery, Cloud Confidence Index, and SkopeSights are trademarks of Netskope, Inc. All other trademarks are trademarks of their respective owners. 12/18 WP-13-3