Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

CASBs: A Better Approach to Cloud Encryption

Home
Industry Insights
CASBs: A Better Approach to Cloud Encryption

Blog Article Published: 10/20/2015

By Anurag Kahol, Founder and CTO, Bitglass

Widespread enterprise adoption of public cloud applications like Office 365 has not come without security and compliance concerns. Most cloud apps function like a black box, providing little visibility or control over the handling of sensitive data. When cloud applications leave security gaps that the enterprise simply can’t live with, thoughts often turn to cloud encryption options.

This data may exist as structured data in an app like Salesforce, or as unstructured data in file sharing apps like Box or OneDrive. In either case, a cloud access security broker (CASB) provides a way to encrypt the data using keys that you control. A CASB also provides a central point for monitoring and managing access to those resources.

Encrypting cloud data at rest with CASBs

CASBs provide a central point of visibility and control across any cloud app used in an enterprise. Control comes in various forms, including contextual access control, data leakage prevention, and of course encryption for data at rest. A CASB works by mediating connections between cloud apps and the outside world, typically via a combination of proxies and API connectors to applications.

bitglass-casb-architecture-100621449-large.idge A CASB, or cloud access security broker, mediates the connections between end users and cloud applications, providing a central point of visibility, access control, and data security.

CASBs have become the de facto answer to encryption for cloud data at rest. Unfortunately, in order to make data searchable when encrypted and stored in the cloud, early CASBs cut down on the number of initialization vectors used in their products which limits the number of possible encrypted versions of a given string. This same approach makes the encrypted data subject to attacks, such as a chosen plaintext attack. Why bother encrypting if you use weak schemes that can easily be cracked?

Full-strength cloud encryption with Bitglass

Bitglass takes a patented “split index” approach to searching cloud-based content that allows you to have your cake and eat it too -- that is, full-strength crypto and search. In a nutshell, Bitglass brings the trusted security of a private cloud to powerful and flexible public cloud applications, allowing you to safely take advantage of apps like Office 365, Salesforce, Box, and ServiceNow.

Screen_Shot_2015-10-16_at_1.24.24_PM Unless a user accesses the cloud application through the Bitglass service, he or she will see nothing but meaningless ciphertext.

With a few clicks, CASBs like Bitglass can replace sensitive data inside of the application with copies encrypted using keys that you control using the encryption algorithms of your choosing -- which means your existing key management system works out of the box. The encrypted data can be stored in the cloud app or on-premise; in the latter case, the only thing stored in the cloud application is an encrypted pointer to where the data lies in the local data store.

When a user searches for data, the search query is executed against a local search index, returning all of the associated pointers to Bitglass. Bitglass then searches the application for those pointers and retrieves the encrypted files or records, decrypting data for the user on the fly.

Because data is encrypted in the app, it’s not readable by prying eyes. Even within your organization, access is provided by policy. In fact, unless the user is accessing the application securely through Bitglass, they will see nothing but meaningless encrypted pointers.

Many enterprises forgo the power and flexibility of public cloud applications for the sake of data security and compliance. With a split-index approach to cloud encryption, these businesses can have both without undermining the strength of the encryption or sacrificing the functionality of the applications. It’s an approach to cloud encryption that should make a cloud-first strategy more attainable for the most security-conscious of organizations.

Want to learn more? Watch our Glass Class on Cloud Encryption.

Share this content on your favorite social network today!

Latest from CSA
Join AT&T Cybersecurity in Chicago
The State of AI and Security Survey Report
CSA's STAR: The Key to Cloud Security & Compliance
Trending This Week
#1 The 5 SOC 2 Trust Services Criteria Explained
#2 What You Need to Know About the Daixin Team Ransomware Group
#3 Mitigating Security Risks in Retrieval Augmented Generation (RAG) LLM Applications
#4 Cybersecurity 101: 10 Types of Cyber Attacks to Know
#5 Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers
Enhance your cloud security skills with CSA's online training options.