What is a CASB and How Do You Even Say It?

Caleb Mast, Regional Sales Director, Bitglass

These are some of the questions that I asked as I went through the recruiting process with Bitglass. My goal was to understand the product completely before going out and pitching it to prospective clients. So, what exactly is a Cloud Access Security Broker (CASB)? By Gartner’s definition, CASBs (Cloud Access Security Brokers) are “on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed.

CASBs consolidate multiple types of security policy enforcement, just like a top rated college football program (such as Penn State) leverages skilled players at all positions to thwart the best efforts of competitors’ offenses (and as they’ll demonstrate against Ohio State on November 23 of this year).

Example CASB security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.”* If you’re like me, even after reading the official definition, you may be slightly confused. My hope is that this article will give you a better understanding of how a CASB may benefit your corporate security strategy.

It’s pronounced caz-bee by the way.

At the broadest level, a CASB provides risk mitigation controls that help organizations protect data as they adopt cloud applications. There are four critical security gaps in cloud applications that CASBs defend against:

Data Protection Beyond the Firewall: Pop quiz – if someone on an unmanaged device connects to Office 365 via wifi from a coffee shop, which security product in your stack protects this session? If you’re at a loss, you aren’t alone.

In the pre-cloud world, your security stack offered insight, security controls, data loss prevention, and threat protection to the IT staff in order to fully monitor and secure corporate data. However, this is under the assumption that the information traversed through at least some part of your corporate network. With the introduction of cloud into our corporate environments, employees now access company data outside of the four walls of the office with applications like Office 365, G Suite, Box, Salesforce, and so on and so forth. CASBs are architected to ensure security for any application, anywhere.

Bring Your Own Device: Once employees discovered how easy it was to access their company information from the cloud, they began doing so from their own personal devices (laptops, smartphones, tablets, et cetera). While many organizations want to provide flexibility and allow employees to work from any device, they shudder at the idea of sensitive corporate data syncing to a totally unmanaged (and potentially insecure or compromised), personal device. Once the information is on the user’s device, it becomes very difficult to have any control – cue the CASB.

Unmanaged Applications: Also known as shadow IT, these are applications over which IT has no visibility. Though these applications may not be inherently bad, they allow files to be stored and shared in an uncontrolled environment. This is a massive compliance violation at best, and a nightmare to any CISO. How should your organization address this problem? You guessed it.

Malicious Users: Pre-CASB, a malicious user would have to get through the corporate security stack undetected in order to get company information. Now that information resides in cloud applications, all parties, good and bad, can knock at the front door authentication prompt. Additionally, cloud usage balloons quickly – once an organization becomes cloud friendly, their cloud footprint expands rapidly. As such, malicious users (whether they are disgruntled insiders or hackers with compromised credentials), can easily exfiltrate data via cloud apps when proper security is not in place.

Organizations that utilize CASBs find that they are able to store sensitive information in the cloud without compromising on security. CASBs enable malware detection and remediation, geofencing, data encryption, session management, and more. What are you doing to protect corporate data across your cloud footprint? I would love to hear your strategies.

Financial Services: Counting on CASBs

By Will Houcheime, Product Marketing Manager, Bitglass

Financial institutions handle a great deal of sensitive data and are highly conscientious of where they store and process it. Nevertheless, they are aware of the many benefits that they can gain by using cloud applications. In order to embrace the cloud’s myriad advantages without compromising the security of their data, financial institutions have been turning to cloud access security brokers (CASBs). To find out why, check out our latest episode of Glass Class:

“Collection #1” Data Breach

By Paul Sullivan, Software Engineer, Bitglass

News of the 773 million email data breach that Troy Hunt announced for Have I Been Pwned certainly got a lot of coverage a few months ago. Now that the dust has settled, let’s cut through some of the hype and see what this really means for enterprise security.

First, let’s clear some things up – the data itself is actually several years old, but it looks like the seller of the data has more recent material, as well. Also, this data did not come from a specific company, but was a composite of various sources that cybercriminals stitched together. It is unclear what these sources are, but some of them are likely to be breaches that have been widely known for some time. This is demonstrated by the fact that Have I Been Pwned has already seen about 82 percent of the compromised emails in previous breaches.

However, the above could also mean that individual emails have been breached multiple times across different services. Unfortunately, people commonly reuse passwords, which means if a cybercriminal gains access to one password or account, they can potentially gain access to various accounts on different websites.

This is important because this kind of data is used in credential stuffing attacks to automate trying to log in to various services with stolen data. Since passwords are often reused, criminals run all this data against other accounts (Spotify, Netflix, Amazon or other paid subscription accounts), hijack them, and resell them.

Unfortunately, this data is out there now and new breaches are happening all the time. Luckily there are ways both individuals and companies can mitigate the damage. For individuals, using a password manager to create strong unique passwords is definitely a good idea. For companies, password expiration is now arguably a bad idea, but IT teams can monitor services like HIBP and let employees know when to change passwords after a breach. Companies can also cut down on the number of passwords running around by using single sign on (SSO) for their cloud services, and by enabling multi-factor authentication to make it harder for credential stuffing attacks to work. A cloud access security broker (CASB) can also alert IT teams when a strange login occurs so they can take action to protect their data.  
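
Credential stuffing as described above leaves a recognizable trace in authentication logs: one source tries many different accounts in a short time, and almost every attempt fails. The following Python detector is an added example, not code from the original post or from Bitglass; the log format, field names, thresholds and sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). The line format is an assumption:
#   <ISO-8601 UTC timestamp> ip=<source> user=<login> result=<OK|FAIL>
SAMPLE_LOG = """\
2019-03-01T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2019-03-01T10:00:03Z ip=203.0.113.7 user=dave@example.com result=FAIL
2019-03-01T10:00:05Z ip=203.0.113.7 user=erin@example.com result=FAIL
2019-03-01T10:00:07Z ip=203.0.113.7 user=frank@example.com result=FAIL
2019-03-01T10:00:09Z ip=203.0.113.7 user=grace@example.com result=FAIL
2019-03-01T10:00:11Z ip=203.0.113.7 user=carol@example.com result=OK
2019-03-01T10:00:13Z ip=203.0.113.7 user=heidi@example.com result=FAIL
2019-03-01T10:02:00Z ip=198.51.100.20 user=bob@example.com result=FAIL
2019-03-01T10:02:20Z ip=198.51.100.20 user=bob@example.com result=FAIL
2019-03-01T10:02:45Z ip=198.51.100.20 user=bob@example.com result=OK
2019-03-01T09:00:00Z ip=192.0.2.55 user=ivan@example.com result=OK
2019-03-01T09:00:30Z ip=192.0.2.55 user=judy@example.com result=OK
2019-03-01T09:01:00Z ip=192.0.2.55 user=kim@example.com result=OK
2019-03-01T09:01:30Z ip=192.0.2.55 user=leo@example.com result=OK
2019-03-01T09:02:00Z ip=192.0.2.55 user=mia@example.com result=OK
2019-03-01T08:00:00Z ip=203.0.113.99 user=nina@example.com result=FAIL
2019-03-01T08:15:00Z ip=203.0.113.99 user=omar@example.com result=FAIL
2019-03-01T08:30:00Z ip=203.0.113.99 user=pat@example.com result=FAIL
2019-03-01T08:45:00Z ip=203.0.113.99 user=quinn@example.com result=FAIL
2019-03-01T09:00:00Z ip=203.0.113.99 user=rosa@example.com result=FAIL
"""


def parse_line(line):
    """Turn one log line into a dict with typed fields."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": kv["ip"],
        "user": kv["user"].lower(),
        "ok": kv["result"] == "OK",
    }


def detect_stuffing(log_text, window_minutes=5, min_users=5, min_fail_ratio=0.8):
    """Flag source IPs whose attempts look like credential stuffing.

    An IP is flagged when any sliding window of `window_minutes` contains
    at least `min_users` distinct logins and at least `min_fail_ratio` of
    the attempts in that window failed. The failure ratio keeps a shared
    office NAT (many users, mostly successful) from being flagged.

    Returns {ip: {"users_tried": set, "needs_reset": set}} where
    "needs_reset" lists accounts that logged in successfully from a flagged
    IP, i.e. accounts whose reused password probably matched.
    """
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_ip[event["ip"]].append(event)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        flagged = False
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            in_window = events[start:end + 1]
            users = {e["user"] for e in in_window}
            fails = sum(not e["ok"] for e in in_window)
            if len(users) >= min_users and fails / len(in_window) >= min_fail_ratio:
                flagged = True
                break
        if flagged:
            findings[ip] = {
                "users_tried": {e["user"] for e in events},
                "needs_reset": {e["user"] for e in events if e["ok"]},
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {len(info['users_tried'])} accounts tried, "
              f"force reset for {sorted(info['needs_reset'])}")
```

The single user who mistypes a password and the office NAT with many successful logins are not flagged. Attempts spread over an hour from one source only appear with a longer window, so the window and thresholds need tuning against your own baseline.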

For more information, download the Top CASB Use Cases.

The Many Benefits of a Cloud Access Security Broker

By Will Houcheime, Product Marketing Manager, Bitglass

Today, organizations are finding that storing and processing their data in the cloud brings countless benefits. However, without the right tools (such as cloud access security brokers (CASBs)), they can put themselves at risk. Organizations’ IT departments understand how vital cybersecurity is, but must be equipped with modern tools in order to secure their data. CASBs protect against a wide range of security concerns that enterprises face when migrating to the cloud. Consequently, they have quickly increased in popularity and have become a one-stop-shop for countless enterprise security needs.

BYOD, SaaS or IaaS

Depending on the industry in which an organization operates, it may need to focus on security for managed devices, or perhaps it might need more of a bring your own device (BYOD) solution. While major SaaS applications improve organizational productivity and flexibility, they can serve as entry points for malicious threats such as malware or be used to share sensitive data with unauthorized parties. In infrastructure-as-a-service platforms, even a simple misconfiguration can cause data leakage and jeopardize an organization’s wellbeing. Without a solution designed to address these modern security concerns, organizations can fall victim to these and other threats.

In recent years, cloud access security brokers have been used to prevent these types of unfortunate scenarios from happening to organizations. Whether it’s securing data on personal devices, limiting external sharing, stopping cloud malware, or other security needs, CASBs have been stepping in and protecting data whether it is in transit or at rest. In our latest white paper, Top CASB Use Cases, we go into detail about how organizations have used cloud access security brokers to embrace both the cloud and BYOD without compromising on security.

For information about how CASBs help secure data, download the Top CASB Use Cases.

Prying Eyes Inside the Enterprise: Bitglass’ Insider Threat Report

By Jacob Serpa, Product Marketing Manager, Bitglass

When words like cyberattack are used, they typically conjure up images of malicious, external threats. While hackers, malware, and other outside entities pose a risk to enterprise security, they are not the only threats that need to be remediated. 

Insider threats, which involve either malicious or careless insiders, are another significant threat to corporate data that must be addressed. Fortunately, Bitglass has the latest information on this topic. Read on to learn more.

In Threatbusters, Bitglass’ 2019 Insider Threat Report, Bitglass set out to learn about the state of insider attacks, as well as to uncover what organizations are doing to defend against them. This was accomplished by partnering with a cybersecurity community and surveying the IT professionals therein. A breadth of survey questions yielded a wealth of information, ranging from the tools that organizations are using to defend against threats, to how long it takes them to recover from these types of attacks. Two examples can be found below.

The frequency of attack

A staggering 73 percent of survey respondents claimed that insider threats are becoming a more common occurrence. In 2017, when Bitglass released its previous Insider Threat Report, this number was only 56 percent. Additionally, 59 percent of respondents revealed that their organization had experienced at least one insider attack within the last 12 months. For organizations to stay secure in today’s high-speed, cloud-first world where data is shared, accessed, and downloaded more rapidly and widely than ever before, appropriate security controls simply have to be put in place.

The damage done 

Eighty-seven percent of respondents said that it was either moderately difficult or very difficult to determine the damage done in the wake of an insider attack. This should not come as a surprise. Because insider attacks involve the use of legitimate credentials, distinguishing legitimate user activity from threatening user activity can be challenging (especially because said behavior can go unnoticed for extended periods of time if the proper tools are not in place). Naturally, this means that it can be difficult to ascertain the extent of the damage that these authorized users have done.

The above items are only a sample of what Bitglass was able to uncover in its most recent research. To learn more about insider attacks and how organizations are addressing them, download the full report.

Education: A Cloud Security Investigation (CSI)

By Will Houcheime, Product Marketing Manager, Bitglass

Cloud computing is now widely used in higher education. It has become an indispensable tool for both the institutions themselves and their students. This is mainly because cloud applications, such as G Suite and Microsoft Office 365, come with built-in sharing and collaboration functionality – they are designed for efficiency, teamwork, and flexibility. This, when combined with the fact that education institutions tend to receive massive discounts from cloud service providers, has led to a cloud adoption rate in education that surpasses that of every other industry. Naturally, this means that education institutions need to find a cloud security solution that can protect their data wherever it goes.

Cloud adoption means new security concerns

When organizations move to the cloud, there are new security concerns that must be addressed; for example, cloud applications, which are designed to enable sharing, can be used to share data with parties that are not authorized to view it. Despite the fact that some of these applications have their own native security features, many lack granularity, meaning that sensitive data such as personally identifiable information (PII), personal health information (PHI), federally funded research, and payment card industry data (PCI) can still fall into the wrong hands.

Complicating the situation further is the fact that education institutions are required to comply with multiple regulations; for example, FERPA, FISMA, PCI DSS, and HIPAA. Additionally, when personal devices are used to access data (a common occurrence for faculty and students alike), securing data and complying with regulatory demands becomes even more challenging.

Fortunately, cloud access security brokers (CASBs) are designed to protect data in today’s business world. Leading CASBs provide complete visibility and control over data in any app, any device, anywhere. Identity and access management capabilities, zero-day threat detection, and granular data protection policies ensure that sensitive information is safe and regulatory demands are thoroughly addressed.

Want to learn more? Download the Higher Education Solution Brief.

Bitglass Security Spotlight: DoD, Facebook & NASA

By Will Houcheime, Product Marketing Manager, Bitglass

Here are the top cybersecurity stories of recent weeks: 

—Cybersecurity vulnerabilities found in US missile system
—Facebook shares private user data with Amazon, Netflix, and Spotify
—Personal information of NASA employees exposed
—Chinese nationals accused of hacking into major US company databases
—Private complaints of Silicon Valley employees exposed via Blind

Cybersecurity vulnerabilities found in US missile system
The United States Department of Defense conducted a security audit on the U.S. ballistic missile system and found shocking results. The system’s security was outdated and not in keeping with protocol. The audit revealed that the US’s ballistic system was lacking data encryption, antivirus programs, and multifactor authentication. Additionally, the Department of Defense also found 28-year-old security gaps that were leaving computers vulnerable to local and remote attacks. Obviously, the Missile Defense Agency must improve its cybersecurity posture before the use of defense weaponry is required.

Facebook shares private user data with Amazon, Netflix, and Spotify
The security of Facebook users continues to be in question due to the company’s illicit use of private messages. The New York Times discovered Facebook documents from 2017 that explained how companies such as Spotify and Netflix were able to access private messages from over 70 million users per month. There are reports that suggest that companies had the ability to read, write, and delete these private messages on Facebook, which is disturbing news to anyone who uses the popular social network.

Personal information of NASA employees exposed
The personally identifiable information (PII) of current and former NASA employees was compromised early last year. The organization reached out to the affected individuals notifying them of the data breach. The identity of the intruder was unknown; however, it was confirmed that the breach allowed Social Security numbers to be compromised. 

Chinese nationals accused of hacking into major US company databases
A group of hackers working for the Chinese government has been indicted by the U.S. Government for stealing intellectual property from tech companies. While the companies haven’t been named, prosecutors have charged two Chinese nationals with computer hacking, conspiracy to commit wire fraud, and aggravated identity theft.

Private complaints of Silicon Valley employees exposed via Blind
A social networking application by the name of Blind failed to secure sensitive user information when it left a database server completely exposed. Blind allows users to anonymously discuss topics including tech, finance, e-commerce, as well as the happenings within their workplace  (the app is used by employees of over 70,000 different companies). Anyone who knew how to find the online server had the ability to view each user’s account information without the use of a password. Unfortunately, this security lapse exposed users’ identities and, consequently, allowed their employers to be implicated in their work-related stories.

To learn about cloud access security brokers (CASBs) and how they can protect your enterprise from ransomware, data leakage, misconfigurations, and more, download the Definitive Guide to CASBs.

Rocks, Pebbles, Shadow IT

By Rich Campagna, Chief Marketing Officer, Bitglass

Way back in 2013/14, Cloud Access Security Brokers (CASBs) were first deployed to identify Shadow IT, or unsanctioned cloud applications. At the time, the prevailing mindset amongst security professionals was that cloud was bad, and discovering Shadow IT was viewed as the first step towards stopping the spread of cloud in their organization.

Flash forward just a few short years and the vast majority of enterprises have done a complete 180º with regards to cloud, embracing an ever increasing number of “sanctioned” cloud apps. As a result, the majority of CASB deployments today are focused on real-time data protection for sanctioned applications – typically starting with System of Record applications that handle wide swaths of critical data (think Office 365, Salesforce, etc.). Shadow IT discovery, while still important, is almost never the main driver in the CASB decision making process.

Regardless, I still occasionally hear of CASB intentions that harken back to the days of yore – “we intend to focus on Shadow IT discovery first before moving on to protect our managed cloud applications.” Organizations that start down this path quickly fall into the trap of building time consuming processes for triaging and dealing with what quickly grows from hundreds to thousands of applications, all the while delaying building appropriate processes for protecting data in the sanctioned applications where they KNOW sensitive data resides.

This approach is a remnant of marketing positioning by early vendors in the CASB space. For me, it brings to mind Habit #3 from Stephen Covey’s The 7 Habits of Highly Effective People - “Put First Things First.”

Putting first things first is all about focusing on your most important priorities. There’s a video of Stephen famously demonstrating this habit on stage in one of his seminars. In the video, he asks an audience member to fill a bucket with sand, followed by pebbles, and then big rocks. The result is that once the pebbles and sand fill the bucket, there is no more room for the rocks. He then repeats the demonstration by having her add the big rocks first. The result is that all three fit in the bucket, with the pebbles and sand filtering down between the big rocks.

Now, one could argue that after you take care of the big rocks, perhaps you should just forget about the sand, but regardless, this lesson is directly applicable to your CASB deployment strategy:

You have major sanctioned apps in the cloud that contain critical data. These apps require controls around data leakage, unmanaged device access, credential compromise and malicious insiders, malware prevention, and more. Those are your big rocks and the starting point of your CASB rollout strategy. Focus too much on the sand and you’ll never get to the rocks.

Read what Gartner has to say on the topic in 2018 Critical Capabilities for CASBs.

Keeping Your Boat Afloat with a Cloud Access Security Broker

By Prasidh Srikanth, Senior Product Manager, Bitglass

If you were on a sinking ship that was full of holes of various sizes, which ones would you patch first? Probably the big ones. Now, consider this: As an enterprise, you’ve been successfully sailing and securing your corporate data on premises for some time. However, now you’re migrating to the cloud, looking for increased productivity, collaboration, and cost savings. In this new ocean, organizations must decide how to prioritize security concerns so that they can prevent data leakage.

There are two schools of thought on how organizations should accomplish the above. The first entails beginning by securing your most-used SaaS apps (Office 365, Box, G Suite, Slack, et cetera). This is ideally done through a multimode cloud access security broker (CASB) that secures data access in real time via proxy, and secures data at rest in the cloud through API integrations. As these major apps are the primary locations to which your data is flowing, they are your first responsibility to address.

From there, a shadow IT discovery tool can be used to identify the other, less frequently used SaaS apps that employees are accessing. When these uncommon, less widely known apps are discovered, you may then choose to perform policy-based remediations; for example, coaching users to sanctioned alternatives, making shadow IT apps read only, or blocking access altogether. In this way, the larger security gaps are addressed before the smaller ones, meaning that your boat is successfully patched and gets to sail onward.

The other approach to cloud security says that organizations should perform shadow IT discovery before they begin to secure major SaaS applications and enforce data protection policies. In other words, you have to identify everything before you can begin securing anything. With this approach, you start by hunting down every minuscule security gap before beginning to address the apps that represent the largest data leakage threats, meaning that your boat is allowed to take on water.

Gaining insight into SaaS app usage is helpful for the enterprise; however, there’s a handful of apps that act as the gateway to your cloud journey. Addressing these commonly used applications first is the right way to secure your cloud migration. Once you have your bases covered in this way, you can further strengthen your security posture by performing shadow IT discovery and securing the other apps that represent the metaphorical small holes in your boat. With this measured and methodical security approach, you can confidently continue to transform your business and sail into the cloud.

Fixing Your Mis-Deployed NGFW

By Rich Campagna, Chief Marketing Officer, Bitglass

The Firewall/Next-Gen Firewall has been the cornerstone of information security strategy for decades now. The thing is, changes in network traffic patterns have resulted in most firewalls protecting a smaller and smaller percentage of enterprise network traffic over time.

This post will illustrate the root cause of these firewall mis-deployments, and how the typical enterprise can correct the issue, restoring the efficacy of their security strategy.

In the beginning

In the beginning, your firewall was in position to protect the majority of your corporate data and applications. Most users were on managed devices, on network (either physically or via VPN), and connected to data and applications inside of the enterprise (private) data center. Everything was protected and the deployment was sound:

[Image: premise apps to managed devices]

Time goes on

As time went on, the first sanctioned SaaS applications were introduced to the organization. These typically took the form of major SaaS applications like Office 365, G Suite, and Salesforce. Since these applications are publicly available from anywhere, BYOD started to rear its ugly head as well (even if you had held it off in the past). This was the first step towards firewall mis-deployment, with a good portion of corporate data now existing unprotected outside the firewall:

[Image: premise apps to BYOD]

Eventually, the business got the idea that cloud was easier, more agile, and more cost effective than premises applications, so the demands started to increase. In addition to major SaaS apps, niche industry and/or functional applications started popping up, and the organization began migrating premises applications (both custom apps and package software) to IaaS platforms. Today’s picture for most enterprises looks something like this:

[Image: premise apps to IaaS]

Results are in

The result? Your firewall is currently protecting only a small percentage of your enterprise applications and data. There is, however, a simple fix for this deployment challenge:

[Image: firewall zero to CASB]

With the constant wave of applications migrating to the cloud, it won’t be long before we hit Firewall Zero, with Cloud Access Security Brokers taking the firewall’s place as the cornerstone of enterprise security strategy.

Data Breaches on the Rise in Financial Services

By Jacob Serpa, Product Marketing Manager, Bitglass

Financial services organizations are a prime target for hackers looking to steal and sell valuable data. This is because these firms handle sensitive information known as PII, personally identifiable information, as well as other financial data. In Financial World: Breach Kingdom, Bitglass’ latest financial breach report, the Next-Gen CASB reveals information about the state of security for financial services in 2018. Read on to learn more.

The rise of financial services breaches

2018 has seen the number of financial services breaches reach new heights. This is likely due to a large number of reasons. For example, some organizations may have an overreliance upon existing cybersecurity infrastructure and find it difficult to justify additional expenses in light of their existing sunk costs in security. Other firms may simply overestimate what traditional endpoint and premises-based tools can do to protect data from evolving threats. Regardless, the fact remains that financial services firms were breached in 2018 nearly three times more than they were in Bitglass’ previous, 2016 report.

Malware leads the pack

In prior years, the causes of financial services breaches were fairly diverse. Lost or stolen devices and hacking each caused about 20 percent of breaches, while unintended disclosures and malicious insiders were responsible for 14 percent and 13 percent, respectively.

However, this year saw a massive shift in the balance of power. Nearly three quarters of all financial services breaches in 2018 were caused by malware or hacking. This seems consistent with headlines over the last year – ransomware, cloud cryptojacking, and highly specialized malware variants have dominated the news when it comes to breaches.

What to do?

In financial services, far more must be done to secure sensitive information. While it is imperative that the enterprise can protect data against any threat, it is now clear that defending against malware deserves special attention. This is particularly true in light of the rise of cloud and BYOD. More devices and applications are storing and processing data than ever before, creating more opportunities for malware to infect the enterprise. Fortunately, there are appropriate solutions available.

To learn more about the state of cybersecurity in financial services, download Financial World: Breach Kingdom.

Seven Reasons Why Proxy-based CASBs Are Required for Office 365

By Rich Campagna, Chief Marketing Officer, Bitglass

A competing CASB vendor blogged recently on why proxy-based Cloud Access Security Brokers (CASBs) shouldn’t be used for Office 365.

The post cites “7 reasons,” all of which are variations of just one reason: their CASB breaks each time Microsoft makes changes to Office 365.  What they call “application breakages” due to “updates,” are really “CASB outages.”  In other words, dog ate their homework.

A commonly cited issue with proxies (the only way to achieve real-time cloud data loss prevention or DLP) is their ability to adjust to the near constant changes in cloud applications. However, without an automated solution that can respond to these changes in real time, it’s up to quick response by CASB engineers to fix breakages after they occur, which leads to inevitability of downtime. Make sure you don’t fall into this trap. Select a CASB that can adapt to changes on the fly. Don’t throw out proxy technology completely just because some vendors can’t do it properly.

Proxy-based CASBs: Seven reasons why

So, knowing that a proxy-based solution for Office 365 can work, if you pick the right one, why go inline with Office 365 versus relying purely on out-of-band API integration? Here are 7 unique reasons:

  1. Managed vs Unmanaged Device Access Control – For most organizations, a managed device represents a much lower risk than an unmanaged BYO device. Proxy-based controls allow you to distinguish between the two and provide a different level of access to the app and to sensitive corporate data.
  2. OneDrive Sync Client Control – A OneDrive sync client constantly syncing many GBs of corporate data to an unmanaged device is riskier than a user on that device logging into OneDrive via web browser to download a couple of files that they need. Proxy allows you to control by access method.
  3. Real-time Data Leakage Prevention – API-based integration with apps like Office 365 is great for scanning data-at-rest, but only provides “Monday morning” notifications of data leakage. Proxies prevent data leakage in real-time.
  4. BYOD Malware Prevention – Your organization probably has unmanaged devices connecting into Office 365. Devices that could be infected with malware. Proxy-based solutions stop malware from making its way into Office 365, thwarting would-be attempts to use Office as an IT sanctioned and paid for malware distribution tool.
  5. Session Management – You likely want to aggressively time out and reauthenticate users on unmanaged or new devices. Possible with proxy, not possible with API.
  6. Step-up Multifactor Authentication – See suspicious activity mid-session? Evidence of credential compromise? Only inline CASB allows you to do something about it as it starts to occur.
  7. Data-at-rest Encryption – In many industries, there is a desire to use the public cloud but without giving up control over your data. Proxy-based CASBs allow you to encrypt data before it gets to the cloud. Public cloud apps with private cloud security – have your cake and eat it too!

Bonus: One bonus add — Office 365 might be your main (or only) cloud app today, but that will most definitely change in the future. The fact is, only a small handful of cloud applications provide APIs that are security relevant, whereas a properly architected proxy can support any application.

POC the CASB

By Rich Campagna, Chief Marketing Officer, Bitglass

The Cloud Access Security Broker, or CASB, space has quickly made its way to the mainstream, with organizations of every size and every industry deploying CASBs whenever their data moves beyond the firewall.

While ready for primetime and widely deployed, some enterprises are taking the risky step of skipping the proof-of-concept or trial phase. Given the rapid evolution of the enterprise use cases, and of CASB vendor solutions, we always encourage organizations to #POCtheCASB (of course, it helps that our sales team has complete confidence in the quality of our CASB solution and in our support …).

Seven ways to #POCtheCASB

Here are a few of the key areas to focus on for a successful trial:

  • Proxy Robustness – A commonly cited issue with proxies (the only way to achieve real-time cloud data loss prevention or DLP) is their ability to adjust to the near constant changes in cloud applications. Without an automated solution that can respond to these changes in real time, it’s up to CASB engineers to respond quickly and fix breakages after they occur, which inevitably leads to downtime. Make sure you don’t fall into this trap. Select a CASB that can adapt to changes on the fly. Don’t throw out proxy technology completely just because some vendors can’t do it properly.
  • User Experience – The days of the security team being able to put their needs ahead of the user experience are long gone. Be sure to test with volunteer users from a variety of different business units or departments. Ensure that the CASB solution preserves the user experience and requires minimal or no retraining for your test group.
  • Managed and Unmanaged Device Access – Even if you held BYOD at bay with premises applications, it will become a reality when you move to the cloud. Be sure to test the capabilities of the CASB on both managed devices, as well as on a range of BYO device types to ensure that policy and control capabilities work equally well on all device types.
  • Performance – A well-architected CASB solution should offer high performance and low latency for all users globally, as well as when under peak load. Test from a variety of geos and from several different times of day.
  • Enterprise Integration – Most enterprises end up integrating their CASB into several other systems including Active Directory, IDaaS, network DLP, SIEM and more. Test to be sure that the CASB has appropriate connectors for each of these systems.
  • Flexibility – You might initially deploy a CASB for a small number of cloud applications, but for most enterprises, their cloud footprint begins to evolve and grow rapidly once cloud takes root in the organization. Ensure that you develop test cases that exercise the CASB’s ability to handle not only your current needs, but the future needs of your business.
  • Policy – Last but not least, test out the policies you plan to develop on your CASB! Whether you’re planning to use baseline policies like access control and UEBA, or more sophisticated policies involving DLP and encryption, run the test CASB(s) through their policy paces.

Pwned Passwords – Have Your Credentials Been Stolen?

By Paul Sullivan, Software Engineer, Bitglass

Data breaches now seem to be a daily occurrence. In recent months, Have I Been Pwned (HIBP) introduced Pwned Passwords, which allows you to securely check your password against a database of breach data. There are over 280 breaches in the database, and that’s only the tip of the iceberg. Breaches aren’t just a problem for the users who lose their data, but for the companies responsible for it.

So how does all this data get breached?

Surely, it was some sinister character in a hoodie with extensive knowledge of computers, right? As it turns out, many of the data breaches came from misconfigured databases and Amazon S3 buckets that were left wide open for anyone who knows where to look. S3 is easy to use, which is great for security-conscious developers. However, it also makes it easy for someone who doesn’t understand security to toss some data into the cloud (so that it’s publicly viewable) and forget about it. As noted by Troy Hunt, the security researcher who runs HIBP, one company was breached because it stored personal data from IoT devices in MongoDB and Amazon S3 buckets with no credentials. It’s not just small, unorganized companies that make these mistakes either. Big corporations are losing track of their configurations, too.

Proper training is a good way to help with these problems, but it’s not always enough. Fortunately, a cloud access security broker (CASB) can help keep S3 and other cloud data secure by encrypting the data at rest. That way, even if data can be accessed by unauthorized parties, it is still unreadable and protected. A CASB can also provide auditing and analytics tools to help detect suspicious activity so that data breaches can be detected early as well as prevented from happening in the first place.

EU GDPR vs US: What Is Personal Data?

By Rich Campagna, Chief Marketing Officer, Bitglass

May 25, 2018—GDPR enforcement day—has come and gone with little fanfare (and about 6 quadrillion privacy policy updates), but that doesn’t mean we all know what to do to get into compliance. In fact, some measures put only one third of organizations in compliance as of the deadline, and the linked article refers to UK organizations—what about US organizations that are only now catching on to the fact that they probably need to be GDPR compliant? We thought that contrasting GDPR with typical US regulations and definitions would be helpful.

It’s personal. Or, is it?

First topic, what constitutes personal data?

In the US, when we hear “personal data,” that usually equates to Personally Identifiable Information (PII). PII, according to the CIO of the US Navy, is “information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, including any other personal information which is linked or linkable to a specified individual.” This has become an important enough topic that NIST has created a list of specific fields that constitute PII.

GDPR: It’s more than PII

How does this differ from how personal data is defined in GDPR?

Well, according to the GDPR, personal data means “any information relating to an identified or identifiable natural person.”

Side note: In GDPR, “natural persons” are typically referred to as, “data subjects,” which is the least personal and least natural possible way to describe natural persons that I can think of, but I digress…

GDPR clarifies that “identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

In other words, personal information includes the US definition of PII, but goes much further. In addition to PII, personal information can include IP address (yes, even dynamic IPs with user behind a router doing NAT/PAT), sexual preference, medical prescriptions, occupation, eye color, shoe size and puzzling fandom of the band Survivor.

That’s lesson #1 – personal data, as defined by GDPR, goes far further than the typical US definition of PII.

More to come in future posts…

What Is a CASB?

By Dylan Press, Director of Marketing, Avanan

Email is the #1 attack vector. Cloud Account Takeover is the #1 attack target.
A CASB is the best way to protect against these threats.

Gartner first defined the term Cloud Access Security Broker (CASB) in 2011, when most IT applications were hosted in the data center and few companies trusted the cloud. Most online services were primarily aimed at the consumer. At the time, CASB products were designed to provide visibility for so-called Shadow IT and limit employee access to unauthorized cloud services.

Today, organizations have embraced the cloud, replacing many of their datacenter applications with Software as a Service (SaaS) or moving much of their IT into infrastructure (IaaS) providers like Amazon or Azure. Instead of limiting access, CASBs have evolved to protect cloud-hosted data and provide enterprise-class security controls so that organizations can incorporate SaaS and IaaS into their existing security architecture.

CASBs provide four primary security services: Visibility, Data Security, Threat Protection, and Compliance. When comparing CASB solutions you should first make sure that they meet your needs in each of these categories.

Visibility

A CASB identifies all the cloud services (both sanctioned and unsanctioned) used by an organization’s employees. Originally, this only included the services they would use directly from their computer or mobile device, often called “Shadow IT”. Today, it is possible for an employee to connect an unsanctioned SaaS directly to an approved SaaS via API. This “Shadow SaaS” requires more advanced visibility tools.

Shadow IT Monitoring: Your CASB must connect to your cloud to monitor all outbound traffic for unapproved SaaS applications and capture real-time web activity. Since nearly all SaaS applications send your users email notifications, your CASB should also scan every inbox for rogue SaaS communication to identify unapproved accounts on approved cloud services.

Shadow SaaS Monitoring: Your CASB must connect to your approved SaaS and IaaS providers to monitor third-party SaaS applications that users might connect to their account. It should identify both the service as well as the level of access the user has provided.

Risk Reporting: A CASB should assess the risk level for each Shadow IT/Shadow SaaS connection, including the level of access each service might request (e.g. read-only access to a calendar might be appropriate, read-write access to email might not). This allows you to make informed decisions and prioritize the applications that need immediate attention.

Event Monitoring: Your CASB should provide information about real-time and historical events in all of your organization’s SaaS applications. If you do not know how the applications are being used, you cannot properly control them or properly assess the threats facing your organization.

Data Security

A CASB enforces data-centric security policies by offering granular access controls or encryption. It incorporates role-based policy tools, data classification and loss prevention technologies to monitor user activity and audit, block or limit access. Once, these were stand-alone systems. Today it is vital that they are integrated into the organization’s data policy architecture.

Data Classification: Your CASB should identify personally identifiable information (PII) and other confidential text within every file, email or message. Taking this further, it should be capable of applying policies to control how that sensitive information can be shared.

Data-Centric Access Management: Your CASB should allow you to manage file permissions based upon the user’s role and the type of data the file contains using cloud-aware enforcement options that work within the context of the cloud service.

Policy-based Encryption: Your CASB should be able to encrypt sensitive information across all your cloud services to ensure data security, even after files leave the cloud.

Threat Protection

A CASB protects cloud services from unwanted users or applications. This might include real time malware detection, file sandboxing or behavior analytics and anomaly detection. New threats require new protections, so the list should include anti-phishing, account-takeover detection and predictive (A.I.) malware technologies.

Anti-phishing Protection: Phishing attacks are the #1 source of data breaches every year, but few CASBs offer phishing protection for cloud-based email. For a technology that is protecting your cloud environment, anti-phishing is a must. It has been proven over and over again that your email provider is not a viable solution to the phishing problem.

Account Takeover Protection: Your CASB should monitor every user event (not just logins) to identify anomalous behavior, permission violations, or configuration changes that indicate a compromised account.

URL Filtering: Your CASB should check every email, file, and chat message for malicious links.

Real Time Malware Detection: Your CASB should scan every email and file for active code and malicious content before it reaches the inbox.

Advanced Threat Sandboxing: Your CASB should test suspicious files in an emulation environment to detect and stop zero-day threats.

Compliance

Regulated organizations require auditing and reporting tools to demonstrate data compliance, and a CASB should provide all the necessary auditing and reporting tools. More advanced solutions offer policy controls and remediation workflows that enforce regulatory compliance in real time for every industry, from GDPR and SOX to PCI and HIPAA.

SIEM Integration: Your CASB should collect and correlate user, file and configuration events from each cloud application installed in your organization’s environment and make them visible through your organization’s existing reporting infrastructure.

Auditing: Your CASB should have access to historical event data for retrospective compliance auditing as well as real-time reporting.

Enforcement: Your CASB should be able to move and encrypt files, change permissions, filter messages or use any number of cloud-native tools to ensure compliance through automated policies.

Email Security from Your CASB

As you may have noticed, across all the CASB criteria, email security is a major component. Can this really be that important? After all, so few CASBs include email security.

No matter the motivation, email continues to be the most common vector for enterprise breaches. Phishing and pretexting represented 98% of social incidents and 93% of breaches last year. Protection for the cloud must include protection for cloud-based email. Without cloud-based email security, a CASB is not truly providing full cloud security and is just acting as a simple Shadow IT tool.

Conclusion

While a solution doesn’t need to have every feature mentioned in this blog post in order to sell itself as a CASB, these are the criteria that separate the CASBs that are complete security solutions from those that will need to be paired with additional security tools. If you want a CASB to act as your full security suite, protecting your organization from cloud-borne threats, then this will serve as a useful checklist.

Microsoft Workplace Join Part 1: The Security Timebomb

By Chris Higgins, Technical Support Engineer, Bitglass

It’s no secret that enterprise users wish to access work data and applications from a mix of both corporate and personal devices. In order to help facilitate this mix of devices, Microsoft has introduced a new feature called Workplace Join into Azure Active Directory, Microsoft’s cloud-based directory and identity service. While the intent of streamlining user access to work-related data is helpful, the delivery of this feature has resulted in a large security gap—one that can’t easily be disabled. This is another example of an app vendor optimizing for user experience ahead of appropriate controls and protections—demonstrating the basis for the cloud app shared responsibility model and the need for third-party security solutions like cloud access security brokers (CASBs).

According to Microsoft, “…by using Workplace Join, information workers can join their personal devices with their company’s workplace computers to access company resources and services. When you join your personal device to your workplace, it becomes a known device and provides seamless second factor authentication and Single Sign-On to workplace resources and applications.”

How does it work?

When a user links their Windows machine to “Access Work or School,” the machine is registered in Azure AD, and a master OAuth token is created for use between all Microsoft client applications as well as Edge/I.E. browsers. Subsequent login attempts to any Office resource will cause the application to gather an access token and log in the user without ever prompting for credentials. The ideology behind this process is that logging in to Windows is enough to identify a user and give them unrestricted access to all Office 365 resources.

In plain language, this means that once you log in to Office 365 from any device (Grandma’s PC, hotel kiosks, etc.), you, and anyone accessing that device, are logged in to Office 365 automatically moving forward.

Why is this such a big security issue?

Workplace Join undoes all of your organization’s hard work establishing strong identity processes and procedures—all so that an employee can access corporate data from Grandma’s PC (without entering credentials). Since Grandma only has three grandkids and one cat, it likely won’t take a sophisticated robot to guess her password—exposing corporate data to anyone who accesses her machine. Making matters worse, user accounts on Windows 10 don’t even require passwords, making it even easier for data to be exfiltrated from such unmanaged devices.

Workplace Join is enabled by default for all O365 tenants. Want to turn it off? You’ll have to wait for the next blog post to sort that out.

In the meantime, download the Definitive Guide to CASBs to learn how cloud access security brokers can help secure your sensitive data.

Cloud Security Trailing Cloud App Adoption in 2018

By Jacob Serpa, Product Marketing Manager, Bitglass

In recent years, the cloud has attracted countless organizations with its promises of increased productivity, improved collaboration, and decreased IT overhead. As more and more companies migrate, more and more cloud-based tools arise.

In its fourth cloud adoption report, Bitglass reveals the state of cloud in 2018. Unsurprisingly, organizations are adopting more cloud-based solutions than ever before. However, their use of key cloud security tools is lacking. Read on to learn more.

The Single Sign-On Problem

Single sign-on (SSO) is a basic, but critical security tool that authenticates users across cloud applications by requiring them to sign in to a single portal. Unfortunately, a mere 25 percent of organizations are using an SSO solution today. When compared to the 81 percent of companies that are using the cloud, it becomes readily apparent that there is a disparity between cloud usage and cloud security usage. This is a big problem.

The Threat of Data Leakage

While using the cloud is not inherently more risky than the traditional method of conducting business, it does lead to different threats that must be addressed in appropriate fashions. As adoption of cloud-based tools continues to grow, organizations must deploy cloud-first security solutions in order to defend against modern-day threats. While SSO is one such tool that is currently underutilized, other relevant security capabilities include shadow IT discovery, data loss prevention (DLP), contextual access control, cloud encryption, malware detection, and more. Failure to use these tools can prove fatal to any enterprise in the cloud.

Microsoft Office 365 vs. Google’s G Suite

Office 365 and G Suite are the leading cloud productivity suites. They each offer a variety of tools that can help organizations improve their operations. Since Bitglass’ 2016 report, Office 365 has been deployed more frequently than G Suite. Interestingly, this year, O365 has extended its lead considerably. While roughly 56 percent of organizations now use Microsoft’s offering, about 25 percent are using Google’s. The fact that Office 365 has achieved more than two times as many deployments as G Suite highlights Microsoft’s success in positioning its product as the solution of choice for the enterprise.

The Rise of AWS

Through infrastructure as a service (IaaS), organizations are able to avoid making massive investments in IT infrastructure. Instead, they can leverage IaaS providers like Microsoft, Amazon, and Google in order to achieve low-cost, scalable infrastructure. In this year’s cloud adoption report, every analyzed industry exhibited adoption of Amazon Web Services (AWS), the leading IaaS solution. While the technology vertical led the way at 21.5 percent adoption, 13.8 percent of all organizations were shown to use AWS.

To gain more information about the state of cloud in 2018, download Bitglass’ report, Cloud Adoption: 2018 War.

Bitglass Security Spotlight: Twitter, PyRoMine, & Stresspaint

By Jacob Serpa, Product Marketing Manager, Bitglass

Here are the top cybersecurity stories of recent weeks:

  • Twitter exposes user credentials in plaintext
  • PyRoMine mines Monero and disables security
  • Stresspaint malware hunts Facebook credentials
  • MassMiner malware mines cryptocurrency
  • Access Group Education Lending breached

Twitter exposes user credentials in plaintext

Despite the fact that Twitter doesn’t store or display users’ credentials in plaintext, the social media company recently had a security mishap. Passwords were stored in internal logs before they were successfully obfuscated, exposing them to employees in plaintext. While the information wasn’t made viewable to outside parties, it’s still a cause for concern for Twitter’s users.

PyRoMine mines Monero and disables security

New malware, PyRoMine, leverages a host of previously disparate capabilities featured in other strains of malware. For example, it uses NSA exploits while mining Monero, a cryptocurrency. Malware is continuing to grow more sophisticated, compelling organizations to adopt advanced anti-malware solutions.

Stresspaint malware hunts Facebook credentials

Disguised as a stress-relieving paint program, Stresspaint is a piece of malware that is attacking users in an attempt to gather their Facebook credentials. In particular, the malware is targeting influential users – those who manage Facebook pages or have numerous friends and followers. It is primarily distributed through emails and messages on Facebook.

MassMiner malware mines cryptocurrency

MassMiner is the latest in a slew of malware strains that engage in malicious cryptomining. This threat seeks to take advantage of known vulnerabilities in order to commandeer web servers and mine Monero – which continues to be a common target in malicious cryptomining.

Access Group Education Lending breached

Unfortunately for those who have used the organization’s services for their student loans, Access Group Education Lending has been breached. Nearly 17,000 borrowers had their information exposed when a loan processing vendor working for the group shared their information with an unauthorized, unknown company.

Fortunately for the enterprise, cloud access security brokers (CASBs) can defend against zero-day malware and countless other threats. To learn more, download the Zero-Day Solution Brief.

How ChromeOS Dramatically Simplifies Enterprise Security

By Rich Campagna, Chief Marketing Officer, Bitglass

Google’s Chromebooks have enjoyed significant adoption in education, but have seen very little interest in the enterprise until recently. According to Gartner’s Peter Firstbrook in Securing Chromebooks in the Enterprise (6 March 2018), a survey of more than 700 respondents showed that nearly half of organizations will definitely purchase or probably will purchase Chromebooks by EOY 2017. And Google has started developing an impressive list of case studies, including Whirlpool, Netflix, Pinterest, the Better Business Bureau, and more.

And why wouldn’t this trend continue? As the enterprise adopts cloud en masse, more and more applications are available anywhere through a browser – obviating the need for a full OS running legacy applications. Additionally, Chromebooks can represent a large cost savings – not only in terms of a lower up-front cost of hardware, but lower ongoing maintenance and helpdesk costs as well.

With this shift comes a very different approach to security. Since Chrome OS is hardened and locked down, the need to secure the endpoint diminishes, potentially saving a lot of time and money. At the same time, the primary storage mechanism shifts from the device to the cloud, meaning that the need to secure data in cloud applications, like G Suite, with a Cloud Access Security Broker (CASB) becomes paramount. Fortunately, the CASB market has matured substantially in recent years, and is now widely viewed as “ready for primetime.”

Overall, the outlook for Chromebooks in the enterprise is positive, with a very real possibility of dramatically simplifying security. Now, instead of patching and protecting thousands of laptops, the focus shifts toward protecting data in a relatively small number of cloud applications. Quite the improvement!