CLOUD ACCESS SECURITY BROKER (CASB): A PATTERN FOR SECURE ACCESS TO CLOUD SERVICES
ASWINI DEVI UMASHANKAR
CAMPBELLSVILLE UNIVERSITY
Introduction
Cloud services have been a trend for some years now and in recent years have been adopted by many organizations, small businesses and global enterprises alike. Organizations move to the cloud because the variety of services it offers benefits them and their customers. As cloud services have grown, technologies that address their security issues and protect the data held in the cloud at different levels have become a primary concern. Cyber security technology is a broad field; some of the technologies enterprises have implemented or are currently implementing are CASB (Cloud Access Security Broker), Endpoint Detection and Response, next-generation endpoint security, threat intelligence analysis, orchestration, IoT security and many more. The security technology chosen for discussion in this paper is CASB, which mitigates the vulnerabilities introduced by cloud services. In particular I would like to point out the importance of cloud backup and storage and how it must be secured and protected. This becomes a challenge for enterprises: governance must cover both internal resources and external (cloud) resources, as well as the data traffic flowing from external to internal and vice versa. In this paper I discuss the CASB, a product bought by many enterprises that consume cloud services and applications, in order to secure the services and applications they borrow from third parties via the cloud. I also cover the implementation, challenges and dependencies involved in setting up a secure framework.
SaaS – SOFTWARE AS A SERVICE
Cloud services fall into different categories: IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service). The Software as a Service (SaaS) era is here. SaaS, as the name suggests, uses the internet to deliver applications to its users; the applications are managed by a third-party vendor. The advantage of SaaS is that these applications run in the browser and need not be downloaded or installed on the user's side. SaaS helps IT teams work more efficiently: it takes the workload of maintaining and operating the respective applications off their hands, so that resources can be devoted to the betterment of the company. Experts say that SaaS and other cloud-based revenue has increased tremendously and will continue to do so in the coming years. Some examples of SaaS are Google Apps, Dropbox, Cisco WebEx, Concur and GoToMeeting. This is where security becomes important: third-party vendors are involved, so uploading your data to the cloud must be done securely and the data must be kept isolated. Since enterprises have come to rely on web-based resources and hosted cloud solutions for infrastructure, applications and services, this adoption creates a need for security strategies and solutions tailored exclusively to the cloud. Securing the cloud does not follow the same standards as securing non-virtualized services or systems on premises; it is more involved, more customized and has many more dependencies to satisfy. Securing data in a virtual environment is on a whole different level.
CATEGORIES INVOLVED IN SECURING CLOUD APPLICATIONS
Data management, risk management and security in the cloud are the three main characteristics that define the approach to protecting cloud services and the data used in them. Based on those three characteristics, cloud application security can be categorized as follows.
Anywhere, anytime, any-device access: With cloud services, a user who has the login credentials (username and password) for an application can gain access regardless of the network used or whether the device is managed or unmanaged. In the traditional approach the user had to come in over the VPN from a managed device, in addition to presenting a username and password, and sometimes further barriers. The practical consequence is that the network and the device no longer act as implicit access controls; any policy that used to depend on them has to be re-expressed at the point of access to the application.
User-defined usage: As the name suggests, here the user defines how data in cloud applications such as Google Apps or Dropbox is stored and shared. This is the first time users handle the data themselves and are responsible for its security. Often these users have no idea that their actions (for example, sharing a file by an open link) can lead to risk and damage, mostly because they have very little background in security.
Unique data-sharing capabilities: Many companies store their data in the cloud for backup, which is another good example of cloud-based SaaS. Because the cloud offers a variety of services, there are many ways in which this data can be stored and retrieved. For example, a company may keep confidential and sensitive corporate information in a SaaS application in the form of chat posts and shared files, documents, attachments, knowledge base articles and numeric data in spreadsheets, each of which can be shared through a different path.
DATA SECURITY ON CLOUD NEEDS A DIFFERENT APPROACH
One should understand that cloud applications fall under the shared responsibility model. An enterprise may have outsourced day-to-day operations and maintenance to the cloud administrators, i.e. the third-party vendors, as discussed earlier, but that does not mean it gives up accountability and liability for its data in those applications. By way of analogy, compare enterprise data in the cloud (with a third party involved) to a public parking garage: the garage will do its best to keep the premises safe and secure, may install security cameras, post guards outside and even issue a digital token for every car parked, but it is indemnified when it comes to valuables stolen from inside the car. We know that solutions such as firewalls and intrusion prevention systems provide visibility on premises; the same solutions have proved not to provide the same quality of visibility for SaaS applications, because they do not understand the nuances and intricacy of cloud applications and their data transactions (a firewall sees an encrypted HTTPS session to a sanctioned provider, not which tenant, user or file is involved). I do not mean to say that cloud infrastructures have no security framework at all; they certainly have a strong security foundation. But depending on the enterprise and its services, the customer and device categories and how the customer intends to use the data, all of which are discussed further below, cloud applications require special attention for better protection of sensitive information.
CASB – CLOUD ACCESS SECURITY BROKER
A CASB is a software product that developed over the last decade to organize, secure and manage cloud applications and the data involved with them. Consumers (users) request services through the broker, which in turn obtains them from one of the service providers. The broker includes a set of security mechanisms such as a security logger/auditor, an authorizer, an authenticator, an encryption component and possibly others. Consumers and CASBs can be mutually authenticated. The CASB enforces the consumers' rights when they try to access an application. Internal resources (applications) can also be controlled by the CASB. An identity federation provides identifiers across consumers and cloud administrators. According to [Mul14], there are already about 14 vendors of this type of product. Access to company resources may come from portable devices such as smartphones, tablets and laptops, and there is also a need to grant some users temporary access to cloud applications [McV13]; all this variety can be conveniently handled by CASBs. Sitting between the customers and the service providers, the CASB acts as a gateway that provides secure access, authentication and authorization controls, intrusion prevention, anti-malware filters, encryption, security logging and auditing. The CASB also covers the internal resources of the service providers. Let me give an example of how the security controls discussed are important to running a cloud-based application. Skyscanner is a travel company whose website offers flight, hotel and car rental information for different locations. Skyscanner used travel software to manage customer profiles, account information, credit card information and much more confidential information such as date of birth, gender and travel history.
Since they did not adopt a CASB or any other cloud security control service to govern that software, there was a data leak: a great deal of confidential information, including credit card details and PINs (which should never be stored at all under PCI DSS), along with many other profile details, was exposed, causing losses to the company. The existing solutions they were already using as part of their security, firewalls and intrusion detection systems, did not understand the nuances and intricacy of the software, how it was used and what needed to be visible; that is the reason for the data leak. They later installed a CASB-like cloud security service and have not faced a major security breach since. It is the enterprise's responsibility to protect its assets. If an enterprise decides to take up cloud services, it needs to assess carefully what type of services it is adopting, what the relationship is between its resources and the cloud services and between the application and the customer, and to specifically define the security gateways for each category.
CHALLENGES FACED BY ENTERPRISES TO SECURE CLOUD
It is not easy to secure a cloud-based application, its services or the data involved. One must keep in mind the dependencies of each service and its consumer relationships. Some of the dependencies I would like to point out are the following.
Policy-based services: some consumers must apply security policies to the services to restrict access to sensitive information by lower-level employees and by customers.
Transparency: whether an item is secure must be visible to both employees and customers. A second form, security transparency, means the security services themselves must be visible to the customer or employee who needs to gain access, view content or use a service.
Discovery: closely related to transparency; customers must be able to see which services are available, which they are eligible or qualified for, and which services they need for a given type of request.
Data encryption: a major dependency. Cloud administrators have their own encryption keys for their applications, but employees and customers prefer to use their own keys, which is a major challenge for cloud security, since each customer has to be provided with its own key and every use of it has to be authenticated, at large scale.
Access unification: the application should not have to deal with many types of credentials and protocols.
Heterogeneity: customers use any device, including smart devices, to access applications and services, so the cloud must be accessible from many kinds of device software and operating systems.
Compliance: a positive dependency; the customer must agree to certain compliance requirements before using some services.
Malware detection: some applications in the cloud may have been affected by malware, and customers who must use them have to be alerted by some intrusion detection scheme.
Logging: events need to be captured and audited, and retained as a backup from which statistics and facts can be verified.
We have discussed about ten dependencies that pose a challenge to pursuing a standardized security framework; customization is therefore required, but customization may interfere with service functionality and disturb customers, and the result can be a chaotic cloud application security system. To overcome this, a CASB offers a solution for each of the dependencies above.
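The data encryption dependency above (customers wanting their own key rather than the provider's) is commonly met by having the broker tokenize or encrypt sensitive fields before a record ever reaches the SaaS provider. The following is an added example written for this page, not code from the paper or from any CASB vendor: a small tokenization vault held on the broker side. On the way out each sensitive field is replaced by a random token; the provider stores only tokens, and the broker restores the values for authorized readers on the way back. The tenant key, the field names and the sample travel profile are constructed for the illustration.

```python
"""Added example (not code from the paper or from any vendor): a CASB-side
tokenization vault.  Outbound records have sensitive fields replaced with
random tokens; inbound records have them restored.  The tenant key, field
names and the sample record are constructed."""

import hashlib
import hmac
import json
import secrets
from typing import Dict, Iterable


class TokenVault:
    def __init__(self, tenant_key: bytes, sensitive_fields: Iterable[str]):
        self._key = tenant_key                        # held by the tenant, never by the provider
        self._fields = set(sensitive_fields)
        self._token_by_index: Dict[str, str] = {}     # HMAC(value) -> token
        self._value_by_token: Dict[str, str] = {}     # token -> plaintext

    def _index(self, value: str) -> str:
        # Keyed hash so the same value always maps to the same token without
        # the vault keeping a plaintext-keyed lookup table.
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize_value(self, value: str) -> str:
        idx = self._index(value)
        token = self._token_by_index.get(idx)
        if token is None:
            token = "tok_" + secrets.token_hex(16)    # random: no relation to the value
            self._token_by_index[idx] = token
            self._value_by_token[token] = value
        return token

    def detokenize_value(self, token: str) -> str:
        return self._value_by_token[token]            # unknown token raises KeyError: fail closed

    def outbound(self, record: Dict[str, str]) -> Dict[str, str]:
        """Record as it is forwarded to the SaaS provider."""
        return {k: (self.tokenize_value(v) if k in self._fields else v)
                for k, v in record.items()}

    def inbound(self, record: Dict[str, str]) -> Dict[str, str]:
        """Record as returned to an authorized consumer."""
        return {k: (self.detokenize_value(v) if k in self._fields else v)
                for k, v in record.items()}


def leaks_plaintext(stored: Dict[str, str], plaintexts: Iterable[str]) -> bool:
    """Check the broker makes before forwarding: does the provider-bound
    record still contain any of the plaintext values anywhere?"""
    blob = json.dumps(stored)
    return any(p in blob for p in plaintexts)


# Constructed sample: a booking profile of the kind the paper describes.
SENSITIVE = ("card_number", "date_of_birth")
PROFILE = {
    "name": "A. Traveller",
    "card_number": "4111111111111111",
    "date_of_birth": "1990-01-01",
    "destination": "LHR",
}

if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32), SENSITIVE)
    to_provider = vault.outbound(PROFILE)
    print("stored at provider:", to_provider)
    print("leaks plaintext?", leaks_plaintext(to_provider, [PROFILE[f] for f in SENSITIVE]))
    print("restored:", vault.inbound(to_provider))
```

Two trade-offs follow directly from the design. Tokens carry no information about the value, so the provider cannot search, sort or validate on tokenized fields; the broker has to answer those queries itself. And the vault becomes the new crown jewel: if its mapping is lost the provider's copy of the data is unrecoverable, so the vault needs its own access control, availability and backup, which ties back to the paper's emphasis on secure cloud backup.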
SOLUTION OF CASB TO THE POSED CHALLENGES
The security challenges posed by cloud services can be overcome with an intermediary system, the Cloud Access Security Broker (CASB). It provides security controls such as authentication and authorization, which validate the customers' use of the services, and access controls such as malware detection. The other dependencies mentioned, such as compliance, identity, discovery, access unification, transparency and security transparency, are also handled by the CASB. How? Imagine you have deployed a CASB and try to access a service or application in the cloud: the request is first sent to and processed by the CASB. True to the "broker" in its name, the CASB is the component that applies all the configured security policy mechanisms (compliance, identity, transparency and so on) and then connects the consumer to an application or service that is safe and unaffected. In an enterprise, employees can access cloud services and internal applications only via the CASB, for security reasons. The CASB enforces institutional policies on every access and protects against malware. In other words, the CASB is an enhanced Reference Monitor [Fer13]: every access is mediated by it, it cannot be bypassed, and its decisions are logged, which is what makes a single point of policy enforcement workable. Implementation techniques that address the vulnerabilities mentioned above can be identified on this basis.
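The following is an added example written for this page, not code from the paper or from any CASB product, showing the reference-monitor behaviour just described in working form: a minimal policy enforcement point through which every consumer request to a cloud application passes. It authenticates, authorizes, applies the managed/unmanaged device distinction from the "anywhere, any device" category above, blocks external sharing from sensitive applications, screens uploads against a malware blocklist and writes an audit record for every decision. The identity directory, device inventory, application classification, blocklist entry and sample requests are all constructed for the illustration.

```python
"""Added example (not code from the paper or from any CASB product): a minimal
CASB-style policy enforcement point.  Every request goes through
Broker.handle(); the first failing policy denies (fail closed) and every
decision is audited.  Directory, devices, blocklist and requests are constructed."""

from dataclasses import dataclass
from typing import Callable, List, Optional
import hashlib
import json

USERS = {                                    # constructed identity directory
    "alice": {"roles": {"finance"}},
    "bob": {"roles": {"intern"}},
}
MANAGED_DEVICES = {"LAPTOP-0042"}            # assumed managed-device inventory
SENSITIVE_APPS = {"payroll", "crm"}          # apps whose data is classed sensitive
KNOWN_MALWARE_SHA256 = {                     # constructed blocklist: hash of a dummy sample
    hashlib.sha256(b"EVIL-SAMPLE").hexdigest(),
}


@dataclass
class Request:
    user: str
    password_ok: bool          # result of the primary credential check
    mfa_ok: bool               # result of the second factor
    device_id: str
    app: str
    action: str                # "view" | "download" | "upload" | "share_external"
    payload: bytes = b""       # body for uploads


@dataclass
class Decision:
    allowed: bool
    reason: str


Policy = Callable[[Request], Optional[str]]   # returns a denial reason, or None to pass


def authenticate(req: Request) -> Optional[str]:
    if req.user not in USERS or not req.password_ok:
        return "authentication failed"
    return None


def require_mfa_for_sensitive(req: Request) -> Optional[str]:
    if req.app in SENSITIVE_APPS and not req.mfa_ok:
        return "MFA required for sensitive application"
    return None


def authorize(req: Request) -> Optional[str]:
    if req.app == "payroll" and "finance" not in USERS[req.user]["roles"]:
        return "role not entitled to payroll"
    return None


def managed_device_for_download(req: Request) -> Optional[str]:
    # Any device may view; bulk export of sensitive data needs a managed device.
    if (req.action == "download" and req.app in SENSITIVE_APPS
            and req.device_id not in MANAGED_DEVICES):
        return "download from sensitive app blocked on unmanaged device"
    return None


def block_external_sharing(req: Request) -> Optional[str]:
    if req.action == "share_external" and req.app in SENSITIVE_APPS:
        return "external sharing from sensitive app is prohibited"
    return None


def malware_filter(req: Request) -> Optional[str]:
    if (req.action == "upload"
            and hashlib.sha256(req.payload).hexdigest() in KNOWN_MALWARE_SHA256):
        return "upload matches known-malware hash"
    return None


# Order matters: authenticate runs before anything that indexes USERS[req.user].
POLICIES: List[Policy] = [
    authenticate, require_mfa_for_sensitive, authorize,
    managed_device_for_download, block_external_sharing, malware_filter,
]


class Broker:
    def __init__(self, policies: List[Policy]):
        self.policies = policies
        self.audit_log: List[str] = []     # JSON lines; a real broker ships these to a SIEM

    def _audit(self, req: Request, allowed: bool, reason: str) -> None:
        self.audit_log.append(json.dumps({
            "user": req.user, "device": req.device_id, "app": req.app,
            "action": req.action, "allowed": allowed, "reason": reason}))

    def handle(self, req: Request) -> Decision:
        for policy in self.policies:
            reason = policy(req)
            if reason is not None:
                self._audit(req, False, reason)
                return Decision(False, reason)
        self._audit(req, True, "all policies passed")
        return Decision(True, "forwarded to provider")


def demo() -> Broker:
    """Runs four constructed requests through the broker and returns it."""
    broker = Broker(POLICIES)
    broker.handle(Request("alice", True, True, "LAPTOP-0042", "payroll", "download"))
    broker.handle(Request("bob", True, False, "PHONE-7", "payroll", "view"))
    broker.handle(Request("alice", True, True, "PHONE-7", "payroll", "download"))
    broker.handle(Request("alice", True, True, "LAPTOP-0042", "crm", "upload", b"EVIL-SAMPLE"))
    return broker


if __name__ == "__main__":
    for line in demo().audit_log:
        print(line)
```

The point of the structure is that policies are small, ordered and independent, so a new dependency (a compliance acknowledgement, a temporary-access window for a contractor) is one more function in the list rather than a change to the broker, and the audit trail records the reason for every denial so that a user who is blocked can be told why, which is the transparency dependency in practice.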
ADVANTAGES
DISADVANTAGES
SUMMARY
REFERENCES
Fernández, E. B., Yoshioka, N., & Washizaki, H. (2015). Cloud Access Security Broker (CASB): A pattern for accessing secure cloud services.
Wani, A., & Lone, Z. (2017). A survey of security issues and attacks in cloud and their possible defenses.
Amoud, M., & Roudies, O. (2016). A systematic review of security in cloud computing. Vol. 427, pp. 69-81. doi:10.1007/978-3-319-29504-6_8
[McV13] L. McVittie, "The mounting case for cloud access brokers", Virtualization Journal, Feb. 8, 2013.
[Mul14] R. Mullins, "Cloud security brokers play a key role", 07/11/2014. (NEED TO INSERT LINK)
[Fer13] E. B. Fernandez, "Security Patterns in Practice: Building Secure Architectures Using Software Patterns", Wiley Series in Software Design Patterns, 2013.
S. P. Badhel et al., "A review of data backup techniques on cloud services", International Journal of Computer Science and Mobile Computing, vol. 3, no. 12, Dec. 2014, pp. 538-542.
http://www.hp.com/hpinfo/newsroom/press_kits/2015/RSA2015/TheCaseForaCloudAccessSecurityBrokerAPR2015_4AA5-8064ENW.pdf
https://www.ciosummits.com/Online_Asset_Bitglass_White_Paper_-_The_Definitive_Guide_to_Cloud_Access_Security_Brokers.pdf