With the rapid proliferation of rogue cloud applications, it has become necessary to implement new tools to protect corporate data in the cloud. The main focus is now on Shadow IT: the growing need for flexibility has put many employee activities off the IT security department's radar. Employees in organizations use cloud-based apps that mostly fall under Software-as-a-Service (SaaS), and securing them is what SaaS security is about.
In any organization there are applications such as Microsoft Office 365 and Google Docs that are sanctioned by the IT department after due identification, consultation and procurement. Then there are unsanctioned apps that are nevertheless tolerated, typically used for communication, such as Skype and Yahoo IM. Finally, there are the unsanctioned apps that pose a serious risk. These are downloaded by other departments without the consent of the IT department. Employees may use them to boost their productivity at the office, unaware of the security threats they pose. In most cases these apps have very weak passwords, or authentication is simply non-existent. The best approach to SaaS security is to explain the security risks to the people concerned and to identify alternative apps that are equally effective but more secure.
When an organization cannot restrict access to users connected through a Virtual Private Network (VPN), employees can end up accessing sensitive information from public PCs or over unsafe Wi-Fi networks. It is the organization's job to identify such risky networks and deploy a Single Sign-On (SSO) solution to protect its corporate data. Data considered high risk includes HR records, customer data, health data, financial data and critical business information. Even the DNS, content delivery networks, data center management portals and phone systems that provide critical services to the business need to be protected from unauthorized access.
The single most effective approach to gaining control is to use the security services provided by Cloud Access Security Brokers (CASBs). CASBs mediate data between these SaaS applications and the end user, restricting access and reporting any risky behavior. A CASB either requires a client to be installed on each device or relies on a device on the network that acts as a proxy between the SaaS app and the user. This allows it to intercept the traffic and take appropriate action. A simple example is a user who needs to store a sensitive identifier such as a social security number. The proxy or client identifies this as a sensitive operation and can prevent the user from completing the store. Access denial is not foolproof, however: the CASB is out of the loop when the employee logs in from any machine that does not have the client installed.
The Application Program Interface (API) mode of a CASB solution does not require installing a client application or a proxy. Here, rules are set to identify users and a host of other parameters so that access can be restricted and controlled. The CASB might, for instance, email the user to say that a document may not be suitable for sharing outside the organization. There are also APIs with real-time capabilities that alert the admin when unauthorized access occurs. The best approach to securing sensitive data in an organization is to use a combination of API, endpoint and proxy, depending on the situation. The security needs of organizations vary, and the needs of each department vary as well, so it is better to chalk out a plan and identify the areas where a CASB has to be deployed. The next step is to discuss your chosen CASB solution with your cloud security provider and draw up a customized plan using a combination of DLP techniques that fits the security requirements of your organization.
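The following is an added example, not code from the original article or from any CASB vendor. It models the two enforcement paths described above: an inline client/proxy that sees the request before the write and can block it, and an out-of-band API mode that only sees the data after it has landed in the SaaS app and can therefore only alert the admin and notify the user. The SSN detector, the sanctioned-app list, the event schema and all sample events are constructed for illustration and are assumptions rather than any real product's data model.

```python
"""
Added example (not from the original article): a minimal CASB-style DLP
policy evaluator. Inline mode (client/proxy on a managed device) can block
a sensitive store before it completes; API mode (unmanaged device, so the
inline path is bypassed) can only alert and notify. All names, events and
thresholds are constructed assumptions.
"""
import re
from dataclasses import dataclass, field

# U.S. SSN candidates look like AAA-GG-SSSS. The regex finds candidates;
# find_ssns() then drops structurally invalid ones (area 000, 666 or 9xx,
# group 00, serial 0000 are never issued) to cut false positives.
SSN_CANDIDATE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Hypothetical list of IT-sanctioned SaaS apps (constructed for the example).
SANCTIONED_APPS = {"office365", "gdocs"}


def find_ssns(text):
    """Return the structurally valid SSNs found in text."""
    hits = []
    for m in SSN_CANDIDATE.finditer(text):
        area, group, serial = m.groups()
        if area in ("000", "666") or area.startswith("9"):
            continue
        if group == "00" or serial == "0000":
            continue
        hits.append(m.group(0))
    return hits


def redact(text):
    """Mask all but the last four digits so an alert is triageable without re-exposing the SSN."""
    return SSN_CANDIDATE.sub(lambda m: "***-**-" + m.group(3), text)


@dataclass
class Event:
    user: str
    app: str
    action: str           # "store" or "share_external"
    content: str
    managed_device: bool  # True: the inline client/proxy sees this traffic


@dataclass
class Decision:
    outcome: str                   # "allow", "block" or "alert"
    reasons: list = field(default_factory=list)
    notify_user: bool = False


def evaluate(event):
    """Apply the DLP policy to one event and return a Decision."""
    ssns = find_ssns(event.content)
    reasons = []
    if event.app not in SANCTIONED_APPS:
        reasons.append(f"unsanctioned app: {event.app}")
    if ssns:
        reasons.append(f"{len(ssns)} SSN(s) detected, sample: {redact(ssns[0])}")
    if not reasons:
        return Decision("allow")
    if ssns and event.managed_device:
        # Inline path: the request is intercepted before the write, so it can be blocked.
        return Decision("block", reasons, notify_user=True)
    # API path (unmanaged device) or an unsanctioned-app finding with no sensitive
    # data: nothing stands in the traffic path, so the CASB can only raise an alert
    # and, for an external share of sensitive data, email the user.
    notify = event.action == "share_external" and bool(ssns)
    return Decision("alert", reasons, notify_user=notify)


def run_demo():
    """Evaluate a set of constructed events and return the decisions."""
    events = [
        Event("alice", "office365", "store", "Payroll: 123-45-6789 for Q3", True),
        Event("bob", "office365", "share_external", "SSN 078-05-1120 attached", False),
        Event("carol", "randomnotes", "store", "meeting notes", True),
        Event("dave", "gdocs", "store", "Order 000-12-3456 is a PO number", True),
        Event("erin", "gdocs", "store", "Ticket 666-00-0000", False),
    ]
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for d in run_demo():
        print(d.outcome, d.notify_user, "; ".join(d.reasons))
```

The point the demo makes is the caveat from the text: the same SSN that is blocked for alice on a managed device only produces an alert (and a user notification) for bob, because his unmanaged device never passed through the client or proxy. Covering both paths is why the combination of endpoint, proxy and API is recommended.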