
Upload: kyle-watson

Post on 16-Apr-2017


Page 1: 63 Requirements for CASB

136 Madison Ave New York, NY 10016

http://www.cedrusco.com

63 Requirements for CASB

The Cloud Access Security Broker (CASB) market is rounding the corner into the mainstream. Venture-backed startups are being acquired and big tech firms are positioning, while enterprises are taking a serious look at these solutions. However, since these solutions are so new, there is a lack of understanding of how to create requirements in order to evaluate them. There are still many people who are not clear on where CASBs fit in an overall Information Security strategy. It’s my goal to provide some background on the topic from a business and technology perspective and provide a baseline for your requirements effort.

This paper is designed to provide you with some requirements that you can use as input for your “real” CASB requirements. This is meant to be thought-provoking, not a copy-and-paste exercise. Each requirement will give you ideas as to what may be most important in your organization. For example, where we have provided examples of integrations such as Security Information and Event Management (SIEM), you may want to be specific about your particular SIEM. For comments, questions, or more information please contact Kyle Watson at [email protected].

REQ # PRIORITY REQUIREMENT DESCRIPTION

Category: Visibility

FUNC-001 Identify cloud applications in use. The CASB must be able to detect and display "Shadow IT" by discovering a full range of known cloud applications in use, whether the CASB is configured in log-based discovery mode or active in-line proxy mode.

FUNC-002 Discover Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) based cloud apps. The CASB must be able to detect and display IaaS and PaaS services in use, whether the CASB is configured in log-based discovery mode or active in-line proxy mode.

FUNC-003 Identify the individual users of cloud apps. The CASB must be able to detect and display specific users of cloud applications preferably by name or alternatively by User ID.

FUNC-004 Identify the device for users of cloud apps. The CASB must be able to detect and display specific device and browser (when applicable) for users of cloud applications.

FUNC-005 Identify device type and integrity. The CASB must be able to detect and display the status and integrity of the devices being used, such as laptops or iPads.

FUNC-006 Identify location data for users of cloud services. The CASB must be able to detect and display locational information, geographic and IP, from which access is taking place.

FUNC-007 Identify data types being stored in cloud services. The CASB must be able to identify which data items (files, fields) are being stored in or used with the identified cloud services and highlight items of significant data risk.

[email protected] Page 1 of 7


Category: Data Loss Prevention (DLP)

FUNC-008 Provide advanced policy-driven DLP. The CASB must be able to provide a policy-driven approach to DLP. The DLP functionality should be mature enough to allow the CASB to inspect and protect critical data in hidden cells, columns, document comments, and metadata. The CASB DLP should also provide features such as fingerprinting, exact match, international support, dictionaries, and validation mechanisms such as Luhn tests for credit card numbers.

FUNC-009 Provide cloud DLP via API. The CASB must be able to provide near real-time data monitoring using the APIs provided by the cloud app, and apply alerting, encryption, or legal hold to items that meet policy violation criteria.

FUNC-010 Provide cloud DLP via in-line proxy. The CASB must be able to provide real-time data monitoring through a proxied connection between the user and the cloud app via the CASB, and apply blocking, alerting, encryption, or legal hold to items that meet policy violation criteria for any “trusted”, “untrusted”, or “not fully trusted” app.

FUNC-011 Provide data pattern recognition. The CASB must be able to recognize regulated data such as personally identifiable information (PII), protected health information (PHI), social security numbers, credit card numbers, customer numbers, etc.

FUNC-012 Provide HTTPS / secure transport inspection. The CASB must be able to inspect traffic sent via HTTPS in order to apply policy to the data in transit when operating as an in-line proxy.

FUNC-013 Provide encryption/tokenization of data in motion/at rest. The CASB must support flexible field-level encryption and/or tokenization of sensitive data when interacting with cloud apps, including cloud storage accessed through an API.

FUNC-014 Read / apply data classification tags. The CASB must be able to read identifying tags from native or third-party applications and incorporate them into policy decisions. This includes the ability to consume Digital Rights Management/Information Rights Management (DRM/IRM) data to prevent copying, printing, or other distribution of sensitive documents.

FUNC-015 Enable automated actions upon policy violation. When data protection policies are violated, the CASB must be able to perform an appropriate configured action, which may include encryption, alerts, logging, blocking the action, quarantining data until some external approval has taken place, or requiring step-up authentication.

FUNC-016 Manage Cloud DLP Policy. The CASB must be able to manage data loss prevention policies for cloud services and integrate with an existing Enterprise DLP for policy extraction and sharing. This is important to ensure consistency of data security policies from on-premises to cloud. The CASB should be capable of integrating by sending only suspected violations to the enterprise DLP.

FUNC-017 Provide flexible key management and key storage. The CASB must support flexible solutions for encryption key management, including customer-managed keys using either an on-premises solution or a cloud-based hardware security module (HSM) approach.


FUNC-018 Provide data residency controls. For data that must comply with geographical data residency regulations, or to keep data out of specific jurisdictions, the CASB must be aware of where data is stored and incorporate that location into policy decisions to support compliance. Data must not flow through jurisdictions that would be out of policy.

FUNC-019 Provide support for files that are locked or encrypted. The CASB must provide DLP capabilities when files being uploaded to the cloud are password protected, have DRM, or are in some other way already locked/encrypted.

FUNC-020 Integrate with Mobile Device Management (MDM). The CASB must integrate with the MDM software on a managed device and incorporate its data points into policy decisions. In addition, it must provide visibility into local data issues and lost-device wiping.

FUNC-021 Provide access control over unmanaged devices. The CASB must provide mechanisms to integrate with unmanaged BYOD devices and provide policy driven DLP as appropriate, even when no MDM software is present.

Category: Access Control

FUNC-022 Provide access control to categorized cloud services. The CASB must categorize and prioritize cloud services and apply access control policies based upon the level of trust. For example: "trusted" services that can be accessed by anyone; "untrusted" services that are blocked at all times; and "not fully trusted" services that need to be carefully monitored and audited while a decision is made on that particular cloud app.

FUNC-023 Integrate with Identity and Access Management (IAM) services. The CASB must integrate with existing corporate security infrastructure that supports user identity, whether internal or cloud based. This includes Single Sign-On (SSO) and federated identity management for user provisioning.

FUNC-024 Support for industry standard federation protocols. Where appropriate, the CASB should be configurable to work with industry standard federated authentication, authorization, and user provisioning technologies and protocols, including (but not limited to) SAML, ADFS, OAuth, and SCIM.

FUNC-025 Integrate with enterprise tools to provide step-up authentication based on policy. The CASB must provide the ability to require step-up authentication based on policy, in conjunction with enterprise solutions, which may be on-premises or cloud based. As an example, when a particular user triggers a policy based upon a series of interesting events (see FUNC-026), one potential action may be to ask the user for another layer of authentication, such as a soft token or an SMS-based identifier, thereby elevating the level of trust in that user.

FUNC-026 Provide identity context and apply it to access control policies. The CASB must provide contextual data including but not limited to user, device, location, service, network, time of day, and type of data. The CASB must then be able to use these data points in access control policies for cloud services.


FUNC-027 Provide access control policies based upon user activity. The CASB must provide access control based upon the particular actions the user is taking. An example of this might be that the organization has decided that Google Drive is “untrusted” but that Microsoft OneDrive is “trusted”, and then a business partner shares a document with an employee using Google Drive. In this case we still want the worker to be able to retrieve the document even if we don’t want them to upload anything there.

FUNC-028 Support both personal and corporate credentials with appropriate policies. The CASB must be able to configure and apply policies appropriately depending on whether a given user is using corporate or personal credentials on a managed device. An example of this might be that a company has a “trusted” company Dropbox but does not want any corporate data to go to the myriad personal Dropbox accounts.

FUNC-029 Support corporate shared credentials with appropriate policies. The CASB must be able to configure and apply policies appropriately for users accessing a shared corporate account when using corporate credentials on a managed device. An example of this might be to allow Online Banking or Twitter for the corporate shared account, while ignoring, or providing different policies for, personal use.

FUNC-030 Support country-specific access control policies. The CASB must be configurable for country-specific access control requirements, such as allowing access to Salesforce.com from the US, Canada, and the EU, but blocking access from other countries.

Category: Cloud Service Provider (CSP) Vendor Risk Management

FUNC-031 Analysis and tracking of efficacy of security controls. The CASB vendor must perform regular-interval reviews of each Cloud Service Provider's Service Organization Control (SOC) Type 2 report to ensure that the trust services principles are met. The interval between reviews must be no greater than 90 days for "top tier" applications and no greater than 12 months for more obscure applications. This information must be available in the CASB User Interface.

FUNC-032 Analysis and tracking of business trustworthiness. The CASB vendor must perform regular-interval reviews of Cloud Service Provider business trustworthiness using publicly available information and/or Dun & Bradstreet ratings. This information must be available in the CASB User Interface.

FUNC-033 Analysis and tracking of T&C or EULA. The CASB vendor must perform regular-interval reviews of the legal implications set forth in the general Terms and Conditions and End User License Agreement. This information must be categorized based upon personnel and data protection and presented in the CASB User Interface.

FUNC-034 Analysis and tracking of vendor breaches. The CASB vendor must perform ongoing tracking and alerting of compromises that occur within the Cloud Service Provider. This information must feed into the vendor trustworthiness rating and be presented in the CASB User Interface.


FUNC-035 Analysis and tracking of vendor uptime. The CASB vendor must perform ongoing tracking and alerting of downtime that occurs within the Cloud Service Provider beyond quoted levels of availability. This information must feed into the vendor trustworthiness rating and be presented in the CASB User Interface.

FUNC-036 Analysis and tracking of vendor compliance certifications. The CASB vendor must perform ongoing tracking of cloud service provider compliance (such as HIPAA or PCI DSS) and make this data available in the CASB User Interface.

FUNC-037 Analysis and tracking of vendor vulnerabilities and exploits. The CASB vendor must perform ongoing tracking of current vulnerabilities and indicate the status of the cloud service providers in the CASB User Interface.

FUNC-038 Provide risk assessment of cloud services. The CASB must be able to provide an assurance rating or risk assessment for the cloud services that are discovered, to help identify which services need immediate remediation, such as blocking or strong access control.

Category: Threat Protection

FUNC-039 Provide an audit trail of all access activities and actions. The CASB must provide a complete log of all activities that it has monitored, along with a complete audit trail of policy enforcement actions taken (such as blocking, quarantining, or step-up authentication requests).

FUNC-040 Identify events based on User and Entity Behavior Analytics (UEBA). The CASB must provide a UEBA solution that incorporates user activity monitoring and anomaly detection, the results of which can be incorporated into policy.

FUNC-041 Identify and remediate compromised accounts. The CASB must have mechanisms to identify accounts that may have been compromised and initiate automated actions to remediate them, such as raising an event or alert and blocking access for the specific account. For example, an account used in the US to access a cloud service is then used to access the same cloud service from a physically impossible location, such as Germany, simultaneously or within a small window of time, such as 4 hours.
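The "impossible travel" check described in FUNC-041, as an added example that is not from the paper or any vendor's UEBA engine: consecutive logins per user are compared by great-circle distance and elapsed time, and a pair that would require faster-than-airliner travel is reported so the account can be alerted on or blocked. The login events, coordinates, the 900 km/h threshold and the 50 km noise floor are assumptions for illustration; timestamps are assumed to be UTC.

```python
import math
from datetime import datetime

# Added example (not from the Cedrus paper): impossible-travel detection for
# FUNC-041. Thresholds below are assumptions a deployment would tune.
MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner speed; anything faster cannot be one person
MIN_DISTANCE_KM = 50.0      # ignore small jumps caused by NAT/VPN egress or geo-IP noise


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two (lat, lon) points in degrees."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def find_impossible_travel(events):
    """Return one alert per consecutive login pair that would need implausible speed.

    events: iterable of dicts with keys user, ts (ISO 8601, UTC), country, lat, lon.
    """
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["ts"])          # ISO strings in UTC sort chronologically
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < MIN_DISTANCE_KM:
                continue
            hours = (datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600.0
            # Simultaneous logins from distant places cannot be explained by travel at all.
            kmh = math.inf if hours == 0 else km / hours
            if kmh > MAX_PLAUSIBLE_KMH:
                alerts.append({"user": user, "from": prev["country"], "to": cur["country"],
                               "hours": round(hours, 2), "kmh": round(kmh, 1)})
    return alerts


# Constructed events: alice logs in from New York, then from Frankfurt 4 hours
# later (the paper's US-then-Germany case); bob goes New York -> Boston in 3 hours.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2017-04-16T09:00:00+00:00", "country": "US", "lat": 40.71, "lon": -74.01},
    {"user": "alice", "ts": "2017-04-16T13:00:00+00:00", "country": "DE", "lat": 50.11, "lon": 8.68},
    {"user": "bob", "ts": "2017-04-16T09:00:00+00:00", "country": "US", "lat": 40.71, "lon": -74.01},
    {"user": "bob", "ts": "2017-04-16T12:00:00+00:00", "country": "US", "lat": 42.36, "lon": -71.06},
]

if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_EVENTS):
        print(alert)
```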

FUNC-042 Provide exception and alert processing. When an exception to policy is found by the CASB, the data about that exception must be provided to a selected group of security analyst(s) for investigation via some automated mechanism.

FUNC-043 Provide automation workflow. The CASB must provide the capability to incorporate workflows, such as escalation after a time interval, when specific exceptions or alerts are generated due to policy violation.

FUNC-044 Integrate with Security Information and Event Management (SIEM) system. Exceptions, alerts, and other activity from the CASB must be able to be integrated with existing SIEM infrastructure to provide a unified view to the security team.


FUNC-045 Provide access to historical data to support forensics. The CASB must be able to provide data to the Incident Response (IR) and forensics teams after suspicious activity has occurred. For example, for the suspected user: what other activities has that user performed recently, and has the user performed any admin activities that could be obscuring activity?

FUNC-046 Integrate with IaaS consoles for protection of apps running on those platforms. The CASB must provide integration to admin consoles of IaaS providers such as Azure and Amazon Web Services (AWS) to prevent damage that would impact applications running on those platforms if the admin access were compromised.

FUNC-047 Provide dynamic malware analysis. The CASB must be able to monitor data stored in cloud apps and detect if there is malware present in the files. This capability should be both real-time for in-line configurations and through "crawling" for API-based integrations.

Category: Non-Functional Requirements

NONFUNC-001 Provide full capability regardless of device, client type, and location. The CASB must provide full policy-based functionality for any “trusted”, “untrusted”, or “not fully trusted” app, whether access is from a desktop, laptop, or mobile device, on-premises or remote, regardless of client (browser, native app, sync, etc.).

NONFUNC-002 Provide audit logs of change for configuration management and change control. The CASB must provide audit logging for policy and configuration changes made by an administrator. If changes were in error or malicious, the CASB should support configuration rollback to a previous version.

NONFUNC-003 Provide policy simulation. Prior to implementing a policy in CASB, the CASB should provide a mechanism to "test" what the result of implementing the policy would do in the environment.

NONFUNC-004 Provide test instances. In order to integrate the CASB with test instances of other components in the environment, the vendor should be able to provide one or more test instances of the CASB with the possibility of separate integration points from the production system.

NONFUNC-005 Support standard log types for integration with identification services. The CASB must be able to read in a range of web gateway and firewall logs in various formats, including but not limited to CEF, CLSF, and syslog.
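Log-based discovery as FUNC-001 describes it, fed by the CEF web-gateway records NONFUNC-005 asks the CASB to ingest, as an added example that is not from the paper or any CASB's discovery engine: each CEF line is split into its header and key=value extension, traffic is aggregated per destination host, hosts are mapped through a catalogue to an app and trust tier (the tiers of FUNC-022), and anything not in the catalogue is surfaced as unclassified for review. The catalogue, the "Acme WebGateway" records, user names and byte counts are all constructed for illustration.

```python
import re
from collections import defaultdict

# Added example (not from the Cedrus paper): Shadow IT discovery from CEF
# gateway logs (FUNC-001 / NONFUNC-005). Catalogue and log lines are constructed.

# CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
CEF_HEADER_FIELDS = 8
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")   # key=value pairs, values may contain spaces

# Tiny stand-in for the catalogue a real CASB ships with: host -> (app, trust tier).
APP_CATALOG = {
    "api.dropboxapi.com": ("Dropbox", "trusted"),
    "drive.google.com": ("Google Drive", "untrusted"),
    "files.example-share.net": ("ExampleShare", "not fully trusted"),
}


def parse_cef(line):
    """Split one CEF line into its header fields plus the extension key=value pairs, or None."""
    parts = line.split("|", CEF_HEADER_FIELDS - 1)
    if len(parts) != CEF_HEADER_FIELDS or not parts[0].startswith("CEF:"):
        return None
    ext = {k: v for k, v in EXT_RE.findall(parts[7])}
    return {"vendor": parts[1], "product": parts[2], "name": parts[5], **ext}


def discover_apps(lines):
    """Aggregate gateway traffic per cloud app: trust tier, users seen, bytes uploaded.

    Hosts missing from the catalogue are reported under their own name with the
    tier 'unclassified', which is the Shadow IT list FUNC-001 wants displayed.
    """
    seen = defaultdict(lambda: {"users": set(), "bytes_out": 0, "tier": "unclassified"})
    for line in lines:
        ev = parse_cef(line)
        if ev is None or "dhost" not in ev:
            continue            # not a CEF record, or not a web request we can attribute
        app, tier = APP_CATALOG.get(ev["dhost"], (ev["dhost"], "unclassified"))
        entry = seen[app]
        entry["tier"] = tier
        entry["users"].add(ev.get("suser", "unknown"))
        entry["bytes_out"] += int(ev.get("out", "0"))
    return {app: {"tier": v["tier"], "users": sorted(v["users"]), "bytes_out": v["bytes_out"]}
            for app, v in seen.items()}


# Constructed web-gateway records in CEF; 'out' is bytes sent by the client (uploads).
SAMPLE_LOG = [
    "CEF:0|Acme|WebGateway|1.0|100|Allowed|1|suser=alice dhost=api.dropboxapi.com out=52000 act=allowed",
    "CEF:0|Acme|WebGateway|1.0|100|Allowed|1|suser=bob dhost=drive.google.com out=1048576 act=allowed",
    "CEF:0|Acme|WebGateway|1.0|100|Allowed|1|suser=alice dhost=drive.google.com out=2048 act=allowed",
    "CEF:0|Acme|WebGateway|1.0|100|Allowed|1|suser=carol dhost=upload.unknown-saas.io out=9000000 act=allowed",
    "Apr 16 09:00:01 fw1 kernel: not a CEF line at all",
]

if __name__ == "__main__":
    for app, info in discover_apps(SAMPLE_LOG).items():
        print(app, info)
```

An evaluator can feed a day of real gateway exports through the same shape of code to see how much of the traffic the vendor's catalogue actually classifies.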

NONFUNC-006 Integrate with enterprise proxy or web gateway. When the CASB is running in proxy mode it must be able to integrate with any existing secure web gateway/proxy, rather than adding an additional hop into the network flow.

NONFUNC-007 Data tokenization or encryption should not limit application functionality. If CASB policy dictates that data must be tokenized or encrypted, functionality of the cloud service should not be reduced.


For comments, questions, or more information please contact Kyle Watson at [email protected].

NONFUNC-008 Encryption type must be relevant, current, and strong. The CASB encryption approach should use strong encryption, and changing the encryption approach should not be required in order to retain integrated cloud service application functionality.

NONFUNC-009 No impact to mobile device application use. Integration of the CASB with mobile devices should not interfere with installed "apps" that contain hard-coded URIs.

NONFUNC-010 Business-friendly User Interface (UI). The CASB should provide a simple UI that provides role-based access to key information for authorized users.

NONFUNC-011 Highly available architecture. The CASB platform should be continuously available, with a zero Recovery Time Objective (RTO) for component failure or data center outage.

NONFUNC-012 24x7x365 technical support. The CASB vendor should provide support capable of meeting the needs of a global enterprise. Specific incident priority levels should dictate expected response times, and an escalation path should be provided.

NONFUNC-013 Elasticity and scalability. The CASB solution must be able to scale to support both linear growth and unforeseen bursts in activity, preferably through elasticity. For any on-premises components, a clear scalability model must be defined that incorporates user base, devices, and traffic so that the company can plan for scaling as needed.

NONFUNC-014 No noticeable performance impact to applications. When users access applications through the CASB in-line, they should not notice any performance impact.

NONFUNC-015 Reporting. The CASB must provide reporting that includes, but is not limited to, cloud service provider trustworthiness, user and device access, events, and alerting. The CASB should be able to filter and customize these reports.

NONFUNC-016 Support for multi-language capabilities. The CASB must provide language services including the ability to meet the functional requirements in major world languages.
