
Plan and Manage Successful CASB Deployment: Match Security with agility and elasticity of Cloud

November 2018

In this issue

Plan and Manage Successful CASB Deployment ... 2
Featuring Research from Gartner: 10 Best Practices for Successful CASB ... 7
About TATA COMMUNICATIONS ... 20

Plan and Manage Successful CASB Deployment

Match Security with agility and elasticity of Cloud

As organizations expand their cloud usage progressively every year, the need for an evolved cloud security and risk management strategy is very evident. An effective multi-cloud operating model for an enterprise also includes a comprehensive managed service for the security architecture and its elements. These crucial elements of the strategy are consistent visibility, tailored controls around sensitive and regulated data, security for distributed users and devices linking to the cloud, as well as connecting it to any existing SOC environment. We take a look below at some effective approaches for this.

Current Scenario:

As enterprises utilize more cloud services like SaaS, PaaS and IaaS, this may pose a serious challenge of managing cloud-related risks, as business-sensitive and PII data may be flowing to the cloud. Against a backdrop of increasingly sophisticated attacks aimed at stealing corporate data, IT security leaders generally feel uncomfortable with the perceived loss of control over corporate data. Due to the direct access model for cloud services as available now, traditional IT controls are ineffective against cloud usage linked to sensitive data exposure.

Figure 1. Cloud Control Points (Source: Tata Communications)

In their report “10 Best Practices for Successful CASB Projects”, Gartner outlines some of the key challenges as being:

■ “Business units often adopt cloud services for business-specific needs, outside of IT’s visibility and control. Further, even when cloud services are standardized, users often create personal accounts that are outside the visibility and control of IT.
■ Sensitive data will continue to be placed into sanctioned and unsanctioned cloud services, exposing the organization to excessive risk of data loss and noncompliance.
■ When sensitive data is downloaded from a cloud service to an unmanaged device, visibility and control of the data is lost.”1

CASB (Cloud access security brokers):

While CASB is a new category of security solution with some variance in functionality across different vendors, cloud access security brokers (CASB) can be broadly defined as on-premises or cloud-hosted software that sits between cloud service consumers and cloud service providers to enforce security, compliance and governance policies for cloud applications. CASBs help organizations extend the security controls of their on-premises infrastructure to the cloud and give security professionals a critical control point in cloud architectures by getting visibility into the access and usage of cloud services.

Integrated security model and Operations

While CASB is an essential element in a cloud security project, it’s important to note that cloud security needs a holistic approach. According to Gartner, “CASBs will assume a mainstream role in enterprise security architectures and should become integral parts of enterprise security fabric of controls.”2

Figure 2. CASB Deployment models (Source: Tata Communications)

CASB integration points can enable the other elements of security strategy for the cloud, like:

■ Identity and access management (IAM) integration
■ Re-usage of data security policies for the cloud
■ Event integration with technologies such as security information and event management (SIEM) for a single view of an organization’s security events
■ Support for existing security processes such as incident response.

Suggested Best Practices for CASB:

Many customers that deploy Cloud Access Security Broker (CASB) solutions to secure their shadow apps, sanctioned apps and custom IaaS apps face the challenge of having to look at different deployment options to secure their users and data across mobile, desktop, remote and on-premise users. Based on our experience with multiple customers that deployed CASB solutions at scale, we cover some of the highlights here:

■ Begin with Discovery – Start with a cloud application discovery project to get a baseline of the severity of the problem.
■ Prioritize the critical assets and controls – Treat sensitive data discovery, monitoring, analytics and protection as the most critical use case for CASB deployments over the next five years.
■ Aim to enable – Securely facilitate the usage of cloud services rather than prevent the use of cloud services.
■ Holistic view driven by risk-driven policies – Address cloud security holistically, creating policies that can be applied consistently across all cloud services.
■ Leverage and extend – Build on existing security infrastructure based on feasibility rather than rip and replace it.

Figure 3. A Pragmatic and proven approach to CASB deployment (Source: Tata Communications)

Going beyond security functionality – By enabling the Tata Communications CASB solution, organizations can benefit from:

■ Identifying and controlling what shadow IT cloud services are in use, by whom, and what risks they pose to the organization and organizational data
■ Evaluating and selecting cloud services that meet security and compliance requirements using a database of cloud services and their security controls
■ Protecting enterprise data in the cloud by preventing certain types of sensitive data from being uploaded, and encrypting and tokenizing data
■ Identifying potential misuse of cloud services, including both activity from insiders as well as third parties that compromise user accounts
■ Matching security with the agility and elasticity of cloud using the deep expertise of Tata Communications
■ Benefiting from robust, 24x7 managed services for CASB and cloud security to manage threats and data security incidents proactively

We invite you to dive deeper into the insights of Gartner around the emerging opportunity space for cloud security, namely CASB, through the following research report.

1-2. Gartner Inc., 10 Best Practices for Successful CASB Projects, 8 November 2017, G00336456

Featuring Research from Gartner: 10 Best Practices for Successful CASB Projects

CASBs are being widely adopted to provide visibility and control of cloud-based services and protection of sensitive data. Security and risk management leaders focused on cloud security architecture should follow these 10 best practices learned from early adopters to ensure a successful deployment.

Key Challenges

■ There are a large number of competitors in the CASB market with widely different capabilities, confusing customers and complicating the evaluation process.
■ Business units often adopt cloud services for business-specific needs, outside of IT’s visibility and control. Further, even when cloud services are standardized, users often create personal accounts that are outside the visibility and control of IT.
■ Sensitive data will continue to be placed into sanctioned and unsanctioned cloud services, exposing the organization to excessive risk of data loss and noncompliance.
■ When sensitive data is downloaded from a cloud service to an unmanaged device, visibility and control of the data is lost.

Recommendations

Security and risk management (SRM) leaders tasked with ensuring cloud security should:

■ Start with a cloud application discovery project to get a baseline of the severity of the problem.
■ Plan for integration with secure web gateway providers when evaluating CASB offerings.
■ Expand the evaluation to include visibility and control for IaaS and PaaS cloud services.
■ Prioritize sensitive data discovery, monitoring, analytics and protection as the most critical use case for CASB deployments over the next five years.
■ Phase in the CASB project with the subset of the cloud applications most likely to carry sensitive data and where security and compliance requirements dictate strong visibility and control.
■ Engage business units and SaaS application owners in a risk-based discussion of how to handle out-of-date systems and unmanaged devices in terms of access and sensitive data handling.

Strategic Planning Assumptions

By 2020, more than 30% of CASB deployments will require standardized sensitive data monitoring policies across on-premises and public cloud, up from less than 5% in 2017.

By 2020, 60% of CASB deployments will expand their protection scope to include infrastructure as a service, up from less than 5% in 2017.

Introduction

Gartner introduced the term cloud access security broker (CASB) in 2012. Over the past five years, CASB has been one of the fastest growing areas of information security investments and is forecast to reach a market size of $380 million at year-end 2017. The motivation for the uptake in CASB services is straightforward: the adoption of sanctioned and unsanctioned cloud services is leaving enterprise data exposed outside the visibility and control of enterprise IT and traditional information security infrastructure. In many cases, cloud services are accessed by managed and unmanaged devices directly from networks that IT doesn’t own or control, leaving traditional IT controls such as firewalls completely blind to cloud usage and sensitive data exposure. Using a variety of techniques, CASBs give information security and risk professionals a critically needed control point in cloud architectures by getting visibility into the access and usage of cloud services (see Figure 1).

With continued growth in the use of cloud-based services, combined with the need to open up these services and data to access from managed and unmanaged mobile devices (including the devices and users of digital business partners), we forecast a continued 16% compound annual growth rate (CAGR). Think of CASBs as the primary point from which to maintain visibility and control of enterprise data after it leaves legacy enterprise perimeters. CASBs will become a standard, critical control point every bit as much as enterprise firewalls have been over previous decades. As CASB enters mainstream adoption, later adopters can benefit from the experiences of early adopters by applying best practices for the successful planning, evaluation and deployment of CASBs.

Analysis

Plan

Gain Visibility

An organization should be able to understand at a glance what cloud services are in use and whether or not the security posture of these cloud providers represents unacceptable risk. In “How to Evaluate and Operate a Cloud Access Security Broker,” we introduced a CASB life cycle protection framework built on the original Gartner adaptive security architecture that explored in detail the need for CASBs to provide continuous adaptive access protection. At the center of this framework (see Figure 2 on page 10) is pervasive visibility and assessment of cloud access, behaviors and sensitive-data handling by end users.

Figure 1. CASBs for Cloud Visibility and Control (Source: Gartner, November 2017)

We recommend most organizations start their CASB project by initiating a cloud application discovery project, as illustrated in the upper left of Figure 2. We believe the average enterprise has several hundred cloud services in use. Some CASB vendors place the estimate at more than 1,000.1 Consistently, organizations that undertake a cloud application discovery project find that they have at least 10 times the number of cloud services in use than they had estimated.

These discovery projects are often provided for free by CASB vendors as a way to create an upsell to their subscription services. The value of the report is more in showing a snapshot of the current state of cloud usage. However, new cloud services are introduced frequently and business-unit-led requirements will drive the adoption of new cloud services. The net result is that the value of the snapshot is short-lived, but it can be used to help justify initiation of a full CASB implementation.

Figure 2. CASB Life Cycle Protection (Source: Gartner, November 2017)

Simply telling an organization what cloud services are in use is of limited value. However, several of the larger CASB vendors also provide an associated database of the security posture assessments of the cloud providers. The quality and depth of these security posture databases vary widely. In addition, the value of the database has not been commoditized, as keeping it current requires a significant ongoing investment by the CASB vendor and is a major differentiator among providers. A best practice is to select a CASB provider that can provide detailed visibility into:

■ Cloud services usage by category (file sharing, collaboration, payroll, CRM and so on)
■ Cloud provider security posture assessment against a rich set of attributes. The CASB vendor will assign an overall “trustability” rating – for example, from 1 to 100

The attributes and weightings that make up the score should be adjustable. The CASB discovery report should dig deeper, providing more than just insight into “shadow IT.” Specifically, it should also report:

■ Personal use of sanctioned cloud services (see Note 1). This is also true in infrastructure as a service (IaaS), with cloud services such as Amazon Web Services (AWS) where developers and others create personal accounts.
■ Unknown and risky storage of sensitive data (see Note 2).

Security leaders can use a CASB to proactively recommend better enterprise-ready cloud services to business units that are using “unsanctioned” applications. The first step in securing cloud services is picking better cloud services to use in the first place. This can also help procurement teams (which security leaders can enable by use of a CASB), who lack the range of tools needed to keep up and evaluate incoming solutions to their organizations.

As organizations implement CASB, a best practice is to institute cloud app discovery as a continuous process and to have an identified business unit owner for every cloud service. There will always be new cloud services introduced worldwide and business units will adopt them. Further, the security posture of cloud services you are using will change, and you need visibility into this. Finally, there will always be the risk of personal accounts for sanctioned services and the risk of “shadow-sensitive data” being exposed in these clouds. A continuous adaptive risk and trust assessment (CARTA) of cloud services should be a foundational part of the CASB implementation, scope and contract.

Plan for Adaptive Access and Identity Integration

Enterprise CASB projects should plan to integrate with their existing identity sources such as Active Directory or major identity and access management as a service (IDaaS) providers such as Okta, Ping Identity, Azure AD and OneLogin. Most CASBs don’t provide IDaaS themselves. Instead, they partner for this capability and provide out-of-the-box support and integration with the major identity providers and support for industry identity standards such as SAML.

Cloud access should not be viewed as a simple “yes” or “no” authentication event. A best practice is to make the access process itself context-aware and adaptive (illustrated in the upper right of Figure 2). By integrating with the IDaaS provider, the CASB can apply additional context at the point of authentication for adaptive access decisions – for example, the user’s location, the time of day, the time of last access and so on. Further, most CASBs also integrate with enterprise mobility management (EMM) vendors for additional device context – for example, whether the device is managed/unmanaged, jailbroken, encrypted, password-set, and the version of the OS and browser. Based on the risk and trust assessment, contextual access can be provided. In our discussions with clients, these are several common scenarios for adaptive access:

■ Access to sensitive cloud applications can be blocked entirely if the user is in a hostile geographic region or if a data residency restriction prevents the user from accessing the data from out of region.
■ Unmanaged devices such as a personal home computer are not allowed to access critical enterprise-managed cloud services (such as Office 365 or Salesforce) that may or may not be Windows-based. Scenarios need to account for mobile and Mac access as well.
■ Alternatively, users on unmanaged devices are allowed to access the critical application, but with reduced functionality – typically “read only” with no ability to download data locally, rather than blocking these unmanaged devices.
■ Scenarios where the device, the OS or the browser represent additional risk such as out-of-date OSs (e.g., Windows XP, Android 4.x and earlier, iOS 6 and earlier), out-of-date browsers (for example, IE6 and earlier) or unpatched systems.
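The scenarios above are, in effect, an access policy evaluated over user and device context. The following is an added example (not from the Gartner report or Tata Communications) that encodes them as a small, ordered rule set of the kind a CASB applies at the IDaaS authentication point: hostile region and data residency block outright, an out-of-date OS or browser blocks, and an unmanaged or unencrypted device gets read-only access to sensitive apps instead of a block. The app names, the placeholder region code "XX", the residency table, the version floors (set just above the Windows XP, Android 4.x, iOS 6 and IE6 examples in the text) and the read-only fallback are assumptions made for illustration.

```python
"""Adaptive access decisions for cloud applications from user and device context.

Added example, not from the Gartner report or Tata Communications. App names,
region codes, version floors and the read-only fallback are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    READ_ONLY = "read-only"   # access granted, but no local download
    BLOCK = "block"


@dataclass(frozen=True)
class AccessContext:
    user: str
    app: str                  # e.g. "office365", "salesforce" (constructed names)
    region: str               # country code of the client network (constructed)
    managed: bool             # device enrolled in EMM
    jailbroken: bool
    encrypted: bool
    os_name: str              # "windows", "android", "ios", "macos"
    os_version: tuple         # (major, minor)
    browser: str
    browser_version: int


# Constructed policy data; a real deployment takes these from the CASB and IDaaS.
SENSITIVE_APPS = {"office365", "salesforce", "hr-system"}
HOSTILE_REGIONS = {"XX"}                        # placeholder country code
DATA_RESIDENCY = {"hr-system": {"DE", "FR"}}    # app -> regions allowed to reach it
# Floors chosen so the out-of-date examples in the text fall below them:
# Windows XP is 5.1, Android 4.x, iOS 6 and IE6.
MIN_OS = {"windows": (6, 1), "android": (5, 0), "ios": (7, 0), "macos": (10, 12)}
MIN_BROWSER = {"ie": 7}


def device_out_of_date(ctx: AccessContext) -> bool:
    """True when the OS or browser is below the floor the policy sets."""
    min_os = MIN_OS.get(ctx.os_name)
    if min_os is not None and ctx.os_version < min_os:
        return True
    min_browser = MIN_BROWSER.get(ctx.browser)
    return min_browser is not None and ctx.browser_version < min_browser


def decide(ctx: AccessContext) -> tuple:
    """Return (Decision, reason). Rules run most restrictive first, so a hard
    block is never softened by a later, more permissive rule."""
    if ctx.app in SENSITIVE_APPS and ctx.region in HOSTILE_REGIONS:
        return Decision.BLOCK, "hostile region"
    allowed = DATA_RESIDENCY.get(ctx.app)
    if allowed is not None and ctx.region not in allowed:
        return Decision.BLOCK, "data residency restriction"
    if ctx.jailbroken:
        return Decision.BLOCK, "jailbroken device"
    if device_out_of_date(ctx):
        return Decision.BLOCK, "out-of-date OS or browser"
    if ctx.app in SENSITIVE_APPS and not (ctx.managed and ctx.encrypted):
        # Unmanaged (or unencrypted) device: allow, but read-only, no download.
        return Decision.READ_ONLY, "unmanaged or unencrypted device"
    return Decision.ALLOW, "context within policy"


def _ctx(**overrides) -> AccessContext:
    """Build a sample context; defaults describe a managed, current Windows laptop."""
    base = dict(user="alice@example.com", app="office365", region="US",
                managed=True, jailbroken=False, encrypted=True,
                os_name="windows", os_version=(10, 0), browser="edge",
                browser_version=44)
    base.update(overrides)
    return AccessContext(**base)


if __name__ == "__main__":
    samples = {
        "managed laptop": _ctx(),
        "home PC": _ctx(managed=False, encrypted=False, app="salesforce"),
        "Windows XP + IE6": _ctx(os_version=(5, 1), browser="ie", browser_version=6),
        "hostile region": _ctx(region="XX"),
        "HR data out of region": _ctx(app="hr-system", region="US"),
    }
    for name, ctx in samples.items():
        decision, reason = decide(ctx)
        print(f"{name:24s} -> {decision.value:10s} ({reason})")
```

The rule order is the design point: the engine returns on the first matching rule, so the "read-only for unmanaged devices" rule can only ever relax a decision that no earlier rule has already blocked. Which apps count as sensitive, and whether an unmanaged device is blocked or downgraded, is exactly the conversation with the application owner that the next paragraph describes, which is why those values sit in data rather than in the rules.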

In these scenarios, the decision of how much risk is acceptable should not be made solely by information security. A best practice is for CASB project owners to identify application owners for each of the cloud services in use and engage in a risk-based conversation with the business owner on how to handle unmanaged devices. Specifically, discuss what the risks are and how to mitigate at least some of the risk to a level that is acceptable to the business unit application owner and security – up to and including blocking access for unmanaged devices and a formalized risk sign-off such that the business unit takes ownership for the risk.

Closely Scrutinize the Need to Encrypt/Tokenize Outside of the SaaS Provider

In some cases, sensitive data at the field or object level will need to be encrypted or tokenized before it is placed into the cloud service. In general, encryption/tokenization outside of the cloud provider should be avoided if possible; but there are legal, regional and regulatory concerns where this capability is necessary. Issues that early adopters of CASB-based field- and object-level encryption have encountered include:

■ Potential loss of cloud service functionality (since the data the cloud service sees is unintelligible):
  ■ Loss of cloud service provider functions such as indexing, search and sort on fields
  ■ Loss of document preview, indexing and search for encrypted objects (such as file attachments)
  ■ Loss of the ability to perform numerical calculations by the cloud provider (if the field is a numeric value)
  ■ Sideloaded functions and apps in the cloud that are unable to work directly with the data (for example, apps within the Salesforce ecosystem access the enterprise data directly)
■ A potential single point of failure if the CASB data protection gateway is down
■ Risk of loss of all data if the encryption/tokenization gateway is destroyed and the keys and/or tokenization dictionary are lost
■ Possible latency and performance issues, depending on where the CASB data protection gateway is located, how many users are funneled through the gateway and how much encryption is performed
■ Situations where the cloud service is updated, but the CASB gateway isn’t updated to reflect these changes. This creates a situation where the gateway’s mapping of the cloud service is out of sync with the cloud application, impacting the usability of the application

Despite these limitations, there are cases where CASB-provided data protection for data moving to the cloud is the only option. For example, many cloud-based services do not offer their own native encryption option. So if encryption is required, CASB-provided data protection may be the only option. Further, Gartner has clients in the Middle East that will not use public cloud services outside of their region unless the data is protected before it leaves the region. Depending on the organization’s risk tolerance, the General Data Protection Regulation (GDPR) may also be a factor in the use of this approach over the next few years in the EU, as well as similar regulatory requirements around the world requiring data residency.

Finally, there are options whereby the cloud vendor might provide encryption, but you do not want (or need) to manage each one of these functions individually. A number of CASBs support the ability to control the encryption/tokenization policy, event monitoring and encryption keys centrally. This significantly eases the burden of having to perform such a critical function for each cloud service that requires it. For many organizations, this use case alone justifies the decision to use a CASB instead of the cloud service provider for key management.
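Two of the issues listed in this section, the loss of provider-side functions on a tokenized field and the gateway's token dictionary as a single point of failure, are easiest to see in running code. The following is an added example, not from the Gartner report and not any CASB vendor's gateway: a minimal field-level tokenization vault whose tokens are an HMAC of the value (so equality matching still works once the data is in the SaaS provider), with the provider's arithmetic and sort shown failing on the tokenized field and detokenization failing once the vault is rebuilt without its dictionary. The key, records and field names are constructed.

```python
"""Field-level tokenization before data reaches the SaaS provider.

Added example, not from the Gartner report and not a CASB vendor's gateway.
The key, records and field names below are constructed for illustration.
"""
import hashlib
import hmac

# Constructed key for the demo; a real gateway keeps this in an HSM or key vault.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed enterprise records on their way to a SaaS CRM.
RECORDS = [
    {"name": "Alice", "email": "alice@example.com", "salary": 70000},
    {"name": "Bob", "email": "bob@example.com", "salary": 55000},
]


class TokenVault:
    """Tokens are an HMAC of the value, so the same value always yields the same
    token (equality matching still works in the cloud), but the mapping back to
    plaintext exists only in this vault."""

    def __init__(self, key: bytes):
        self._key = key
        self._vault = {}   # token -> plaintext

    def tokenize(self, value: str) -> str:
        mac = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + mac[:16]
        self._vault[token] = value
        return token

    def detokenize(self, token: str) -> str:
        if token not in self._vault:
            raise LookupError("token not in vault: data is unrecoverable")
        return self._vault[token]


def protect(records: list, vault: TokenVault, fields: list) -> list:
    """Replace the named fields with tokens before the records leave the enterprise."""
    protected = []
    for rec in records:
        rec = dict(rec)
        for f in fields:
            rec[f] = vault.tokenize(str(rec[f]))
        protected.append(rec)
    return protected


def cloud_equality_search(protected: list, field: str, token: str) -> list:
    """What the provider can still do: exact match on a token."""
    return [r for r in protected if r[field] == token]


def cloud_sum(records: list, field: str):
    """What the provider can no longer do on a tokenized field: arithmetic.
    Returns None when the stored values are not numeric."""
    try:
        return sum(float(r[field]) for r in records)
    except ValueError:
        return None


def cloud_sort_preserves_order(records: list, protected: list, field: str) -> bool:
    """Does sorting by token give the same order as sorting by the real value?
    Tokens are hex digests, so in general it does not."""
    real = [r["name"] for r in sorted(records, key=lambda r: r[field])]
    tok = [r["name"] for r in sorted(protected, key=lambda r: r[field])]
    return real == tok


def reveal(protected: list, vault: TokenVault, fields: list) -> list:
    """Detokenize on the way back into the enterprise; fails if the vault is lost."""
    out = []
    for rec in protected:
        rec = dict(rec)
        for f in fields:
            rec[f] = vault.detokenize(rec[f])
        out.append(rec)
    return out


if __name__ == "__main__":
    vault = TokenVault(DEMO_KEY)
    fields = ["email", "salary"]
    in_cloud = protect(RECORDS, vault, fields)
    print("stored in SaaS:", in_cloud)
    print("equality search:", cloud_equality_search(in_cloud, "email", vault.tokenize("alice@example.com")))
    print("sum in cloud:", cloud_sum(in_cloud, "salary"), "vs plaintext:", cloud_sum(RECORDS, "salary"))
    print("sort order preserved:", cloud_sort_preserves_order(RECORDS, in_cloud, "salary"))
    print("back on-premises:", reveal(in_cloud, vault, fields))
    # Gateway rebuilt with a new key and an empty vault: the data in the cloud is now noise.
    rebuilt = TokenVault(b"new-key-after-gateway-rebuild")
    try:
        reveal(in_cloud, rebuilt, fields)
    except LookupError as err:
        print("after vault loss:", err)
```

Deterministic tokens are what keep equality search and report filters working in the provider; the price is that the same value always maps to the same token, which a real deployment weighs against the data involved. Everything else the section lists (sort, numeric functions, preview, sideloaded apps) is lost for exactly the reason `cloud_sum` returns None: the provider only ever sees the digests.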

Plan to Extend Scope to IaaS and PaaS Visibility and Monitoring

The value of CASBs to date has been primarily for SaaS, but most CASBs are extending their API support for visibility and control of sensitive data at the IaaS and platform as a service (PaaS) layers by integrating with cloud provider APIs to gather and analyze:

■ Administrative access and activities
■ Logs of all API-based access
■ Data entering and leaving via APIs to IaaS or PaaS
■ Risky configurations by assessing the security posture of the cloud infrastructure (for example, data stores exposed to the public internet) – ideally, this would replace the need for cloud infrastructure security posture assessment (CISPA) point products such as Evident.io
■ Sensitive data stored in IaaS data stores, file shares, object stores and databases
■ Malware stored in IaaS data stores, file shares, object stores and databases

Most CASB vendors will support AWS and Azure explicitly via APIs. If support for other IaaS providers is needed, it should become a part of the evaluation criteria.
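The "data stores exposed to the public internet" check is the most concrete item in that list, so here is an added example of it (not from the Gartner report or any CASB or CISPA product). It takes bucket documents constructed in the shape of AWS S3 bucket policies and ACL grants, which is the data a CASB would pull through the provider API, and rates each bucket: public write is high, public read is medium, anything else is none. Nothing calls a real API; the bucket names, account ID and VPC ID are placeholders. Policy statements that carry a Condition are deliberately not judged, because a condition can narrow an otherwise public grant and evaluating it needs the provider's condition semantics.

```python
"""Flagging data stores exposed to the public internet from cloud-provider API data.

Added example, not from the Gartner report or any CASB or CISPA product. Bucket
documents are constructed in the shape of AWS S3 bucket policies and ACL grants;
the account ID, VPC ID and bucket names are placeholders.
"""

PUBLIC_PRINCIPALS = ("*", {"AWS": "*"})          # "anyone" in a bucket policy
PUBLIC_ACL_GRANTEES = {                           # "anyone" / "any AWS account" in an ACL
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
WRITE_MARKERS = ("Put", "Delete", "WRITE", "FULL_CONTROL", "*")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_public_actions(policy: dict) -> list:
    """Actions the bucket policy allows to an anonymous principal.

    Statements with a Condition are skipped on purpose: the condition may narrow
    the grant (for example to one source VPC) and deciding that needs condition
    semantics this example does not implement. Treat skipped statements as
    'needs manual review', not as safe."""
    actions = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "Condition" in st:
            continue
        if st.get("Principal") in PUBLIC_PRINCIPALS:
            actions.extend(_as_list(st.get("Action", [])))
    return actions


def acl_public_permissions(grants: list) -> list:
    """Permissions the ACL grants to the public groups."""
    return [g["Permission"] for g in grants
            if g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GRANTEES]


def assess_bucket(bucket: dict) -> dict:
    """Severity 'high' for public write, 'medium' for public read, else 'none'."""
    reasons, exposures = [], []
    actions = policy_public_actions(bucket.get("Policy", {}))
    if actions:
        reasons.append("bucket policy grants public " + ", ".join(actions))
        exposures += actions
    perms = acl_public_permissions(bucket.get("Grants", []))
    if perms:
        reasons.append("ACL grants public " + ", ".join(perms))
        exposures += perms
    if not exposures:
        severity = "none"
    elif any(marker in e for e in exposures for marker in WRITE_MARKERS):
        severity = "high"
    else:
        severity = "medium"
    return {"bucket": bucket["Name"], "severity": severity, "reasons": reasons}


def assess_all(buckets: list) -> list:
    """Findings for every bucket, most severe first."""
    rank = {"high": 0, "medium": 1, "none": 2}
    return sorted((assess_bucket(b) for b in buckets), key=lambda f: rank[f["severity"]])


# Constructed inventory, as a CASB might pull it through the provider API.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
BUCKETS = [
    {"Name": "public-website-assets", "Grants": [],
     "Policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::public-website-assets/*"}]}},
    {"Name": "data-lake-exports", "Policy": {},
     "Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                 "Permission": "FULL_CONTROL"}]},
    {"Name": "internal-backups", "Grants": [],
     "Policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
          "Action": ["s3:GetObject", "s3:PutObject"],
          "Resource": "arn:aws:s3:::internal-backups/*"}]}},
    {"Name": "vpc-only-exports", "Grants": [],
     "Policy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::vpc-only-exports/*",
          "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-placeholder"}}}]}},
]

if __name__ == "__main__":
    for f in assess_all(BUCKETS):
        print(f"{f['severity']:6s} {f['bucket']}: {'; '.join(f['reasons']) or 'no public exposure'}")
```

Both exposure paths matter: `data-lake-exports` has no bucket policy at all and is still the worst finding, because the ACL alone hands FULL_CONTROL to AllUsers. A check that reads only policies, or only ACLs, would miss one of the two.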

Evaluate

Favor Multimode CASBs

In Figure 1 and Figure 2, continuous visibility should be a key CASB capability evaluated. However, different CASB providers use different techniques to gain visibility. Many CASBs use proxy-based architectures; others use APIs available from some of the cloud providers. There are pros and cons to each of these approaches. The best practice is to choose a CASB provider that supports a mix of approaches that matches your enterprise use cases. In most cases, we recommend a multimode CASB – specifically a CASB that supports visibility through forward proxy, reverse proxy and APIs – and that lets the customer pick and choose the appropriate mix for its use cases. Multimode CASBs also help in meeting all the usage scenarios described earlier. For example:

■ Forward proxies require some type of endpoint modification such as deployment of an agent, VPN client or proxy autoconfiguration (PAC) file. Endpoint agents introduce complexity in deployment and platforms supported, especially for bring your own device (BYOD). Forward proxies also have to deal with how to get visibility into SSL/TLS-protected traffic, typically by some type of man-in-the-middle approach. However, increased use of certificate pinning breaks this.
■ Reverse proxies have an advantage in that they don’t require an agent to be installed, and they work well for unmanaged devices where agents can’t be placed. However, reverse proxies don’t work with native mobile applications containing hard-coded URLs and certificate pinning. Complex JavaScript applications with embedded URLs can also create issues. Reverse proxy models also require that the enterprise knows what apps to reverse proxy in order to implement it – a difficult proposition when dealing with shadow IT.
■ APIs provide visibility in ways that proxies alone cannot; for example, visibility into data already located in cloud applications. This also includes access to cloud data by sideloaded applications in the SaaS provider that never touch any network traffic. However, APIs don’t yet provide “in-line” blocking and prevention (for example, risky sensitive data exposure is identified only after it has happened [see Note 3]). Another significant limitation is that of the estimated 10,000 cloud services, only 20 or so have suitable APIs at this point.

Finally, an emerging best practice is to evaluate CASB providers for the ability to “wrapper” (proxy) and protect existing custom enterprise web applications. We have seen multiple cases where the movement of an existing web-enabled application to IaaS was the catalyst to wrapper the application with CASB services for the visibility and control of sensitive data in the application. Some CASBs support this only for IaaS-based web apps; others can support legacy on-premises web-enabled applications as well.

Look for Integration With Your Secure Web Gateway Vendor

Most enterprises have a web URL and malware filtering function in place in the form of a secure web gateway (SWG), firewall or unified threat management (UTM) product for the protection of users and systems from threats as they connect to the public internet. Typically, SWGs use a forward proxy to insert in the data path. At a minimum, the evaluation should test how CASB will be integrated with SWG via proxy chaining (for example, forwarding some connections to the CASB for deeper inspection). Another common integration is to leverage the SWG logs to provide visibility as to what cloud services users are accessing (the first best practice described in this research). In other areas, such as malware prevention and data loss prevention (DLP), there may be overlap in these capabilities and an opportunity to leverage a common engine and inspection point for both.
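Using SWG logs for visibility, as just described, is the same work as the cloud application discovery project in the Gain Visibility section earlier, so one added example serves both passages. It is not code from Gartner, Tata Communications or any CASB vendor. It reads constructed proxy log lines, maps each destination to a small catalog slice carrying category and trust score, and produces the per-service inventory a discovery report needs plus the two findings the earlier section says the report should surface: unsanctioned services (rated by trust score) and personal accounts used against sanctioned services. The log format, the catalog, the trust scores and the `login=` field (standing in for the sign-in identity a CASB observes) are all constructed for illustration.

```python
"""Cloud application discovery from secure web gateway (proxy) logs.

Added example; not code from Gartner, Tata Communications or any CASB vendor.
The log format, catalog slice, trust scores and the 'login=' field are constructed.
"""

CORP_DOMAIN = "example.com"

# Constructed slice of a CASB service catalog: host suffix -> (service, category, trust 1..100)
CATALOG = {
    "sharepoint.com": ("Office 365", "collaboration", 90),
    "salesforce.com": ("Salesforce", "CRM", 88),
    "dropbox.com": ("Dropbox", "file sharing", 75),
    "wetransfer.com": ("WeTransfer", "file sharing", 40),
    "pastebin.com": ("Pastebin", "file sharing", 20),
}
SANCTIONED = {"Office 365", "Salesforce"}
LOW_TRUST = 50

# Constructed log lines: time user host bytes_up bytes_down [login=<identity>]
LOG_LINES = """\
2018-11-05T09:12:01Z alice@example.com contoso.sharepoint.com 204800 12000 login=alice@example.com
2018-11-05T09:15:44Z bob@example.com na1.salesforce.com 5120 80000 login=bob@example.com
2018-11-05T09:20:10Z carol@example.com www.dropbox.com 10485760 2048
2018-11-05T10:02:37Z dave@example.com wetransfer.com 52428800 1024
2018-11-05T10:30:00Z alice@example.com pastebin.com 2048 512
2018-11-05T11:05:21Z erin@example.com contoso.sharepoint.com 1024 4096 login=erin.personal@gmail.com
2018-11-05T11:06:00Z bob@example.com wiki.example.com 0 30000
""".strip().splitlines()


def parse_line(line: str) -> dict:
    fields = line.split()
    ts, user, host, up, down = fields[:5]
    login = next((f[len("login="):] for f in fields[5:] if f.startswith("login=")), None)
    return {"ts": ts, "user": user, "host": host, "up": int(up), "down": int(down), "login": login}


def lookup(host: str):
    """Match a hostname against the catalog by domain suffix."""
    for suffix, entry in CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return entry
    return None


def discover(lines: list) -> dict:
    """Build the per-service inventory plus the set of hosts the catalog does not know."""
    services, unmatched = {}, set()
    for rec in map(parse_line, lines):
        entry = lookup(rec["host"])
        if entry is None:
            unmatched.add(rec["host"])
            continue
        name, category, trust = entry
        svc = services.setdefault(name, {
            "category": category, "trust": trust, "sanctioned": name in SANCTIONED,
            "users": set(), "bytes_up": 0, "personal_accounts": set()})
        svc["users"].add(rec["user"])
        svc["bytes_up"] += rec["up"]
        login = rec["login"]
        # Personal account: sanctioned service, but the sign-in identity is not corporate.
        if svc["sanctioned"] and login and login.rsplit("@", 1)[-1] != CORP_DOMAIN:
            svc["personal_accounts"].add(rec["user"])
    return {"services": services, "unmatched": unmatched}


def findings(inventory: dict) -> list:
    """(severity, service, message) tuples, most severe first."""
    out = []
    for name, svc in inventory["services"].items():
        if not svc["sanctioned"]:
            sev = "high" if svc["trust"] < LOW_TRUST else "medium"
            out.append((sev, name, f"unsanctioned {svc['category']} service, trust {svc['trust']}, "
                                   f"{len(svc['users'])} user(s), {svc['bytes_up']} bytes uploaded"))
        if svc["personal_accounts"]:
            out.append(("medium", name, "personal account(s) on sanctioned service: "
                                        + ", ".join(sorted(svc["personal_accounts"]))))
    rank = {"high": 0, "medium": 1}
    return sorted(out, key=lambda f: (rank[f[0]], f[1]))


if __name__ == "__main__":
    inv = discover(LOG_LINES)
    for name, svc in sorted(inv["services"].items()):
        print(f"{name:12s} {svc['category']:14s} trust={svc['trust']:3d} "
              f"users={len(svc['users'])} up={svc['bytes_up']}")
    for sev, name, msg in findings(inv):
        print(f"[{sev}] {name}: {msg}")
    print("unmatched hosts (not in catalog):", sorted(inv["unmatched"]))
```

The upload byte count is kept per service deliberately: a low-trust file-sharing service with 50 MB uploaded is a different conversation with the business unit than one that was merely browsed, and the snapshot is what justifies the next step, as the Gain Visibility section notes. The unmatched hosts are the reason the text calls the catalog a differentiator; whatever the catalog does not cover is invisible to this report.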

The significant potential to use the same proxy fabric for SWG and CASB services, especially for cloud-based SWG fabrics that support mobile and remote users, should be evaluated. CensorNet is a smaller CASB player that has done exactly this. Likewise, Symantec, with the acquisition of Blue Coat, can leverage common services such as DLP across both its SWG and CASB offerings. Netskope has announced, but not yet delivered, its SWG offering. The benefit to the customers would be in a single agent for forward-proxy deployments, a common fabric for proxy-based data path inspection, and common inspection for things like DLP and malware. Gartner refers to this synergistic network security gateway services concept as a secure internet gateway (SIG) service platform, where individual services are sold as functional extensions of a broad, highly integrated set of security gateway services that complement each other as a bundled capability.

There are also possible aggregate price reductions. We have seen contracts for Symantec where Blue Coat SWG and CASB are separately priced line items, but in combination, the bulk discount aggregates across the two. Another advantage might be adding CASB capabilities to existing contracts and discount SWG schedules with these vendors as a way to speed the procurement process. CASB will not merge with SWG within the next five years and will continue to provide distinct, monetizable value for SWG vendors as an upsell, and for CASB vendors to enter the SWG market.

Weight Sensitive Data Classification, Discovery, Monitoring, Analytics and Protection as the Most Critical Use Cases

While most CASB projects start with cloud app discovery, the long-term value is in the extension of the CARTA strategic approach to the continuous discovery, monitoring, analysis and protection of sensitive data. As such, these capabilities should be a critical part of the evaluation. CASB vendors vary widely in their DLP capabilities and in the quality of their DLP engine. Specific areas to evaluate include:

■ Detection accuracy and out-of-the-box predefined detection rules with built-in dictionaries for common use cases such as medical terms, legal terms and so on.
■ Machine learning against established repositories of sensitive data to reduce the time to value, and so the DLP engine can be trained for the enterprise’s specific needs.
■ The ability to perform user and entity behavior analytics (UEBA) for all devices, users, data and applications to help discover genuine issues in a large volume of logs. (This is a key differentiator for leading CASBs.)
■ The ability to perform risk-based assessments of the sensitive data and its usage, and to take action based on the risk. For example, blocking sensitive data from being uploaded or restricting its ability to be shared.
■ Possible integration of policies with existing enterprise on-premises DLP solutions. In some architectures, this is a handoff from one DLP engine to another. Some vendors may import and understand existing DLP policies from an on-premises solution. A few vendors that play in both markets can offer customers a common DLP engine and policy set across on-premises and cloud service, but none yet offer a common console.
■ The ability to protect sensitive data when it is moved out of cloud-based services to a managed or unmanaged endpoint. This is an emerging, but critically important area of evaluation. Several of the leading CASB vendors address this use case by encrypting the sensitive data themselves before it is downloaded or by wrappering with enterprise digital rights management (eDRM) using an established eDRM partner such as Absio, Ionic Security, Vera or Microsoft’s Rights Management Service (RMS).
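The first and fourth items above (predefined rules with built-in dictionaries, and risk-based action such as blocking an upload or restricting sharing) are concrete enough to show as code. The following is an added example, not the DLP engine of any CASB vendor: a small rule set with constructed medical and legal dictionaries, a card-number rule that requires the Luhn checksum to pass (which is what separates detection accuracy from a regex that fires on every 16-digit number), a US SSN pattern, a weighted risk score, and a risk-based action. Dictionaries, weights, thresholds and the sample documents are constructed for illustration.

```python
"""A small DLP rule set of the kind the evaluation criteria above describe.

Added example, not the DLP engine of any CASB vendor. Dictionaries, weights,
thresholds and sample documents are constructed for illustration.
"""
import re

# Constructed dictionaries; a product ships far larger ones.
MEDICAL_TERMS = {"diagnosis", "prescription", "patient id", "oncology"}
LEGAL_TERMS = {"attorney-client", "privileged", "settlement agreement"}

# 13 to 16 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
# US Social Security number in dashed form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

WEIGHTS = {"card_number": 40, "ssn": 40, "medical": 20, "legal": 15}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out most false regex hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Return the rules that fired and what they matched (rules with no hits are omitted)."""
    lowered = text.lower()
    hits = {
        "card_number": [m.group() for m in CARD_RE.finditer(text)
                        if luhn_ok(re.sub(r"[ -]", "", m.group()))],
        "ssn": SSN_RE.findall(text),
        "medical": sorted(t for t in MEDICAL_TERMS if t in lowered),
        "legal": sorted(t for t in LEGAL_TERMS if t in lowered),
    }
    return {rule: found for rule, found in hits.items() if found}


def risk_score(hits: dict) -> int:
    """Weighted count of hits, capped at 100."""
    return min(100, sum(WEIGHTS[rule] * len(found) for rule, found in hits.items()))


def action(score: int, sharing: str) -> str:
    """Risk-based decision: block the upload at high risk, restrict external
    sharing at medium risk, otherwise allow. Thresholds are illustrative."""
    if score >= 60:
        return "block-upload"
    if score >= 30 and sharing == "external":
        return "restrict-sharing"
    return "allow"


def evaluate(text: str, sharing: str = "internal") -> dict:
    hits = classify(text)
    score = risk_score(hits)
    return {"hits": hits, "score": score, "action": action(score, sharing)}


# Constructed sample documents being uploaded to a file-sharing service.
SAMPLES = {
    "patient record": ("Patient ID 4471, diagnosis confirmed. Card 4111 1111 1111 1111 "
                       "on file, SSN 123-45-6789.", "external"),
    "newsletter": ("Quarterly newsletter: our team grew to 1234 people this year.", "external"),
    "legal draft": ("Draft settlement agreement, privileged and confidential.", "external"),
    "invalid card": ("Order ref 1234 5678 9012 3456 does not pass Luhn.", "external"),
}

if __name__ == "__main__":
    for name, (text, sharing) in SAMPLES.items():
        result = evaluate(text, sharing)
        print(f"{name:15s} score={result['score']:3d} action={result['action']:16s} hits={result['hits']}")
```

The "invalid card" sample is the detection-accuracy case: the regex matches it, the Luhn check rejects it, and the document is allowed. Separating `classify` (what was found) from `action` (what to do about it, given the sharing context) mirrors the handoff the fifth item describes, where an existing DLP engine supplies the hits and the CASB applies the cloud-specific response.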

Finally, a best practice is to extend the evaluation and strategy for data protection to include protecting data from malware, including ransomware. This is critical for cloud-based enterprise file synchronization and sharing (EFSS) services and is an emerging best practice for data repositories in IaaS (scanned by the CASB via APIs). Leading CASBs offer malware scanning themselves along with integration to malware repositories such as VirusTotal or ReversingLabs and optional integration with network sandboxing solutions – cloud-based or on-premises.

Keep Contract Terms Short and Be Open to Switching

The CASB market is consolidating and multiple acquisitions have occurred. As predicted, we are now seeing significant downward pricing pressure as the market has consolidated, larger players have entered and the size of vendors’ client bases is expanding rapidly. For example:

■ Microsoft bundling some CASB capabilities with E3 and E5 level licenses of Office 365
■ SWG bundling and bulk discounts as a part of SWG contracts when CASB services are added
■ Enterprise DLP bundling and upsell to extend DLP to cloud services
■ Oracle, Palo Alto Networks and Cisco all can include CASB services as part of broader enterprise licensing contracts and potentially include them in enterprise software license agreements

The net result is downward pricing pressure, year over year over the past four years. In almost all cases, these are subscription contracts. A best practice is to keep the contract terms short and to be open to competitive displacement bids. Since CASBs have been around for several years, initial contracts are expiring and we are already seeing displacement deals as well as sales teams/channels empowered for competitive displacement pricing.

16

To help clients, we provide these approximate pricing guidelines per user, per year, starting with use cases as follows:

■ Assume continuous cloud application discovery and security posture assessments are included
■ Assume DLP and malware protection are included for all services

For API-only CASBs: one to three cloud apps – $15/user/year
For API and proxy: one to three cloud apps – $25/user/year
For API and proxy: four to six cloud apps – $45 to $65/user/year
For API and proxy: unlimited cloud apps – $65 to $85/user/year

The actual deal size can vary based on:

■ Number of users in an organization
■ Number of SaaS applications or IaaS environments that customers are seeking to monitor
■ Number of users using certain apps (for example, Box and Salesforce)
■ Types of standard and advanced capability purchased by the customer
■ Industry vertical in which the customer operates (for example, some CASBs charge financial services customers higher per-user per-year prices than for some customers in other verticals)

Consider a typical CASB deployment where the customer environment consists of: 15,000 users (1,000 users on Box; 1,000 users on Salesforce; and all 15,000 on Office 365 [O365]), a 12-month term, and multimodal CASB deployment (see Table 1).

As discussed earlier, encryption or tokenization at the field level for one or more of the SaaS apps is not a mainstream use case. The implementation is complex and the engineering cost to the CASB provider to maintain the connectors is extensive. Pricing for this case jumps to at least $120 to $140 per user, per year for the specified application where the data will be encrypted at a field level.

Deploy

Integrate With Existing Security Infrastructure and Security Operations Center Processes

CASBs will assume a mainstream role in enterprise security architectures and should become integral parts of the enterprise security fabric of controls. When deployed, the CASB project must be integrated with enterprise security infrastructure, monitoring and processes, including:

■ Security information and event management (SIEM) – for incident correlation, monitoring and log management
■ Identity and access management (IAM)/IDaaS – for user and cloud identity
■ EMM – for device health and risk posture
■ UEBA – for integrating on-premises and cloud-based usage analytics
■ DLP – for consistent application of policy across on-premises and cloud
■ SWG – as discussed previously
■ Data-centric audit and protection (DCAP) – for analytics of user activity with sensitive data and consistent monitoring, on-premises and cloud
■ Enterprise key management (EKM) – for integration with on-premises encryption key management for consistent access policies

We believe the most critical integration of the CASB project will be the integration into the enterprise SIEM and security operations center (SOC) processes. For most organizations, the SIEM is the system of record for all security-related events and CASB events will be part of this. From a process perspective, the enterprise must integrate CASB event handling into standard SOC incident workflow. In the implementation, integration with DLP workflows should be one area of focus. While the SOC may be the center of all events – attack- or DLP-related – the typical DLP incident workflow may involve the application owner or, in some cases, human resources.

Table 1. Typical CASB Deployment – Pricing

| Component | Description | Per-User/Per-Year Pricing | Number of Users | Annual Pricing | Comments |
| --- | --- | --- | --- | --- | --- |
| Standard Components | | | | | |
| Visibility and Compliance | Ongoing shadow IT discovery and governance | $10 | 15,000 | $150,000 | All users |
| Threat Protection and Data Security – Box | Detect anomalous behavior in Box environment, and enforce standard DLP and data security capabilities | $15 | 1,000 | $15,000 | Only Box users |
| Threat Protection and Data Security – Salesforce | Detect anomalous behavior in Salesforce environment, and enforce standard DLP and data security capabilities | $15 | 1,000 | $15,000 | Only Salesforce users |
| Threat Protection and Data Security – Office 365 | Detect anomalous behavior in Office 365 environment, and enforce standard DLP and data security capabilities | $12 | 15,000 | $180,000 | All users |
| Total Price Paid by Customer per Year | | | | $360,000 | Pricing with standard components |
| Optional/Add-On Components* | | | | | |
| Add-On Data Security Subscription | Additional encryption, key management and/or DLP capability not included in base service | $5 | 15,000 | $75,000 | All users – Some CASBs will bundle this with per-app price, while others will break it out separately. |
| Add-On Threat Protection Subscription | Additional threat protection modules (for example, malware analysis modules) not included in base service | $5 | 15,000 | $75,000 | All users – Some CASBs will bundle this with per-app price, while others will break it out separately. |
| Support | Dedicated customer relationship managers, faster response times for escalation, 24/7 support | About 15% of total annual deal size | | $75,000 | Rarely seen |
| Add-On Data Retention | Retention of customer data beyond basic period of 90 or 180 days | About 15% of total annual deal size | | $75,000 | Rarely seen |
| Total Pricing of Standard and Optional Components | | | | $660,000 | |

* Optional/add-on components differ between providers based on services and deployment modes offered.

Source: Gartner (November 2017)

The CASB usage data gathered from the continuous visibility at the center of Figure 2 has other value, for example, in incident response or identifying risk. So, in the event of an insider threat or a person that leaves the company, it allows for answering questions such as:

■ What else did the person access?
■ What accounts haven’t been used in 60 days?
■ What open file shares haven’t been accessed in more than 30 days?

The usage data is also useful to identify over- and underlicensing issues with cloud services.
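The three questions above, and the licensing check in the last sentence, can be answered directly from the CASB's activity export once it is in the SIEM or a data store of your own. The following is an added example and not code from the Gartner report or from any CASB product: it assumes the CASB exports activity events as JSON lines with the fields ts, user, app, action, object and share_scope (real export schemas differ, so treat the field names as assumptions), uses a constructed sample export embedded inline, and fixes the analysis time at 1 November 2018 so the results are reproducible.

```python
"""Answering incident-response and licensing questions from CASB usage data.

Added example, not code from the Gartner report or from any CASB product.
It assumes the CASB exports activity events as JSON lines with the fields
ts, user, app, action, object and share_scope; real export schemas differ.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample export (not real data): one JSON object per line.
SAMPLE_EVENTS = """\
{"ts": "2018-07-01T09:00:00Z", "user": "alice@example.com", "app": "Box", "action": "login"}
{"ts": "2018-07-01T09:05:00Z", "user": "alice@example.com", "app": "Box", "action": "share", "object": "/Finance/Q2-forecast.xlsx", "share_scope": "public_link"}
{"ts": "2018-08-20T11:00:00Z", "user": "bob@example.com", "app": "Box", "action": "view", "object": "/Finance/Q2-forecast.xlsx"}
{"ts": "2018-10-25T08:00:00Z", "user": "carol@example.com", "app": "Salesforce", "action": "login"}
{"ts": "2018-10-28T14:10:00Z", "user": "carol@example.com", "app": "Salesforce", "action": "export", "object": "Report:All Accounts"}
{"ts": "2018-10-28T14:12:00Z", "user": "carol@example.com", "app": "Office 365", "action": "download", "object": "/Sales/pricing-2019.docx"}
{"ts": "2018-10-28T14:15:00Z", "user": "carol@example.com", "app": "Office 365", "action": "share", "object": "/Sales/pricing-2019.docx", "share_scope": "public_link"}
{"ts": "2018-10-29T10:00:00Z", "user": "dave@example.com", "app": "Office 365", "action": "login"}
{"ts": "2018-10-29T10:02:00Z", "user": "dave@example.com", "app": "Office 365", "action": "view", "object": "/Sales/pricing-2019.docx"}
"""

NOW = datetime(2018, 11, 1, tzinfo=timezone.utc)   # assumed analysis time
NEVER = datetime(1970, 1, 1, tzinfo=timezone.utc)  # sentinel: no activity seen


def parse_events(text):
    """Parse the JSON-lines export; timestamps become aware UTC datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def objects_touched_by(events, user, since=None):
    """'What else did the person access?': (app, action, object) for one user.

    Login events carry no object and are skipped; `since` optionally limits
    the window (e.g. the weeks before a resignation).
    """
    return sorted({(e["app"], e["action"], e["object"]) for e in events
                   if e["user"] == user and e.get("object")
                   and (since is None or e["ts"] >= since)})


def stale_accounts(events, known_accounts, now=NOW, days=60):
    """'What accounts haven't been used in N days?' (default 60).

    `known_accounts` comes from the identity provider; accounts that never
    appear in the CASB data at all are reported too.
    """
    last_seen = {}
    for e in events:
        last_seen[e["user"]] = max(last_seen.get(e["user"], e["ts"]), e["ts"])
    cutoff = now - timedelta(days=days)
    return sorted(u for u in known_accounts if last_seen.get(u, NEVER) < cutoff)


def stale_open_shares(events, now=NOW, days=30):
    """'What open file shares haven't been accessed in N days?' (default 30).

    An open share is a public-link share event; it is stale when neither the
    share itself nor any view/download of the object falls inside the window.
    """
    shared_at, last_access = {}, {}
    for e in events:
        key = (e["app"], e.get("object"))
        if e["action"] == "share" and e.get("share_scope") == "public_link":
            shared_at[key] = e["ts"]
        elif e["action"] in ("view", "download"):
            last_access[key] = max(last_access.get(key, e["ts"]), e["ts"])
    cutoff = now - timedelta(days=days)
    return sorted(k for k, t in shared_at.items()
                  if max(t, last_access.get(k, t)) < cutoff)


def license_gap(events, seats, now=NOW, days=90):
    """Licensed seats minus users active in the last `days`, per app.

    Positive means unused seats (overlicensed); negative means more active
    users than seats (underlicensed).
    """
    cutoff = now - timedelta(days=days)
    active = defaultdict(set)
    for e in events:
        if e["ts"] >= cutoff:
            active[e["app"]].add(e["user"])
    return {app: n - len(active[app]) for app, n in seats.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    directory = ["alice@example.com", "bob@example.com", "carol@example.com",
                 "dave@example.com", "erin@example.com"]
    print("carol touched:", objects_touched_by(evs, "carol@example.com"))
    print("stale accounts:", stale_accounts(evs, directory))
    print("stale open shares:", stale_open_shares(evs))
    print("license gap:", license_gap(evs, {"Box": 3, "Salesforce": 1, "Office 365": 1}))
```

On the sample data, carol (the departing user in this scenario) exported a Salesforce report and then downloaded and publicly shared a pricing document in the same minute; alice and bob have been silent for more than 60 days and erin never appears at all; the Q2 forecast spreadsheet is a public link nobody has opened in more than 30 days. The license check depends on the identity directory being the source of truth for seats, which is why `known_accounts` is passed in rather than inferred from the CASB data.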

Phase in the CASB Control Scope and Establish Metrics for Success

Enterprise CASB projects should not try to control and monitor all possible cloud applications from day one. Once a cloud usage visibility baseline is established, the best practice is to perform a risk-based prioritization to determine which cloud services to phase monitoring and control into first. We recommend enterprises identify one or two cloud services that host the enterprise’s most sensitive information and start the project there, expanding to all cloud services over time.

For example, many organizations start with a single cloud application of interest – typically Salesforce or Office 365 (initial phases typically only cover Exchange, OneDrive and SharePoint). The project scope should include plans to activate DLP from the beginning for these critical services. Another way to scope the project is to start by limiting access to managed devices only, and handle unmanaged device scenarios in future phases. As other cloud services will be phased in over time, make sure the CASB contract anticipates and allows for this expansion.

There are several critical metrics to monitor as key performance indicators to gauge the ongoing success of the project:

■ Number of clouds actively managed and the number of clouds monitored – as stated earlier, there will always be new clouds appearing, so measuring this over time will be a critical metric.
■ End-user acceptance – covering how new clouds are onboarded, IT’s willingness to help, and the ability of the end user to self-remediate
■ Excessively risky behaviors blocked:
  ■ Sensitive data exposure events
  ■ Malware detection events

The time to detect and respond to an identified risk-related event is also a critical metric:

■ Risky exposure of sensitive data incidents and escalations
■ DLP incidents that were self-remediated by the user versus escalated
■ Stolen credentials/insider threat issues identified, percentage that were real, and the amount of time to detect and respond to a credential theft/insider threat issue


Note 1
Unsanctioned Use of Sanctioned Cloud Applications
For example, the enterprise may have standardized on Box, but users have created personal accounts for Box. Activities in these accounts occur outside the visibility of IT, representing risk.

Note 2
Risky/Shadow Data
There is a discovery issue even when cloud services are standardized (say Dropbox) and the accounts are managed, but where sensitive data is stored in these sanctioned cloud services, which represents risk to the enterprise.

Note 3
APIs and In-Line Blocking
The time to detect and respond will be a critical differentiator among the CASBs providing API-based protection. This should be tested as a part of the evaluation process. Customers report that the gaps between vendors can be measured in tens of minutes because of architectural differences.

Over the next several years, we expect some SaaS vendors to provide in-line decisioning and call-out support to third-party CASB providers that offer real-time, CARTA-inspired risk and trust assessments with in-line blocking capabilities.

Source: Gartner Research, G00336456, Neil MacDonald, 8 November 2017

Plan and Manage Successful CASB Deployment is published by Tata Communications Editorial content supplied by Tata Communications is independent of Gartner analysis. All Gartner research is used with Gartner’s permission, and was originally published as part of Gartner’s syndicated research service available to all entitled Gartner clients. © 2018 Gartner, Inc. and/or its affiliates. All rights reserved. The use of Gartner research in this publication does not indicate Gartner’s endorsement of Tata Communications’s products and/or strategies. Reproduction or distribution of this publication in any form without Gartner’s prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on its website.

Contact us
For more information contact us at:

tatacommunications.com/services/managed-security/

[email protected]

ABOUT TATA COMMUNICATIONS

Tata Communications is a leading global provider of A New World of Communications™ to multinational enterprises and service providers. The company leads from the front to create an open infrastructure, partner ecosystem and platforms for businesses to stay competitive in this digital age. Tata Communications’ portfolio of services is underpinned by the company’s leading global network infrastructure.

With a strong presence in both developed and emerging markets, the company is a key enabler of information and communication technology globally, with a broad range of services including network services; managed security; voice, data and mobility solutions; unified communications & collaboration tools; content management; media and entertainment services; and cloud and data centre solutions.

LEARN ABOUT OUR SECURITY PORTFOLIO

© 2018 Tata Communications. All Rights Reserved. TATA COMMUNICATIONS and TATA are trademarks of Tata Sons Limited in certain countries.