CASBs – The Emperor’s New Clothes?

It seems that Fear Uncertainty and Doubt (FUD) will always be used to sell products that no-one needs to solve problems that no one really has.

Last week I attended the Wellington ISIG talk on Cloud Access Security Brokers (CASBs). The talk was interesting and the presenter handled the vocal scepticism of the audience very well.

The presentation left me with one burning question: Why would anyone buy CASBs products/services?

So I decided to have a more detailed look at CASBs and what they offer. Let’s start by defining what CASBs are. Where better to look for a definition of an ICT product or service than Gartner?

“Cloud Access Security Brokers (CASBs) are on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.” – GARTNER

The first thing in this definition that piqued my interest was:

“…on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers…”

A basic Internet search reveals that most of the CASB offerings available are themselves marketed and delivered as cloud services. This leads me to ask:

If I purchase a CASB as a cloud service, do I need to purchase another CASB to manage access to my CASB service? Where does it end?

This is truly a modern take on the “Turtles All the Way Down” paradox! Of course, in reality no one would actually bother to do this, but it makes me wonder why anyone would place more trust in a CASB to have implemented effective security practices and controls than in cloud services such as Office 365, Google Apps for Business or Salesforce. A number of the CASB vendors actually acknowledge that these services deliver world-leading security, but counter this with a snarky “but it’s only to prevent THEM, not YOU, becoming front page news”. My response to this is simple: surely a breach of the service provider’s environment that results in your information being compromised would lead to both parties being front page news and suffering some degree of damage to their reputations?

One of the selling points of most CASBs seems to be “your cloud service provider cannot help you understand and effectively manage what information you or your users are choosing to store in the cloud”. This is true, but neither can a CASB product or service. You must assess all information that is created, collected, stored, used and shared by each of your business processes to ensure that it is appropriately classified and labelled BEFORE a CASB product or service can enforce policies about what can or cannot be sent to the cloud, or which fields must be encrypted or tokenized.

Simple? You’re doing this already aren’t you?

This brings me neatly to the next point: encryption and tokenization. The main feature that appears to be highlighted by CASBs is the ability to apply rules to encrypt or tokenize sensitive fields (e.g. cardholder data, IRD numbers, dates of birth) in the data that is sent to the cloud. This seems like a great idea, but it does have one major drawback: data that is encrypted or tokenized cannot be processed by services that do not have access to the encryption key or the token vault. This is a classic example of security hindering the business and diminishing the benefits associated with Software as a Service (SaaS). Sure, your data is secured from unauthorised access by the service provider’s staff, or lawful access by a government without your knowledge, but at the cost of usability. The business may not be able to use all, or any, of the features delivered by the SaaS solution if the most important data fields are encrypted, so why bother using it at all? And here is the rub: to encrypt or tokenize the data you need to trust the CASB with the encryption keys. This is less of a big deal if you are planning to deploy an on-premises CASB. However, if you are going to select a cloud-based CASB you will be trusting the provider with the keys to your kingdom.

Again, why should you believe that they are better at protecting your information than the cloud service provider? How good are their key management practices? You wouldn’t want your CASB to effectively become an enterprise implementation of CryptoLocker now, would you?
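To make the two points above concrete (the usability cost of field-level tokenization, and the dependence on whoever holds the keys or the vault), here is an added example that is not from the original post and not any vendor’s product. It models a hypothetical on-premises token vault standing in for the CASB: sensitive fields are replaced with deterministic HMAC-derived tokens before records go to the “SaaS”, which sees only the tokens. The customer records, field names and the HMAC-based tokenization scheme are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Constructed sample records (fictional people and numbers, not real data).
CUSTOMERS = [
    {"name": "A. Example", "ird_number": "012-345-678", "dob": "1975-03-14"},
    {"name": "B. Example", "ird_number": "098-765-432", "dob": "1988-11-02"},
    {"name": "C. Example", "ird_number": "012-345-678", "dob": "1969-07-30"},
]
# Fields the (hypothetical) policy says must never leave the organisation in clear.
SENSITIVE_FIELDS = ("ird_number", "dob")


class TokenVault:
    """Hypothetical on-premises tokenization vault, playing the CASB's role.

    Tokens are deterministic (HMAC-SHA256 of the value under a per-tenant key),
    so equal plaintexts map to equal tokens and exact-match lookups still work
    in the SaaS. The vault keeps the token -> plaintext map; without it (or
    with a different key) nothing can be detokenized.
    """

    def __init__(self, key=None):
        self.key = key if key is not None else secrets.token_bytes(32)
        self._store = {}

    def tokenize(self, value):
        digest = hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()
        token = "TOK_" + digest[:16]
        self._store[token] = value
        return token

    def detokenize(self, token):
        # KeyError here is the "keys to the kingdom" failure mode: vault gone, data gone.
        return self._store[token]

    def protect_record(self, rec):
        """What the CASB sends upstream: sensitive fields replaced by tokens."""
        return {k: (self.tokenize(v) if k in SENSITIVE_FIELDS else v) for k, v in rec.items()}

    def reveal_record(self, rec):
        """Reverse mapping on the way back down, only possible with the vault."""
        return {k: (self.detokenize(v) if k in SENSITIVE_FIELDS else v) for k, v in rec.items()}


def saas_exact_match(records, field, value):
    """Equality search as the SaaS would run it over whatever it was given."""
    return [r["name"] for r in records if r[field] == value]


def saas_born_before(records, year):
    """Range query on dob: works on plaintext, silently finds nothing on tokens,
    because the SaaS cannot parse a token as a date."""
    found = []
    for r in records:
        try:
            if date.fromisoformat(r["dob"]).year < year:
                found.append(r["name"])
        except ValueError:
            pass  # token is not a date; the feature is dead for protected data
    return found


def can_recover(vault, token):
    """True only if this vault holds the mapping for the token."""
    try:
        vault.detokenize(token)
        return True
    except KeyError:
        return False


def demo():
    vault = TokenVault()
    protected = [vault.protect_record(r) for r in CUSTOMERS]

    # Deterministic tokens keep exact-match features alive in the SaaS ...
    dup_ird = saas_exact_match(protected, "ird_number", vault.tokenize("012-345-678"))
    # ... but anything that needs the value's structure (ordering, ranges, parsing) dies.
    plain_range = saas_born_before(CUSTOMERS, 1980)
    token_range = saas_born_before(protected, 1980)
    # Round trip only works for the party holding the vault.
    restored_ok = [vault.reveal_record(r) for r in protected] == CUSTOMERS
    return dup_ird, plain_range, token_range, restored_ok


if __name__ == "__main__":
    print(demo())
```

The trade-off the paragraph describes shows up directly: the duplicate-IRD query still finds both matching customers on the tokenized data, but the “born before 1980” query that works on plaintext returns nothing once the field is tokenized, and a second vault created with a different key cannot recover anything the first one tokenized. Random (non-deterministic) tokens would remove even the exact-match capability; format-preserving encryption keeps field syntax valid but still leaves the SaaS unable to interpret the values.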

Shadow IT is the unauthorised use of cloud services by users within the organisation. Just about all of the CASBs highlighted the ability to detect and stop Shadow IT as a key selling point. This is a feature that does have some value: it is vital that you know where your information is being transmitted, stored and processed so that you can ensure that it is appropriately protected. However, blocking access may result in critical business information being orphaned in services that your users can no longer access. It might be more effective to address the main cause of Shadow IT, namely that IT is not responsive to the needs of the business. Remember that IT and security are supposed to support and enable the business to achieve its goals and objectives, not to stop it from operating.

The main thrust of the various whitepapers I have waded through today is that “our whiz-bang product/service can assess and manage the risk of you using cloud for you, so you don’t have to”. While they can help you enforce and monitor for compliance with your policy, they cannot identify and assess the risk introduced to your organisation through the adoption and use of cloud services; only you can. There are no shortcuts here. Sure, you can throw in a piece of technology, but you still have to understand the risks you are trying to manage to be certain that the tool you have selected is capable of managing them and has been appropriately configured to do so.

So what about my claim that FUD is being used to sell CASBs? Well, there are plenty of examples, but I’ll just give you one tiny one: Netskope’s 2016 Worldwide Cloud Report. They claim that “4.1% of all sanctioned cloud apps are laced with malware.” Really? Well no, not really. Digging a little deeper reveals that this ‘fact’ is based on files that were uploaded to, and distributed using, the file sharing or syncing services that they scanned, the implication being that buying a CASB service will prevent your files from being infected in the cloud. The problem is that the files must already have been infected before they were uploaded to the service. This highlights that the organisations either didn’t have any controls in place to prevent malware infections (e.g. antivirus installed and maintained on end-user devices, user awareness training) or those controls weren’t effective. While the use of a CASB may prevent the upload and spread of infected files (assuming its anti-malware capabilities are more effective than your traditional anti-virus solutions), it will not address the fact that you have already been infected.

I understand the attraction of CASBs, I really do. They appear to present a silver bullet to the problem of managing the risks associated with your adoption of cloud services. But the reality is that they are not. Looking at the list of CASBs, many of whose vendors also sell firewall or proxy solutions, I really can’t help but think “the emperor has new clothes”.