Eduard Meelhuysen, Head of EMEA at Bitglass, explains why emerging Cloud Access Security Broker technologies may provide the answer for banks and financial services firms looking to take advantage of public cloud services, without compromising on data security.
While the benefits of cloud computing are well known, it comes with its fair share of challenges in relation to data privacy, security and compliance. That’s an issue for highly regulated and security-conscious sectors such as banking and financial services, where apprehension about the risk of data held on public clouds being compromised is high.
In Europe, falling foul of the EU General Data Protection Regulation (GDPR) when it finally comes into force will have far-reaching consequences for organisations operating in these sectors. Furthermore, any public revelation of the loss of sensitive customer data will have significant reputational implications, including potentially high-profile compensation cases.
Little wonder then that, until now, many CISOs have been cautious about the adoption of public cloud services like Salesforce or Office 365. But a new technology is emerging that may make the secure adoption of such services a realistic goal. Acting as a gatekeeper between the cloud and all endpoints, a Cloud Access Security Broker (CASB) is a software tool that enables organisations to extend the reach of security policies beyond their on-premise infrastructures, making it possible to mediate and manage data access with the cloud and to protect against attacks that target data or users.
These tools allow enterprises to safely enable cloud apps from managed and unmanaged devices. They also deliver deep visibility into user behaviours and activities across all cloud applications while offering impressive data protection and data leakage prevention capabilities too. Designed to protect data throughout its lifecycle – in the cloud, at access, on the device and on the corporate network – CASBs at last make it possible to inspect and secure data and safely enable cloud-based business applications.
Full-strength cloud encryption
A key advantage of using a CASB is that it introduces full-strength cloud encryption that allows enterprises to control their own encryption keys, ensuring no one can gain access to corporate data without the knowledge of the enterprise. This is critical from a compliance perspective because, while many cloud app vendors encrypt data-at-rest in their cloud infrastructures, they also retain control of the encryption key itself.
While it’s relatively easy to limit access to certain data sets or resources contained in on-premises applications to authorised managed devices, it’s a different story when dealing with public cloud applications like Salesforce and Office 365.
Because these applications are available anywhere and on any device, maintaining the high levels of control that are possible within an organisation's four walls becomes much more of a challenge. But using a CASB means customisable standards can be defined to strictly control access to data from unmanaged devices, while maintaining a degree of working flexibility for employees.
So, when a user attempts to access a protected application, the CASB first determines whether the device is managed or unmanaged and then applies the appropriate policies to any device identified as unmanaged. For example, permitting restricted web access while blocking access from file-sharing clients like OneDrive ensures sensitive data and IP are protected from being copied to unauthorised devices not monitored by Data Loss Prevention (DLP) technologies.
CASB solutions can also support the enforcement of device security policies, verifying that measures such as passcodes and encryption are in place on devices upon which corporate data is synchronised before allowing access to cloud data.
Imposing external sharing controls
The file sync and share capability offered by Google Apps or Office 365 may well represent an enticing productivity boon, but concerns about the ease with which the share button can be applied represent a minefield for the finance sector. Using a CASB, however, ensures that data-at-rest in these applications can be scanned for sensitive information. On discovery, a variety of response actions can be deployed – including quarantine for investigation, share removal or encryption – so that employees can share data without risk of leakage.
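The scan-and-respond loop described above, as an added example that is not part of the original article or any vendor's product: a small scanner runs over constructed file records (content plus the sharing state a CASB would read from the app's API), validates card-number and IBAN candidates with their checksums so that random digit runs are not flagged, and maps each finding to one of the response actions named in the text. The file records, the card and IBAN test values, and the response policy (quarantine externally shared card data, remove the share for other externally shared findings, encrypt internal-only findings) are all assumptions for illustration.

```python
import re

# Constructed sample of files at rest in a file sync-and-share app, with the
# sharing metadata a CASB would read from the app's API. The card and IBAN
# values are public test numbers, not real accounts.
SAMPLE_FILES = [
    {"id": "f1", "name": "q3-forecast.xlsx", "shared_externally": True,
     "content": "Budget lines only, nothing sensitive here."},
    {"id": "f2", "name": "client-cards.csv", "shared_externally": True,
     "content": "Card 4111 1111 1111 1111 issued to account GB82 WEST 1234 5698 7654 32"},
    {"id": "f3", "name": "internal-kyc.docx", "shared_externally": False,
     "content": "Card 5500 0000 0000 0004 on file, internal use only."},
    {"id": "f4", "name": "test-data.txt", "shared_externally": True,
     "content": "Card 1234 5678 9012 3456 is a made-up test value."},
]

# 13-19 digits with optional single space/hyphen separators, not embedded in a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Country code, two check digits, then alphanumerics in groups of four (ISO 13616 shape).
IBAN_CANDIDATE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map A-Z to 10-35, and the resulting integer mod 97 must equal 1."""
    compact = iban.replace(" ", "")
    rearranged = compact[4:] + compact[:4]
    numeric = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(numeric) % 97 == 1


def classify(content: str) -> list[str]:
    """Return the sensitive data classes found, each confirmed by its checksum."""
    found = []
    for m in CARD_CANDIDATE.finditer(content):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            found.append("card")
            break
    for m in IBAN_CANDIDATE.finditer(content):
        if iban_valid(m.group()):
            found.append("iban")
            break
    return found


def decide_action(file: dict) -> tuple[str, list[str]]:
    """Assumed response policy: externally shared card data is quarantined for
    investigation, other externally shared sensitive data has its share removed,
    internal-only sensitive data is encrypted at rest, and clean files are left alone."""
    classes = classify(file["content"])
    if not classes:
        return "allow", classes
    if file["shared_externally"]:
        return ("quarantine" if "card" in classes else "remove_share"), classes
    return "encrypt", classes


def scan(files: list[dict]) -> dict[str, tuple[str, list[str]]]:
    """Scan every file at rest and return file id -> (action, classes found)."""
    return {f["id"]: decide_action(f) for f in files}


if __name__ == "__main__":
    for file_id, (action, classes) in scan(SAMPLE_FILES).items():
        print(f"{file_id}: {action} {classes}")
```

The checksum step is what keeps a scanner like this usable on a finance tenant: spreadsheets are full of 13-19 digit runs, and without Luhn and mod-97 validation the quarantine queue fills with invoice and reference numbers rather than card data.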
Streamlined identity management
Authenticating identity is a key challenge for enterprises looking to move to cloud applications. But today’s leading CASB solutions feature integrated identity and access management capabilities that provide enterprises with contextual multi-factor authentication without having to deploy an additional third party identity system.
With phishing and credential compromise representing primary attack vectors in most data breach instances, the ability to thwart this type of threat activity represents a significant benefit. A CASB is able to detect suspicious activity across multiple cloud apps. So, if a user logs into Office 365 in Manchester and within minutes someone else using the same credentials logs into Salesforce from another location or a malicious IP address, the CASB will take action to force multi-factor authentication on both devices in mid-session.
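The cross-application correlation in that scenario, written out as an added example rather than any vendor's detection logic: login events from several cloud apps are merged into one per-user timeline, each new login is compared with the same user's previous login anywhere, and a step-up MFA action is raised on both sessions when the implied travel speed is physically impossible or when the source address is on a denylist. The event records, the coordinates (roughly Manchester, Moscow and London), the denylist and the 900 km/h threshold are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt


@dataclass(frozen=True)
class Login:
    user: str
    app: str
    time: datetime          # UTC
    src_ip: str
    lat: float
    lon: float
    session_id: str


# Constructed sample events from two cloud apps, already geolocated by source IP.
EVENTS = [
    Login("alice", "office365", datetime(2017, 5, 2, 9, 0), "198.51.100.10", 53.48, -2.24, "s1"),
    Login("alice", "salesforce", datetime(2017, 5, 2, 9, 4), "203.0.113.77", 55.75, 37.62, "s2"),
    Login("bob", "office365", datetime(2017, 5, 2, 9, 0), "198.51.100.11", 53.48, -2.24, "s3"),
    Login("bob", "salesforce", datetime(2017, 5, 2, 9, 30), "198.51.100.11", 53.48, -2.24, "s4"),
    Login("carol", "office365", datetime(2017, 5, 2, 10, 0), "192.0.2.200", 51.51, -0.13, "s5"),
]

MALICIOUS_IPS = {"192.0.2.200"}   # constructed denylist (documentation address range)
MAX_PLAUSIBLE_KMH = 900.0         # assumed threshold, roughly airliner speed


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on Earth in kilometres."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def evaluate(events, malicious_ips=MALICIOUS_IPS, max_kmh=MAX_PLAUSIBLE_KMH):
    """Correlate logins across apps per user. Returns (actions, reasons):
    actions maps session_id -> 'allow' or 'step_up_mfa';
    reasons maps flagged session_id -> list of triggers."""
    actions = {e.session_id: "allow" for e in events}
    reasons: dict[str, list[str]] = {}

    def flag(session_id: str, reason: str) -> None:
        actions[session_id] = "step_up_mfa"
        reasons.setdefault(session_id, []).append(reason)

    last_seen: dict[str, Login] = {}
    for e in sorted(events, key=lambda ev: ev.time):
        if e.src_ip in malicious_ips:
            flag(e.session_id, "malicious_ip")
        prev = last_seen.get(e.user)
        if prev is not None:
            hours = (e.time - prev.time).total_seconds() / 3600.0
            distance = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            # Same-instant logins from different places are treated as infinite speed.
            speed = distance / hours if hours > 0 else (float("inf") if distance > 0 else 0.0)
            if speed > max_kmh:
                # Both the earlier and the later session are challenged mid-session,
                # since either could be the attacker's.
                flag(prev.session_id, "impossible_travel")
                flag(e.session_id, "impossible_travel")
        last_seen[e.user] = e
    return actions, reasons


if __name__ == "__main__":
    acts, why = evaluate(EVENTS)
    for sid in sorted(acts):
        print(sid, acts[sid], why.get(sid, []))
```

Keeping a single per-user timeline across all apps is the point of doing this in the broker rather than in each application: Office 365 and Salesforce each see only one of alice's two logins, so neither could compute the travel speed on its own.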
Audit logs, compliance reports and deep visibility into who’s doing what
CASBs are able to deliver deep visibility into user behaviours and activities across all cloud applications, providing complete audit logs that enable finance organisations to adhere to FCA compliance requirements. But that’s not all. CASBs also offer high-level analytics and reports that make it possible to observe trends and spot deviations from normal behavioural patterns. Alerts keep teams apprised of potential security and compliance issues such as inappropriate data access or user account compromise.
This visibility means that should a user’s personal mobile device be lost or stolen, the CASB dashboard can be used to identify which files are resident on the device and whether these contain sensitive data. Leading CASB solutions will also offer the ability to selectively wipe this data from the lost device, even if an MDM software agent has not been installed.
Reaching Cloud 9
Bulletproof data security is a must-have for banking and financial services organisations looking to adopt cloud-based applications. But today's CASB solutions address cloud service risks, making it possible for enterprises to enforce security policies and comply with regulations – even when cloud services are public and out of their direct control.
Featuring a range of built-in technologies that include auditing, encryption and monitoring tools, CASBs deliver the visibility and control that make it possible to fully leverage the potential of cloud applications without increasing the risk of sensitive customer data or confidential information falling into the wrong hands.