CASB delivers must-have protection for your SaaS apps
- 08 August, 2016 20:00
Cloud Access Security Brokers are products that can be described as firewall plus identity management plus anti-malware plus DLP plus encryption control/implementation plus threat management.
CASB products have become increasingly important as enterprises look to extend their on-premises security policies to their cloud-based assets. We looked at three products: CipherCloud, Bitglass, and Netskope. Each one takes a different, yet ingenious, approach to the task of stopping unauthorized, inappropriate, or uncontrolled access to and manipulation of cloud assets.
Security brokers require varying degrees of work, we found in our review, but they pay off in important ways. While it’s impossible for us to test all use cases and to scale as high as vendor claims, we were able to get a good feel for both the features of these products and for potential scalability.
- If you’re part of a huge organization, a multinational with many users in jurisdictions that each impose their own data rules, we’d choose CipherCloud for its sheer depth and the power of its encryption techniques.
- Bitglass also has interesting features and a lot of control to back up specific popular SaaS apps. Also, Bitglass can watermark files in such a way as to trace exfiltration forensically.
- Netskope scored the highest in our review, just edging out CipherCloud and Bitglass. Its setup is complex, but it covers sanctioned brand-name SaaS apps widely and deeply, with tiered controls that let you lock things down by degrees.
Another thing to keep in mind: a CASB is a critical security resource, so it requires administration, monitoring, and help desk personnel, along with careful installation. Adopting one is important, but non-trivial.
Here are the individual reviews:
| Product | Netskope GoScope Platform | CipherCloud Trust Platform | Bitglass |
|---|---|---|---|
| Price | Starts at $8 per user per month for Discovery and $15 per month for the Active Platform; options such as DLP, encryption, and malware protection are priced separately. | $2 to $30 per user per month, plus maintenance and help desk costs; deployments that run the gateway on-premises can add $30K to $150K depending on complexity. | Breach Discovery plus log analysis, $2 per user per month; add mobile-only protection, $5 per user per month; Standard edition (mobile, web and DLP), $10 per user per month; Enterprise (adds encryption and specific app control), $30 per user per month. |
| Pros | Detailed platform with very good analytics and administrative tracking; flexible and deep cloud app intelligence; high potential programmability | Extreme encryption flexibility and, with it, DLP control for large organizations needing international regulatory compliance | Detailed and broad canned application control; graduated services |
| Cons | Docs could use work; a la carte pricing and configuration potentially inconvenient | Requires dedicated platform work and its costs; covering additional cloud apps can add cost | Comparatively less programmability; cloud-based forward proxy only |
CipherCloud Trust Platform
CipherCloud provides a gateway appliance, delivered as a virtual machine and priced per user. Inside the appliance are three functional components: administration, security, and connectors specific to the managed CASB resources. Pricing, like that of the other products in this review, is tiered by the services provided.
CipherCloud is a construction set with many pre-fab pieces, and it requires significant planning to deploy in order to gain full effectiveness. It’s in use by some of the largest financial institutions in the world.
The strong upside is its ability to establish strong, flexible encryption down to the record/field level, and with it strong DLP controls for its list of covered applications. A hidden cost is the integration and adaptation work for specific cloud app platforms, such as Salesforce. With some work, it can become fitted to a target application like no other product here, because of its data protection schemes.
We installed the gateway as an Amazon Web Services VM. Multiple instances of the gateway appliance VM can be run redundantly as a reverse proxy between users and cloud resources. Once it is set up and the protected fields are encrypted, any access that bypasses the gateway and its decryption resources sees only AES-256 ciphertext. Accessed through the controls set in CipherCloud’s trust platform, it’s possible to choose encryption modes that still allow searches, along with field-level data loss prevention (DLP) flagging and control.
We like CipherCloud for its certificate and key control, its staggering variety of stateful and stateless encryption schemes, its tokenization options and its breadth of popular SaaS app coverage. (CipherCloud doesn’t cover every app found in the cloud.)
We also like it for its flexibility across deployment designs for larger organizations. BitDefender scanning is available as an additional intermediary for streams flowing through the gateway, although examination of streaming data isn’t perfect.
Architecturally, the VM is a reverse proxy gateway appliance licensed by user count, so multiple instances can be generated and deployed without additional cost. The gateway, which needs healthy server resources allocated to it, performs deep inspection even with many pre-set AES-256-encrypted data flows passing through it.
Each gateway is supposed to service approximately 5,000 users, and we caution this is an untested number; it could be more or less.
We could add redundant gateway appliances in our network operations center, or distribute them to branches or other locations where their presence made sense from a control, management, and communications perspective. The VM sits in the network path before users log on to the desired cloud resource, meaning via VPN and through the gateway. A user who goes around it can reach the SaaS/cloud resource directly, but the data stored there is encrypted and is unusable without the keys the gateway holds.
There are several staff roles that must come together to make CipherCloud, or any other CASB, work: networking, security, DLP/asset management, production instance management, and help desk support. The reverse proxy watches for exfiltration and policy violations. There is a rich set of condition/action choices, ranging from stopping an operation cold to serving a stub in place of improperly stored data.
CCTP (the CipherCloud Trust Platform) doesn’t need to encrypt everything, only the pertinent fields. If it is set to encrypt entire discrete files, that data cannot be searched. You use your own keys, and CipherCloud doesn’t keep them: you generate them yourself and/or use a certificate authority to generate appropriate keys.
Once installed, the keys encrypt what you’ve chosen. As an example, when we tested Salesforce via the test gateway VM in AWS, we could open up the Salesforce instance’s database schema and choose which fields to encrypt. When we deliberately went around the gateway and accessed the data directly, the result was total gibberish. Sorting on the gibberish produces still more gibberish, since the encrypted values are rendered as UTF-8 text. Had we held the keys outside the gateway keystore, we could have decrypted the data, provided we also had any tokens needed to de-tokenize the fields back into meaningful values. Salesforce domains and apps can therefore be given surgical DLP treatment.
The entire Salesforce database could be encrypted, but it’s not really needed, unless each field must be encrypted for regulatory compliance. If there are different Salesforce Orgs, each Org instance can be encrypted, including online Salesforce apps. For single sign-on, we used CipherCloud directly, but it’s possible to connect via Active Directory Federation Services or other SSO mechanisms.
CCTP manages this with what we feel is astute key repository partitioning and management, so that multiple apps can be handled concurrently. Keys are managed on the CCTP VM gateway after installation, which allows jurisdictional partitioning of data. SafeNet’s KeySecure is supported as a third-party key store, but we didn’t test this. Administrators are separated into system administrators, key managers, and cloud application managers, so the key manager role can be kept organizationally distinct, a separation of duties that comes in handy.
Key separation is used to fence data geographically into separate domains. For example, a European branch can use data that is encrypted under different keys than data in Chicago. This comes at low cost because, again, redundant gateways cost no more (pricing is per user), so branches, business units and country-managed entities can each have their own gateway.
Initial key distribution and renewal/replacement means going into each gateway to replicate infrastructure. Subsequent upgrades (we did not try this) allow a dry run of updates prior to deployment within the appliance(s).
Data running through the gateway can be given application-specific, per-field treatment using schemes such as these: AES Email Address Encryption, AES Email Relay Encryption, AES Encryption for Alphabetic Filtering, AES File Stream Encryption, AES Length Restricting Encryption, AES Phone Number Encryption, AES Search and Sort Encryption, AES Search and Sort Encryption(FIPS Mode), AES Web URL Encryption, Alphabetic Filtering Tokenizer, Email Address Tokenizer, Email Relay Tokenizer, File Name Tokenizer, Length Restricting Tokenizer, Phone Number Tokenizer, Search and Sort Tokenizer, Stateless AES Alphanumeric Encryption, Stateless AES Chatter Encryption, Stateless AES Encryption with Search, Stateless AES Encryption without Search, Stateless AES Prefix Preserving Encryption, Stateless AFPE, Stateless AFPE for Alphabetic Filtering, Stateless Chatter URL Encryption, Stateless Email Address Encryption, Stateless Email Relay Encryption, Stateless Function Preserving Hybrid AES Encryption, Stateless Length Restricting Encryption, Stateless Order Preserving Hash Encryption, Stateless Partial Field Encryption, Stateless Partial Field Hybrid AES Encryption, Stateless Phone Number Encryption, Stateless Web URL Encryption, Static Chatter Tokenizer, Static Chatter URL Tokenizer, Static Date Tokenizer, Static Email Address Tokenizer, Static Length Restricting Tokenizer, Static Number Tokenizer, Static Partial Field Tokenizer, Static Per Word Tokenizer, Static Phone Number Tokenizer, Static URL Tokenizer, URL Tokenizer.
No, we didn’t test all of them. Also available are anti-malware and anti-virus stream examination.
The tokenizers replace field values with tokens whose mapping back to the real value stays in the local gateway. That keeps the data itself local, so a single encryption key set can serve the organization while the data remains partitioned by jurisdiction, letting international branches comply with data export constraints via administratively generated tokens.
Policies can be based on these fields for varying filtration. An inline antivirus/antimalware function works either system-wide or not at all. The gateway and its keys are totally critical to the organization’s use of protected SaaS resources, so the gateway must be both replicated and backed up, and from a communications perspective it sits on a critical path for the organization. No access to the gateway means help desks catch fire.
If you believe in secret sauces, the strongest CipherCloud sauce in our estimation is the fact that it is the party doing the (stateless or stateful) AES encryption, so it sees the cleartext in transit. That lets CipherCloud apply deep traffic inspection and filter for policy violations that indicate data exfiltration or misuse before the ciphertext ever leaves. Numerous types of fields can be examined for pattern matches, and when matches (hits) are found, CipherCloud records what’s happening and, by policy, can halt the operation or place tombstones representing the data while the data itself is cached elsewhere.
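To make concrete what the gateway does with a Salesforce field, here is a toy model of the scheme described above: some fields are encrypted with randomized ciphertext, others are tokenized so that equality search on the SaaS side still works, the token vault never leaves the gateway, and a second gateway in another jurisdiction, holding different keys, cannot read the first one’s data. This is an added example, not CipherCloud code; HMAC-SHA256 in counter mode stands in for AES-256 so it runs on Python’s standard library alone, and the policy, field names and records are constructed.

```python
"""Toy CASB reverse-proxy gateway doing field-level protection. Added example,
not CipherCloud code: HMAC-SHA256 in counter mode stands in for AES-256 so it
runs on the standard library alone. Not for production use."""
import hashlib
import hmac
import secrets


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # PRF in counter mode, block i = PRF(key, nonce || i); stand-in for AES-CTR.
    return b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))[:n]


class Gateway:
    """One gateway = one key set + one token vault (a branch in another jurisdiction runs its own)."""

    def __init__(self, name: str, policy: dict, key: bytes = None):
        self.name = name
        self.policy = policy            # field -> "random" | "deterministic" | "clear"
        key = key or secrets.token_bytes(32)
        self.enc_key, self.mac_key = _prf(key, b"enc"), _prf(key, b"mac")
        self.vault = {}                 # token -> plaintext; never leaves the gateway

    def _encrypt(self, value: str) -> str:
        # Randomized encrypt-then-MAC: equal plaintexts give different ciphertexts,
        # so the SaaS side can neither search nor sort on the field.
        nonce, pt = secrets.token_bytes(12), value.encode()
        ct = bytes(a ^ b for a, b in zip(pt, _keystream(self.enc_key, nonce, len(pt))))
        return "enc:" + (nonce + ct + _prf(self.mac_key, nonce + ct)[:16]).hex()

    def _decrypt(self, blob: str) -> str:
        raw = bytes.fromhex(blob[4:])
        nonce, ct, tag = raw[:12], raw[12:-16], raw[-16:]
        if not hmac.compare_digest(tag, _prf(self.mac_key, nonce + ct)[:16]):
            raise ValueError(f"{self.name}: authentication failed (wrong key or tampered)")
        return bytes(a ^ b for a, b in zip(ct, _keystream(self.enc_key, nonce, len(ct)))).decode()

    def _token(self, value: str) -> str:
        # Deterministic: equal plaintexts -> equal tokens, so equality search against
        # what the SaaS stores still works; the token -> value map stays in this vault.
        tok = "tok:" + _prf(self.mac_key, value.encode()).hex()[:16]
        self.vault[tok] = value
        return tok

    def outbound(self, record: dict) -> dict:
        """User -> gateway -> SaaS: protect each field per policy."""
        out = {}
        for field, value in record.items():
            scheme = self.policy.get(field, "clear")
            out[field] = (self._encrypt(value) if scheme == "random"
                          else self._token(value) if scheme == "deterministic" else value)
        return out

    def inbound(self, stored: dict) -> dict:
        """SaaS -> gateway -> user: restore plaintext; fails on another gateway's data."""
        out = {}
        for field, value in stored.items():
            if value.startswith("enc:"):
                out[field] = self._decrypt(value)
            elif value.startswith("tok:"):
                if value not in self.vault:
                    raise ValueError(f"{self.name}: token not in local vault")
                out[field] = self.vault[value]
            else:
                out[field] = value
        return out

    def search(self, saas_records: list, field: str, value: str) -> list:
        """Equality search issued through the gateway against SaaS-stored records."""
        if self.policy.get(field) == "random":
            return []                   # randomized ciphertext: nothing to match on
        needle = self._token(value) if self.policy.get(field) == "deterministic" else value
        return [r for r in saas_records if r[field] == needle]


def demo() -> dict:
    policy = {"ssn": "random", "email": "deterministic"}     # "name" stays clear
    us = Gateway("us-chicago", policy)
    eu = Gateway("eu-frankfurt", policy)                      # different keys, empty vault
    records = [{"name": "A. Example", "ssn": "123-45-6789", "email": "a@example.test"},
               {"name": "B. Example", "ssn": "987-65-4321", "email": "a@example.test"}]
    saas = [us.outbound(r) for r in records]                  # what Salesforce would store
    try:
        eu.inbound(saas[0])
        eu_can_read = True
    except ValueError:
        eu_can_read = False
    return {
        "round_trip": [us.inbound(s) for s in saas] == records,
        "bypass_sees_cipher": all(s["ssn"].startswith("enc:") and s["email"].startswith("tok:") for s in saas),
        "same_email_same_token": saas[0]["email"] == saas[1]["email"],
        "search_email_hits": len(us.search(saas, "email", "a@example.test")),
        "search_ssn_hits": len(us.search(saas, "ssn", "123-45-6789")),
        "other_jurisdiction_can_read": eu_can_read,
    }
```

The trade-off the review alludes to shows up directly: the tokenized email field can still be searched for equality from the SaaS side, the randomly encrypted SSN field cannot, and the Frankfurt gateway fails authentication on Chicago’s records rather than returning garbage.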
This is where additional costs come into play: if you don’t deal with the warnings, your organization’s compliance is in jeopardy. How each organization deals with warnings and policies is up to the organization’s best practices, and CipherCloud gave us recommendations on how varying situations are dealt with from an administrative and policy perspective.
The downside is that data streams already encrypted under keys CipherCloud doesn’t hold can still be moved into or out of an organization uninspected, so CipherCloud isn’t a perfect firewall; then again, most firewalls can’t halt such activity either. We also felt that CipherCloud can be overkill for smaller organizations.
In all, CipherCloud sets up an intimate relationship between users, administrators, and SaaS applications. It’s a complex platform, and deploying it is not a simple undertaking. We like its encryption infrastructure, and its ability to inspect flows before it encrypts them. It doesn’t cover an unlimited number of potential SaaS applications, but the list of covered apps is impressive.
Bitglass
Bitglass is an online CASB portal that’s preconfigured for use with a variety of SaaS sources, including Google Apps, Microsoft Office 365, Box, Dropbox, ServiceNow, Concur, Evernote, Egnyte, Exchange, and Jive, although the list supported on mobile devices is smaller.
Bitglass has strong situational knowledge to make access decisions. Using browser intelligence, Bitglass knows a lot about who’s accessing what and when.
Bitglass also watermarks data flowing through it, including email attachments, and provides tracking/tracing controls, based on user behavior, for files/data sent through its forward proxy portal. Bitglass had the fastest initial setup of the three products tested, but that doesn’t mean Bitglass is shallow; rather, it benefits from its own preconfigured portal controls.
Bitglass has done a lot of homework on the task list needed to migrate to its services, but administering the Bitglass portal takes above-average detail work to reach the depth that competitor CipherCloud has in encryption and DLP control. After testing, we agreed: non-trivial but definitely doable.
Bitglass encrypts, and does something further than CipherCloud: it can watermark files in such a way as to trace exfiltration forensically. It geo-locates users and establishes a baseline for spotting odd user data behavior. Logged on from Santa Monica, then an hour later accessed something from London? Bitglass can sense this and throw a red flag. The geolocation check can be thwarted, but it takes serious talent and timing to get past it.
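The Santa Monica-then-London check is an "impossible travel" rule: take consecutive logins per user, compute the great-circle distance between their geolocated source addresses, divide by the elapsed time, and alert when the implied speed is faster than anyone can fly. The following is an added example of that logic, not Bitglass code; the login events, coordinates, IP addresses (from documentation ranges) and the 900 km/h threshold are constructed for illustration.

```python
"""Impossible-travel check of the kind the review describes (Santa Monica,
then London an hour later). Added example, not Bitglass code; the login
events, coordinates and speed threshold are constructed for illustration."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # about airliner cruise speed; a policy knob
MIN_DISTANCE_KM = 50.0      # ignore jitter within one metro area / carrier


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH) -> list:
    """events: dicts with user, ts (ISO 8601 with UTC offset), lat, lon, ip.
    Emits one alert per consecutive login pair, per user, whose implied
    ground speed exceeds max_kmh. Nearby pairs never alert, whatever the gap."""
    by_user = {}
    for e in sorted(events, key=lambda ev: datetime.fromisoformat(ev["ts"])):
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < MIN_DISTANCE_KM:
                continue
            delta = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = delta.total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")   # same instant, far apart
            if kmh > max_kmh:
                alerts.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                               "km": round(km), "hours": round(hours, 2),
                               "kmh": None if kmh == float("inf") else round(kmh)})
    return alerts


# Constructed login events (not real users or addresses).
SAMPLE_LOGINS = [
    {"user": "alice", "ts": "2016-08-08T09:00:00+00:00", "lat": 34.0195, "lon": -118.4912, "ip": "203.0.113.10"},  # Santa Monica
    {"user": "alice", "ts": "2016-08-08T10:00:00+00:00", "lat": 51.5074, "lon": -0.1278, "ip": "198.51.100.7"},    # London, 1h later
    {"user": "alice", "ts": "2016-08-08T14:00:00+00:00", "lat": 48.8566, "lon": 2.3522, "ip": "198.51.100.9"},     # Paris, 4h later
    {"user": "bob", "ts": "2016-08-08T09:00:00+00:00", "lat": 40.7128, "lon": -74.0060, "ip": "192.0.2.20"},       # New York
    {"user": "bob", "ts": "2016-08-08T12:00:00+00:00", "lat": 41.8781, "lon": -87.6298, "ip": "192.0.2.21"},       # Chicago, 3h later
]


def demo() -> list:
    return impossible_travel(SAMPLE_LOGINS)
```

Only the Santa Monica-to-London hop fires; London to Paris in four hours and New York to Chicago in three are well under the threshold. The thing to tune in practice is the minimum distance, because mobile carriers and corporate VPN egress points make a single user appear to jump around within a region without ever leaving it.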
We found that Bitglass could accommodate other SaaS portals if we did the work, and single sign-on support can be enabled as well. We chose Active Directory Federation Services with Bitglass as a SAML provider. Okta, an SSO service, can also be used.
Another Bitglass strength is tending to devices both inside and outside an organization’s “secure perimeter,” although smartphones (we tested Android and iOS) have comparatively limited control compared to Windows or Mac OSX.
Initial setup was straightforward, and included directions to the correct scripts to join our small test Active Directory domain. A connection to the organization’s Active Directory is required for authentication.
The Bitglass administrative portal renders a lot of information, and is the nexus of control. The administrative portal has object filters, including a set of pre-defined libraries of patterns for things like credit card data fields as keywords, used to stanch information flow upon a match with the object filter.
DLP is good, but not perhaps as good as CipherCloud or Netskope and not as programmable, either.
Standing up a new Salesforce instance with Bitglass involved creating a Salesforce subdomain, then modifying it so that an installed (self-signed Bitglass) certificate was used to force browser redirection through Bitglass’s portal for rules/policy enforcement, keeping the data under its control. This locks in Bitglass as the provider and path for users, allowing agentless clients to use Bitglass for SSO, audit, and DLP features. It’s pretty easy, we found.
What’s less trivial is the need for staff to monitor exception handling, including the noise generated by high-volume user activity across a potentially broad spectrum of SaaS and supported cloud resources; but this is the same burden any CASB product imposes at any meaningful level of activity. The noise, however, can be smoothed to a manageable level.
Here, the Bitglass Activity Dashboard became very useful. We felt we had a handle on the activity that needed addressing, and that a variety of high-volume activities would be acceptable to us, although we lack the capacity to emulate the shenanigans of thousands of users working cloud plus Exchange, Google or Office365 apps and Evernote, plus Salesforce. You might assume that your user base is well-behaved, but we all know that users do odd things, and sometimes try to get around the rules. This is why the Bitglass UI made us happy: it separates the trivial from the ghastly.
| Product | CipherCloud Trust Platform | Netskope GoScope Platform | Bitglass |
|---|---|---|---|
| Configuration, Flexibility, Installation | 4 | 4 | 3.5 |
| Administration, Overall User Experience | 5 | 4.5 | 4.5 |
| Features, Integration with Third Parties | 4.5 | 4 | 4 |
The potential downside is that a clear communications path must be maintained to the cloud-based Bitglass portal, which isn’t under your control, unlike the on-premises, appliance-based products reviewed here. Bitglass meets high standards for its own security, but does not have worldwide points of presence all in sync with each other.
No one reviewed did, although the CipherCloud architecture uses an autonomous internal gateway VM methodology which places the onus of circuit protection strictly on IT staff. We found other minor foibles mostly relating to our sense of quieting noise; we like a security package that’s nervous. Heaven help us if Bitglass’s portal is ever compromised, a thought that nagged us.
Netskope GoScope Platform
The Netskope platform uses Active Directory, single sign-on (SSO) or SSO brokerage mechanisms to steer traffic through a customer’s Netskope gateway appliance. The Netskope CASB acts as a forward proxy, a tokenizer and/or a reverse proxy to cloud app destinations, depending on how the cloud application works. Some cloud apps, such as Office365, can need all three, depending on the type of “sub-app” chosen within Netskope’s construction.
This functionality is divided into progressive tiers for billing purposes. You can start with simple log discovery of what cloud apps are being used, by whom, when, and perhaps what’s being done. You can impose rules as the next tier. You can add significant DLP, then add encryption features, and malware filtration. Or you can buy the full meal deal, which is what we tested.
Netskope, like other CASB products, becomes deeply enmeshed into your infrastructure. There are three major components used in the process of Netskope CASB, including an on-premises gateway appliance, an organization-specific cloud admin portal, and possible client-side agents. Although client agents aren’t required, they’ll provide greater access when present. The portal works with client agents and browser add-ins, or without them.
The SSO can be an Active Directory link, or another SSO service that understands SAML 2.0 — and nearly all of them do. Netskope has relationships with several SSO providers as “partners.” SSO is connected to Netskope as a proxy authenticator, and conversations are then managed by the SecureForwarder VM, itself based on an Ubuntu Server platform.
CASB control is asserted, in the tiers we described, through traffic steering. Traffic is steered through the SecureForwarder appliance (or appliances, depending on the architecture deployed). We used one gateway for testing, but others can operate somewhat autonomously; indeed, you could use different encryption for geographic controls.
Access can be achieved via browser-enabled agents, or on mobile devices through a Netskope GoScope gateway. When a mobile device is under control (e.g. routed through the gateway), maximum features are available, we found. When an unmanaged device is used for access, it’s up to administrators to determine by cloud app, if access is allowed, and if possible (by features of the cloud resource) what accessibility will mean in terms of control and access.
Gateway interactions come usually via the SecureForwarder VM/software appliance, but since it is based on Ubuntu Server, it can also be deployed as a discrete server with the GoScope Secure Forwarder instance. We installed an OVA SecureForwarder appliance in our testing. We found the docs a bit wanting, but were able to eventually connect the SecureForwarder to our cloud test resources via Active Directory Federation Services and Windows WSAdmin. This said, Netskope seemed eager to help us.
Many supported cloud apps can have additional DLP rules applied to them, including an important one: if we can’t inspect the data, invoke a rule to sequester/jail the payload to be dealt with by an administrator (of which there are three levels). This might be at a file level or at a field level, and we found built-in FINREG and HIPAA data field examination, including “something like this, near something like that” proximity logic. The possibilities are extensive, and administrative time sunk into astute design will likely pay well. We found the filters understandable to design and deploy.
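Two of the rule shapes mentioned above are worth seeing in code: the proximity rule (a sensitive pattern counts only if a context keyword appears within a window of characters) and the "cannot inspect it, so jail it" rule. The following is an added example in that style, not Netskope code; the rules, the severity ordering, the Luhn validation on card numbers and the sample payloads are constructed for illustration.

```python
"""DLP filter in the style the review describes: a sensitive pattern only counts
when a context keyword sits near it, a card number only counts when it passes
Luhn, and anything the filter cannot read as text is quarantined. Added example,
not Netskope code; rules, actions and sample payloads are constructed."""
import re

SEVERITY = {"allow": 0, "quarantine": 1, "block": 2}


def luhn_ok(s: str) -> bool:
    """Luhn check digit test; filters out 16-digit strings that are not card numbers."""
    digits = [int(c) for c in s if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


RULES = [
    {"name": "US SSN near SSN keyword", "pattern": r"\b\d{3}-\d{2}-\d{4}\b",
     "near": r"\b(ssn|social security)\b", "window": 40, "action": "block"},
    {"name": "Luhn-valid payment card number", "pattern": r"\b\d(?:[ -]?\d){12,15}\b",
     "validate": luhn_ok, "action": "block"},
    {"name": "Medical record number near diagnosis", "pattern": r"\bMRN[-: ]?\d{6,10}\b",
     "near": r"\b(diagnos\w*|icd-?10)\b", "window": 80, "action": "quarantine"},
]


def inspectable_text(payload: bytes):
    """Return the payload as text if we can actually inspect it, else None.
    Encrypted or unknown binary content fails UTF-8 decoding or is mostly
    non-printable; the rule for that case is 'jail it for a human'."""
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return None
    printable = sum(c.isprintable() or c in "\r\n\t" for c in text)
    return text if text and printable / len(text) > 0.9 else None


def scan(payload: bytes, rules=RULES) -> dict:
    text = inspectable_text(payload)
    if text is None:
        return {"action": "quarantine", "hits": ["uninspectable payload"]}
    hits = []
    for rule in rules:
        for m in re.finditer(rule["pattern"], text, re.IGNORECASE):
            if "validate" in rule and not rule["validate"](m.group()):
                continue                    # e.g. 16 digits that are not a card number
            if "near" in rule:              # "something like this, near something like that"
                w = rule["window"]
                ctx = text[max(0, m.start() - w): m.end() + w]
                if not re.search(rule["near"], ctx, re.IGNORECASE):
                    continue
            hits.append(rule)
    action = max((r["action"] for r in hits), key=SEVERITY.get, default="allow")
    return {"action": action, "hits": [r["name"] for r in hits]}


# Constructed sample payloads (not real data).
SAMPLES = {
    "hr_note": b"Employee SSN: 123-45-6789 on file for payroll.",
    "ticket": b"Order 123-45-6789 shipped yesterday; customer is happy.",
    "expense": b"Card 4111 1111 1111 1111 was used for the flight.",
    "invoice": b"Ref 1234 5678 9012 3456 is an internal PO number.",
    "chart": b"Patient MRN 00123456, diagnosis pending specialist review.",
    "blob": b"\x8f\xfe\xff\x00\x13\x37\xc3\x28\x50\x4b\x03\x04",   # not valid UTF-8
}


def demo() -> dict:
    return {name: scan(payload)["action"] for name, payload in SAMPLES.items()}
```

The two "allow" results are the point: an order number that happens to look like an SSN passes because no SSN keyword sits near it, and a 16-digit PO number passes because it fails Luhn. Without the proximity and validation steps both would be noise of exactly the kind the review says staff end up wading through.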
In execution, Netskope Introspection is a highly programmable administrative bot-like proxy process that scans supported applications for data using aforementioned DLP rules and triggers specific to the supported cloud app. As it doesn’t have quite the encryption power of CipherCloud, it does have very flexible rules that will be familiar to Unix/Linux programmers.
After installing the SecureForwarder VM on a VMware substrate, we connected our Active Directory, and also WSAdmin services for Office365 cloud services. It’s a simple, three-step process. Client access was transparent; we did this through a browser agent that proxied an Office365 connection. The supplied Ubuntu-based Secure Forwarding VM has three network interfaces: management, input/ingress, and output/egress. DNS infrastructure needs to be in top shape for the scheme to work.
Once it is communicating with the Netskope GoSkope portal, it’s possible and normal to have GoSkope examine local log files, from which it extracts information about app communications, sources and most destinations. From there it sits inline as a forward or reverse proxy, as the destination app requires.
Steered traffic can be “introspected” for apps Box, Google Drive, One Drive, SharePoint, Dropbox, Salesforce, Egnyte, and Service Now. We saw no delays, but we didn’t hit it with 2,000 concurrent diverse power users, either, and our net connections are fast. Their cloud-based proxies are load balanced, and can be homed to specific GoSkope processing sites based on speed, or by jurisdiction.
A feature called Skope-IT in the online GoSkope portal contains the reporting nervous system of the platform. Inside, we could look at application and connection events, as well as the audit and infrastructure logs. Events or conditions needing administrative action were easy to find, and can be sorted by date, user, user location or activity.
Events, alerts, quarantined items, legal holds, malware finds, and incidents (and their severity) can be easily found through sorting, or the results of a query field action. This may be Netskope’s finest “secret sauce”— rapidly usable and obvious administrative action productivity possibilities.
At the top “full meal deal” resource license, we also had access to Netskope’s ongoing research into specific cloud app ratings. There are a vast number of cloud apps (taken from logs) that have ratings applied by Netskope, as part of its audit capability. This list can also be re-rated based on an organization’s re-estimation of the values used, so as to derive a rating based upon the new assessment.
This permits administrative blocks and restrictions to be imposed on access deliberately based upon the ratings then derived to the resource. It’s the source of much pride at Netskope, and we were surprised to see name brand cloud apps rated in the way they were — some highly secure, others we believed to be highly rated, were not. You can drill into the values and decide to change them. If we had a legal department, we might be arguing with them over ratings, and they might win.
Overall, Netskope is an increasingly sophisticated menu, and if you take all of the courses offered by their waiter, think about the architecture and then program it to suit your needs, it’s an excellent CASB dinner, and the check might be hefty at the end.
CipherCloud represents extreme depth in encryption mechanisms. Netskope has high programmability, and shares with Bitglass, very good administrative controls. Were we to offer a suggestion as to which one is most flexible with the greatest variety of possible cloud app protections, Netskope barely edges its competitors, but out of the box, Bitglass is likely the fastest route to reasonable protection.
Each product is also dependent on third party platforms, such as SSO, external DLP providers, and organizational firewall/IDS/IPS schemes/threat protection to work in concert with each other. Will traditional firewall and security providers subsume CASB, or will the reverse become true? At this point, we don’t offer a guess. In all likelihood, CASB is a category that because it must rapidly evolve to keep up with cloud apps, will likely digest other categories.
How we tested cloud access security brokers
We used server resources at our NOC at Expedient in Indianapolis, consisting of several VMware and Hyper-V servers on HP, Lenovo, and Dell platforms as hosts for gateway VMs described in the review. In turn, we accessed accounts at Salesforce (including some product-sponsored accounts in the cloud in AWS), as well as Office365 and Box to be used as proof-of-concept examples.
Our circuits included Windows VMs in the NOC, running through our Extreme Summit Series 10-gigabit switches to Expedient’s network core. These connections also served as proxies for our VPN, and for the Windows and Mac clients running in our lab, which connected via Comcast broadband circuits to the NOC.
We setup configurations as proof-of-concepts to understand the administrative procedures necessary to install and administer the apps, and store at least one record in the chosen apps. We examined and/or tried as many features in as many configurations as possible, after initial installation.
Tom Henderson runs ExtremeLabs, in Bloomington, Ind. He can be reached at email@example.com.