Jun 16 2020
I’m a CISO. I have a CASB. Why do I need an SMP?
Today’s top enterprises have embraced Cloud Access Security Brokers (CASB) to secure cloud applications, but often fail to truly manage the SaaS solutions they own. Other shops do not have a CASB, but need many of their functions – and at the same time need to secure, manage and control their sprawling SaaS installations.
According to Gartner, “CASBs are being widely adopted to provide visibility and control of cloud-based services and protection of sensitive data.” “This technology is the result of the need to secure cloud services — which are being adopted at a significantly increased rate — and provide access to them from users inside and outside the traditional enterprise perimeter, plus growing direct cloud-to-cloud access. They deliver differentiated, cloud-specific capabilities that are generally not available as features in other security controls, such as web application firewalls (WAFs), secure web gateways (SWGs) and enterprise firewalls.”
We spoke with Mark Evans, Microsoft Alliance Lead and Head of Special Projects, about the role and limitations of a CASB, and why a SaaS Management Platform (SMP) adds critical value, whether the shop has a CASB or not.
CoreView: Let us cut to the chase. What is a CASB?
Evans: A CASB is a Cloud Access Security Broker. There are several things that led to the idea of securing cloud or web applications access, from the old standard firewalls, to more specific firewalls such as web application firewalls, as well as proxy servers, DNS gateways, secure web gateways, and more. CASBs are one of many options in a market that can be confusing even for sophisticated infosec departments. A CASB is designed to analyze traffic to and from the cloud, highlight risks, and block inappropriate access.
Two CASB products O365 shops might have or know of are Office 365 Cloud App Security — because that is free with O365 — and the more full-featured version, Microsoft Cloud App Security.
CoreView: Why would somebody use a Cloud Access Security Broker?
Evans: To prevent threats like malware, provide data loss prevention, and to enable secure and thorough identity management through Identity Access Management (IAM). Finally, there is discovery of what cloud or SaaS apps are out there and who is using them.
A CASB may do a bunch of things, but in security there is no silver bullet. You can’t buy just one product and hope it will do everything, keeping you secure day and night. You need an array of tools that work together. Of course, there will always be overlap. It is a confusing mess for customers to buy this stuff.
CoreView: How does a CASB work?
Evans: Let us assume you have people on different devices and they all want to access cloud apps. There are multiple paths for them to interact with those cloud apps. They can go directly to lucidchart.com or workday.com for example, or they might be routed through some other device or devices.
A CASB might have an app connector so that in order to get into Workday, you go directly through the CASB. It manages user sessions with the cloud app, analyzing which device or user is communicating, from where, at what time, etc., and authorizing the connection. These API connections are a pretty limited approach, however, because you only secure certain apps.
Most CASBs can also act as proxy servers, whether a reverse proxy or forward proxy. Proxying is just like going into a VPN, except it is invisible if you are inside the corporate firewalls. Your request goes through a proxy server, that proxy server collects the request, and communicates with sites and apps on the internet.
As I mentioned before, there are a lot of options available to organizations to secure their cloud communications. Any given organization might have other tools that monitor or control communications, such as a standalone firewall or proxy server. Imagine a scenario where the org has a firewall, a proxy server, and a CASB. If a user goes to something like Salesforce, their traffic would likely be routed through the firewall and the proxy server AND the CASB to get to the Salesforce app. Note that it doesn’t necessarily have to go through the CASB itself in this scenario, but even if it didn’t, the other devices might be configured to report what happened to the CASB. So they will share logs with the CASB, and the CASB can include that information in reports and potentially in actions.
As you can imagine, each one of these network device types is a bottleneck and a dangerous point of failure, in some sense, because they collect and route all traffic. They are very effective at seeing what is happening, but they also provide or incur some overhead and some risk. All these different methods are used by the CASBs to see what is happening as people try to access web applications.
CoreView is not a bottleneck, and it actually complements what CASBs and other network devices are doing. It uses additional data sources, provides new environment and activity visualizations, and enables different manual and automated management actions. And it is so simple to set up and operate.
CoreView: What are the main functions CASBs perform?
Evans: Three main things, and sometimes a fourth. The big 3 are discovery, data protection, and threat protection. Some CASBs add identity. Discovery is telling you what cloud apps people are communicating with. Data protection is ensuring your people aren’t sending sensitive data. Threat protection is keeping malware at bay. And identity is ensuring the person accessing the cloud app is actually that person and has the rights to do that access. That’s rare among CASBs probably because there are Identity and Access Management solutions that specialize in that functionality.
Microsoft Cloud App Security
CoreView: What should we know about the Microsoft CASB solutions?
Evans: Microsoft Cloud App Security is a Microsoft CASB. It uses the proxy, the API, and the log file. If you buy the standalone version, it costs something like $5 per user per month at public pricing.
Microsoft Cloud App Security has a junior version called Office 365 Cloud App Security. It has fewer features, but is based on the same foundation. And it is built into O365 pricing-wise.
What the heck does it look like? Surprise — it’s a dashboard, and the dashboard shows many items – including severity alerts, custom alerts, all different types and levels of alerts. At the top, it shows KPIs related to what it is doing, such as monitoring files, accounts, and activities.
Then there is a section called Discover, which is literally which applications people are using. The Investigate section shows me activities that are happening, such as files that are being shared. You can see users and account security configurations, apps people have logged into using their Microsoft accounts or their SSO through Azure ID, for example, or leveraging Azure Directory Federation Services (ADFS). And then in the Control section, you are able to set policies.
This is very complex. There is a lot of data and somebody has to manage it.
CoreView: What role does CoreSaaS – a broad SaaS management solution — and CoreView’s O365-focused management solutions play?
Evans: CoreView and CoreSaaS are designed to show what is going on in your environment – and manage the operations of those different SaaS products. This is a combination of things the typical CASB does not even attempt to address. With CoreSaaS, you can manage SaaS in different ways, block apps in multiple ways, or notify users instead of blocking them. There is a lot more flexibility, which makes it more useful.
Complexity is another big issue. A typical CASB rollout to truly get up and running is four to eight months. CoreSaaS starts in two clicks.
CASBs are expensive. It is nice to have Microsoft’s built-in CASB, but if you buy the more-capable version, or a third party CASB, it gets very expensive. Five dollars per user per month is a lot. CoreSaaS and CoreView, on the other hand, are priced very aggressively.
Why Have a SaaS Management Platform AND a CASB
CoreView: If an IT shop already has a CASB, why would they need a SaaS Management Platform (SMP) such as CoreSaaS or CoreView’s O365 solution?
Evans: Short answer: because an SMP like CoreSaaS/CoreView adds highly useful functionality at a fraction of the cost and effort.
We actually think customers who have CASBs are great candidates for CoreView and CoreSaaS. If they have a CASB, it shows that they are focused on security and governance. We agree with that focus. We complement what they are doing.
CoreView uses all of the log information, Graph API information, beta API information, Azure AD info from Microsoft and pulls it into one place. That is a treasure trove of data that can be leveraged for insights and action. CoreSaaS adds to that even more data, from similar sources like API integrations, and additional data from financial systems, email headers, edge devices – and it also uses data from existing systems that the customer already has in place. That could be the firewall or CASB, for example.
We use what they already have and add functionality on top. That functionality is easy to use. It is super cheap and delivers real benefits.
CoreView: What are the biggest problems CoreView and CoreSaaS solve that are unique on top of what a CASB would solve?
Evans: Four things. One is the management of the SaaS applications themselves. We allow the admin user to manage more functionality within a set of SaaS applications than a CASB does. If you want to do things with Adobe, or ServiceNow, you can do that within CoreSaaS in ways that you cannot even think of doing within a CASB.
Second is on the financial side. That whole world is simply missing from CASBs. A CASB has no interest in the financial side of what all this SaaS is costing. Can I optimize my licenses? Say I have 500 subscriptions. When are they all renewing? What does a department or an employee cost me? How do I allocate the costs for chargebacks? Customers interested in getting control over SaaS sprawl on the financial side have to use something other than a CASB. CoreSaaS is that thing.
Third is SaaS discovery and monitoring using multiple sources. CASBs find some information, but they are not great at showing you who is doing what. Who owns that Slack subscription? Maybe there are 20 teams, with 20 different Slack instances. Who are the organizers of those 20 things? A CASB has no idea what is going on with that. Moreover, just as CoreView enriches the data, CoreSaaS has many more data elements that it can look at to figure out who is doing what within the environment.
Fourth is security. CASBs are sophisticated security devices, but have limits. I already mentioned the level of knowledge that CoreSaaS and CoreView contain, and remember, we incorporate all the information from the CASB – we are a superset, where the CASB is just one of many information sources. That means we can identify security situations that a CASB alone cannot. And admins can take action on security issues, manually or through policies and workflows.
To summarize, benefits include management of the programs themselves, financial knowledge and control, stronger security, and simply knowing what is going on – all in a lot more depth than with a CASB alone.
CoreView: Are there hard cost savings implementing CoreSaaS/CoreView or is it mostly about time savings?
Evans: Both. The hard dollar savings or hard Euro savings can be substantial. When customers use CoreSaaS for financial purposes, they typically easily cover the cost of the software multiple times over. There are soft savings as well. Admins will definitely shave many hours off of tedious tasks, and can get info they could never have dreamed of before — but I do not think many people get budget approved for products by saying, ‘Hey, you’ll make my life easier.’
Finding duplicate apps in the same product category is a great example of where you can rationalize costs. Most organizations use half a dozen to a dozen project management tools. Paring that down to a few top choices lets you remove duplicate licenses and negotiate from a larger user base. Optimizing licenses for individual apps can also allow you to save money, or at least get the most out of what you’ve already invested in. Think of some high-priced apps in your organization – if you found some underused licenses, where could you reallocate that budget? That is a positive impact on the bottom line that far exceeds the cost of deploying and using CoreSaaS and CoreView.
CoreView: Would you call CoreSaaS or CoreView a form of CASB?
Evans: CoreView and CoreSaaS are complementary to a CASB. There is some overlap, but each does things that the other does not. And remember, there is no silver bullet. It takes many things working in concert.
CoreView: What does CoreView mean for enterprises that do not currently have a CASB, but need some of the functionality, such as those three to four pillars that you mentioned about CASBs?
Evans: Here, CoreSaaS with its broad SaaS perspective and CoreView with its O365 focus make sense together. CoreView has so many security features that are made so much easier to use and are quite powerful — and CoreSaaS is an extension of that. Think of the 80/20 rule. CoreView is so good at finding bad policies or lack of policies and figuring out where things are missing. CoreView shows IT that if they fix this particular issue, they are going to hit 80% of the problems right away. That is a powerful message. For customers that do not have a sophisticated security posture, or set of security devices and software, we can prove that CoreView and CoreSaaS can dramatically increase the security of your environment at a very, very low cost in a very easy manner.
ABOUT THE WRITER
Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.