This past year, I had the great opportunity to work with so many wonderful entrepreneurs who were transformed into large industrialists before my very eyes. One of these individuals is my good friend Rajiv Gupta, whose start-up company Skyhigh Networks, was acquired by McAfee just a few weeks ago. This was, in my opinion, a good move by McAfee on two fronts: First, I believe CASBs (cloud access security brokers) to be one of the bright spots in our industry in the coming years. But second, and perhaps more importantly, I believe Rajiv to be one of the great minds in our industry as well.
Some months ago, long before the acquisition, I had the great fun to sit down with my friend - I believe it was over a nice lunch in DC - to learn more about how his company is pushing the boundaries of cloud security. More specifically, we discussed how to prevent confidential data from going into unsanctioned service infrastructure, as well as how such critical data might be prevented from leaving sanctioned areas. Below is a summary of my technical discussion with Rajiv Gupta, then CEO of Skyhigh Networks, now part of the McAfee executive team:
EA: Rajiv, let's start with the basics: What functions does a cloud access security broker solution support?
RG: A cloud access security broker (CASB) must ensure that the use of cloud services by an organization, whether unsanctioned or sanctioned, does not violate the organization's security, privacy, governance, and compliance policies. A CASB platform brings lost functionality visibility, threat protection, compliance, and data security to the cloud. These are the "what" of CASBs. The "how" often determines the value delivered by a CASB. That is, CASB platforms that opt for a cloud-native deployment, and that avoid high-friction architecture like device agents when possible, are more likely to provide the full value of a cloud-native security solution.
EA: How important is visibility of public cloud use to the security team?
RG: Most, if not all, security starts with visibility - you cannot protect what you don't know. In the case of public cloud use, visibility includes knowledge of which cloud service is being used, what is the risk of the cloud service, what activity is being performed in the cloud service by whom, what data is being stored or being created in the cloud service and by whom, and what data is downloaded to which device belonging to which user - essentially, the holistic context of every data transaction. Visibility also requires analytics. You not only need to know who accessed what data, but through analysis of the user behavior, you need to determine if that user was a rogue insider or a compromised user. Visibility is the start. The real requirement is for insights that lead to action to protect data.
EA: Do you see more enterprise teams converging on a single cloud provider, or are they more often shifting to a hybrid collection of different cloud offerings?
RG: We do not know of a single enterprise team who is converging on a single cloud provider. The reason is simple: There is no one cloud provider who covers the breadth of needs of any enterprise. Enterprises use productivity service providers like Office365 and G Suite, collaboration service providers like Slack and Spark, CRM service providers like Salesforce and Microsoft Dynamics, file sync and share service providers such as Box and Dropbox, and many more categories of cloud applications. Of course, many enterprises develop or customize software, and for these, they use hosting IaaS or PaaS service providers like Amazon Web Services and Azure. In fact, many enterprises use multiple service providers for the same function, such as OneDrive and Box for file storage - either because of legacy, transition, purpose, or preferences of their customer, partners, or employees.
EA: What sort of threats do you see in public cloud infrastructure?
RG: The appropriate use of public cloud along with a CASB almost always improves data security. Enterprise-grade cloud service providers typically have better security for their infrastructure and applications than that same application running in an enterprise. With cloud providers specialized in securing their services, enterprises can focus their security investment on the security of their own data under a model of shared security responsibility. Threats in public cloud almost always result from the enterprise not delivering on their part of the shared security responsibility model. Inappropriate use of cloud services can lead to a range of threats including the use of high-risk cloud services, open S3 buckets in Amazon, over-provisioned admin accounts in Salesforce, and storing and disseminating malware. Inappropriate access to cloud services encompasses threats under the umbrella of compromised credentials and rogue insiders.
EA: How do CISOs orchestrate security policies across different public clouds?
RG: To orchestrate a security policy across different cloud services you need to be able to map the security policy to the disparate security controls of each cloud service provider. If a CISO wants to ensure that confidential data is not inappropriately shared, the security team needs to have several capabilities. First, there must be a way to specify that policy, defining what is confidential data and what constitutes inappropriate sharing. There must be a way to map that policy to the different ways data can be shared through each cloud service, which typically offer different actions such as copy, share, invite to collaborate, upload, and download. Finally, they need a consistent platform to get the visibility into the data and to enforce the policy. This mix of cross-CSP administration, visibility, mapping, and control is one of the key capabilities that allows a CASB to enforce cloud security at scale.