The IT infrastructure of organizations keeps getting redefined. Teams within the organization are now buying cloud services themselves – and the IT department’s role is to make sure that enterprise data stays safe in this new world. “The solution is to use a so-called cloud access security broker,” says Tejas Lagad, director for Asia at identity and security company Nexus Group.
The CIO’s focus used to be to get systems in place that could be accessed by people within the organization, and the CISO was asked to ensure that no one outside the organization could access the systems.
New security requirements
“But after a while, the IT team was asked to open up systems so that employees could work remotely, and so that partners could access some systems. IT security experts then rushed to the rescue, ensuring that while good people were allowed to access enterprise resources, bad people were kept out,” says Lagad.
Now, we are in a phase where the IT team has reduced control over enterprise data, which once again leads to changed security requirements.
“Different teams within the organization digitize their businesses by setting up their own systems, which they buy as cloud services. The CIO’s role is now to provide a platform that allows this so-called shadow IT to prosper while keeping the enterprise data safe,” says Lagad.
A security policy enforcement point is needed
Such a platform is called a cloud access security broker (CASB): a security policy enforcement point placed between the various cloud service providers and the end users.
“The cloud access security broker can either be installed on the premises or be cloud based, and it enforces enterprise security policies as the cloud-based resources are accessed,” says Lagad.
Access is allowed or denied based on a number of factors:
- Who are you – what is your role?
- Where are you coming from – what is your geographic location, and what kind of network are you using?
- What device are you using – corporate laptop, home PC, tablet or phone?
- What time is it – are you authorized to access the resources during this time?
“The cloud access security broker also makes life easier for the end users by providing single sign-on (SSO). This means that users only have to authenticate once to get seamless access to all cloud services they are subscribed to,” says Lagad.
Leveraging a single identity storage
Single sign-on, based on identity federation, also ensures that users can be provisioned to cloud services on demand the first time they access the cloud app.
“The cloud access security broker helps ensure that all cloud apps leverage a single identity storage by authenticating users directly against your corporate directory,” says Lagad.
This eliminates redundant accounts and allows effective enforcement of password policies.
“And even more importantly from a security standpoint, it ensures that users can easily be deprovisioned from all cloud services when they leave the organization or change roles. Deleting or disabling the user accounts in your corporate directory, or changing their group membership, automatically removes their access to the cloud apps,” says Lagad.
Several multi-factor authentication options
A good cloud access security broker should offer a range of multi-factor authentication options, so that you can choose the right authentication methods for different user groups. It can also be a good idea to enforce stronger authentication for sensitive applications.
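As an added illustration that is not part of the article or of any Nexus product, the following Python policy decision point combines the four factors listed earlier (role, location and network, device, time) with the directory-backed identity check and the stronger authentication for sensitive applications described here. The sample directory, the per-app policies and the field names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time
from typing import Tuple

@dataclass
class AccessRequest:
    user: str
    app: str
    country: str        # ISO country code of the client, e.g. "SE"
    network: str        # "corporate", "home" or "public"
    device: str         # "corporate_laptop", "home_pc", "tablet" or "phone"
    local_time: time
    mfa_passed: bool = False   # True once out-of-band MFA has succeeded

# Constructed sample corporate directory. Because the broker authenticates
# against it, a disabled account or a removed group membership revokes access.
DIRECTORY = {
    "alice": {"enabled": True, "groups": {"finance", "staff"}},
    "bob":   {"enabled": False, "groups": {"staff"}},          # left the company
    "carol": {"enabled": True, "groups": {"staff"}},
}

# Constructed per-app policy: required group, allowed countries (None = any),
# permitted hours (None = any) and whether the app is sensitive.
POLICIES = {
    "payroll": {"group": "finance", "countries": {"SE", "IN"},
                "hours": (time(7), time(19)), "sensitive": True},
    "wiki":    {"group": "staff", "countries": None, "hours": None, "sensitive": False},
}

def decide(req: AccessRequest) -> Tuple[str, str]:
    """Return ('allow' | 'deny' | 'step_up', reason) for one access request."""
    account = DIRECTORY.get(req.user)
    if account is None or not account["enabled"]:
        return "deny", "unknown or disabled account"
    policy = POLICIES.get(req.app)
    if policy is None:
        return "deny", "no policy for app"          # default-deny unknown apps
    if policy["group"] not in account["groups"]:
        return "deny", "missing group membership"   # role check
    if policy["countries"] and req.country not in policy["countries"]:
        return "deny", "location not allowed"       # where are you coming from
    if policy["hours"]:
        start, end = policy["hours"]
        if not (start <= req.local_time <= end):
            return "deny", "outside permitted hours"  # what time is it
    # Sensitive apps, and any unmanaged device or network, require a second factor.
    unmanaged = req.device != "corporate_laptop" or req.network != "corporate"
    if (policy["sensitive"] or unmanaged) and not req.mfa_passed:
        return "step_up", "multi-factor authentication required"
    return "allow", "policy satisfied"
```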
“For most users and applications, a secure and easy-to-use out-of-band authentication app with push notifications is the preferred authentication method. It has several benefits, such as cost-efficiency and ensuring that your users never have to remember any passwords,” says Lagad.
The cloud access security broker should also provide transparency regarding which users are accessing what applications, and from what locations.
“This is key to gaining control over the shadow IT and remaining compliant,” says Lagad.
Securing on-premises applications too
While cloud adoption is in full flow, there are still some applications that are hosted on the premises.
“Hence, the cloud access security broker you opt for should preferably be a hybrid one. That is, it should be able to secure not just your cloud applications but also those few remnant applications still hosted in your own datacenter. This ensures a smooth transition for your users, and fewer administrative hassles for your IT team,” says Lagad.
There is a range of different cloud access security brokers on the market. One of them is the Nexus authentication platform Nexus Hybrid Access Gateway.