Lying on a beach, sipping your favourite drink and checking the latest financials from a colleague; or sitting at the kitchen table and writing a report on your security findings on a client’s infrastructure. Too tempting, and too easy, not to, right? Modern tech lets us keep our whole life, all our identities – private, work, social – in one place, for our convenience and enjoyment. But what about security?
Consider the following example. Many businesses use cloud storage solutions for their work, for instance Microsoft OneDrive or Google Drive. When they want to share documents outside the organisation, they invite external users to join their cloud folder, let’s say in Microsoft OneDrive. The invitation is usually sent to the external user’s work e-mail address, with a link to join the cloud folder. Often, due to certain Microsoft sharing settings, a user who already has a private Microsoft account can access the shared link with that account. All they need is the link; no other authentication mechanism is enforced. And therein lies the risk for the business: links can easily be shared. And how does the organisation find, and proactively remove, all those private accounts that have joined its corporate cloud environment?
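The review the last question asks for can be started from the sharing permissions themselves. The script below is an added example, not code from the post or from KPMG: it assumes permission records shaped loosely like the Microsoft Graph `permission` resource (`link.scope`, `roles`, `grantedToIdentitiesV2`), a corporate domain list, and the constructed sample data at the bottom, and flags anonymous links and grants to personal (consumer) accounts ahead of ordinary external collaborators.

```python
# Triage OneDrive/SharePoint sharing permissions for access from outside the organisation.
# Record shape loosely follows the Microsoft Graph `permission` resource (an assumption here).
from dataclasses import dataclass
CORPORATE_DOMAINS = {"example.com"}  # assumption: the organisation's own e-mail domains
CONSUMER_DOMAINS = {"outlook.com", "hotmail.com", "live.com", "gmail.com"}  # personal providers
@dataclass
class Finding:
    item: str
    severity: str
    reason: str
def _domain(email):
    return email.rsplit("@", 1)[-1].lower()
def triage_permission(item, perm):
    """Classify one permission record; None means access stays inside the organisation."""
    scope = (perm.get("link") or {}).get("scope")
    roles = ",".join(perm.get("roles", []))
    if scope == "anonymous":
        # Anyone holding the URL can open the item: the link is the only credential.
        return Finding(item, "high", f"anonymous {roles} link")
    emails = [i["user"]["email"] for i in perm.get("grantedToIdentitiesV2", [])
              if "email" in i.get("user", {})]
    personal = [e for e in emails if _domain(e) in CONSUMER_DOMAINS]
    if personal:  # the invitation was accepted with a private consumer account
        return Finding(item, "high", "personal account(s): " + ", ".join(personal))
    external = [e for e in emails if _domain(e) not in CORPORATE_DOMAINS]
    if external:  # legitimate external collaborator, still worth reviewing periodically
        return Finding(item, "medium", "external account(s): " + ", ".join(external))
    return None

def triage(items):
    """Run triage_permission over {item_path: [permission, ...]} and keep only the findings."""
    return [f for item, perms in items.items() for p in perms
            if (f := triage_permission(item, p)) is not None]

# Constructed sample: three sharing grants on one report plus an anonymous link on another.
SAMPLE = {
    "/Finance/Q3-report": [
        {"roles": ["read"], "link": {"scope": "organization", "type": "view"}},
        {"roles": ["write"], "link": {"scope": "users", "type": "edit"},
         "grantedToIdentitiesV2": [{"user": {"email": "partner@supplier.example.org"}}]},
        {"roles": ["read"], "link": {"scope": "users", "type": "view"},
         "grantedToIdentitiesV2": [{"user": {"email": "jane.doe@hotmail.com"}}]},
    ],
    "/Finance/budget": [{"roles": ["read"], "link": {"scope": "anonymous", "type": "view"}}],
}

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.severity:6} {f.item}: {f.reason}")
```

Fed with real permission listings, the same triage gives a prioritised list of grants to revoke or re-issue to a work identity.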
Several years ago, Gartner introduced the term ‘CASB’, or Cloud Access Security Broker, often mentioned at conferences and in publications as a potential silver bullet for cloud security. CASBs are software products which give organisations visibility into the cloud services being used, highlight the key risks of that usage, protect data in the cloud, and provide end-user behaviour analytics. In short, they monitor what’s going on in the enterprise cloud.
But are CASBs, as claimed, really a silver bullet for cloud security? Can they really remove the risks by automating cloud discovery, security monitoring, and data protection? After working with CASBs for our clients at KPMG, I believe there is certainly potential in the software. But, just as a silver bullet still requires someone to shoot it, there’s also work for the organisation to do before it starts using a CASB.
Any further questions on CASBs? Don’t hesitate to get in touch!
Senior Consultant, KPMG Cyber