Cloud Access Security Brokers Give IT Staff Visibility and Oversight
Colleges and universities are rapidly expanding their use of cloud services, ranging from complete infrastructure deployments to specialized applications. This leaves cybersecurity teams in the difficult position of trying to track the flow of sensitive information.
Although they may have tools in place to track the presence of sensitive information within internal systems, this process becomes far more complicated when employees use cloud services. Cloud access security brokers can help resolve this complexity.
The issues that arise from employee use of cloud services come in two forms. First, employees may use cloud services without the knowledge of IT staff. They might discover a new service on their own, open an account, then transfer sensitive information into the cloud account.
But the danger doesn’t stop there. Even when employees use vetted and approved cloud services, they might configure security settings that violate institutional policies. For example, an employee using an approved cloud storage service might share a file using a personal email address, or even accidentally make a file available on the public web.
MORE FROM EDTECH: See how your team can overcome common cloud security pain points.
What Is a Cloud Access Security Broker?
CASBs are technology solutions that insert themselves between the end user and a cloud service, injecting security controls that enforce the desired security policy.
They allow colleges to enforce internal requirements for access control, authentication, encryption, firewalling, malware protection, monitoring, data loss prevention and content filtering, even when the data being protected resides in external systems.
CASB solutions come in two primary forms. They can exist as on-premises devices that sit on the network in a location where they can intercept and inspect traffic headed to the cloud. These solutions are effective across a wide range of cloud services, but require the user to send traffic through the device.
CASBs can also exist as a cloud-based solution that leverages application programming interfaces to interact with cloud services. These solutions can reach deeply into a cloud service and perform detailed monitoring, but they are unable to detect the use of cloud services where the institution lacks an enterprise agreement.
MORE FROM EDTECH: Security expert weighs in on how campuses should secure their networks in 2019.
How Can CASBs Help Campus IT?
CASBs may be quickly gaining steam in the private sector, but adoption may lag in higher education when technology leaders don’t see the direct benefits of these solutions. Let’s take a quick look at three ways that CASBs can play an important role at a college.
- CASBs provide visibility into cloud utilization. One of the primary advantages offered by CASBs is that they give IT staff insight into how faculty, staff and students are using the cloud. This includes the detection of “shadow IT” services where individuals may have adopted cloud services without appropriate security vetting, as well as the misuse of approved cloud services. CASBs provide a wealth of monitoring and enforcement capabilities that prevent employees from intentionally or unintentionally violating a security policy. For example, a college might use a CASB to scan its cloud-based file sharing service for the presence of publicly accessible information. These scans invariably uncover files and folders containing sensitive information that a faculty or staff member accidentally shared on the web.
- CASBs offer data loss prevention capabilities. Many colleges already deploy data loss prevention services on their own networks, but these systems lack visibility into the movement of data within a cloud service. CASBs can extend DLP policies into the cloud by examining the data placed into the cloud and monitoring sensitive data for DLP violations. If the institution prohibits the storage of Social Security numbers in the cloud, for example, IT staff can configure the CASB to enforce this rule. The CASB can scan existing content in the cloud service to search for unauthorized content, as well as block future attempts to move offending content into the cloud.
- CASBs inject encryption into the cloud. Encryption is a tried and true security control for the protection of sensitive information that leaves the direct control of its owner. IT staffers have long relied on encryption to reduce the sensitivity level of information stored in the cloud, but they also face the choice of implementing the encryption themselves or placing the encryption keys in the hands of the cloud provider. CASBs mitigate this risk by introducing encryption before the data reaches the cloud service and handling key management tasks. For example, staffers might configure the CASB to intercept and encrypt all files heading to the cloud and then transparently decrypt data returning from the cloud. This gives the end user a seamless experience, while dramatically reducing the impact of a breach at the cloud provider. Cloud computing holds great promise for higher education, offering faculty, staff and students access to a wide range of capabilities that allow them to better carry out their teaching and research missions. CASBs help mitigate the risks associated with cloud computing, smoothing the road to adoption.