
Netskope The 20 Most Common CASB Use Cases

2020-09-14 20:41  宋海宾

As people and organizations adopt cloud services, Cloud Access Security Brokers (CASBs) have become a must-have for any information security team. CASBs provide critical capabilities such as governing access and activities in sanctioned and unsanctioned cloud services, securing sensitive data and preventing its loss, and protecting against internal and external threats. In short, CASBs enable organizations to extend their information protection policies and programs from their on-premises infrastructure and applications to the cloud. For organizations that are considering deploying a CASB, it's useful to consider the specific use cases they're likely to address within these broad topic areas, as they inform functional and architectural requirements.

 

Here's a list of the 20 most common CASB use cases.

 

1. Secure Data

1.1 Prevent data exfiltration from an IT-led service to any cloud service

For example, prevent the download of confidential content from a corporate-IT-led service such as Salesforce, Box, or even AWS S3 to a personal Dropbox or other file sharing service.

Functional Requirements

▸ See and control usage in both IT-led and business-led services

▸ Detect sensitive data, e.g., "confidential"

▸ Identify all unique content in motion and track its movement

▸ Be aware of context, e.g., activities such as "upload" and "download"

▸ Correlate users' identities (e.g., bob@netskope.com = bob123@yahoo.com = bobaran@gmail.com)

▸ Differentiate between internal and external domains

▸ Know corporate vs. personal accounts

▸ Recognize and enforce differing policies between service instances, e.g., corporate and personal

▸ Decrypt SSL and decode the unpublished API to understand the transaction

▸ Surface data exfiltration activities in a user interface that is easy to understand

Deployment Requirements

▸ Forward proxy (monitor and control)

 

1.2 Enforce different policies for personal and corporate instances of the same cloud service

For example, prevent the upload of regulated information (such as that beholden to FISMA (Federal Information Security Management Act), NERC, or PCI) to any Dropbox EXCEPT for the corporate-IT-led instance of Dropbox.

   

Functional Requirements

▸ Detect sensitive data, e.g., data beholden to FISMA, NERC, or PCI

▸ Be aware of context, e.g., activities such as “upload” and “download”

▸ Know corporate vs. personal accounts

▸ Recognize and enforce differing policies between service instances, e.g., corporate and personal

▸ See and control usage in both IT-led and business-led services

▸ Decrypt SSL and decode the unpublished API to understand the transaction

Deployment Requirements

▸ Forward proxy (monitor and control)
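
One way to express this instance-aware policy, as an added example that is not from the original document or from Netskope. The corporate domain `example-corp.com`, the `Transaction` fields, and the use of a Luhn-validated card-number match as the only regulated-data check are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Assumptions (not from the page): the tenant domain, the transaction fields,
# and PAN detection standing in for "regulated data" (PCI only).
CORPORATE_DOMAINS = {"example-corp.com"}
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

@dataclass
class Transaction:
    """One cloud transaction as a forward proxy might decode it."""
    app: str       # cloud service, e.g. "dropbox"
    account: str   # identity logged in to the cloud service
    activity: str  # "upload", "download", ...
    content: str   # extracted text of the object in motion

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def contains_pan(text: str) -> bool:
    """True if the text holds a 13-19 digit run that passes Luhn."""
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False

def instance_of(tx: Transaction) -> str:
    """Classify the service instance by the domain of the logged-in account."""
    domain = tx.account.rsplit("@", 1)[-1].lower()
    return "corporate" if domain in CORPORATE_DOMAINS else "personal"

def decide(tx: Transaction) -> str:
    """Block regulated uploads to Dropbox unless the instance is corporate."""
    if tx.app == "dropbox" and tx.activity == "upload" and contains_pan(tx.content):
        return "allow" if instance_of(tx) == "corporate" else "block"
    return "allow"
```

The decision depends on three inputs together (content, activity, instance), which is why the requirements list pairs DLP detection with activity context and corporate vs. personal account awareness.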

 

1.5 Monitor sensitive data in Amazon S3 buckets

For example, alert when PCI data is discovered in AWS S3 buckets.

Functional Requirements

▸ Cloud DLP that can scan S3 buckets

▸ Specify all or individual S3 buckets

▸ Incident management workflow

Deployment Requirements

▸ API (IT-led only)

 

Protect Against Threats

1.3 Block or remediate malware in IT-led and en route to/from business-led cloud services

For example, detect, quarantine, and block malware being downloaded from any cloud service in real time.

Functional Requirements

▸ Inspect, detect, block, and remediate malware in IT-led cloud services

▸ Inspect, detect, block, and remediate malware en route to/from business-led cloud services

▸ Decrypt SSL and decode the unpublished API to understand the transaction

Deployment Requirements

▸ API (IT-led only)

▸ Forward proxy

▸ Reverse proxy (IT-led only, browser only)

 

Govern Usage

1.4 Govern access to Office 365 and other cloud services by device ownership class

For example, offer web-based email access only to a BYOD device but full suite access to a corporate one.

Functional Requirements

▸ Understand different authentication protocols and federated identity across Office 365 and other cloud services

▸ Enforce access and activity policies based on device attributes, including classification of “managed” and “unmanaged”

▸ Decrypt SSL and decode the unpublished API to understand the transaction (for forward proxy)

Deployment Requirements

▸ Forward proxy

▸ Reverse proxy (IT-led only, browser only)