136 Madison Ave
New York, NY 10016
http://www.cedrusco.com
63 Requirements for CASB
The Cloud Access Security Broker (CASB) market is rounding the corner into the mainstream.
Venture backed startups are being acquired and big tech firms are positioning while enterprises
are taking a serious look at these solutions. However, since these solutions are so new there is a
lack of understanding as to how to create requirements in order to evaluate these solutions. There
are still many people that are not clear on where CASBs fit in an overall Information Security
strategy. It’s my goal to provide some background on the topic from a business and technology
perspective and provide a baseline for your requirements effort.
This paper is designed to provide you with some requirements that you can use as input
consideration for your “real” CASB requirements. This is meant to be thought provoking, not a copy
and paste exercise. Each requirement will provide you ideas as to what may be most important in
your organization. For example, where we have provided examples of integrations such as
Security Information and Event Management (SIEM), you may want to be specific about your
particular SIEM. For comments, questions, or more information please contact Kyle Watson at
kwatson@cedrusco.com.
REQ # PRIORITY REQUIREMENT DESCRIPTION
Category: Visibility
FUNC-001
Identify cloud applications in use. The CASB must be able to detect and
display "Shadow IT" by discovering a full range of known cloud applications
in use whether CASB is configured in log-based discovery mode or active in-
line proxy mode.
FUNC-002
Discover Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS),
and Infrastructure-as-a-Service (IaaS) based cloud apps. The CASB
must be able to detect and display IaaS and PaaS services in use whether
CASB is configured in log-based discovery mode or active in-line proxy
mode.
FUNC-003
Identify the individual users of cloud apps. The CASB must be able to
detect and display specific users of cloud applications preferably by name or
alternatively by User ID.
FUNC-004
Identify the device for users of cloud apps. The CASB must be able to
detect and display specific device and browser (when applicable) for users of
cloud applications.
FUNC-005
Identify device type and integrity. The CASB must be able to detect and
display the device status / integrity and the devices that are being used, such
as laptops or iPads.
FUNC-006
Identify location data for users of cloud services. The CASB must be
able to detect and display locational information, geographic and IP, from
which access is taking place.
FUNC-007
Identify data types being stored in cloud services. The CASB must be
able to identify which data items (files, fields) are being stored in or used with
the identified cloud services and highlight items of significant data risk.
kwatson@cedrusco.com  Page 1 of 7
Category: Data Loss Prevention (DLP)
FUNC-008
Provide advanced policy driven DLP. The CASB must be able to provide a policy driven approach to DLP. The DLP functionality should be mature enough to allow the CASB to inspect and protect critical data in hidden cells, columns, document comments, and metadata. The CASB DLP should also provide features such as fingerprinting, exact match, international support, dictionaries, and validation mechanisms such as Luhn tests for credit card numbers.
FUNC-009
Provide cloud DLP via API. The CASB must be able to provide near real-
time data monitoring, using the APIs provided by the cloud app and apply
alerting, encryption, or legal hold to items that meet policy violation criteria.
FUNC-010
Provide cloud DLP via in-line proxy. The CASB must be able to provide real-time data monitoring through a proxied connection between the user and the cloud app that passes through the CASB, and apply blocking, alerting, encryption, or legal hold to items that meet policy violation criteria for any “trusted”, “untrusted”, or “not fully trusted” app.
FUNC-011
Provide data pattern recognition. The CASB must be able to recognize regulated data such as personally identifiable information (PII), protected health information (PHI), social security numbers, credit card numbers, customer numbers, etc.
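FUNC-008 names the Luhn test as a validation mechanism and FUNC-011 asks for pattern recognition of regulated data. The following Python detector, added here as an illustration and not taken from the paper or from any CASB product, shows why the two belong together: a regex alone flags every 16-digit string, while the Luhn checksum discards candidates that cannot be a card number, which is what keeps false positives down in a DLP policy. The patterns, the masking format and the sample text are constructed assumptions for this example.

```python
import re

# Constructed, deliberately simple patterns for two regulated data types.
# A production DLP engine carries far richer rules (FUNC-008: dictionaries,
# fingerprinting, exact match); these are enough to show the pipeline.
PATTERNS = {
    # US SSN: area 000/666/9xx, group 00 and serial 0000 are never issued.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # 16-digit card number in four groups, optionally separated by space or dash.
    "credit_card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test (ISO/IEC 7812-1), the validation mechanism FUNC-008
    names for card numbers. Filters digit strings that merely look like a PAN."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Never carry the full value into alerts or logs; keep the last four only."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_regulated_data(text: str) -> list:
    """Return masked findings with their type and offset, sorted by position."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            digits = re.sub(r"[ -]", "", m.group(0))
            if kind == "credit_card" and not luhn_valid(digits):
                continue        # looks like a card number but fails Luhn: skip
            findings.append({"type": kind, "masked": mask(digits),
                             "offset": m.start()})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed sample document. 4111 1111 1111 1111 is a well-known Luhn-valid
# test number; 1234 5678 9012 3456 fails Luhn; 078-05-1120 is the historically
# famous sample SSN printed on 1938 wallet inserts.
SAMPLE_TEXT = (
    "Customer order 1234 5678 9012 3456 shipped. "
    "Card on file: 4111 1111 1111 1111. "
    "Applicant SSN 078-05-1120 verified."
)

if __name__ == "__main__":
    for finding in find_regulated_data(SAMPLE_TEXT):
        print(finding)
```

Run as a script it reports one credit card and one SSN; the order number, although it has the right shape, is dropped by the Luhn test. The same structure extends to the other FUNC-011 types by adding a pattern and, where one exists, a validator (for example a check digit for national health identifiers).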
FUNC-012
Provide HTTPS / secure transport inspection. The CASB must be able to inspect traffic sent via HTTPS in order to apply policy to the data in transit when operating as an in-line proxy.
FUNC-013
Provide encryption/tokenization of data in motion and at rest. The CASB must support flexible field-level encryption and/or tokenization of sensitive data when interacting with cloud apps, including cloud storage accessed through API.
FUNC-014
Read / apply data classification tags. The CASB must be able to read identifying tags from native or third party applications and incorporate them into policy decisions. This includes the ability to consume Digital Rights Management/Information Rights Management (DRM/IRM) data to prevent copying, printing or other distribution of sensitive documents.
FUNC-015
Enable automated actions upon policy violation. When data protection
policies are violated the CASB must be able to perform an appropriate
configured action, which may include encryption, alerts, logging, blocking the
action, quarantining data until some external approval has taken place, or
requiring step up authentication.
FUNC-016
Manage Cloud DLP Policy. The CASB must be able to manage data loss
prevention policies for cloud services and integrate with an existing Enterprise
DLP for policy extraction and sharing. This is important to ensure consistency
of data security policies from on-premise to cloud. The CASB should be
capable of integrating by sending only suspected violations to the enterprise
DLP.
FUNC-017
Provide flexible key management and key storage. The CASB must
support flexible solutions for encryption key management, including customer-
managed keys using either an on-premise solution or a cloud based hardware
security module (HSM) approach.
FUNC-018
Provide data residency controls. For data that must comply with geographic data residency regulations, or to keep data out of specific jurisdictions, the CASB must be aware of where data is stored and incorporate that location into policy decisions to support compliance. Data must not flow through jurisdictions that would be out of policy.
FUNC-019
Provide support for files that are locked or encrypted. The CASB must
provide DLP capabilities when files that are being uploaded to the cloud are
password protected, have DRM, or are in some other way already locked/
encrypted.
FUNC-020
Integrate with Mobile Device Management (MDM). The CASB must integrate with the MDM software on a managed device and incorporate its data points into policy decisions. In addition, it must provide visibility into local data issues and lost-device wiping.
FUNC-021
Provide access control over unmanaged devices. The CASB must provide
mechanisms to integrate with unmanaged BYOD devices and provide policy
driven DLP as appropriate, even when no MDM software is present.
Category: Access Control
FUNC-022
Provide access control to categorized cloud services. The CASB must
categorize and prioritize cloud services and apply access control policies
based upon the level of trust. For example, "trusted" services that can be
accessed by anyone; "untrusted" services that are blocked at all times; and
"not fully trusted" services that need to be carefully monitored and audited
while a decision is made on that particular cloud app.
FUNC-023
Integrate with Identity and Access Management (IAM) services. The CASB
must integrate with existing corporate security infrastructure that supports user
identity - whether internally or cloud based. This includes Single Sign-On
(SSO) and federated identity management for user provisioning.
FUNC-024
Support for industry standard federation protocols. Where appropriate, the
CASB should be configurable to work with industry standard federated
authentication, authorization, and user provisioning technologies and protocols,
including (but not limited to) SAML, ADFS, OAuth, and SCIM.
FUNC-025
Integrate with enterprise tools to provide step-up authentication based on policy. The CASB must provide the ability to require step-up authentication based on policy, in conjunction with enterprise solutions, which may be on premise or cloud based. As an example, when a particular user triggers a policy based upon a series of interesting events (see FUNC-026), one potential action may be to ask the user to provide another layer of authentication, such as a soft token or SMS based identifier, thereby elevating the level of trust in that user.
FUNC-026
Provide identity context and apply to access control policies. The CASB
must provide contextual data including but not limited to things such as user,
device, location, service, network, time of day, and type of data. The CASB
must then be able to utilize these data points in access control policies for
cloud services.
FUNC-027
Provide access control policies based upon user activity. The CASB must provide access control based upon the particular actions the user is taking. An example of this might be that the organization has decided that Google Drive is “untrusted” but that Microsoft OneDrive is “trusted”, and a business partner then shares a document with an employee using Google Drive. In this case we still want the worker to be able to retrieve the document even though we don’t want them to upload anything there.
FUNC-028
Support both personal and corporate credentials with appropriate policies. The CASB must be able to configure and apply policies appropriately depending on whether a given user is using corporate or personal credentials on a managed device. An example of this might be that a company has “trusted” the company Dropbox but does not want any corporate data to go to the myriad personal Dropbox accounts.
FUNC-029
Support corporate shared credentials with appropriate policies. The
CASB must be able to configure and apply policies appropriately for users
accessing a shared corporate account when using corporate credentials on a
managed device. An example of this might be to allow Online Banking or
Twitter for the Corporate shared account, while ignoring, or providing different
policies, for personal use.
FUNC-030
Support country specific access control policies. The CASB must be
configurable for country specific access control requirements, such as allowing
access to Salesforce.com from the US, Canada and the EU, but blocking
access from other countries.
Category: Cloud Service Provider (CSP) Vendor Risk Management
FUNC-031
Analysis and tracking of efficacy of security controls. The CASB vendor must perform regular interval reviews of the Cloud Service Provider's Service Organization Control (SOC) 2 report to ensure that the trust services principles are met. The review interval must be no greater than 90 days for "top tier" applications and no greater than 12 months for more obscure applications. This information must be available in the CASB User Interface.
FUNC-032
Analysis and tracking of business trustworthiness. The CASB vendor
must perform regular interval reviews of Cloud Service Provider business
trustworthiness using publicly available information and/or Dun & Bradstreet
ratings. This information must be available in the CASB User Interface.
FUNC-033
Analysis and tracking of T&C or EULA. The CASB vendor must perform regular interval reviews of the legal implications put forth in the general Terms and Conditions and End User License Agreement. This information must be categorized based upon personnel and data protection and presented in the CASB User Interface.
FUNC-034
Analysis and tracking of vendor breach. The CASB vendor must perform
ongoing tracking and alerting of compromises that occur within the Cloud
Service Provider. This information must play into the vendor trustworthiness
and be presented in the CASB User Interface.
FUNC-035
Analysis and tracking of vendor uptime. The CASB vendor must perform
ongoing tracking and alerting of downtime that occurs within the Cloud Service
Provider beyond quoted levels of availability. This information must play into
the vendor trustworthiness and be presented in the CASB User Interface.
FUNC-036
Analysis and tracking of vendor compliance certifications. The CASB vendor must perform ongoing tracking of cloud service provider compliance (such as HIPAA or PCI DSS) and make this data available in the CASB User Interface.
FUNC-037
Analysis and tracking of vendor vulnerabilities and exploits. The CASB
vendor must perform ongoing tracking of current vulnerabilities and indicate the
status of the cloud service providers in the CASB User Interface.
FUNC-038
Provide risk assessment of cloud services. The CASB must be able to provide an assurance rating or risk assessment for the cloud services that are discovered, to help identify which services need immediate remediation action, such as blocking or strong access control.
Category: Threat Protection
FUNC-039
Provide an audit trail of all access activities and actions. The CASB must
provide a complete log of all activities that it has monitored, along with a
complete audit trail of policy enforcement actions taken (such as blocking,
quarantining, or step-up authentication requests).
FUNC-040
Identify events based on User and Entity Behavior Analytics (UEBA). The
CASB must provide a UEBA solution that incorporates user activity monitoring
and anomaly detection in order to incorporate into policy.
FUNC-041
Identify and remediate compromised accounts. The CASB must have
mechanisms to identify accounts that may have been compromised and initiate
automated actions to remediate the accounts such as an event, alert, and
blocking of access to the specific account. For example, an account used in the
US to access a cloud service is then used to access the same cloud service
from an impossible physical location, such as Germany, simultaneously or in a
small window of time, such as 4 hours.
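The "impossible physical location" test in FUNC-041 is easy to state and worth seeing in code, because the tuning choices (what speed counts as impossible, how short a hop to ignore) are exactly what an evaluator should ask a vendor about. The Python below is an added example written for this page, not from the paper or any CASB; the event fields, the 900 km/h and 100 km thresholds and the sample logins are constructed assumptions. It compares each user's consecutive logins and emits an alert record that a FUNC-015 style automated action could consume.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass
class LoginEvent:
    """One access to a cloud service, as a CASB would record it (FUNC-006
    supplies the geographic location). Field names are this example's own."""
    user: str
    ts: datetime
    lat: float
    lon: float
    country: str


# Constructed threshold: faster than a commercial flight is treated as
# impossible. Tune per organisation; too low floods analysts with VPN noise.
MAX_PLAUSIBLE_KMH = 900.0
# Ignore hops shorter than this: same metro area, CDN/VPN egress jitter.
MIN_DISTANCE_KM = 100.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on an idealised sphere."""
    r = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Compare each user's consecutive logins; flag pairs whose implied speed
    exceeds max_kmh. Returns alert dicts suitable for an automated action."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < min_km:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append({
                    "user": user,
                    "from": prev.country, "to": cur.country,
                    "distance_km": round(dist), "hours": round(hours, 2),
                    "speed_kmh": round(speed),
                    "action": "alert_and_block",   # FUNC-041: automated remediation
                })
    return alerts


def _utc(hour, minute=0):
    return datetime(2024, 1, 15, hour, minute, tzinfo=timezone.utc)


# Constructed sample: alice appears in New York and two hours later in
# Frankfurt; bob drives from New York to Boston over four hours.
SAMPLE_EVENTS = [
    LoginEvent("alice", _utc(9), 40.71, -74.01, "US"),
    LoginEvent("alice", _utc(11), 50.11, 8.68, "DE"),
    LoginEvent("bob", _utc(9), 40.71, -74.01, "US"),
    LoginEvent("bob", _utc(13), 42.36, -71.06, "US"),
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_EVENTS):
        print(alert)
```

Only alice is flagged: roughly 6,200 km in two hours is about 3,100 km/h, while bob's 300 km in four hours is ordinary road travel. Note that the check needs a reliable geolocation for both events; a corporate VPN whose egress sits in another country will trip it, which is why the minimum distance and the speed threshold are configuration, not constants.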
FUNC-042
Provide exception and alert processing. When an exception to policy is
found by the CASB, the data about that exception must be provided to a
selected group of security analyst(s) for investigation via some automated
mechanism.
FUNC-043
Provide automation workflow. The CASB must provide the capability to
incorporate workflows, such as escalation after a time interval, when specific
exceptions or alerts are generated due to policy violation.
FUNC-044
Integrate with Security Information and Event Management (SIEM)
system. Exceptions, alerts, and other activity from the CASB must have the
capability to be integrated with existing SIEM infrastructure to provide a unified
view to the security team.
FUNC-045
Provide access to historical data to support forensics. The CASB must be able to provide data to the Incident Response (IR) and forensics teams after suspicious activity has occurred: for example, what other activities the suspected user has performed recently, and whether the user has performed any admin activities that could be obscuring that activity.
FUNC-046
Integrate with IaaS consoles for protection of apps running on those
platforms. The CASB must provide integration to admin consoles of IaaS
providers such as Azure and Amazon Web Services (AWS) to prevent damage
that would impact applications running on those platforms if the admin access
was compromised.
FUNC-047
Provide dynamic malware analysis. The CASB must be able to monitor data
stored in cloud apps and detect if there is malware present in the files. This
capability should be both real-time for in-line configurations and through
"crawling" for API based integrations.
Category: Non-Functional Requirements
NONFUNC-001
Provide full capability regardless of device, client type, and location. The
CASB must provide full policy based functionality for any “trusted”, “untrusted”,
or “not fully trusted” app whether access is desktop, laptop, or mobile device
on-premises or remote, regardless of client (browser, native app, sync, etc.).
NONFUNC-002
Provide audit logs of change for configuration management and change
control. The CASB must provide audit logging for policy and configuration
changes made by an administrator. If changes were in error or malicious, the
CASB should support configuration rollback to a previous version.
NONFUNC-003
Provide policy simulation. Prior to implementing a policy in CASB, the CASB
should provide a mechanism to "test" what the result of implementing the policy
would do in the environment.
NONFUNC-004
Provide test instances. In order to integrate CASB with test instances of other
components in the environment, the vendor should be able to provide one or
more test instances of the CASB with the possibility of separate integration
points from the production system.
NONFUNC-005
Support standard log types for integration with identification services.
The CASB must provide the capability to read in a range of web gateway and
firewall logs in various formats, including but not limited to CEF, CLSF, and
syslog.
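FUNC-001 asks for Shadow IT discovery in log-based mode and NONFUNC-005 asks that the CASB read gateway logs in formats such as CEF. The Python below, an added example written for this page rather than code from the paper or any product, joins the two: it parses CEF lines from a web gateway, maps destination hosts to cloud apps through a small catalogue with the FUNC-022 trust categories, and aggregates users, request counts and bytes uploaded per app. The vendor and product names in the sample lines, the catalogue entries and the log lines themselves are constructed; the CEF header layout and the `suser`, `dhost` and `out` extension keys are standard CEF.

```python
import re
from collections import defaultdict

# A CEF record is "CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension".
CEF_HEADER_FIELDS = 7
# The extension is "key=value key=value ..."; values may contain spaces, so a
# value ends only where the next "key=" begins.
EXT_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Constructed app catalogue. A real CASB ships a large vendor-maintained one
# carrying FUNC-038 risk ratings; trust levels follow FUNC-022.
APP_CATALOGUE = {
    "onedrive.live.com": ("Microsoft OneDrive", "trusted"),
    "drive.google.com": ("Google Drive", "untrusted"),
    "dropbox.com": ("Dropbox", "not fully trusted"),
}


def parse_cef(line: str) -> dict:
    """Parse one CEF line into a flat dict of header fields plus extension keys."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = line.rstrip("\n").split("|", CEF_HEADER_FIELDS)
    if len(parts) != CEF_HEADER_FIELDS + 1:
        raise ValueError("malformed CEF header")
    names = ["version", "vendor", "product", "device_version",
             "signature_id", "name", "severity"]
    rec = dict(zip(names, [parts[0][4:]] + parts[1:7]))
    rec.update(EXT_KV.findall(parts[7]))
    return rec


def classify_host(host: str):
    """Map a destination host to (app, trust) via the catalogue, or None."""
    host = host.lower()
    for suffix, entry in APP_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return entry
    return None


def discover_cloud_apps(lines) -> dict:
    """Aggregate per-app usage: who used it, how often, how much was uploaded.
    'out' is the standard CEF key for bytes sent by the source."""
    report = defaultdict(lambda: {"trust": None, "users": set(),
                                  "requests": 0, "bytes_out": 0})
    for line in lines:
        rec = parse_cef(line)
        entry = classify_host(rec.get("dhost", ""))
        if entry is None:
            continue                      # not a catalogued cloud app
        app, trust = entry
        stats = report[app]
        stats["trust"] = trust
        stats["users"].add(rec.get("suser", "?"))
        stats["requests"] += 1
        stats["bytes_out"] += int(rec.get("out", 0))
    return {app: {**s, "users": sorted(s["users"])} for app, s in report.items()}


def shadow_it(report: dict) -> list:
    """Apps in use that the organisation has not marked as trusted."""
    return sorted(app for app, s in report.items() if s["trust"] != "trusted")


# Constructed sample gateway log (CEF); vendor and product names are made up.
SAMPLE_CEF_LINES = [
    "CEF:0|ExampleVendor|WebGateway|1.0|100|HTTP request|3|suser=alice dhost=drive.google.com request=https://drive.google.com/upload out=524288 act=allowed",
    "CEF:0|ExampleVendor|WebGateway|1.0|100|HTTP request|3|suser=bob dhost=drive.google.com request=https://drive.google.com/file/d/abc out=1024 act=allowed",
    "CEF:0|ExampleVendor|WebGateway|1.0|100|HTTP request|3|suser=alice dhost=www.dropbox.com request=https://www.dropbox.com/home out=2048 act=allowed",
    "CEF:0|ExampleVendor|WebGateway|1.0|100|HTTP request|3|suser=carol dhost=onedrive.live.com request=https://onedrive.live.com/ out=4096 act=allowed",
    "CEF:0|ExampleVendor|WebGateway|1.0|100|HTTP request|3|suser=dave dhost=intranet.example.internal request=http://intranet.example.internal/ out=100 act=allowed",
]

if __name__ == "__main__":
    usage = discover_cloud_apps(SAMPLE_CEF_LINES)
    for app, stats in usage.items():
        print(app, stats)
    print("shadow IT:", shadow_it(usage))
```

The bytes-out figure is what turns a discovery report into a prioritised one: half a megabyte uploaded to an "untrusted" service by a named user is a very different finding from a single page view, and it is the kind of evidence FUNC-007 wants surfaced next to the app. Extending the same loop to syslog or CLF input only requires another parser that yields the same `suser`/`dhost`/`out` keys.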
NONFUNC-006
Integrate with enterprise proxy or web gateway. When the CASB is running
in proxy mode it must be able to integrate with any existing secure web
gateway/proxy, rather than adding an additional hop into the network flow.
NONFUNC-007
Data tokenization or encryption should not limit application functionality.
If CASB policy dictates that data must be tokenized or encrypted, functionality
of the cloud service should not be reduced.
NONFUNC-008
Encryption type must be relevant, current, and strong. The CASB
encryption approach should include strong levels of encryption and changing
the approach of encryption should not be required in order to retain integrated
cloud service application functionality.
NONFUNC-009
No impact to mobile device application use. Integration of the CASB with mobile devices should not interfere with installed "apps" that contain hard-coded URIs.
NONFUNC-010
Business-friendly User Interface (UI). The CASB should provide a simple UI
that provides role-based access to key information for authorized users.
NONFUNC-011
Highly available architecture. The CASB platform should be continuously
available with a zero Recovery Time Objective (RTO) for component failure or
data center outage.
NONFUNC-012
24x7x365 technical support. The CASB vendor should provide support capable of meeting the needs of a global enterprise. Specific incident priority levels should dictate expected response times, and an escalation path should be provided.
NONFUNC-013
Elasticity and scalability. The CASB solution must be able to scale to support
both linear growth and unforeseen bursts in activity, preferably through
elasticity. For any on premise components, a clear scalability model must be
defined that incorporates user base, devices, and traffic in order that the
company can plan for scaling as needed.
NONFUNC-014
No noticeable performance impact to applications. When users are
accessing applications through the CASB, in-line, the users should not notice
any performance impact.
NONFUNC-015
Reporting. The CASB must provide reporting that includes, but is not limited to
cloud service provider trustworthiness and user and device access, events,
and alerting. The CASB should have a capability to filter and customize these
reports.
NONFUNC-016
Support for multi-language capabilities. The CASB must provide language
services including the ability to meet the functional requirements in major world
languages.
kwatson@cedrusco.com ! of ! pages7 7

Mais conteúdo relacionado

Mais procurados

Palo alto networks next generation firewalls
Palo alto networks next generation firewallsPalo alto networks next generation firewalls
Palo alto networks next generation firewalls
Castleforce
 
Palo alto networks product overview
Palo alto networks product overviewPalo alto networks product overview
Palo alto networks product overview
Belsoft
 

Mais procurados (20)

Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment modeCloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
 
Cloud Access Security Brokers - CASB
Cloud Access Security Brokers - CASB Cloud Access Security Brokers - CASB
Cloud Access Security Brokers - CASB
 
15 intro to ssl certificate & pki concept
15 intro to ssl certificate & pki concept15 intro to ssl certificate & pki concept
15 intro to ssl certificate & pki concept
 
Palo alto networks next generation firewalls
Palo alto networks next generation firewallsPalo alto networks next generation firewalls
Palo alto networks next generation firewalls
 
7 palo alto security zones & interfaces concepts
7 palo alto security zones & interfaces concepts7 palo alto security zones & interfaces concepts
7 palo alto security zones & interfaces concepts
 
2 Modern Security - Microsoft Information Protection
2   Modern Security - Microsoft Information Protection2   Modern Security - Microsoft Information Protection
2 Modern Security - Microsoft Information Protection
 
Labelling in Microsoft 365 - Retention & Sensitivity
Labelling in Microsoft 365 - Retention & SensitivityLabelling in Microsoft 365 - Retention & Sensitivity
Labelling in Microsoft 365 - Retention & Sensitivity
 
Information classification
Information classificationInformation classification
Information classification
 
17 palo alto threat prevention concept
17 palo alto threat prevention concept17 palo alto threat prevention concept
17 palo alto threat prevention concept
 
PaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPaloAlto Enterprise Security Solution
PaloAlto Enterprise Security Solution
 
Understanding SASE
Understanding SASE Understanding SASE
Understanding SASE
 
Azure Information Protection
Azure Information ProtectionAzure Information Protection
Azure Information Protection
 
Demystifying Prisma Access
Demystifying Prisma AccessDemystifying Prisma Access
Demystifying Prisma Access
 
10 palo alto nat policy concepts
10 palo alto nat policy concepts10 palo alto nat policy concepts
10 palo alto nat policy concepts
 
Palo Alto Networks 28.5.2013
Palo Alto Networks 28.5.2013Palo Alto Networks 28.5.2013
Palo Alto Networks 28.5.2013
 
Palo alto networks product overview
Palo alto networks product overviewPalo alto networks product overview
Palo alto networks product overview
 
Putting Firepower into the Next Generation Firewall
Putting Firepower into the Next Generation FirewallPutting Firepower into the Next Generation Firewall
Putting Firepower into the Next Generation Firewall
 
3 palo alto ngfw architecture overview
3 palo alto ngfw architecture overview3 palo alto ngfw architecture overview
3 palo alto ngfw architecture overview
 
CollabDaysBE - Microsoft Purview Information Protection demystified
CollabDaysBE - Microsoft Purview Information Protection demystifiedCollabDaysBE - Microsoft Purview Information Protection demystified
CollabDaysBE - Microsoft Purview Information Protection demystified
 
Cisco ASA Firepower
Cisco ASA FirepowerCisco ASA Firepower
Cisco ASA Firepower
 

Destaque

NTXISSACSC4 - Introducing the Vulnerability Management Maturity Model - VM3
NTXISSACSC4 - Introducing the Vulnerability Management Maturity Model - VM3NTXISSACSC4 - Introducing the Vulnerability Management Maturity Model - VM3
NTXISSACSC4 - Introducing the Vulnerability Management Maturity Model - VM3
North Texas Chapter of the ISSA
 
NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception
NTXISSACSC4 - Detecting and Catching the Bad Guys Using DeceptionNTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception
NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception
North Texas Chapter of the ISSA
 

Destaque (20)

CASBs and Office 365: The Security Menace
CASBs and Office 365: The Security MenaceCASBs and Office 365: The Security Menace
CASBs and Office 365: The Security Menace
 
5 Highest-Impact CASB Use Cases - Office 365
5 Highest-Impact CASB Use Cases - Office 3655 Highest-Impact CASB Use Cases - Office 365
5 Highest-Impact CASB Use Cases - Office 365
 
Stop Hackers with Integrated CASB & IDaaS Security
Stop Hackers with  Integrated CASB & IDaaS SecurityStop Hackers with  Integrated CASB & IDaaS Security
Stop Hackers with Integrated CASB & IDaaS Security
 
IAM Methods 2.0 Presentation Michael Nielsen Deloitte
IAM Methods 2.0 Presentation Michael Nielsen DeloitteIAM Methods 2.0 Presentation Michael Nielsen Deloitte
IAM Methods 2.0 Presentation Michael Nielsen Deloitte
 
The Gartner IAM Program Maturity Model
The Gartner IAM Program Maturity ModelThe Gartner IAM Program Maturity Model
The Gartner IAM Program Maturity Model
 
(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less
(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less
(SEC305) How to Become an IAM Policy Ninja in 60 Minutes or Less
 
Closing the Cloud Security Gap with a CASB (in partnership with Forrester)
Closing the Cloud Security Gap with a CASB (in partnership with Forrester)Closing the Cloud Security Gap with a CASB (in partnership with Forrester)
Closing the Cloud Security Gap with a CASB (in partnership with Forrester)
 
London Devops #9 - Security at a startup
London Devops #9 - Security at a startupLondon Devops #9 - Security at a startup
London Devops #9 - Security at a startup
 
How to Automate User Provisioning
How to Automate User Provisioning How to Automate User Provisioning
How to Automate User Provisioning
 
Leading Trends in IAM Webinar 3: Optimizing User Experience in Cloud Initiatives
Leading Trends in IAM Webinar 3: Optimizing User Experience in Cloud InitiativesLeading Trends in IAM Webinar 3: Optimizing User Experience in Cloud Initiatives
Leading Trends in IAM Webinar 3: Optimizing User Experience in Cloud Initiatives
 
How to increase your understanding of application usage with LeanIX and OneLo...
How to increase your understanding of application usage with LeanIX and OneLo...How to increase your understanding of application usage with LeanIX and OneLo...
How to increase your understanding of application usage with LeanIX and OneLo...
 
Cloud Access Security Broker (CASB)
Cloud Access Security Broker (CASB) Cloud Access Security Broker (CASB)
Cloud Access Security Broker (CASB)
 
User Creation and Authentication in Remedyforce
User Creation and Authentication in RemedyforceUser Creation and Authentication in Remedyforce
User Creation and Authentication in Remedyforce
 
Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)
Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)
Avoiding the Hidden Costs of Active Directory Federation Services (AD FS)
 
8 questions to ask when evaluating a Cloud Access Security Broker
8 questions to ask when evaluating a Cloud Access Security Broker8 questions to ask when evaluating a Cloud Access Security Broker
8 questions to ask when evaluating a Cloud Access Security Broker
 
NTXISSACSC4 - Introducing the Vulnerability Management Maturity Model - VM3
NTXISSACSC4 - Introducing the Vulnerability Management Maturity Model - VM3NTXISSACSC4 - Introducing the Vulnerability Management Maturity Model - VM3
NTXISSACSC4 - Introducing the Vulnerability Management Maturity Model - VM3
 
NTXISSACSC4 - Array Networks - A Layered Approach to Web and Application Secu...
NTXISSACSC4 - Array Networks - A Layered Approach to Web and Application Secu...NTXISSACSC4 - Array Networks - A Layered Approach to Web and Application Secu...
NTXISSACSC4 - Array Networks - A Layered Approach to Web and Application Secu...
 
Sailpoint Training | Best Sailpoint IdentityIQ Online Course -GOT
Sailpoint Training | Best Sailpoint IdentityIQ Online Course -GOTSailpoint Training | Best Sailpoint IdentityIQ Online Course -GOT
Sailpoint Training | Best Sailpoint IdentityIQ Online Course -GOT
 
NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception
NTXISSACSC4 - Detecting and Catching the Bad Guys Using DeceptionNTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception
NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception
 
NTXISSACSC4 - Security for a New World
NTXISSACSC4 - Security for a New WorldNTXISSACSC4 - Security for a New World
NTXISSACSC4 - Security for a New World
 

Semelhante a 63 Requirements for CASB

o-palerra-ROI-QuantifyCASB-WP
o-palerra-ROI-QuantifyCASB-WPo-palerra-ROI-QuantifyCASB-WP
o-palerra-ROI-QuantifyCASB-WP
Eric Opp
 
saassecurity-230424030940-08314322.pdf
saassecurity-230424030940-08314322.pdfsaassecurity-230424030940-08314322.pdf
saassecurity-230424030940-08314322.pdf
SahilSingh316535
 
Palerra_CASB_UBA_WhitePaper
Palerra_CASB_UBA_WhitePaperPalerra_CASB_UBA_WhitePaper
Palerra_CASB_UBA_WhitePaper
Eric Opp
 
Service now is a software platform that supports IT service manag.docx
Service now is a software platform that supports IT service manag.docxService now is a software platform that supports IT service manag.docx
63 Requirements for CASB

REQ #      REQUIREMENT / DESCRIPTION   (PRIORITY left blank for your organization to assign)

Category: Visibility

FUNC-001  Identify cloud applications in use.
    The CASB must be able to detect and display "Shadow IT" by discovering a full range of known cloud applications in use, whether the CASB is configured in log-based discovery mode or active in-line proxy mode.

FUNC-002  Discover Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) based cloud apps.
    The CASB must be able to detect and display IaaS and PaaS services in use, whether the CASB is configured in log-based discovery mode or active in-line proxy mode.

FUNC-003  Identify the individual users of cloud apps.
    The CASB must be able to detect and display specific users of cloud applications, preferably by name or alternatively by user ID.

FUNC-004  Identify the device for users of cloud apps.
    The CASB must be able to detect and display the specific device and browser (when applicable) for users of cloud applications.

FUNC-005  Identify device type and integrity.
    The CASB must be able to detect and display the device status / integrity and the devices that are being used, such as laptops or iPads.

FUNC-006  Identify location data for users of cloud services.
    The CASB must be able to detect and display locational information, geographic and IP, from which access is taking place.

FUNC-007  Identify data types being stored in cloud services.
    The CASB must be able to identify which data items (files, fields) are being stored in or used with the identified cloud services and highlight items of significant data risk.

Category: Data Loss Prevention (DLP)

FUNC-008  Provide advanced policy driven DLP.
    The CASB must be able to provide a policy driven approach to DLP. The DLP functionality should be mature enough to allow the CASB to inspect and protect critical data in hidden cells, columns, document comments, and metadata. The CASB DLP should also provide features such as fingerprinting, exact match, international support, dictionaries, and validation mechanisms such as Luhn tests for credit card numbers.

FUNC-009  Provide cloud DLP via API.
    The CASB must be able to provide near real-time data monitoring, using the APIs provided by the cloud app, and apply alerting, encryption, or legal hold to items that meet policy violation criteria.

FUNC-010  Provide cloud DLP via in-line proxy.
    The CASB must be able to provide real-time data monitoring through a proxied connection between the user and the cloud app (via the CASB) and apply blocking, alerting, encryption, or legal hold to items that meet policy violation criteria for any "trusted", "untrusted", or "not fully trusted" apps.

FUNC-011  Provide data pattern recognition.
    The CASB must be able to recognize regulated data such as personally identifiable information (PII), protected health information (PHI), social security numbers, credit cards, customer numbers, etc.

FUNC-012  Provide HTTPS / secure transport inspection.
    The CASB must be able to inspect traffic sent via HTTPS in order to apply policy to the data in transit when operating as an in-line proxy.

FUNC-013  Provide encryption/tokenization of data in motion/at rest.
    The CASB must support flexible field level encryption and/or tokenization of sensitive data when interacting with cloud apps, including cloud storage through API.

FUNC-014  Read / apply data classification tags.
    The CASB must be able to incorporate identifying tags from native or third party applications and incorporate them into policy decisions. This includes the ability to consume Digital Rights Management/Information Rights Management (DRM/IRM) data to prevent copying, printing or other distribution of sensitive documents.

FUNC-015  Enable automated actions upon policy violation.
    When data protection policies are violated the CASB must be able to perform an appropriate configured action, which may include encryption, alerts, logging, blocking the action, quarantining data until some external approval has taken place, or requiring step-up authentication.

FUNC-016  Manage cloud DLP policy.
    The CASB must be able to manage data loss prevention policies for cloud services and integrate with an existing enterprise DLP for policy extraction and sharing. This is important to ensure consistency of data security policies from on-premise to cloud. The CASB should be capable of integrating by sending only suspected violations to the enterprise DLP.

FUNC-017  Provide flexible key management and key storage.
    The CASB must support flexible solutions for encryption key management, including customer-managed keys using either an on-premise solution or a cloud based hardware security module (HSM) approach.

FUNC-018  Provide data residency controls.
    For data that must be compliant with geographical information residency regulations, or to prevent data from specific jurisdictions, the CASB must support locational storage awareness and incorporate it into policy decisions to support compliance. Data must not flow through jurisdictions that would be out of policy.

FUNC-019  Provide support for files that are locked or encrypted.
    The CASB must provide DLP capabilities when files that are being uploaded to the cloud are password protected, have DRM, or are in some other way already locked/encrypted.

FUNC-020  Integrate with Mobile Device Management (MDM).
    The CASB must integrate with the MDM software on a managed device and incorporate its data points into policy decisions. In addition, it should provide visibility into local data issues and lost-device wiping.

FUNC-021  Provide access control over unmanaged devices.
    The CASB must provide mechanisms to integrate with unmanaged BYOD devices and provide policy driven DLP as appropriate, even when no MDM software is present.

Category: Access Control

FUNC-022  Provide access control to categorized cloud services.
    The CASB must categorize and prioritize cloud services and apply access control policies based upon the level of trust. For example, "trusted" services that can be accessed by anyone; "untrusted" services that are blocked at all times; and "not fully trusted" services that need to be carefully monitored and audited while a decision is made on that particular cloud app.

FUNC-023  Integrate with Identity and Access Management (IAM) services.
    The CASB must integrate with existing corporate security infrastructure that supports user identity, whether internal or cloud based. This includes Single Sign-On (SSO) and federated identity management for user provisioning.

FUNC-024  Support for industry standard federation protocols.
    Where appropriate, the CASB should be configurable to work with industry standard federated authentication, authorization, and user provisioning technologies and protocols, including (but not limited to) SAML, ADFS, OAuth, and SCIM.

FUNC-025  Integrate with enterprise tools to provide step-up authentication based on policy.
    The CASB must provide the ability to require step-up authentication based on policy, in conjunction with enterprise solutions, which may be on premise or cloud based. As an example, when a particular user triggers a policy based upon a series of interesting events (see FUNC-026), one potential action may be to ask the user to provide another layer of authentication, such as a soft token or SMS based identifier, thereby elevating the level of trust in that user.

FUNC-026  Provide identity context and apply it to access control policies.
    The CASB must provide contextual data including but not limited to user, device, location, service, network, time of day, and type of data. The CASB must then be able to utilize these data points in access control policies for cloud services.

FUNC-027  Provide access control policies based upon user activity.
    The CASB must provide access control based upon the particular actions the user is taking. An example of this might be that the organization has decided that Google Drive is "untrusted" but that Microsoft OneDrive is "trusted", and then a business partner shares a document with an employee using Google Drive. In this case we still want the worker to be able to retrieve the document even if we don't want them to upload anything there.

FUNC-028  Support both personal and corporate credentials with appropriate policies.
    The CASB must be able to configure and apply policies appropriately depending on whether a given user is using corporate or personal credentials on a managed device. An example of this might be that a company has a "trusted" company Dropbox but does not want any corporate data to go to the myriad personal Dropboxes.

FUNC-029  Support corporate shared credentials with appropriate policies.
    The CASB must be able to configure and apply policies appropriately for users accessing a shared corporate account when using corporate credentials on a managed device. An example of this might be to allow online banking or Twitter for the corporate shared account, while ignoring, or providing different policies for, personal use.

FUNC-030  Support country specific access control policies.
    The CASB must be configurable for country specific access control requirements, such as allowing access to Salesforce.com from the US, Canada and the EU, but blocking access from other countries.

Category: Cloud Service Provider (CSP) Vendor Risk Management

FUNC-031  Analysis and tracking of efficacy of security controls.
    The CASB vendor must perform regular interval reviews of the Cloud Service Provider's Service Organization Control (SOC) type 2 report to ensure that the trust service principles are met. The minimum interval of review must be no greater than 90 days for "top tier" applications and no greater than 12 months for more obscure applications. This information must be available in the CASB User Interface.

FUNC-032  Analysis and tracking of business trustworthiness.
    The CASB vendor must perform regular interval reviews of Cloud Service Provider business trustworthiness using publicly available information and/or Dun & Bradstreet ratings. This information must be available in the CASB User Interface.

FUNC-033  Analysis and tracking of T&C or EULA.
    The CASB vendor must perform regular interval reviews of the legal implications put forth in the general Terms and Conditions and Enterprise User License Agreement. This information must be categorized based upon personnel and data protection and presented in the CASB User Interface.

FUNC-034  Analysis and tracking of vendor breach.
    The CASB vendor must perform ongoing tracking and alerting of compromises that occur within the Cloud Service Provider. This information must play into the vendor trustworthiness and be presented in the CASB User Interface.

FUNC-035  Analysis and tracking of vendor uptime.
    The CASB vendor must perform ongoing tracking and alerting of downtime that occurs within the Cloud Service Provider beyond quoted levels of availability. This information must play into the vendor trustworthiness and be presented in the CASB User Interface.

FUNC-036  Analysis and tracking of vendor compliance certifications.
    The CASB vendor must perform ongoing tracking of cloud service provider compliance (such as HIPAA or PCI DSS) and make this data available in the CASB User Interface.

FUNC-037  Analysis and tracking of vendor vulnerabilities and exploits.
    The CASB vendor must perform ongoing tracking of current vulnerabilities and indicate the status of the cloud service providers in the CASB User Interface.

FUNC-038  Provide risk assessment of cloud services.
    The CASB must be able to provide an assurance rating or risk assessment for the cloud services that are discovered, to help identify which services need immediate remediation, such as blocking or strong access control.

Category: Threat Protection

FUNC-039  Provide an audit trail of all access activities and actions.
    The CASB must provide a complete log of all activities that it has monitored, along with a complete audit trail of policy enforcement actions taken (such as blocking, quarantining, or step-up authentication requests).

FUNC-040  Identify events based on User and Entity Behavior Analytics (UEBA).
    The CASB must provide a UEBA solution that incorporates user activity monitoring and anomaly detection, so that the results can be incorporated into policy.

FUNC-041  Identify and remediate compromised accounts.
    The CASB must have mechanisms to identify accounts that may have been compromised and initiate automated actions to remediate the accounts, such as generating an event, alerting, and blocking access to the specific account. For example, an account used in the US to access a cloud service is then used to access the same cloud service from an impossible physical location, such as Germany, simultaneously or within a small window of time, such as 4 hours.

FUNC-042  Provide exception and alert processing.
    When an exception to policy is found by the CASB, the data about that exception must be provided to a selected group of security analyst(s) for investigation via some automated mechanism.

FUNC-043  Provide automation workflow.
    The CASB must provide the capability to incorporate workflows, such as escalation after a time interval, when specific exceptions or alerts are generated due to policy violation.

FUNC-044  Integrate with Security Information and Event Management (SIEM) system.
    Exceptions, alerts, and other activity from the CASB must have the capability to be integrated with existing SIEM infrastructure to provide a unified view to the security team.

FUNC-045  Provide access to history data to support forensics.
    The CASB must be able to provide data to the Incident Response (IR) and forensics teams after suspicious activity has occurred. For example, for the suspected user: what other activities has that user performed recently, and has the user performed any admin activities that could be obscuring activity?

FUNC-046  Integrate with IaaS consoles for protection of apps running on those platforms.
    The CASB must provide integration to admin consoles of IaaS providers such as Azure and Amazon Web Services (AWS) to prevent damage that would impact applications running on those platforms if the admin access were compromised.

FUNC-047  Provide dynamic malware analysis.
    The CASB must be able to monitor data stored in cloud apps and detect if there is malware present in the files. This capability should be both real-time for in-line configurations and through "crawling" for API based integrations.

Category: Non-Functional Requirements

NONFUNC-001  Provide full capability regardless of device, client type, and location.
    The CASB must provide full policy based functionality for any "trusted", "untrusted", or "not fully trusted" app, whether access is from a desktop, laptop, or mobile device, on-premises or remote, regardless of client (browser, native app, sync, etc.).

NONFUNC-002  Provide audit logs of change for configuration management and change control.
    The CASB must provide audit logging for policy and configuration changes made by an administrator. If changes were in error or malicious, the CASB should support configuration rollback to a previous version.

NONFUNC-003  Provide policy simulation.
    Prior to implementing a policy in the CASB, the CASB should provide a mechanism to "test" what the result of implementing the policy would be in the environment.

NONFUNC-004  Provide test instances.
    In order to integrate the CASB with test instances of other components in the environment, the vendor should be able to provide one or more test instances of the CASB with the possibility of separate integration points from the production system.

NONFUNC-005  Support standard log types for integration with identification services.
    The CASB must provide the capability to read in a range of web gateway and firewall logs in various formats, including but not limited to CEF, CLSF, and syslog.

NONFUNC-006  Integrate with enterprise proxy or web gateway.
    When the CASB is running in proxy mode it must be able to integrate with any existing secure web gateway/proxy, rather than adding an additional hop into the network flow.

NONFUNC-007  Data tokenization or encryption should not limit application functionality.
    If CASB policy dictates that data must be tokenized or encrypted, the functionality of the cloud service should not be reduced.

NONFUNC-008  Encryption type must be relevant, current, and strong.
    The CASB encryption approach should include strong levels of encryption, and changing the encryption approach should not be required in order to retain integrated cloud service application functionality.

NONFUNC-009  No impact to mobile device application use.
    Integration of the CASB with mobile devices should not interfere with installed "apps" that contain hard coded URIs.

NONFUNC-010  Business-friendly User Interface (UI).
    The CASB should provide a simple UI that provides role-based access to key information for authorized users.

NONFUNC-011  Highly available architecture.
    The CASB platform should be continuously available with a zero Recovery Time Objective (RTO) for component failure or data center outage.

NONFUNC-012  24x7x365 technical support.
    The CASB vendor should provide support capable of meeting the needs of a global enterprise. Specific incident priority levels should dictate expected response times, and an escalation path should be provided.

NONFUNC-013  Elasticity and scalability.
    The CASB solution must be able to scale to support both linear growth and unforeseen bursts in activity, preferably through elasticity. For any on premise components, a clear scalability model must be defined that incorporates user base, devices, and traffic, so that the company can plan for scaling as needed.

NONFUNC-014  No noticeable performance impact to applications.
    When users are accessing applications through the CASB in-line, the users should not notice any performance impact.

NONFUNC-015  Reporting.
    The CASB must provide reporting that includes, but is not limited to, cloud service provider trustworthiness and user and device access, events, and alerting. The CASB should have a capability to filter and customize these reports.

NONFUNC-016  Support for multi-language capabilities.
    The CASB must provide language services, including the ability to meet the functional requirements in major world languages.

For comments, questions, or more information please contact Kyle Watson at kwatson@cedrusco.com.
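The compromised-account scenario in FUNC-041 (the same account seen in the US and then in Germany, simultaneously or within a few hours) is the classic "impossible travel" check. The following is an added illustration of that detection logic, not code from this paper or from any CASB product; the 4-hour window comes from the paper's example, while the maximum plausible travel speed, the 50 km jitter floor and the sample access events are assumptions constructed for the demonstration.

```python
"""Impossible-travel detection over cloud access events (added example for FUNC-041)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Iterable, List, Tuple

# Policy knobs (assumed values): look back over the paper's 4-hour window,
# and treat anything faster than an airliner as physically impossible.
WINDOW_HOURS = 4.0
MAX_SPEED_KMH = 900.0
# Geo-IP resolution is coarse; two hits inside the same metro area are not "travel".
MIN_DISTANCE_KM = 50.0


@dataclass(frozen=True)
class AccessEvent:
    user: str
    service: str
    ts: datetime      # timezone-aware, UTC
    country: str      # ISO country code resolved from the source IP
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(events: Iterable[AccessEvent]) -> List[Tuple[AccessEvent, AccessEvent, float]]:
    """Return (earlier, later, required_speed_kmh) for consecutive accesses by the same
    user to the same service that fall inside WINDOW_HOURS yet would require travelling
    faster than MAX_SPEED_KMH. Simultaneous hits from distant places yield infinite speed."""
    findings = []
    ordered = sorted(events, key=lambda e: (e.user, e.service, e.ts))
    for prev, cur in zip(ordered, ordered[1:]):
        if (prev.user, prev.service) != (cur.user, cur.service):
            continue
        hours = (cur.ts - prev.ts).total_seconds() / 3600.0
        if hours > WINDOW_HOURS:
            continue
        km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        if km < MIN_DISTANCE_KM:
            continue
        speed = km / hours if hours > 0 else float("inf")
        if speed > MAX_SPEED_KMH:
            findings.append((prev, cur, speed))
    return findings


def _utc(h: int, m: int = 0) -> datetime:
    return datetime(2024, 3, 1, h, m, tzinfo=timezone.utc)


# Constructed sample events: alice hops New York -> Frankfurt in 3 h (flag),
# bob drives New York -> Boston in 2 h (fine), carol is in London and Sydney at once (flag).
SAMPLE_EVENTS = [
    AccessEvent("alice", "salesforce", _utc(9), "US", 40.7128, -74.0060),
    AccessEvent("alice", "salesforce", _utc(12), "DE", 50.1109, 8.6821),
    AccessEvent("bob", "salesforce", _utc(9), "US", 40.7128, -74.0060),
    AccessEvent("bob", "salesforce", _utc(11), "US", 42.3601, -71.0589),
    AccessEvent("carol", "o365", _utc(8), "GB", 51.5074, -0.1278),
    AccessEvent("carol", "o365", _utc(8), "AU", -33.8688, 151.2093),
]

if __name__ == "__main__":
    for earlier, later, speed in impossible_travel(SAMPLE_EVENTS):
        print(f"ALERT {earlier.user}/{earlier.service}: {earlier.country} -> {later.country} "
              f"needs {speed:.0f} km/h; candidate for alert, step-up auth or block")
```

In a real deployment the events would come from the CASB's own access log (FUNC-039) and the action taken on a finding would be the policy-driven response from FUNC-015 and FUNC-025, not a print statement.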