136 Madison Ave
New York, NY 10016
http://www.cedrusco.com
63 Requirements for CASB
The Cloud Access Security Broker (CASB) market is rounding the corner into the mainstream.
Venture backed startups are being acquired and big tech firms are positioning while enterprises
are taking a serious look at these solutions. However, since these solutions are so new there is a
lack of understanding as to how to create requirements in order to evaluate these solutions. There
are still many people that are not clear on where CASBs fit in an overall Information Security
strategy. It’s my goal to provide some background on the topic from a business and technology
perspective and provide a baseline for your requirements effort.
This paper is designed to provide you with some requirements that you can use as input
consideration for your “real” CASB requirements. This is meant to be thought provoking, not a copy
and paste exercise. Each requirement will provide you with ideas as to what may be most important in
your organization. For example, where we have provided examples of integrations such as
Security Information and Event Management (SIEM), you may want to be specific about your
particular SIEM. For comments, questions, or more information please contact Kyle Watson at
kwatson@cedrusco.com.
REQ # PRIORITY REQUIREMENT DESCRIPTION
Category: Visibility
FUNC-001
Identify cloud applications in use. The CASB must be able to detect and
display "Shadow IT" by discovering a full range of known cloud applications
in use whether CASB is configured in log-based discovery mode or active in-
line proxy mode.
FUNC-002
Discover Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS),
and Infrastructure-as-a-Service (IaaS) based cloud apps. The CASB
must be able to detect and display IaaS and PaaS services in use whether
CASB is configured in log-based discovery mode or active in-line proxy
mode.
FUNC-003
Identify the individual users of cloud apps. The CASB must be able to
detect and display specific users of cloud applications preferably by name or
alternatively by User ID.
FUNC-004
Identify the device for users of cloud apps. The CASB must be able to
detect and display specific device and browser (when applicable) for users of
cloud applications.
FUNC-005
Identify device type and integrity. The CASB must be able to detect and
display the device status / integrity and the devices that are being used, such
as laptops or iPads.
FUNC-006
Identify location data for users of cloud services. The CASB must be
able to detect and display locational information, geographic and IP, from
which access is taking place.
FUNC-007
Identify data types being stored in cloud services. The CASB must be
able to identify which data items (files, fields) are being stored in or used with
the identified cloud services and highlight items of significant data risk.
Category: Data Loss Prevention (DLP)
FUNC-008
Provide advanced policy driven DLP. The CASB must be able to provide a
policy driven approach to DLP. The DLP functionality should be mature
enough to allow the CASB to inspect and protect critical data in hidden cells,
columns, document comments, and metadata. The CASB DLP should also
provide features such as fingerprinting, exact match, international support,
dictionaries, and validation mechanisms such as Luhn tests for credit card
numbers.
FUNC-009
Provide cloud DLP via API. The CASB must be able to provide near real-
time data monitoring, using the APIs provided by the cloud app and apply
alerting, encryption, or legal hold to items that meet policy violation criteria.
FUNC-010
Provide cloud DLP via in-line proxy. The CASB must be able to provide
real-time data monitoring, through a proxied connection between the user and
the cloud app through the CASB and apply blocking, alerting, encryption, or
legal hold to items that meet policy violation criteria for any “trusted”,
“untrusted”, or “not fully trusted” apps.
FUNC-011
Provide data pattern recognition. The CASB must be able to recognize
regulated data such as personally identifiable information (PII), protected
health information (PHI), social security numbers, credit card numbers, customer
numbers, etc.
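As an added illustration of FUNC-008 and FUNC-011 (not part of the original requirements list), the following Python shows why pattern matching alone is not enough for cloud DLP: a regex finds candidate card numbers and SSNs in a document, and a Luhn check discards the candidate that merely looks like a card number. The sample text, pattern set and validators are all constructed for this example.

```python
import re

# Constructed sample text, as a CASB in-line proxy might see in an upload body.
SAMPLE_DOCUMENT = """
Customer: Jane Doe, SSN 123-45-6789
Card on file: 4539 1488 0343 6467 (exp 09/27)
Order ref: 1234 5678 9012 3456
Support line: 555-0199
"""

# Candidate patterns. Matching alone over-fires (the order reference above looks like
# a card number), so each credit card candidate is validated before it is reported.
PATTERNS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    # SSN: area not 000/666/9xx, group not 00, serial not 0000
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check over a string of digits; the check digit is the last one."""
    total = 0
    for idx, ch in enumerate(reversed(digits)):
        d = int(ch)
        if idx % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_regulated_data(text: str) -> list[dict]:
    """Return validated findings as {type, value, line} for each regulated item found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(0)
                if kind == "credit_card":
                    digits = re.sub(r"[ -]", "", value)
                    if not (13 <= len(digits) <= 16 and luhn_valid(digits)):
                        continue  # pattern matched but fails Luhn: not a card number
                findings.append({"type": kind, "value": value, "line": line_no})
    return findings


if __name__ == "__main__":
    for hit in find_regulated_data(SAMPLE_DOCUMENT):
        print(f"line {hit['line']}: {hit['type']} -> {hit['value']}")
```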
FUNC-012
Provide HTTPS / secure transport inspection. The CASB must be able to
inspect traffic sent via HTTPS in order to apply policy to the data in transit
when operating as an in-line proxy.
FUNC-013
Provide encryption/tokenization of data in motion and at rest. The CASB must
support flexible field level encryption and/or tokenization of sensitive data
when interacting with cloud apps, including cloud storage through API.
FUNC-014
Read / apply data classification tags. The CASB must be able to
read classification tags applied by native or third party applications and
incorporate them into policy decisions. This includes the ability to consume
Digital Rights Management/Information Rights Management (DRM/IRM) data
to prevent copying, printing or other distribution of sensitive documents.
FUNC-015
Enable automated actions upon policy violation. When data protection
policies are violated the CASB must be able to perform an appropriate
configured action, which may include encryption, alerts, logging, blocking the
action, quarantining data until some external approval has taken place, or
requiring step up authentication.
FUNC-016
Manage Cloud DLP Policy. The CASB must be able to manage data loss
prevention policies for cloud services and integrate with an existing Enterprise
DLP for policy extraction and sharing. This is important to ensure consistency
of data security policies from on-premise to cloud. The CASB should be
capable of integrating by sending only suspected violations to the enterprise
DLP.
FUNC-017
Provide flexible key management and key storage. The CASB must
support flexible solutions for encryption key management, including customer-
managed keys using either an on-premise solution or a cloud based hardware
security module (HSM) approach.
FUNC-018
Provide data residency controls. For data that must comply with
geographic data residency regulations, or where data must be kept out of
specific jurisdictions, the CASB must be aware of where data is stored and
incorporate that location into policy decisions to support compliance. Data must not
flow through jurisdictions that would be out of policy.
FUNC-019
Provide support for files that are locked or encrypted. The CASB must
provide DLP capabilities when files that are being uploaded to the cloud are
password protected, have DRM, or are in some other way already locked/
encrypted.
FUNC-020
Integrate with Mobile Device Management (MDM). The CASB must
integrate with the MDM software on a managed device and incorporate its
data points into policy decisions. In addition, it must provide visibility into local data
issues and lost-device wiping.
FUNC-021
Provide access control over unmanaged devices. The CASB must provide
mechanisms to integrate with unmanaged BYOD devices and provide policy
driven DLP as appropriate, even when no MDM software is present.
Category: Access Control
FUNC-022
Provide access control to categorized cloud services. The CASB must
categorize and prioritize cloud services and apply access control policies
based upon the level of trust. For example, "trusted" services that can be
accessed by anyone; "untrusted" services that are blocked at all times; and
"not fully trusted" services that need to be carefully monitored and audited
while a decision is made on that particular cloud app.
FUNC-023
Integrate with Identity and Access Management (IAM) services. The CASB
must integrate with existing corporate security infrastructure that supports user
identity, whether on-premise or cloud based. This includes Single Sign-On
(SSO) and federated identity management for user provisioning.
FUNC-024
Support for industry standard federation protocols. Where appropriate, the
CASB should be configurable to work with industry standard federated
authentication, authorization, and user provisioning technologies and protocols,
including (but not limited to) SAML, ADFS, OAuth, and SCIM.
FUNC-025
Integrate with enterprise tools to provide step-up authentication based on
policy. The CASB must provide the ability to require step-up authentication
based on policy, in conjunction with enterprise solutions, which may be on-
premise or cloud based. As an example, when a particular user triggers a policy
based upon a series of interesting events (see FUNC-026), one potential action may
be to ask the user to provide another layer of authentication, such as a soft
token or SMS based identifier, thereby elevating the level of trust in that user.
FUNC-026
Provide identity context and apply to access control policies. The CASB
must provide contextual data including but not limited to things such as user,
device, location, service, network, time of day, and type of data. The CASB
must then be able to utilize these data points in access control policies for
cloud services.
FUNC-027
Provide access control policies based upon user activity. The CASB must
provide access control based upon the particular actions the user is taking. An
example of this might be that the organization has decided that Google Drive is
“untrusted” and Microsoft OneDrive is “trusted”, but a
business partner shares a document with an employee using Google Drive. In
this case we still want the worker to be able to retrieve the document even though we
don’t want them to upload anything there.
FUNC-028
Support both personal and corporate credentials with appropriate
policies. The CASB must be able to configure and apply policies appropriately
depending on whether a given user is using corporate or personal credentials
on a managed device. An example of this might be that a company has
a “trusted” company Dropbox but does not want any corporate data to go to the
myriad personal Dropbox accounts.
FUNC-029
Support corporate shared credentials with appropriate policies. The
CASB must be able to configure and apply policies appropriately for users
accessing a shared corporate account when using corporate credentials on a
managed device. An example of this might be to allow Online Banking or
Twitter for the Corporate shared account, while ignoring, or providing different
policies, for personal use.
FUNC-030
Support country specific access control policies. The CASB must be
configurable for country specific access control requirements, such as allowing
access to Salesforce.com from the US, Canada and the EU, but blocking
access from other countries.
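The access control requirements FUNC-022, FUNC-027, FUNC-028 and FUNC-030 describe one policy model; the Python below, added here and not taken from the paper or any CASB product, evaluates a request against a constructed trust catalogue, an action exception for an untrusted app, a country allow-list and a corporate-tenant rule, in that order. The app names, country codes and Request fields are assumptions made for the example.

```python
from dataclasses import dataclass

TRUSTED, NOT_FULLY_TRUSTED, UNTRUSTED = "trusted", "not fully trusted", "untrusted"

# Constructed trust categorization of discovered apps (FUNC-022). Apps missing from
# the catalogue default to "not fully trusted" so they are monitored, not silently allowed.
APP_TRUST = {
    "onedrive": TRUSTED, "dropbox": TRUSTED, "salesforce": TRUSTED,
    "gdrive": UNTRUSTED, "pastebin": UNTRUSTED,
}
# Actions still permitted on an untrusted app (FUNC-027): retrieve a partner's file, never upload.
ACTION_EXCEPTIONS = {"gdrive": {"view", "download"}}
# Country allow-list per app (FUNC-030); a constructed subset standing in for "US, Canada and the EU".
COUNTRY_ALLOW = {"salesforce": {"US", "CA", "DE", "FR", "NL", "IE"}}
# Apps where corporate data must not flow to a personal account from a managed device (FUNC-028).
CORPORATE_TENANT_ONLY = {"dropbox"}


@dataclass(frozen=True)
class Request:
    user: str
    app: str
    action: str          # "view", "download" or "upload"
    country: str         # ISO 3166-1 alpha-2 code derived from geo-IP
    credential: str      # "corporate" or "personal"
    managed_device: bool


def evaluate(req: Request) -> tuple[str, str]:
    """Return (verdict, reason); verdict is one of "allow", "monitor" or "block"."""
    trust = APP_TRUST.get(req.app, NOT_FULLY_TRUSTED)
    allowed = COUNTRY_ALLOW.get(req.app)
    if allowed is not None and req.country not in allowed:
        return "block", f"{req.app} may not be accessed from {req.country}"
    if trust == UNTRUSTED:
        if req.action in ACTION_EXCEPTIONS.get(req.app, set()):
            return "monitor", f"{req.action} on untrusted {req.app} permitted by exception"
        return "block", f"{req.app} is untrusted"
    if (req.app in CORPORATE_TENANT_ONLY and req.credential == "personal"
            and req.managed_device and req.action == "upload"):
        return "block", f"upload to personal {req.app} account from a managed device"
    if trust == NOT_FULLY_TRUSTED:
        return "monitor", f"{req.app} is under evaluation; access is audited"
    return "allow", f"{req.app} is trusted"


if __name__ == "__main__":
    for r in (Request("alice", "gdrive", "download", "US", "corporate", True),
              Request("alice", "gdrive", "upload", "US", "corporate", True),
              Request("bob", "salesforce", "view", "BR", "corporate", True),
              Request("carol", "dropbox", "upload", "US", "personal", True)):
        print(r.user, r.app, r.action, "->", evaluate(r))
```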
Category: Cloud Service Provider (CSP) Vendor Risk Management
FUNC-031
Analysis and tracking of efficacy of security controls. The CASB vendor
must perform reviews at regular intervals of each Cloud Service Provider's Service
Organization Control (SOC) Type 2 report to ensure that the trust services principles
are met. The review interval must be no greater than 90 days for
"top tier" applications and no greater than 12 months for more obscure
applications. This information must be available in the CASB User Interface.
FUNC-032
Analysis and tracking of business trustworthiness. The CASB vendor
must perform regular interval reviews of Cloud Service Provider business
trustworthiness using publicly available information and/or Dun & Bradstreet
ratings. This information must be available in the CASB User Interface.
FUNC-033
Analysis and tracking of T&C or EULA. The CASB vendor must perform
regular interval reviews of the legal implications of the provider's general Terms
and Conditions and End User License Agreement (EULA). This information must
be categorized based upon its personnel and data protection implications and presented in the
CASB User Interface.
FUNC-034
Analysis and tracking of vendor breach. The CASB vendor must perform
ongoing tracking and alerting of compromises that occur within the Cloud
Service Provider. This information must play into the vendor trustworthiness
and be presented in the CASB User Interface.
FUNC-035
Analysis and tracking of vendor uptime. The CASB vendor must perform
ongoing tracking and alerting of downtime that occurs within the Cloud Service
Provider beyond quoted levels of availability. This information must play into
the vendor trustworthiness and be presented in the CASB User Interface.
FUNC-036
Analysis and tracking of vendor compliance certifications. The CASB
vendor must perform ongoing tracking of cloud service provider compliance
(such as HIPAA or PCI DSS) and make this data available in the CASB User
Interface.
FUNC-037
Analysis and tracking of vendor vulnerabilities and exploits. The CASB
vendor must perform ongoing tracking of current vulnerabilities and indicate the
status of the cloud service providers in the CASB User Interface.
FUNC-038
Provide risk assessment of cloud services. The CASB must be able to
provide an assurance rating or risk assessment for the cloud services that are
discovered, to help identify which services need immediate remediation,
such as blocking or strong access control.
Category: Threat Protection
FUNC-039
Provide an audit trail of all access activities and actions. The CASB must
provide a complete log of all activities that it has monitored, along with a
complete audit trail of policy enforcement actions taken (such as blocking,
quarantining, or step-up authentication requests).
FUNC-040
Identify events based on User and Entity Behavior Analytics (UEBA). The
CASB must provide a UEBA solution that incorporates user activity monitoring
and anomaly detection, so that the results can be incorporated into policy.
FUNC-041
Identify and remediate compromised accounts. The CASB must have
mechanisms to identify accounts that may have been compromised and initiate
automated remediation actions, such as raising an event or alert and
blocking access to the specific account. For example, an account used in the
US to access a cloud service is then used to access the same cloud service
from a physically impossible location, such as Germany, simultaneously or within a
small window of time, such as 4 hours.
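The FUNC-041 scenario as an added Python example (not from the original paper): consecutive logins per user that fall within the 4-hour window are checked against the great-circle distance between their geo-IP locations, and a pair whose implied speed exceeds what an airliner could cover is flagged. The login events, coordinates and thresholds are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    country: str
    lat: float
    lon: float


# Constructed sign-in events, as a CASB would collect them from a cloud app's audit API.
EVENTS = [
    Login("alice", datetime(2024, 5, 1, 9, 0), "US", 40.71, -74.01),   # New York
    Login("alice", datetime(2024, 5, 1, 11, 30), "DE", 52.52, 13.40),  # Berlin, 2.5 h later
    Login("bob", datetime(2024, 5, 1, 8, 0), "US", 40.71, -74.01),     # New York
    Login("bob", datetime(2024, 5, 1, 18, 0), "US", 41.88, -87.63),    # Chicago, 10 h later
]

WINDOW = timedelta(hours=4)   # the "small window of time" named in the requirement
MAX_SPEED_KMH = 900.0         # roughly airliner cruise speed; faster than this is not real travel
MIN_DISTANCE_KM = 100.0       # ignore geo-IP jitter between nearby locations


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two points, using Earth's mean radius."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events) -> list[dict]:
    """Flag consecutive logins per user, inside WINDOW, whose implied speed exceeds MAX_SPEED_KMH."""
    by_user: dict[str, list[Login]] = {}
    for e in sorted(events, key=lambda ev: ev.when):
        by_user.setdefault(e.user, []).append(e)
    findings = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            elapsed = cur.when - prev.when
            if elapsed > WINDOW:
                continue
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = elapsed.total_seconds() / 3600
            # "km > speed * hours" also covers simultaneous logins (hours == 0) without dividing by zero
            if km >= MIN_DISTANCE_KM and km > MAX_SPEED_KMH * hours:
                findings.append({"user": user, "from": prev.country, "to": cur.country,
                                 "km": round(km), "hours": round(hours, 2)})
    return findings


if __name__ == "__main__":
    for f in impossible_travel(EVENTS):
        print(f"ALERT {f['user']}: {f['from']} -> {f['to']}, {f['km']} km in {f['hours']} h")
```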
FUNC-042
Provide exception and alert processing. When an exception to policy is
found by the CASB, the data about that exception must be provided to a
selected group of security analyst(s) for investigation via some automated
mechanism.
FUNC-043
Provide automation workflow. The CASB must provide the capability to
incorporate workflows, such as escalation after a time interval, when specific
exceptions or alerts are generated due to policy violation.
FUNC-044
Integrate with Security Information and Event Management (SIEM)
system. Exceptions, alerts, and other activity from the CASB must have the
capability to be integrated with existing SIEM infrastructure to provide a unified
view to the security team.
FUNC-045
Provide access to historical data to support forensics. The CASB must be
able to provide data to the Incident Response (IR) and forensics teams after
suspicious activity has occurred. For example, what other activities has the
suspected user performed recently, and has the user performed any admin
activities that could be obscuring their activity?
FUNC-046
Integrate with IaaS consoles for protection of apps running on those
platforms. The CASB must provide integration to admin consoles of IaaS
providers such as Azure and Amazon Web Services (AWS) to prevent damage
that would impact applications running on those platforms if the admin access
was compromised.
FUNC-047
Provide dynamic malware analysis. The CASB must be able to monitor data
stored in cloud apps and detect if there is malware present in the files. This
capability should be both real-time for in-line configurations and through
"crawling" for API based integrations.
Category: Non-Functional Requirements
NONFUNC-001
Provide full capability regardless of device, client type, and location. The
CASB must provide full policy based functionality for any “trusted”, “untrusted”,
or “not fully trusted” app whether access is desktop, laptop, or mobile device
on-premises or remote, regardless of client (browser, native app, sync, etc.).
NONFUNC-002
Provide audit logs of change for configuration management and change
control. The CASB must provide audit logging for policy and configuration
changes made by an administrator. If changes were in error or malicious, the
CASB should support configuration rollback to a previous version.
NONFUNC-003
Provide policy simulation. Prior to implementing a policy in the CASB, the CASB
should provide a mechanism to "test" what effect implementing the policy
would have in the environment.
NONFUNC-004
Provide test instances. In order to integrate CASB with test instances of other
components in the environment, the vendor should be able to provide one or
more test instances of the CASB with the possibility of separate integration
points from the production system.
NONFUNC-005
Support standard log types for integration with identification services.
The CASB must provide the capability to read in a range of web gateway and
firewall logs in various formats, including but not limited to CEF, CLSF, and
syslog.
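Added Python example, not part of the paper, tying NONFUNC-005 to the log-based discovery mode of FUNC-001: it parses CEF records from a web gateway and aggregates which users reached which known cloud applications, grouping hosts missing from the catalogue for analyst review. The vendor and product names, log lines and application catalogue are all constructed.

```python
import re
from collections import defaultdict
from typing import Optional
from urllib.parse import urlsplit

# Constructed secure web gateway records in CEF format (vendor/product names are made up).
GATEWAY_LOG = """\
CEF:0|ExampleVendor|WebGateway|1.0|100|URL Access|3|src=10.1.2.3 suser=alice request=https://www.dropbox.com/home act=allowed
CEF:0|ExampleVendor|WebGateway|1.0|100|URL Access|3|src=10.1.2.4 suser=bob request=https://drive.google.com/drive/my-drive act=allowed
CEF:0|ExampleVendor|WebGateway|1.0|100|URL Access|3|src=10.1.2.3 suser=alice request=https://api.dropboxapi.com/2/files/upload act=allowed
CEF:0|ExampleVendor|WebGateway|1.0|100|URL Access|3|src=10.1.2.9 suser=carol request=https://files.unknown-share.example/up act=allowed
"""

# Constructed catalogue mapping hostnames (or parent domains) to cloud applications.
APP_CATALOGUE = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "drive.google.com": "Google Drive",
}

HEADER_SPLIT = re.compile(r"(?<!\\)\|")  # a '|' not preceded by a backslash
# key=value pairs; values may hold spaces and CEF-escaped '\=' but no bare '='
EXT_PAIR = re.compile(r"(\w+)=((?:[^=\\]|\\.)*?)(?=\s+\w+=|\s*$)")


def parse_cef(line: str) -> dict:
    """Split one CEF record into its seven header fields plus a dict of extension pairs."""
    parts = HEADER_SPLIT.split(line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    keys = ["version", "vendor", "product", "device_version", "signature", "name", "severity"]
    record = dict(zip(keys, parts[:7]))
    record["ext"] = {k: v.replace("\\=", "=") for k, v in EXT_PAIR.findall(parts[7])}
    return record


def classify_host(host: str) -> Optional[str]:
    """Match a hostname against the catalogue by walking up its parent domains."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in APP_CATALOGUE:
            return APP_CATALOGUE[candidate]
    return None


def discover_cloud_apps(log_text: str) -> dict[str, set[str]]:
    """Return {app: {users}}; hosts absent from the catalogue are kept as 'unclassified:<host>'."""
    usage = defaultdict(set)
    for line in log_text.splitlines():
        ext = parse_cef(line)["ext"]
        host = urlsplit(ext.get("request", "")).hostname
        if not host:
            continue
        app = classify_host(host) or f"unclassified:{host}"
        usage[app].add(ext.get("suser", ext.get("src", "unknown")))
    return dict(usage)
```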
NONFUNC-006
Integrate with enterprise proxy or web gateway. When the CASB is running
in proxy mode it must be able to integrate with any existing secure web
gateway/proxy, rather than adding an additional hop into the network flow.
NONFUNC-007
Data tokenization or encryption should not limit application functionality.
If CASB policy dictates that data must be tokenized or encrypted, functionality
of the cloud service should not be reduced.
NONFUNC-008
Encryption type must be relevant, current, and strong. The CASB
encryption approach should use strong, current encryption, and it should not be
necessary to change the encryption approach in order to retain the functionality
of integrated cloud service applications.
NONFUNC-009
No impact to mobile device application use. Integration of the CASB with
mobile devices should not interfere with installed "apps" that contain hard-
coded URIs.
NONFUNC-010
Business-friendly User Interface (UI). The CASB should provide a simple UI
that provides role-based access to key information for authorized users.
NONFUNC-011
Highly available architecture. The CASB platform should be continuously
available with a zero Recovery Time Objective (RTO) for component failure or
data center outage.
NONFUNC-012
24x7x365 technical support. The CASB vendor should provide support
capable of meeting the needs of a global enterprise. Specific incident priority
levels should dictate expected response times, and an escalation path should
be provided.
NONFUNC-013
Elasticity and scalability. The CASB solution must be able to scale to support
both linear growth and unforeseen bursts in activity, preferably through
elasticity. For any on-premise components, a clear scalability model must be
defined that incorporates user base, devices, and traffic so that the
company can plan for scaling as needed.
NONFUNC-014
No noticeable performance impact to applications. When users are
accessing applications through the CASB, in-line, the users should not notice
any performance impact.
NONFUNC-015
Reporting. The CASB must provide reporting that includes, but is not limited to,
cloud service provider trustworthiness, user and device access, events,
and alerting. The CASB should have the capability to filter and customize these
reports.
NONFUNC-016
Support for multi-language capabilities. The CASB must provide language
services including the ability to meet the functional requirements in major world
languages.