CipherCloud CASB+ Zero Trust Security

CipherCloud CASB+ combines with IDaaS solutions to deliver end-to-end user and data security from any device, any location, to all trusted cloud applications, providing organizations a first step to achieve Zero Trust Cloud Security.


When it comes to cloud security, there are many areas of security: identity, threat protection, behavioral monitoring, data rights management, DLP (data loss prevention), encryption, and the list goes on. However, two key areas are critical and foundational to Zero Trust Cloud Security: verifying the integrity of the users’ access to clouds and building a security perimeter around sensitive data. Authenticating the identities of the users who access the most sensitive data and applying strong data controls to prevent data loss are the two most important aspects of cybersecurity.


The challenge


  • Cloud-native organizations create and share data in the cloud, between clouds, and to organizations outside of their purview.
  • User credentials are extremely vulnerable to social engineering and are highly sought-after commodities by bad actors, such as cybercriminals, aggressive competitors, and nation-states.
  • If the user credential is the key, your data is the crown jewel. If either is compromised, the consequences are severe and can lead to lawsuits, revenue loss, severe regulatory fines, and the loss of a company’s reputation.
  • Once a user has access to cloud applications, they can do whatever they want with little oversight. The user can purposefully or accidentally leak sensitive data.


The Solution

To take back control and get ahead of the risks, it is critical to combine strong identity security (IDaaS, Identity as a Service) with cloud security controls (CASB, Cloud Access Security Broker) to make Zero Trust Cloud Security a reality. A Zero Trust security solution must satisfy the following criteria:

  • Trust but verify the user identity and monitor their behavior throughout the journey
  • Provide a highly secured but low friction user experience
  • Deliver advanced security controls to user identity, gain full visibility of cloud app usage, apply granular policy controls, and automatically remediate risks.

CipherCloud Zero Trust CASB+ platform provides advanced data protection technologies to identify, protect, and control access to sensitive data. CipherCloud CASB+ creates a security perimeter around the data and deploys an array of data protection controls to secure sensitive data, such as data loss prevention, user behavior analytics, threat protection, and contextual access controls.  CASB+ identifies and protects all sensitive data at rest and in motion across messaging platforms, SaaS, and IaaS applications.

CipherCloud’s industry-leading Cloud Access Security Broker solution and identity controls provide true protection against unauthorized access to cloud applications and data. The following are CipherCloud’s recommended best practices for zero trust security:


  • Verify the user – Control Access at the door with SSO and MFA integration with IDaaS solutions
  • Access cloud apps with CipherCloud’s Secure Cloud Workspace – Frictionless user interface with secure connectivity to SaaS and private cloud applications
  • Enable contextual access based on managed and unmanaged devices, and geolocation
  • Perform continuous assessment of your security landscape with Adaptive Access Controls
    • Continuously monitor user activity with UEBA (User Entity Behavioral Analysis) for risk
    • Re-evaluate and adapt user access to data and applications using DLP
    • Confirm or terminate the connection based on a user’s risk level using step-up authentication
    • Use data rights management to protect data shared outside of your control


This diagram depicts how CipherCloud CASB+ is deployed with IDaaS to verify the user credentials, apply contextual policies based on the verified identity, continuously monitor the user’s cloud journey, and secure against any threats. This can be achieved in the modern business environment, where users connect from any location, using any device, to any cloud.

CipherCloud CASB+ Zero Trust


Advanced Threat Use Cases

Use case 1: Stolen credential and compromised account

Example: A customer support account is used in an attempt to access Salesforce, for example through credential stuffing.

Solution: CASB+ UEBA will monitor user behavior in real time and raise an alarm on detecting an anomaly. Actions taken during the attack in progress:


  • Re-route session to IDaaS provider
  • CASB+ alerts administrators and management
  • IDaaS is signalled to initiate credential updates with the users


Outcome: Stolen credentials and compromised accounts are stopped at the gate with IDaaS MFA, rendering the attempted breach a failure. Already trusted users will be monitored by CASB+ for risky behavior, and risk mitigation will occur, including step-up authentication, improved identity proofing, or raising additional alerts.


Use Case 2: Over-entitling of user access to application and data

Example: A ServiceNow admin who’s also granted an admin role in Office365.

Solution: CASB+ provides an in-depth analysis and consistent policy control. Actions taken:


  • Monitor multiple security and risk attributes combined with IDaaS for step-up authentication
  • Ethical firewalling will block data usage or convert SaaS application to read only


Outcome: Even when mistakes happen, such as the over-entitling of a user’s access to an application or data, CASB+ UEBA will monitor and assess the risk associated with the user. CASB+ UEBA then takes action, either stand-alone, such as denying access to the data, or in combination with IDaaS, by challenging the user with an MFA push or terminating the session altogether.


Use Case 3: Decaying Security After Authorization

Example: A user becomes a malicious insider, or a hijacked device is used to access trusted cloud apps.

Solution: Fine-grained activity monitoring using CASB+ and adaptive access policies throughout the session. Actions taken:


  • Step-up authentication or re-authentication in conjunction with the IDaaS MFA
  • Adaptive access control with CASB+ UEBA to raise the user’s risk score and remediate

Outcome: If a bad actor attains access to sensitive applications and is granted access, CASB+ continues to monitor for threats and insider risk. Once a threat is detected, remediation steps will be taken such as step-up authentication or termination of the session.


Use Case 4: Corporate credential exposure, risky data storage

Example: An Office365 user reuses corporate credentials for a personal account. In a world where credential theft is happening weekly, the use of credentials across multiple accounts, both work and personal, is common. This misuse of corporate credentials consequently creates a serious risk to businesses.

Solution: CASB+ discovers any shadow IT present and finds credentials used in unmanaged apps. Actions taken:


  • Block access with CipherCloud-created rules for Secure Web Gateways
  • Initiate a governance process to modify account access
  • Assess risk and onboard the application
  • Alert management and administrators to remediate

Outcome: Risks are mitigated and even eliminated with a multi-tiered solution as provided by CASB+ and IDaaS. The stolen/personal credentials are detected, and the user is challenged with MFA, alerts are sent to the proper management, or access can be completely denied.

