When it comes to cloud security, there are many areas of security – identity, threat protection, behavioral monitoring, data rights management, DLP (data loss prevention), encryption, and the list goes on. However, two key areas are critical, and are foundational to Zero Trust Cloud Security: verifying the integrity of the users’ access to clouds and building a security perimeter around sensitive data. Authenticating the user identities who are accessing the most sensitive data and applying strong data controls to prevent data loss are the two most important aspects of cybersecurity.
To take back control and get ahead of the risks, it is critical to combine strong identity security (IDaaS, Identity as a Service) with cloud security controls (CASB, Cloud Access Security Broker) to make Zero Trust Cloud Security a reality. A Zero Trust security solution must satisfy the following criteria:
CipherCloud Zero Trust CASB+ platform provides advanced data protection technologies to identify, protect, and control access to sensitive data. CipherCloud CASB+ creates a security perimeter around the data and deploys an array of data protection controls to secure sensitive data, such as data loss prevention, user behavior analytics, threat protection, and contextual access controls. CASB+ identifies and protects all sensitive data at rest and in motion across messaging platforms, SaaS, and IaaS applications.
CipherCloud’s industry-leading Cloud Access Security Broker solution and identity controls provide true protection against unauthorized access to cloud applications and data. Following are CipherCloud’s recommended best practices for zero trust security:
This diagram depicts how CipherCloud CASB+, deployed with IDaaS, verifies user credentials, applies contextual policies based on the verified identity, continuously monitors the user’s cloud journey, and secures it against threats. This can be achieved in the modern business environment, where users connect from any location, using any device, to any cloud.
Example: An attacker attempts to access Salesforce with a customer support account, for example through credential stuffing.
Solution: CASB+ UEBA monitors user behavior in real time and raises an alarm on detecting an anomaly. Actions taken during the attack in progress:
Outcome: Stolen credentials and compromised accounts are stopped at the gate with IDaaS MFA, rendering the attempted breach a failure. Already trusted users are monitored by CASB+ for risky behavior, and risk mitigation occurs, including step-up authentication, improved identity proofing, or additional alerts.
Example: A ServiceNow admin who is also granted an admin role in Office365.
Solution: CASB+ provides an in-depth analysis and consistent policy control. Actions taken:
Outcome: Even when mistakes happen, such as over-entitling a user’s access to an application or data, CASB+ UEBA monitors and assesses the risk associated with the user. CASB+ UEBA then takes action, either stand-alone, such as denying access to the data, or in combination with IDaaS, by challenging the user with an MFA push or terminating the session altogether.
Example: A user becomes a malicious insider, or a hijacked device is used to access trusted cloud apps.
Solution: Fine-grained activity monitoring using CASB+ and adaptive access policies throughout the session. Actions taken:
Outcome: If a bad actor gains access to sensitive applications, CASB+ continues to monitor for threats and insider risk. Once a threat is detected, remediation steps such as step-up authentication or termination of the session are taken.
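The three scenarios above (credential stuffing against a support account, an over-entitled admin, and a hijacked or unmanaged device in an otherwise trusted session) all reduce to the same mechanism: score each session event against what is normal for that user and pick a response of allow, step-up MFA, or terminate. The following is an added toy implementation of that mechanism, not CipherCloud's CASB+ or IDaaS code; the users, baselines, event stream, risk weights and thresholds are all constructed for the example, and a real deployment would learn the baselines from history and tune the weights.

```python
"""Toy adaptive-access engine: scores session events against a per-user
baseline and chooses allow / step-up MFA / terminate.
Added illustration only, not vendor code; all data below is constructed."""
from collections import Counter
from dataclasses import dataclass, field

ALLOW, STEP_UP_MFA, TERMINATE = "allow", "step_up_mfa", "terminate"


@dataclass
class Baseline:
    """What 'normal' looks like for one user (assumed learned from history)."""
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    apps: set = field(default_factory=set)       # apps the user's role normally touches
    daily_downloads: int = 20                    # typical objects downloaded per day


def score_event(ev: dict, base: Baseline, failed_logins: int) -> tuple[int, list]:
    """Additive risk score plus human-readable reasons (weights are constructed)."""
    score, reasons = 0, []
    if ev["country"] not in base.countries:
        score += 30; reasons.append("new geography")
    if ev["device_id"] not in base.devices:
        score += 25; reasons.append("unknown device")
    if not ev["managed_device"]:
        score += 15; reasons.append("unmanaged device")
    if ev["app"] not in base.apps:
        score += 20; reasons.append("app outside normal role")
    if failed_logins >= 5:
        score += 40; reasons.append(f"{failed_logins} failed logins before success")
    if ev["action"] == "download" and ev["count"] > 5 * base.daily_downloads:
        score += 50; reasons.append("bulk download")
    if ev["action"] == "admin_change":
        score += 20; reasons.append("privileged change")
    return score, reasons


def decide(score: int, at_gate: bool) -> str:
    """At the login gate the strongest response is an MFA challenge (IDaaS);
    inside an established session a high score terminates it (CASB+)."""
    if score < 40:
        return ALLOW
    if at_gate or score < 80:
        return STEP_UP_MFA
    return TERMINATE


def evaluate_session(events: list, baselines: dict) -> list:
    """Walk events in order; failed logins accumulate until a successful one."""
    failed = Counter()
    decisions = []
    for ev in events:
        user = ev["user"]
        if ev["action"] == "login_failed":
            failed[user] += 1
            continue
        score, reasons = score_event(ev, baselines[user], failed[user])
        at_gate = ev["action"] == "login_ok"
        if at_gate:
            failed[user] = 0
        decisions.append((user, ev["app"], decide(score, at_gate), score, reasons))
    return decisions


# Constructed baselines for three users.
BASELINES = {
    "support1": Baseline({"US"}, {"dev-A"}, {"salesforce"}),
    "snow_admin": Baseline({"US"}, {"dev-B"}, {"servicenow"}),
    "analyst2": Baseline({"US"}, {"dev-C"}, {"box"}),
}

# Constructed event stream covering the three scenarios plus normal activity.
EVENTS = [
    # Scenario 1: credential stuffing against a support account, then a hit.
    *[{"user": "support1", "action": "login_failed", "app": "salesforce",
       "country": "XX", "device_id": "dev-Z", "managed_device": False, "count": 0}
      for _ in range(6)],
    {"user": "support1", "action": "login_ok", "app": "salesforce",
     "country": "XX", "device_id": "dev-Z", "managed_device": False, "count": 0},
    # Scenario 2: ServiceNow admin exercising an Office365 admin role.
    {"user": "snow_admin", "action": "admin_change", "app": "office365",
     "country": "US", "device_id": "dev-B", "managed_device": True, "count": 0},
    # Scenario 3: trusted analyst, but an unknown unmanaged device bulk-downloads.
    {"user": "analyst2", "action": "download", "app": "box",
     "country": "US", "device_id": "dev-Q", "managed_device": False, "count": 400},
    # Normal activity from the analyst's usual device.
    {"user": "analyst2", "action": "download", "app": "box",
     "country": "US", "device_id": "dev-C", "managed_device": True, "count": 3},
]

if __name__ == "__main__":
    for user, app, decision, score, reasons in evaluate_session(EVENTS, BASELINES):
        print(f"{user:<11} {app:<11} {decision:<12} score={score:<4} {', '.join(reasons)}")
```

Running it yields step-up MFA for the stuffed support login (new geography, unknown unmanaged device, six failures), step-up MFA for the admin change in an app outside the ServiceNow admin's normal role, termination for the bulk download from the unknown device, and allow for the routine download. The split in `decide` mirrors the page's division of labour: the identity layer challenges at the gate, while the CASB acts on in-session behaviour.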
Example: An Office365 user reuses corporate credentials for a personal account. In a world where credential theft is happening weekly, the use of credentials across multiple accounts, both work and personal, is common. This misuse of corporate credentials consequently creates a serious risk to businesses.
Solution: CASB+ discovers any shadow IT present and finds credentials used in unmanaged apps. Actions taken:
Outcome: Risks are mitigated, and even eliminated, with the multi-tiered solution provided by CASB+ and IDaaS. The stolen or personal-use credentials are detected, and the user is challenged with MFA, management is alerted, or access is denied outright.
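Shadow IT discovery of the kind described in this scenario works from the traffic a proxy or CASB already sees: authentication events where a corporate identity is presented to an application that is not on the sanctioned list. The following added example (not CipherCloud code) shows that logic over a handful of constructed proxy log lines; the log format, host names, app catalogue and response policy are all assumptions made for the illustration. Note that a log-based detector cannot see whether the password itself was reused; what it surfaces is the corporate identity appearing at an unmanaged app, which is the signal that then drives the MFA challenge, alert, or denial.

```python
"""Shadow-IT discovery over proxy logs: flags corporate identities used to
sign in to (or sign up for) apps outside the sanctioned list and picks a
response. Added illustration, not vendor code; log lines, host names and
categories are constructed for the example."""
import re
from collections import Counter

CORP_DOMAIN = "corp.example"                          # constructed identity domain
SANCTIONED_HOSTS = {"login.microsoftonline.com", "login.salesforce.com"}
# Constructed host -> category map standing in for a CASB app catalogue.
APP_CATALOG = {
    "files.example-share.net": "file_sharing",
    "notes.example-paste.org": "paste_site",
    "mail.example-webmail.com": "personal_email",
}
BLOCKED_CATEGORIES = {"file_sharing"}                 # exfiltration risk: deny outright
AUTH_PATHS = re.compile(r"/(login|signin|signup|register)\b")


def parse_line(line: str) -> dict:
    """'ts k=v k=v ...' -> dict; an empty value (form_user=) parses as ''."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": ts}
    for tok in rest.split():
        k, _, v = tok.partition("=")
        rec[k] = v
    return rec


def is_corporate_identity(ident: str) -> bool:
    return ident.lower().endswith("@" + CORP_DOMAIN)


def classify(rec: dict):
    """Return a finding dict for one parsed record, or None if nothing to flag."""
    if rec.get("method") != "POST" or not AUTH_PATHS.search(rec.get("path", "")):
        return None                                   # not an authentication event
    host = rec.get("host", "")
    if host in SANCTIONED_HOSTS:
        return None                                   # managed app, identity expected
    if not is_corporate_identity(rec.get("form_user", "")):
        return None                                   # personal identity at a personal app
    category = APP_CATALOG.get(host, "uncategorized")
    if "signup" in rec["path"] or "register" in rec["path"]:
        action = "alert"               # new unmanaged account created with corp identity
    elif category in BLOCKED_CATEGORIES:
        action = "deny"
    else:
        action = "challenge_mfa"
    return {"ts": rec["ts"], "user": rec.get("user", ""), "host": host,
            "category": category, "action": action}


def discover(log_text: str) -> list:
    """All findings, in log order."""
    records = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [f for f in map(classify, records) if f]


def summarize(findings: list) -> dict:
    return dict(Counter(f["action"] for f in findings))


# Constructed proxy log: key=value pairs after a timestamp.
SAMPLE_LOG = """\
2024-03-01T09:12:03Z user=alice@corp.example src=10.1.2.3 host=login.microsoftonline.com path=/common/login method=POST form_user=alice@corp.example
2024-03-01T09:15:41Z user=alice@corp.example src=10.1.2.3 host=files.example-share.net path=/login method=POST form_user=alice@corp.example
2024-03-01T09:20:07Z user=bob@corp.example src=10.1.2.9 host=mail.example-webmail.com path=/signin method=POST form_user=bob.home@example-webmail.com
2024-03-01T09:31:55Z user=bob@corp.example src=10.1.2.9 host=notes.example-paste.org path=/signup method=POST form_user=bob@corp.example
2024-03-01T09:40:12Z user=carol@corp.example src=10.1.2.5 host=mail.example-webmail.com path=/signin method=POST form_user=carol@corp.example
2024-03-01T09:41:30Z user=carol@corp.example src=10.1.2.5 host=files.example-share.net path=/home method=GET form_user=
"""

if __name__ == "__main__":
    findings = discover(SAMPLE_LOG)
    for f in findings:
        print(f"{f['ts']} {f['user']:<20} {f['host']:<26} {f['category']:<15} -> {f['action']}")
    print(summarize(findings))
```

On the sample log, the sanctioned Office365 login and the plain GET produce nothing, Bob's sign-in with a personal identity is left alone, Alice's corporate login at the file-sharing site is denied, Bob's sign-up at the paste site with his corporate identity raises an alert, and Carol's corporate login at webmail gets an MFA challenge.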