The Role of CASBs in Protection Against the 2016 “Treacherous 12”

Tuesday, May 03, 2016

Ganesh Kirti


In early 2015, health insurance giant Anthem disclosed that hackers had broken into its servers and stolen more than 80 million customer records, including names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses and employment information. A third-party cloud service had been used to transfer the huge data store from the company’s network to the public cloud.

This headline-making attack, and many others in the last few years, have raised new questions about cloud security. It used to be that most questions about cloud security revolved around compliance and insider threats. But lately, attention has turned to a troubling new worry: whether cloud services are falling victim to the same level of external attack as the data center.

As Software as a Service (SaaS) reshapes the way nearly every organization approaches IT, and with Infrastructure as a Service (IaaS) on the rise, cloud services now hold an array of mission-critical enterprise data, intellectual property, and other valuable assets, which makes them a prime target for bad actors – from both inside and outside the organization.

A vivid illustration of the cloud threat landscape came Feb. 29 when the Cloud Security Alliance, an organization dedicated to defining and raising awareness of best practices for cloud security, issued a report titled “The Treacherous 12: Cloud Computing Top Threats in 2016.” Though cloud services deliver business-supporting technology more efficiently than ever before, the CSA concluded, they also bring significant risk.

Why do these risks occur? The CSA said a major factor is that enterprise business units often acquire cloud services independently of the IT department, and often without regard for security. Whether or not the IT department sanctions a new cloud service, the door is wide open for the Treacherous 12.

Because all cloud services (sanctioned or not) present risks, the CSA asserts that businesses need to take security policies, processes, and best practices into account.

That makes sense, but is it enough?

Consider this surprising finding by Gartner. The analyst firm predicts that through 2020, 95 percent of cloud security failures will be the customer’s fault (1). This does not necessarily mean that customers lack security expertise, but it illustrates that it’s no longer sufficient to know how to make decisions about risk mitigation in the cloud. To reliably address cloud security, more is needed – automation.

Cloud security automation is where Cloud Access Security Brokers (CASBs) come into play. A CASB can help automate visibility, compliance, data security and threat protection for cloud services.

We looked at how well CASBs would fare in helping enterprises survive the Treacherous 12 and guess what? CASBs clearly address nine of the Treacherous 12 (along with many other risks not mentioned in the report). These include:

#1 Data breach
#2 Weak ID, credential, and access management
#3 Insecure APIs
#4 System and application vulnerabilities
#5 Account hijacking
#6 Malicious insiders
#7 Advanced persistent threats
#10 Abuse and nefarious use of cloud services
#12 Shared technology issues

There are countless examples of why being protected against the Treacherous 12 is important. Some of the more high-profile ones:

  • Data breach: In the 2015 Anthem breach, hackers used a third-party cloud service to steal over 80M customer credentials.
  • Insecure APIs: A mid-2015 breach at the IRS exposed more than 300,000 records. While that’s a big number, the more interesting one is that it only took one vulnerable API to allow the breach to happen.
  • Malicious insiders: Uber reported that its main database was improperly accessed. The unauthorized individual downloaded 50,000 names and numbers to a cloud service. Was it their former employee, the current Lyft CTO? That was Uber’s opinion. The DOJ disagreed and a lawsuit ensued.

In each of these cases, a CASB could have helped. A CASB can:

  • Help detect data breaches by monitoring privileged users, encryption policies, and movement of sensitive data.
  • Detect unusual activity within cloud services that originates from API calls, and support risk scoring of external APIs and applications based on that activity.
  • Spot malicious insiders by monitoring for overly-privileged user accounts as well as user profiles, roles and privileges that drift from compliant baselines.
  • Spot malicious user activity through user behavior analytics.
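Two of the monitoring capabilities listed above, privilege drift from a compliant baseline and bulk movement of sensitive data to external destinations, can be expressed as simple detection logic over cloud audit events. The script below is an added example written for this post; it is not code from the original article or from any CASB product. The baseline, the role snapshot, the audit events, the `sensitive` classification flag, and the thresholds are all constructed sample data, and the field names are assumptions about what a cloud service's audit feed might carry.

```python
"""Hypothetical CASB-style checks over constructed cloud audit events.

Check 1 (privilege drift): compare each account's current roles with a
compliant baseline and flag roles the baseline never granted.
Check 2 (data movement): sum sensitive records copied or shared to
external destinations per user inside a sliding time window and flag
users who exceed a threshold.
All names, roles, events and thresholds are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed compliant baseline: the roles each account should hold.
BASELINE_ROLES = {
    "alice@example.com": {"analyst"},
    "bob@example.com": {"analyst", "billing"},
    "svc-backup@example.com": {"backup-operator"},
}

# Constructed snapshot of what the cloud service currently reports.
CURRENT_ROLES = {
    "alice@example.com": {"analyst", "tenant-admin"},             # drift
    "bob@example.com": {"analyst", "billing"},                    # unchanged
    "svc-backup@example.com": {"backup-operator", "user-admin"},  # drift
}

# Roles treated as privileged; drift into these is ranked higher.
PRIVILEGED_ROLES = {"tenant-admin", "user-admin"}

# Constructed audit events. "sensitive" is the label a hypothetical DLP
# classifier attached; "internal" marks destinations inside the tenant.
SAMPLE_EVENTS = [
    {"ts": "2016-05-03T09:00:00", "user": "alice@example.com", "action": "share",
     "records": 120, "sensitive": True, "dest": "partner.example.net", "internal": False},
    {"ts": "2016-05-03T09:05:00", "user": "alice@example.com", "action": "download",
     "records": 45000, "sensitive": True, "dest": "personal-cloud.example.org", "internal": False},
    {"ts": "2016-05-03T09:07:00", "user": "alice@example.com", "action": "download",
     "records": 6000, "sensitive": True, "dest": "personal-cloud.example.org", "internal": False},
    {"ts": "2016-05-03T10:00:00", "user": "bob@example.com", "action": "download",
     "records": 80000, "sensitive": True, "dest": "reports.example.com", "internal": True},
    {"ts": "2016-05-03T11:00:00", "user": "bob@example.com", "action": "share",
     "records": 30, "sensitive": False, "dest": "vendor.example.net", "internal": False},
]


def detect_role_drift(baseline, current):
    """Return {user: {"added": set, "privileged": bool}} for every user whose
    current roles exceed the compliant baseline."""
    findings = {}
    for user, roles in current.items():
        added = roles - baseline.get(user, set())
        if added:
            findings[user] = {"added": added,
                              "privileged": bool(added & PRIVILEGED_ROLES)}
    return findings


def detect_bulk_external_movement(events, threshold_records, window_minutes):
    """Return {user: peak_count} for users who moved more than threshold_records
    sensitive records to external destinations within any window_minutes span.
    Internal destinations and non-sensitive records are ignored."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["sensitive"] and not ev["internal"]:
            per_user[ev["user"]].append((datetime.fromisoformat(ev["ts"]), ev["records"]))

    window = timedelta(minutes=window_minutes)
    findings = {}
    for user, items in per_user.items():
        items.sort()
        start, total = 0, 0
        for ts, n in items:
            total += n
            # Drop events from the left until the window fits.
            while ts - items[start][0] > window:
                total -= items[start][1]
                start += 1
            if total > threshold_records:
                findings[user] = max(findings.get(user, 0), total)
    return findings


def run_checks(events=SAMPLE_EVENTS, threshold_records=10000, window_minutes=15):
    """Combine both checks into a sorted list of (severity, user, detail)."""
    alerts = []
    for user, d in detect_role_drift(BASELINE_ROLES, CURRENT_ROLES).items():
        sev = "high" if d["privileged"] else "medium"
        alerts.append((sev, user, "role drift: +" + ",".join(sorted(d["added"]))))
    for user, n in detect_bulk_external_movement(events, threshold_records, window_minutes).items():
        alerts.append(("high", user,
                       f"{n} sensitive records to external destinations in {window_minutes} min"))
    return sorted(alerts)


if __name__ == "__main__":
    for sev, user, detail in run_checks():
        print(f"[{sev}] {user}: {detail}")
```

With the constructed data, the drift check flags both accounts that gained an administrative role, and the movement check flags only alice, whose 51,120 sensitive records went to external destinations within 15 minutes; bob's large download is ignored because its destination is internal. The sliding window matters: a threshold applied per event would miss a transfer split into smaller chunks, which is exactly the case the three alice events illustrate.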

You’re probably wondering about the three of the 12 threats that aren’t covered by a CASB: data loss (#8), insufficient due diligence (#9) and denial of service (#11).

The cost of data loss is huge. A now-defunct company named Code Spaces had to close down when its corporate assets were destroyed, because it did not follow best practices for business continuity and disaster recovery. Data loss prevention is a primary corporate responsibility, and a CASB can’t detect whether it is in place.

Insufficient due diligence is the responsibility of the organization leveraging the cloud service, not the service provider. Executives need a good roadmap and checklist for due diligence. A CASB can provide advice, but it doesn’t automate the process.

Finally, denial of service attacks are intended to take the provider down. It is the provider’s responsibility to take precautions to mitigate DoS attacks.

As cloud security becomes one of the most pressing issues in IT, the power of the CASB cannot be ignored.

1. Gartner press release, “Gartner Reveals Top Predictions for IT Organizations and Users for 2016 and Beyond,” October 6, 2015.
