Corporate Security Blog

Can a CASB Protect You From the Treacherous 12? - Part 4: CASBs and the Treacherous 7 through 12

Welcome to the fourth in a four-part series on how Cloud Access Security Brokers (CASBs) can help protect your organization from the top twelve threats to cloud computing in 2016. If you want to read the first three blogs, their links are provided below.  

This blog series examines whether a CASB can protect your organization from the top cloud computing threats identified by a Cloud Security Alliance (CSA) working group. The four-part series includes:

- Part 1: CASB 101
- Part 2: CASBs and Threat Detection
- Part 3: CASBs and the Treacherous 1- 6
- Part 4: CASBs and the Treacherous 7-12

CASBs and the Treacherous 7 through 12

The final 6 of the "Treacherous 12" threats that the CSA working group identified are:

7. Advanced Persistent Threats (APTs)
8. Data loss
9. Insufficient due diligence
10. Abuse and nefarious use of cloud services
11. Denial of Service (DoS)
12. Shared technology issues

Here is a definition and an anecdote for each of these threats, along with an assessment of whether a Cloud Access Security Broker (CASB) like Palerra can help protect against it.

7. Advanced Persistent Threats (APTs)
An APT is a parasitical form of cyberattack that infiltrates systems and establishes a foothold in the computing infrastructure. Once the foothold is in place, the perpetrator can smuggle data and intellectual property. 

A CASB can help with APT attacks. A CASB can help detect anomalies in inbound and outbound data to identify data exfiltration, which further enables you to discover that a network is the target of an attack. 

8. Data loss
Data loss can be due to malicious attacks, accidental deletion by the cloud service provider, or a physical catastrophe such as a fire or earthquake.

A CASB is not the solution in this case. Cloud service providers should take measures to back up data according to best practices in business continuity and disaster recovery. Consumers of these services should review the service provider's data loss provisions. 

9. Insufficient due diligence
When a business is under pressure to leverage the benefits of the cloud, the selection process for adopting cloud technologies and choosing cloud service providers can get rushed and proper due diligence can be skipped. When that occurs, organizations are exposing a myriad of commercial, financial, technical, legal, and compliance risks. 

A CASB is not the solution in this case. Executives need to develop a good roadmap and checklist for due diligence when evaluating technologies and cloud service providers. A CASB can help in that process, but the responsibility is with the executives. 

10. Abuse and nefarious use of cloud services
Poorly secured cloud service deployments, free cloud service trials, and account sign-ups that exploit fraudulent payment instruments expose all cloud computing models (including IaaS, Paas, and SaaS). 

A CASB can help monitor identity as a service (IaaS) workloads and software as a service (SaaS) access patterns to better detect suspicious activity such as abnormal launches and terminations of compute instances and abnormal user access patterns.

11. Denial of Service (DoS)
A DoS attack is meant to prevent users of a service from being able to access their data or applications. DoS attacks also flood the cloud service provider with access requests, with the intent of disrupting the service.

A CASB is not the solution in this case. Cloud providers hold the responsibility for taking appropriate precautions to mitigate the impact of DoS attacks.

12. Shared technology issues
Cloud service providers deliver scalable services by sharing infrastructure, platforms, or applications. Because of this shared architecture, one vulnerability or misconfiguration can lead to a compromise across IaaS, PaaS, and SaaS. For example, the VENOM vulnerability allowed attackers to compromise any virtualized platform, which opened millions of virtual machines to attack.

A CASB can help with monitoring of compute, storage, network, and application resources, as well as user security enforcement and cloud service configurations, whether the service model is IaaS, PaaS, or SaaS. However, not all CASBs cover all areas, so be sure that you are working with one that does.

This is the final blog post in the four-part series. For additional information, check out our white paper, "Can a CASB Protect You from the 2016 Treacherous 12?". Or if you prefer an abbreviated format, check out our infographic on the same topic.

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.Captcha

Integrated Cloud Applications & Platform Services