The primary two components of comprehensive risk management of SaaS application usage in an enterprise are visibility and control. In previous blog entries, I wrote about visibility and monitoring of SaaS app usage and its value proposition. In this post, I’m going to focus on the control component.
Data loss prevention is the reason why control is needed for SaaS apps. As more enterprises and their employees adopt these apps, there is an increased risk that critical data could be exported out of the enterprise. This invisible usage, called “Shadow IT”, is becoming a much larger security risk than anticipated, resulting in the vital need for control of data.
Enterprises are keen to adopt SaaS apps because of their lower operational cost and maintenance. This adoption increases the need for different types of strategies that allow use of these apps while still controlling and monitoring the data being transferred. To control the data flow means being able to enforce enterprise-wide policies for specific types of SaaS apps based on their usage risk. Obviously, firewalls have been built to block access to specific sites, but for today’s SaaS usage, general blocking of certain sites is not possible since they are needed for many operational activities.
Most CASB vendors use a reverse-proxy to become the gateway policy enforcement layer for access to these apps. Since all the traffic to the app flows through the proxy, it can be controlled at a much more granular level than what traditional firewalls provide. Some examples of these types of policies include:
Access restriction is one way of controlling the data flow. There may also be a need to let risky types of data appear in the apps without ever allowing the actual data to leave the organization. Tokenization policies can provide such functionality.
Tokenization allows the user to send data to these apps, but the proxy will keep the data on-premise while replacing the data sent to the app with a token. Therefore, data never leaves the interior of the firewall. When the tokenized data is requested through the proxy, the token is replaced with the actual data that it represents. The tokenization process is hidden from the user. The user doesn’t know the data is not actually in the cloud and if they access the app around the proxy, they’ll see tokens in their app instead of actual data.
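To make the proxy-side policy enforcement and the tokenization flow above concrete, here is a small added example (written for this post, not code from any CASB vendor). The app name `crm.example`, the field names, the `tok_` token format and the in-memory vault are all assumptions chosen for illustration. It shows the three views the post describes: what the cloud app actually stores, what a user sees when reading through the proxy, and what a user sees when reaching the app around the proxy.

```python
import secrets

# Constructed example: a minimal tokenizing reverse proxy with a per-app policy.
# The app name, field names, token format and vault are assumptions for
# illustration, not any specific CASB product's behaviour.

TOKEN_PREFIX = "tok_"


class TokenVault:
    """On-premise store mapping opaque tokens to the original values."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value):
        # Reuse the existing token for a repeated value so the app sees a
        # consistent stand-in (allows equality searches on tokenized fields)
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = TOKEN_PREFIX + secrets.token_hex(8)  # random, carries no data
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        # Unknown tokens pass through unchanged; nothing is leaked either way
        return self._token_to_value.get(token, token)

    def is_token(self, s):
        return isinstance(s, str) and s.startswith(TOKEN_PREFIX)


# Policy: for each sanctioned app, which record fields never leave the
# enterprise in clear text (assumed field names)
POLICY = {
    "crm.example": {"ssn", "salary"},
}


class TokenizingProxy:
    """Policy enforcement point sitting between users and the SaaS app."""

    def __init__(self, vault, policy):
        self.vault = vault
        self.policy = policy

    def outbound(self, app, record):
        """User -> proxy -> SaaS app: replace policy-covered fields with tokens."""
        fields = self.policy.get(app, set())
        return {k: (self.vault.tokenize(v) if k in fields else v)
                for k, v in record.items()}

    def inbound(self, app, record):
        """SaaS app -> proxy -> user: swap tokens back for the stored values."""
        return {k: (self.vault.detokenize(v) if self.vault.is_token(v) else v)
                for k, v in record.items()}


def demo():
    vault = TokenVault()
    proxy = TokenizingProxy(vault, POLICY)
    # Constructed sample record submitted by a user through the proxy
    original = {"name": "A. Employee", "ssn": "123-45-6789", "salary": "90000"}

    cloud_copy = proxy.outbound("crm.example", original)   # what the app stores
    via_proxy = proxy.inbound("crm.example", cloud_copy)   # user reading via proxy
    around_proxy = cloud_copy                              # user bypassing the proxy
    return original, cloud_copy, via_proxy, around_proxy


if __name__ == "__main__":
    for label, view in zip(("original", "cloud", "via proxy", "around proxy"), demo()):
        print(f"{label:>13}: {view}")
```

The only copy of the sensitive values lives in the vault inside the firewall; the cloud record and any user who bypasses the proxy see only `tok_` strings, which is exactly the failure mode the post warns about. A production vault would be persistent and access-controlled, and the policy would typically match on data classification rather than fixed field names.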