In recent years, federal agencies have increasingly implemented cloud-based solutions that offer easy deployment and remote access to files — a pressing need once the COVID-19 pandemic began.
Securing data in cloud environments, however, can be more challenging than in on-premises settings, according to 45 percent of federal agency staff who participated in a 2019 Ponemon Institute and Forcepoint survey.
And 71 percent identified visibility and governance as two key difficulties agencies face in securing cloud use.
To strengthen cloud protection, some are turning to cloud access security brokers (CASBs) — solutions that the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency recently recommended for agencies attempting to secure remote workers’ access to cloud services.
How Agencies Gain Visibility with CASBs
CASBs serve as an additional security layer between cloud service providers and end users.
The solutions can provide greater visibility into cloud application use, potentially helping agencies track user behavior, authenticate users, enforce policies surrounding sensitive information storage and sharing, and meet various compliance requirements.
CASBs may help an agency determine, for instance, that an employee has downloaded a nonsanctioned and possibly problematic application. They can also enhance overall data protection efforts through methods like encryption.
Federal agencies began using CASBs more frequently about three or four years ago, according to Andras Cser, vice president and principal analyst for security and risk management at Forrester.
“Data protection was the main driver for CASB adoption, along with FedRAMP,” Cser says. “The advantages include shadow IT detection, data leak prevention and threat detection through scrutinizing unusual traffic patterns, and malware detection. CASBs help prevent confidential data loss in cloud apps.”
Today, a number of agencies — including the National Oceanic and Atmospheric Administration, the Food and Drug Administration and the departments of Transportation and Energy — utilize CASB tools such as McAfee’s MVISION Cloud or Cisco’s Cloudlock.
FDA Uses Its CASB for Cloud Security
Given that the FDA works to ensure the safety and quality of products that range from medical devices to much of the food supply — which, according to the agency, accounts for roughly 20 cents of every dollar Americans spend each year — data housed within the agency’s information systems could clearly be an enticing target.
The amount 13 agencies saved by using cloud services between 2014 to 20181
Source: Government Accountability Office, “Cloud Computing: Agencies Have Increased Usage and Realized Benefits, but Cost and Savings Data Need to Be Better Tracked,” April 2019
The FDA’s CASB solution, implemented in 2017, provides near real-time situational awareness and visibility into cloud activity and assists the agency in enforcing security controls, helping ensure the confidentiality, integrity and availability of industry and public health information, according to FDA spokesperson Courtney Rhodes.
“The agency recognizes the risks associated with operating a global IT enterprise in support of our public health mission, particularly during this critical time,” Rhodes says.
“Our CASB solution has been integral to our defense-in-depth strategy by enhancing our data loss prevention capabilities and cyberdefenses in addressing the evolving threat landscape.”
NASA Uses a CASB to Track Increase in Cloud Usage
Anticipating that vendors’ software delivery model would be transitioning to applications that were situated in the cloud, NASA also began using a CASB solution, the Skyhigh product now owned by McAfee, in fall 2017, according to Raymond O’Brien, service manager for NASA.
“We knew the NASA workforce would want to use that cloud delivery model and wanted to get ahead by ensuring we had visibility,” O’Brien says. “The ability to see what’s being used by the entire workforce, which may not be evident because it’s intermingled with other internet traffic, lets us get a better view of just the cloud applications.”
The solution’s graphing capabilities allow the agency to track how cloud service use has increased over periods of time, according to Mary Jo Alfano, cloud analyst at NASA. Coupled with indicators of high-risk services, that helps the agency determine where to focus its attention.
“That’s probably the biggest way we use graphs — to keep an eye on and adjust the planned approach to a particular application, based on an overall trend analysis,” Alfano says. “The graphing feature also helps with keeping an eye on the data that feeds into the tool itself.
“On a Friday, for example, if some area of the network that’s been receiving a consistent amount of traffic receives none at all, we know one of our data feeds has dropped and we need to make a phone call.”
Cloud-based solutions have become a popular implementation; in addition to helping facilitate employees’ desire or need for remote access, they can relieve the operational burden on-premises solution maintenance may present.
The CASB Model Is Here to Stay
As O’Brien points out, having to support software that’s shipped to customers who may run it on multiple operating systems (and use different versions and releases) involves an expense.
As a result, the cloud-based Software as a Service model — and CASBs, which, he says, offer an unparalleled view of application activity — are more than likely here to stay. Currently, the CASB market is experiencing 5 to 8 percent annual growth, according to Cser.
“There was a time when there were just a few vendors; now, I’m not sure you can be a security solution vendor and not have a CASB tool,” O’Brien says. “CASB solutions have really taken off because the workforce wants to use cloud services.
“However, enterprises still have to deal with security, intellectual property protection, and sensitive data and confidentiality requirements; that’s why CASB growth is exploding.