Sanctioned IT: Software as a Service
Skyhigh CASB for Software-as-a-Service (SaaS) enables the secure adoption of cloud services by providing activity monitoring, threat detection, and data protection. With these cloud-native controls in place, organizations can benefit from cloud transformation without sacrificing the security of their data or users.
Customers deploying Skyhigh CASB for SaaS can immediately benefit from centralized activity monitoring. Departments can get a clear understanding of how these cloud applications are used, leverage machine learning to identify trends, detect various levels of anomalies and threats, and have a centralized location from which to conduct investigations.
Activity Monitoring and Threat Detection
Skyhigh CASB utilizes machine learning to provide User and Entity Behavior Analytics (UEBA) for the customers’ entire SaaS portfolio. The result is that threats from or against a user can be detected across multiple cloud services. For example, a superhuman anomaly would be generated if a user named Frank were to log in to one service provider from Chicago and another from London just a few minutes apart. If additional indicators of compromise (IOCs) are detected, such as abnormal administrative activity by Frank, these activities would be automatically correlated and generate a threat event for immediate follow-up by SOC personnel.
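The cross-service detection described above, written out as an added illustration (not Skyhigh's own code): consecutive logins by one user across any SaaS service are checked for impossible travel, and an anomaly is escalated to a threat event when an abnormal admin action by the same user follows within a window. The event feed, the 1000 km/h threshold and the list of admin IOC action names are constructed for the example.

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Constructed sample activity feed (not real telemetry): one user logs in to two
# SaaS services from Chicago and London seven minutes apart, then performs an
# unusual admin action in a third service.
EVENTS = [
    {"user": "frank", "service": "office365", "action": "login", "ts": "2024-05-01T09:00:00", "lat": 41.88, "lon": -87.63},
    {"user": "frank", "service": "salesforce", "action": "login", "ts": "2024-05-01T09:07:00", "lat": 51.51, "lon": -0.13},
    {"user": "frank", "service": "box", "action": "admin.role_grant", "ts": "2024-05-01T09:12:00", "lat": 51.51, "lon": -0.13},
]
MAX_SPEED_KMH = 1000.0  # faster than an airliner between two logins is "superhuman"
ADMIN_IOCS = {"admin.role_grant", "admin.policy_change"}  # hypothetical abnormal-admin IOC list

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def superhuman_anomalies(events, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive logins by one user, across any services, that imply impossible travel."""
    last_login, anomalies = {}, []
    for e in sorted((x for x in events if x["action"] == "login"), key=_ts):
        prev = last_login.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (_ts(e) - _ts(prev)).total_seconds() / 3600
            # Same-second logins: impossible only if the locations actually differ.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_speed_kmh:
                anomalies.append({"user": e["user"], "from": prev["service"], "to": e["service"],
                                  "kmh": round(speed), "ts": e["ts"]})
        last_login[e["user"]] = e
    return anomalies

def correlate_threats(events, window=timedelta(hours=1)):
    """Escalate an anomaly to a threat event when an admin IOC by the same user follows within the window."""
    threats = []
    for a in superhuman_anomalies(events):
        iocs = [(e["service"], e["action"]) for e in events
                if e["user"] == a["user"] and e["action"] in ADMIN_IOCS
                and timedelta(0) <= _ts(e) - datetime.fromisoformat(a["ts"]) <= window]
        if iocs:
            threats.append({"user": a["user"], "anomaly": a, "iocs": iocs})
    return threats
```

With only the two logins in the feed, `correlate_threats` returns nothing: the anomaly alone stays an anomaly, and the admin IOC is what raises it to a threat event.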
Data Protection
Depending on an organization's perception of their data boundaries, data protection can be looked at from two perspectives: Into the cloud and out of the cloud.
Into-the-cloud
Data protection "into" the cloud refers to measures that either prevent certain types of data from being stored in the SaaS or place additional protections on it while stored there.
Commonly, customers will use DLP policies to scan for sensitive data being transferred to or already stored in SaaS services. For example, an organization might have a policy stating that Payment Card Information (PCI) cannot be stored in a productivity suite such as Microsoft Office or GSuite. When a violation is found, either in real-time or during a scan of data at rest, Skyhigh CASB administrators have several remediation options at their disposal:
- Notify the user of the problem and provide a time period for the user to resolve the violation on their own (self-remediation).
- Block the data during transmission (see the proxy section in the architectural discussion later).
- Delete the data from cloud storage at rest.
- Tag/Classify the data for use in other policies (such as real-time collaboration control, see Collaboration Control in Out-of-the-cloud).
- Quarantine the data within the cloud storage provider by moving it to a protected folder.
- Alert designated IT security personnel to perform a manual investigation.
- Apply encryption / DRM wrappers such as Microsoft AIP or Ionic, which will protect data from unauthorized access even if control of the file itself is lost.
Out-of-the-cloud
Data protection "out" of the cloud addresses the unauthorized sharing, viewing, or downloading of data that is stored within the sanctioned SaaS. Common use cases for these types of protection include:
- Conditional Access – Employees working from their own devices or remote locations can be limited to viewing data and be prevented from downloading data or connecting thick clients (such as a file sync agent or mail client). Conditions include:
  - IP Address / Geolocation
  - User certificate
  - Attributes passed from SAML provider (leverages existing agents)
  - Device OS
  - Agent type (e.g., browser vs thick client)
  - Type of access (e.g., download vs view)
- Email DLP – Emails containing sensitive data can generate alerts for SOC follow-up or be blocked automatically.
- Collaboration control – Many SaaS providers allow users to share or provide links to data directly out of the SaaS without having to email or send data through a file transfer service. These collaborations can be alerted on or blocked based on:
  - Content being collaborated (DLP policy)
  - Sender attributes (department, AD group, etc.)
  - Receiver domain allow list/block list
When deployed as part of a Skyhigh Security Service Edge, data protection policies already defined for an endpoint, Shadow IT, or IaaS storage can be seamlessly applied to multiple SaaS vendors.