This post was originally published here by Mike Schuricht.
Infrastructure as a Service (IaaS) has been a huge driver in moving both public and internal corporate apps to the cloud. For many, a public IaaS platform like Amazon Web Services (AWS) is the first foray into the public cloud. Companies are using IaaS for DevOps automation to speed agile development, for storing and analyzing large amounts of company data, and to move internally hosted applications from their own data centers to Amazon AWS and Microsoft Azure. The move to IaaS allows security teams to focus more on data protection, since the security of networks, hardware, physical server locations, uptime and the like can now be controlled more readily.
Securing data in IaaS brings many of the same concerns as protecting data in SaaS apps: identifying and inventorying stored data, determining the sensitivity of that data, assessing how the data can be accessed, moved, replicated or downloaded, and controlling or mitigating what was found in the prior steps. Cloud Access Security Brokers (CASBs) can scan data at rest via SaaS APIs, proxy browser or thick-client access, apply native data loss prevention (DLP) policies, and protect data through actions such as watermarking, encryption and quarantine, so these same protections should naturally be extended to IaaS.
In addition to data protection at the platform level, data protection must extend to the apps (custom or off-the-shelf) deployed on IaaS (e.g. Tableau Server). Visibility and control are both concerns, requiring policies based on the context of the user and the device used for access, as well as control over the upload and download of data (e.g. PDF export). CASB proxy solutions can tie into an app's single sign-on (SSO) to provide overall control over access, as well as control over the flow of sensitive data.
CASB solutions can protect data in IaaS providers like Amazon AWS in the following ways:
- Granular admin role assignment for the AWS admin console, with policies based on group membership, location (geo, on/off company premises), device (managed vs. BYO) and more
- Visibility and control over data stored in S3 and EC2 volumes
- Turnkey SAML 2.0 integration to provide Identity as a Service (IDaaS) or relay to third-party IdPs
- Control over access to apps used to visualize sensitive data, and over what data can be downloaded to endpoints, through inline DLP
Additionally, CASBs that support custom app integrations can extend to on-premises apps before they are moved to the cloud, providing secure use without requiring heavy VPNs (e.g. intranets, Confluence, Jive, Exchange OWA).