One of the biggest transformations modern enterprises have had to face in recent years has been the shift to the cloud. With this shift, enterprises rent computing, storage and networking functions from third-party providers rather than setting up and maintaining them in-house. It has led to massive cost savings and created leaner IT departments. Much of this cloud activity stems from an enterprise’s official IT strategy. However, cloud usage driven by shadow IT is increasing, spurred by employees’ inherent need for more effective ways of processing their IT workloads outside the limits set by their IT departments.
Due to the COVID pandemic, cloud operations have become increasingly important to enterprises, as IT resources now have to be accessible from outside the office. Whether as PaaS, IaaS or SaaS, the cloud gives enterprises floating IT resources that any user can reach from any location. As a result, enterprise cloud traffic, which comprises all flows between user devices (laptops, servers, printers and phones, whether at the office or at home) and applications in the cloud, as well as traffic between clouds, started to grow phenomenally. This in turn gave rise to an abundance of static data stored and secured in the cloud.
Cloud conundrums
While the cloud offers efficient services and expanded possibilities, it comes with its own risks that can impact the security of enterprise cloud applications and cloud assets. Cyberattacks, for example, pose a huge threat to cloud applications and assets. Devices, applications and services used in shadow IT are inherently less secure or do not fit well with existing IT processes and requirements. Remote users may use compromised devices, which can in turn be used by malicious agents to breach the company’s systems. Employees may also accidentally or negligently corrupt applications and the data these applications store. Lastly, the clouds themselves may be compromised due to inherent vulnerabilities in their architecture and security policies, or through cloud providers’ negligence in securing their assets.
To address the security needs of an enterprise whose IT perimeter stretches to the cloud, enterprises are deploying the cloud access security broker (CASB), a security gateway that features a range of security management functions. The CASB secures the traffic flows between cloud applications and the plethora of users, including on-site employees, data centers and remote workers. It effectively takes over the role that firewalls, IPS/IDS, UTM appliances and network gateways played in the pre-cloud days. Like all brokers, the CASB is essentially a middleman; it can be located on site, in the cloud or deployed as SaaS, with the latter being the most popular model.
Bolstering the broker with DPI
While the CASB goes a long way in securing an enterprise cloud infrastructure, it could use further advancements, for example through deep packet inspection (DPI). An advanced DPI engine such as ipoque's R&S®PACE 2 has a wide range of capabilities to enhance CASB’s defenses.
First, visibility. A DPI engine like R&S®PACE 2 can distinguish network traffic by application, protocol or service type. It does so in real time, using a regularly updated library of signatures for the various traffic types. R&S®PACE 2 can also extract metadata about each flow, such as bandwidth consumption, speed, jitter and latency.
Thus, the CASB gains visibility and expands its reporting capacity: it can report not just which applications and clouds are being accessed, but also who accesses them, how frequently, which clouds and applications connect to one another, and how many resources each application, cloud and user consumes.
Zooming in on the threats
These insights, in turn, improve the CASB's ability to detect threats and enforce security policy. Today, the CASB works with security tools such as firewalls, data loss prevention software and advanced threat protection to fight malicious threats and unintentional security incidents. DPI’s traffic classification capability enhances the CASB’s ability to identify cyberattacks and incidents such as malware, DDoS, data loss or theft, traffic anomalies, unauthorized user activity and security loopholes.
The real-time monitoring provided by DPI also allows for detailed insights into data flows and usage patterns throughout the enterprise network and all the cloud services it is connected to. This enables an enterprise to establish security policies with tiers or usage categories, in which different locations or users have different privileges. With that, an enterprise can ensure that only authorized users and devices have access to specific clouds and applications. In addition, encryption can be required on certain routes or for certain applications. Similarly, shadow IT activity can be managed by whitelisting/blacklisting certain applications and cloud services, and data transfers can be authorized only when specific conditions are met.
Once such rules for access, usage limits, session timeouts and zero-trust policies have been created, enforcing them is also made easier by the visibility and classification capabilities of deep packet inspection and the insights gained from metadata. Since all network activity is monitored in real time, privileges or access can be revoked, added or modified as cloud-based resources are accessed, when suspicious or anomalous traffic flows appear, or whenever the immediate need arises.
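The policy model described in the two paragraphs above (classification feeding tiered access rules, allow/deny lists for shadow IT, and conditions on data transfers) can be illustrated with a small policy engine. The following is an added example written for this article; it is not code from ipoque or the R&S®PACE 2 SDK. It assumes a flow record that already carries the fields a DPI engine would provide, and it stands in for signature-based classification with a simple TLS SNI lookup table (constructed hostnames under example.com and example.net); a real DPI engine classifies from packet payload and many more protocol features.

```python
"""Toy CASB policy engine driven by DPI-style flow classification.

Added example for illustration. The signature table, tiers and sample
flows are constructed; the hostnames and application labels are invented.
"""
from dataclasses import dataclass

# Constructed stand-in for a DPI signature library: SNI suffix -> application label.
APP_SIGNATURES = {
    "crm.example.com": "crm",
    "sync.example.com": "file_sync",
    "mail.example.com": "mail",
    "proxy.example.net": "anon_proxy",
}

# Applications the enterprise sanctions, and ones it denies outright (hypothetical).
SANCTIONED = {"crm", "file_sync", "mail"}
DENIED = {"anon_proxy"}

# Policy tiers per location: which sanctioned apps are reachable and an upload ceiling.
TIERS = {
    "office": {"allow": {"crm", "file_sync", "mail"}, "max_upload": 500_000_000},
    "remote": {"allow": {"crm", "mail"}, "max_upload": 50_000_000},
}


@dataclass(frozen=True)
class Flow:
    user: str
    location: str        # "office" or "remote"
    device_managed: bool  # True if the device is enrolled in enterprise management
    sni: str             # TLS server name observed by the DPI engine
    dst_port: int
    bytes_out: int       # bytes sent from the user device toward the cloud


def classify(sni, dst_port):
    """Map an observed SNI to an application label (simplified DPI classification)."""
    for suffix, app in APP_SIGNATURES.items():
        if sni == suffix or sni.endswith("." + suffix):
            return app
    return "unknown_tls" if dst_port == 443 else "unknown"


def evaluate(flow):
    """Return (app, verdict, reason); verdict is 'allow', 'block' or 'alert'."""
    app = classify(flow.sni, flow.dst_port)
    tier = TIERS.get(flow.location)
    if tier is None:
        return app, "block", "unknown location"
    if app in DENIED:
        return app, "block", "denied application"
    if app not in SANCTIONED:
        # Unknown or unsanctioned service: surface as possible shadow IT for review.
        return app, "alert", "unsanctioned application (possible shadow IT)"
    if app not in tier["allow"]:
        return app, "block", f"{app} not permitted from {flow.location}"
    if flow.location == "remote" and not flow.device_managed:
        return app, "block", "unmanaged device on remote tier"
    if flow.dst_port != 443:
        return app, "block", "sanctioned app must use TLS"
    if flow.bytes_out > tier["max_upload"]:
        return app, "alert", "upload exceeds tier limit"
    return app, "allow", "ok"


# Constructed sample flows, one per rule branch.
SAMPLE_FLOWS = [
    Flow("alice", "office", True, "crm.example.com", 443, 10_000),
    Flow("bob", "remote", True, "sync.example.com", 443, 5_000),
    Flow("carol", "remote", False, "mail.example.com", 443, 2_000),
    Flow("dave", "office", True, "proxy.example.net", 443, 100),
    Flow("erin", "office", True, "notes.othercloud.example", 443, 3_000),
    Flow("frank", "remote", True, "api.crm.example.com", 443, 80_000_000),
    Flow("grace", "office", True, "mail.example.com", 80, 100),
]


def run(flows=SAMPLE_FLOWS):
    """Evaluate each flow and return (user, app, verdict, reason) tuples."""
    return [(f.user, *evaluate(f)) for f in flows]


if __name__ == "__main__":
    for row in run():
        print(row)
```

The engine separates classification from policy so that the same rules apply whatever the DPI engine reports; an unsanctioned application produces an alert rather than a hard block, which is how a CASB typically surfaces shadow IT for review before a decision is taken.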
Finally, the CASB-DPI combo can enable companies to maintain compliance in the industry they operate in. Two prominent examples are the Payment Card Industry Data Security Standard (PCI DSS) in the US and the General Data Protection Regulation (GDPR) in the EU. Companies are obliged to ensure that they follow these rules, regulations and guidelines. When it comes to cloud operations, compliance can depend on multiple jurisdictions, according to the location of the company, the users, the data and the cloud services. Deep packet inspection, by offering traffic and application awareness, ensures that the CASB is equipped with the real-time information needed for the secure transfer and storage of regulated data, for example data that is sensitive and confidential. It also contributes to the required security practices, for example those relating to the prevention of data breaches.
The value of the CASB-DPI combination
The growing complexities of the cloud require enterprises to keep their guard up at all times, across all applications. The CASB provides the checkpoint to do so. But to provide real-time insights, end-to-end visibility and accurate detection of threats and anomalies, DPI engines such as R&S®PACE 2 are a critical addition. By combining the capabilities of the CASB and DPI, enterprises can be sure of their security as they move their work to the cloud.