How a CASB Enables Cloud Data Classification at Scale

By McAfee Cloud BU on Oct 20, 2016

The dust is settling on the Yahoo breach, which is now just the latest in the long line of 725 data breaches that have been publicly disclosed in 2016, according to ITRC’s research database. And as it does, the inevitability of a cybersecurity breach is driving security budgets and causing organizations to spend hundreds of millions of dollars on protecting their systems, data, and networks. However, budgets are not infinite, so IT Security teams are trying to get smarter.

As part of this effort, data classification is gaining importance as a way to enhance the security strategy. Categorizing data assets based on sensitivity enables IT to focus security and governance efforts on protecting the ‘crown jewels’. But as enterprise data moves to the cloud, classification efforts often get left behind since most cloud services do not provide this useful capability. The security classification feature announced by Box directly addresses this requirement by enabling companies to classify and protect sensitive data in the cloud.



Increased Confidence in Cloud-based Systems

A recent report from McAfee (formerly Skyhigh Networks) found that the average enterprise uses 1,154 cloud services, which include 61 file sharing and collaboration services. These services have become an integral part of the enterprise collaboration workflow, and as employees use them for business-critical processes, sensitive data is uploaded to the cloud. In fact, McAfee’s report showed that 15.8% of all documents uploaded to cloud-based file sharing services contain sensitive information, which includes personally identifiable data (PII), health data (PHI), and confidential company data such as financial records, business plans, and source code. This demonstrates the confidence users have in the security of their cloud platforms.

The increasing confidence in cloud-based systems was also affirmed by a finding in a recent survey by CSA, which found that 64.9% of its respondents said the cloud is more secure than on-premises software. A potential reason for this is the heavy investment cloud providers, like Box, have made in building security infrastructure and controls. However, given the cloud’s shared responsibility model, companies are responsible for how employees use the product, and are looking for ways to build data-protection guardrails for users and train employees to follow best practices in secure collaboration.

Box Announces Data Classification in the Cloud

With the announcement of its security classification capability, Box became one of the few cloud file sharing and collaboration companies to allow enterprises to classify data in the cloud according to sensitivity. Now, either users or IT can apply classification labels, such as “Internal”, “Confidential”, or “Public” to files within Box based on metadata tags set up by the admin. Box uses these labels to enforce collaboration and access restrictions, such as disabling public links and external sharing for all documents marked as ‘Internal’. So, an employee inadvertently attempting to create a public link for a document containing user names and passwords that is classified as “Confidential” will be blocked from doing so. Admins can also choose to display a visual indicator on the document with the label, thereby guiding users with regard to sharing and governance.

McAfee Enables Cloud Governance at Scale with Box Data Classification

Cloud Access Security Brokers (CASBs) act as control points between users and cloud applications and secure the usage of cloud services, including file sharing and collaboration services such as Box. McAfee, the leading CASB solution, is used by many Fortune 500 companies to add an additional layer of protection over Box, allowing them to gain visibility into cloud usage, enforce compliance policies, detect threats from insiders and compromised accounts, and secure cloud data with encryption and access controls.

McAfee has collaborated with Box on the security classification capability to enable companies to effectively govern their cloud data. Using McAfee, companies can automate the assignment of classification labels, while minimizing IT resource overheads and meeting scalability requirements. By applying security classification on Box data using McAfee, enterprises gain multiple benefits:

  1. Leverage existing policies to apply security classification labels: Companies using McAfee would have already defined granular policies to protect against data loss and compliance breaches. These policies detect sensitive data using multiple methods, including data identifiers, keywords, and regular expressions, and apply the specified remediation such as delete or quarantine. By leveraging existing policies to apply classification labels, companies reduce the efforts required to detect and flag sensitive data.
  2. Enforce classification on ongoing uploads to Box: Companies use policies in McAfee to inspect documents being uploaded to Box and apply the predefined classification label based on sensitivity. For example, if an employee is uploading a document with personal health information into Box, the policy can detect this sensitive data and attach a ‘Confidential’ label to this document. By automatically scanning all documents uploaded to Box, McAfee reduces the manual effort required of users or IT in classifying data and minimizes the chance of human error.
  3. Enforce classification on existing Box data: Companies can use McAfee’s on-demand scan capability to inspect their existing Box deployments and apply classification labels on documents based on specified policies. Large enterprise Box deployments contain hundreds of thousands of files and the on-demand scan capability is a method by which IT can quickly automate the application of classification labels without incurring huge overheads.
  4. Meet enterprise scalability requirements: By enabling companies to apply classification labels, either in real-time or on-demand, based on granular DLP policies, McAfee allows IT teams to quickly and easily apply the capability across their corporate Box deployments. Data classification projects often do not get off the ground due to high resource costs and the inability to scale to cover all existing and ongoing data assets. Using McAfee, IT teams can overcome these challenges and successfully deploy security classification on data residing in Box.
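
The flow in items 1 and 2, together with the sharing restriction described earlier for labelled files, can be sketched as follows. This is an added example, not McAfee or Box code: the rule names, keyword lists, function names, and sample uploads are assumptions constructed for illustration, and no real Box or McAfee API is called.

```python
import re

RANK = {"Public": 0, "Internal": 1, "Confidential": 2}  # labels named in the article

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")  # candidate card numbers
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")      # US SSN layout
KEYWORDS = {  # constructed keyword lists (hypothetical policy content)
    "Confidential": ("diagnosis", "patient id", "password"),
    "Internal": ("internal use only", "do not distribute"),
}

def luhn_ok(digits):
    """Data-identifier check: the Luhn checksum weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def detect(text):
    """Return (rule, label) hits for one document."""
    hits = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append(("payment-card", "Confidential"))
    if SSN_RE.search(text):
        hits.append(("us-ssn", "Confidential"))
    lower = text.lower()
    for label, words in KEYWORDS.items():
        hits += [("keyword:" + w, label) for w in words if w in lower]
    return hits

def classify(text):
    """Most restrictive label among the hits; None leaves the file unlabeled."""
    hits = detect(text)
    if not hits:
        return None, []
    return max((l for _, l in hits), key=RANK.get), [r for r, _ in hits]

def sharing_allowed(label, action):
    """Block public links and external sharing at 'Internal' and above."""
    restricted = action in ("public_link", "external_share")
    return not (restricted and label is not None and RANK[label] >= RANK["Internal"])

UPLOADS = {  # constructed sample documents
    "lunch_menu.txt": "Tacos on Tuesday. Order ref 4111 1111 1111 1112.",
    "claim.txt": "Patient ID 8841, diagnosis pending. SSN 078-05-1120.",
    "roadmap.txt": "Internal use only: Q3 roadmap draft.",
    "invoice.txt": "Card 4111-1111-1111-1111 charged.",
}
```

The first sample contains a 16-digit number that fails the Luhn check, so it produces no hit. Validating a data identifier rather than matching on shape alone keeps order numbers and similar digit runs from being labelled as card data.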

McAfee and Box are used together by a number of enterprises such as Aetna, AstraZeneca, UNUM, and Western Union to securely collaborate while meeting compliance, regulatory, and governance requirements. The joint success of the two teams was validated at the 2016 BoxWorks Partner Summit, where Box recognized McAfee with the Box Trust Partner of the Year award. The integration on security classification represents another big step forward in this partnership to deliver a secure, user-friendly cloud collaboration solution to some of the largest and most innovative enterprises in the world.

About the Author

McAfee Cloud BU

Learn about cloud threats, the latest cloud security technologies, and the leading approaches for protecting data in cloud services.
