Protecting Against Shadow IT: 5 Key CASB Use Cases

By on Aug 25, 2017

Cloud service usage in the workplace is growing exponentially. The average organization used 1,427 cloud services in 2016, an increase of 23.7% from the previous year. In fact, the current level of cloud use is almost triple what it was just four years ago.

Despite the increasing prevalence of cloud-first IT programs, most of the cloud applications used by companies fall into the shadow IT category, potentially putting sensitive data at risk. In this context, shadow IT refers to unauthorized cloud service usage by employees without the knowledge of the IT department and they usually don’t include robust security controls. In fact, out of the 20,000+ cloud services in use today, less than 8.1% meet enterprise-grade data security and privacy requirements as defined by McAfee’s (formerly Skyhigh Networks) Cloud Trust Program.

Organizations often underestimate the scale of shadow cloud service among their own employees. Based on McAfee data across over 30 million users at enterprises worldwide, the scale of shadow IT is 10 times greater than enterprise IT departments assume. Companies can alleviate the risks associated with Shadow IT by using CASB solutions to gain visibility and control over shadow SaaS usage while maintaining employee productivity. Against the backdrop of these trends, here are the top five ways a CASB helps enterprises take control of their shadow cloud usage.


Get the Full eBook

Download this ebook that outlines the recommended deployment architectures that support the top 20 CASB use cases.

Download Now

1) Discover cloud services in use

The first step to understanding and protecting against potentially high-risk cloud usage involves determining the extent of shadow IT within the organization. CASB solutions collect firewall and proxy log and analyze log data, enabling IT to discover cloud services in use by all employees and business units and identify which cloud services do not meet security requirements. This service is available through McAfee’s Cloud Audit, but is also included in the CASB platform.

In order to screen for cloud usage, CASBs collect log data from network firewalls and web proxies. SIEMs streamline this process by allowing CASBs to compile logs from one channel rather than from multiple sources. The CASB can easily integrate with the SIEM through an on-premises connector, tokenizing log data before uploading it to the platform to protect identifying data including IP addresses and user names.

2) Assess cloud service risk

CASBs detect cloud usage using firewall and proxy logs because they maintain detailed and up-to-date registries of all cloud services. Most CASB solutions also allow companies to assess the risk of any cloud service by providing a risk score calculated using over 50 attributes and more than 260 sub-attributes (e.g. service claims ownership of data uploaded, service shares customer data with third parties without permission, encryption of data stored at rest, etc.). This evaluation IT security teams perform before allowing cloud services is dramatically accelerated when using a registry with up-to-date cloud intelligence.

The ownership of data uploaded to the cloud is a crucial risk assessment criteria because it poses a danger to sensitive data exposure. For example, some PDF conversion services include terms of service that claim ownership over every file uploaded to their platform. This places sensitive corporate data at risk if an employee is unaware of the dangers associated with the service they are using to be more productive.

Risk assessment analysis is an essential part of a CASB solution because it identifies the potential benefits and risks associated with each cloud service.

3) Apply cloud governance policies

Once each cloud service has been evaluated, IT teams can use the risk assessment rating provided by the CASB solution to define acceptable cloud governance policies. The CASB then integrates with the enterprise’s existing firewall or secure web gateway to enforce policies. This capability is crucial for managing an organization’s shadow IT vulnerabilities because it can potentially blacklist dangerous services and promote useful ones, limiting data vulnerabilities and maximizing employee productivity.

CASB users typically separate cloud services into three broad categories: 1) IT-sanctioned services, which includes useful tools applicable to the entire company that also leverage powerful security capabilities; 2) Permitted services, which may be used by employees but often lack the security applications or the effectiveness of the sanctioned services; and 3) Prohibited services, which either lack even the most basic security or include dangerous provisions that put companies at risk.

McAfee’s CASB solution is well suited for cloud governance because it can seamlessly integrate with secure web gateways (SWG) and next generation firewalls (NGFW) to enforce policies in real time without introducing another endpoint agent or network control point.

4) Detect data exfiltration and proxy leakage

Using a CASB, companies can detect malware operating on the enterprise network that leverages the cloud as a vector for data exfiltration, such as sensitive data exhilarated via a private Twitter account. While governance policies for shadow cloud services focus on preventing sensitive data from being uploaded to non-sanctioned services, preventing data exfiltration in permitted or sanctioned cloud services is just as important for effective cloud security. Aside from detecting malware-based data exfiltration, McAfee’s CASB is also able to track potential threats using machine-learning threat protection, preventing hackers and malware from using the cloud as an attack vector.

Enforcing cloud governance policies with a NGFW or SWG can experience several limitations that lead to gaps in enforcement coverage. First, the IPs and domains used by cloud services are changing constantly and these databases used by these solutions do not keep comprehensive and up-to-date records on cloud services. Second, cloud governance policies may not be standardized globally across all egress devices, leading to gaps in coverage. Finally, exceptions created for a individual or single service can quickly be expanded, and allow overly broad access for an entire team to an entire category of cloud services. CASBs detect these gaps and integrate with egress solutions to close gaps.

5) Gain granular visibility and activity-level control

With a CASB, companies can obtain deep visibility into the activities users perform in cloud services and enforce granular controls at the user, activity, and data levels. Unlike the previous use cases which leverage integration to firewalls and proxies, this use case relies on a CASB’s forward proxy. The forward proxy mode uses the “SSL man-in-the-middle” technique to inspect cloud traffic for users, controlling which traffic can forwarded for employee-use. This solution provides an additional level of customization because users can choose on a micro-level which repositories within a service can be used by employees and which ones cannot.

Across these five use cases, the McAfee CASB provides multiple solutions to deal with Shadow IT concerns. Not only can the CASB identify, assess, and govern cloud services, but it can also limit data exfiltration and enforce policies with highly granular criteria. With CASB’s multi-faceted approach, companies can rest easy about using a large variety of cloud services. To learn more about other CASB use cases and the deployment architecture best suited to each use case, download the full eBook here.

About the Author

McAfee Cloud BU

Learn about cloud threats, the latest cloud security technologies, and the leading approaches for protecting data in cloud services.

Read more posts from McAfee Cloud BU

Categories: Cloud Security

Subscribe to McAfee Securing Tomorrow Blogs