Secure Cloud Access: a Beginner's Guide to Cloud Security

Cloud access security is a term that may not be familiar to everyone. Securing cloud access deals with access control and threat detection in cloud applications, such as G Suite or Office 365. Information security managers secure cloud access in two kinds of cases:

• Access from a local network to authorized or unauthorized cloud services
• Access from anywhere to an organization's cloud resources

What Does it Mean to Secure Cloud Access?

Cloud access security covers issues such as risk assessment, policy violations, shadow cloud applications, and account misuse. Unlike a firewall, it concerns itself with application-specific policies and the actions of apparently legitimate users.

The difference is important. As more organizations move to the cloud, access to email, files, and databases needs to be secured within the cloud environment, as well as on entry and exit. Weaknesses in security aren't limited to malware but can also include improper use of accounts, malicious mobile apps, and more. This type of activity will not be caught with traditional firewalls alone.

How to Secure Cloud Access

An appliance or software service that manages cloud access security is called a cloud access security broker, or CASB. This term covers a variety of approaches.

The traditional CASB uses a proxy or agent that stands between the users and the services. In most cases, it's a forward proxy, residing on the edge of the local network. All requests that originate locally will pass through it. It can catch access to unauthorized services (shadow cloud IT) but not access to services from outside the local network.

Deployed as a reverse proxy, a CASB sits in front of one or more cloud services. All access to the accounts and resources use the proxy to go through it.

A different CASB approach has emerged and proven to have many advantages: cloud application security. Cloud application security uses the API of SaaS applications, rather than an agent or proxy. This approach offers several benefits:

• Greater speed to set up and efficiency
• No impact on network performance or end-user experience
• Less disruption when SaaS applications change
• More precise visibility and control
• Complete coverage, protecting access to cloud applications from anywhere on the Internet, from any device

The CASB terminology is unsettled. It is often used for all these methods. Here, we'll use CASB for proxy-based technology, as distinguished from API-based cloud access (or application) security. The API-based approach doesn't sit between the user and the application but rather is integrated into the application. So, it isn't really a "broker."

Benefits of Cloud Access Security

Using a cloud access security solution provides a number of benefits:

• User monitoring and compliance: Monitoring users will catch deviations from normal behavior, such as logging in from a different place or at an unusual time, a jump in data usage, or a qualitative change in account usage. Such shifts may indicate a hijacked account or an insider threat.
• Data loss prevention: If sensitive data is being exported in an unusual way, that may be a sign of data theft. A cloud application security solution will report anomalies so that administrators can take a closer look. It will also catch unintentional data leaks, such as an employee accidentally sharing a file containing credit card numbers with users who shouldn't be able to access it.
• Malware and threat protection: malware and phishing schemes are evolving with the trend toward cloud computing. These threats now go beyond infected email links to include malicious cloud/mobile applications and file sharing. Cloud security tools will detect and quarantine all types of malware in the cloud environment, which a firewall or gateway would never be able to detect.

Whether you decide to use a proxy-based CASB or an API-based cloud security solution to secure cloud access for your organization, it largely depends on your technical requirements. The most important takeaway here is that, if your organization is using cloud applications (like G Suite and/or Office 365) and you're not securing it with a cloud access security solution, your information is vulnerable.