ASIA-PACIFIC TELECOMMUNITY
The 27th APT Standardization Program Forum (ASTAP-27)
7 – 11 March 2016, Pattaya, Thailand
Document No.: ASTAP-27/INP-41
29 February 2016

Republic of Korea

ACCESS CONTROL PROCESS FOR CLOUD SERVICE SECURITY: 2-TIER CASB (INLINE GATEWAY)

1.  Introduction

Services using CASB (Cloud Access Security Broker) are a new business model for cloud-based software services and an innovative security service technology that resolves the security issues that have been major obstacles to the expansion of SaaS (Software as a Service).

CASB is placed between SaaS application users and SaaS applications and supports access control, anomaly detection, DLP (Data Loss Prevention), and logging/audit.

CASB can be deployed at the gateway of an organization using cloud services, inside the system of a public cloud service, inside a public cloud application, and so on. Each deployment has its specific purpose.

Lately, many companies and institutions use public cloud services to achieve their goals efficiently. The systems of such public cloud services store work-related information from each organization, but they have trouble correctly applying each organization's unique security policy to that organization's own information.

Therefore, to apply each organization's unique security policy, cloud service providers plan to install and run a CASB that can independently support security features inside their public cloud service centers.

Considering its security control performance and convenience of use, we would set up CASB inside a public cloud service center in the form of an inline gateway. But there is not yet an established execution process that realizes the various functions of a CASB inline gateway. CASB is being developed by different companies and can run in different modes, among them inline gateway mode, proxy mode, and security control API mode. To achieve compatibility and efficiency in such a complicated operating structure, we need to establish an execution process for the CASB inline gateway.

Among the various operation modes of CASB, we propose an execution process in which a CASB inline gateway performs security control in a public cloud service center.

2.  Process of 2-tier Cloud Access Security Broker

The attachment contains the access control process for cloud service security with a 2-tier Cloud Access Security Broker. We propose the following attachment as the process of 2-tier CASB.

3.  Conclusion

In ASTAP-26, we presented our first document about CASB (Cloud Access Security Broker), "Structure of CASB: 4-tier Cloud Access Security Brokers". That document described a 4-tier CASB structure (Secure Agent - CASB Proxy - CASB Inline Gateway - CASB Secure API). This document is our second about CASB and discusses the security service process of the first step of the proposed CASB structure. In other words, this document explains the service process required when cloud service providers use a CASB Inline Gateway to provide customers with cloud security service.

Based on the process of 2-tier CASB in this document, we need to start research on a process that minimizes overlapping security controls among the CASBs in 3-tier or 4-tier CASB structures.

Attachment: Structure of Cloud Access Security Brokers

Table of Contents

1.  Introduction

2.  Scope

3.  Terms and Definitions

4.  Structure of 2-tier Cloud Access Security Broker

5.  Functions and Process

6.  References

1.  Introduction

CASB is a system that provides separate security features for SaaS applications. It serves as a platform to meet each customer's security demands effectively, without burdening public cloud service providers with implementing more complicated security features to meet exactly the same demands.

The CASB inside a public cloud service center operates as an inline gateway. The overall operating structure is 2-tier so that unauthorized access can be detected effectively; authorized users must use CASB agents.

This document presents the functions and execution process that such 2-tier CASB provides.

2.  Scope

The scope of this document covers the method by which public cloud service centers satisfy customers' security demands when each organization uses public cloud services in its own way for work. It first presents the structure of the 2-tier CASB and then explains the functions of each component and the execution process of each function.

3.  Terms and Definitions

- CASB: on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed.

- SaaS (Software as a Service): software that is owned, delivered and managed remotely by one or more providers.

- Public Cloud Computing: a style of computing where scalable and elastic IT-enabled capabilities are provided as a service to external customers using Internet technologies.

- CASB administrator: service system manager of the CASB inline gateway.

- CASB security manager: security manager of a customer (company, institution, etc.) who performs CASB-related security tasks.

- User: ordinary user who uses a public cloud system.

4.  Structure of 2-tier Cloud Access Security Broker

Users can access public cloud services from outside, using PCs, laptops, tablets, or mobile devices. To perform consistent security control in such environments, we need to set up the 2-tier CASB consisting of the CASB inline gateway and the Secure Agent, as shown in the picture above.

-  CASB Inline Gateway

Generally, the public cloud service provider supplies services using SaaS applications from various vendors. The credibility of the public cloud service depends on whether users are accurately charged for how much they have used the service. Exact billing in turn depends on accurately measuring how much each user has used each SaaS application, and the biggest obstacle to exact billing is the use of SaaS applications by unauthorized users or identity thieves. The CASB inline gateway controls security at the gateway of the SaaS system as an appliance. While SaaS services are usually delivered as encrypted data, as with SSL, the CASB inline gateway operates inside the system, so it does not need to deal with encrypted data.

-  Secure Agent

Secure Agent is a client program for effectively operating all CASB functions. It performs user authentication and secure communication, and the mobile Secure Agent additionally supports VPN (Virtual Private Network) to secure the connection to CASB and to prevent bypass connections.

5.  Functions and Process

CASB applies a different security policy for each organization and performs security control on public cloud users. The most important feature of CASB is access control; it also performs anomaly detection, risk analysis and management, audit, and logging. The picture below depicts the key functionalities of CASB.

The following steps are needed to complete basic setup for security control:

① Cloud service providers request the CASB administrator to register the cloud services subject to security control in CASB.

② The security manager of an organization using cloud services requests those services from CASB.

③ The CASB administrator registers the organization's information.

④ The security manager registers the information.

⑤ The security manager logs in and registers the cloud services of his or her organization, its users, and its security policies.

After that, whenever a user attempts to access cloud services, CASB performs the applicable security control. The sequence diagram below shows the process of the 2-tier CASB.
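To make the five setup steps and the subsequent per-request control concrete, the following Python model is an added example (not part of this ASTAP input document or of any vendor's CASB): the CASB administrator registers cloud services and organizations, each organization's security manager registers its own users and policies, and the inline gateway decides every request under that organization's policy, denying unknown users and connections that bypass the Secure Agent, and logging each decision for audit. All names (Casb, demo, "acme", "mgr-acme", "saas-docs") are constructed.

```python
class Casb:
    """Registry and inline-gateway decision point of the 2-tier CASB (constructed model)."""
    def __init__(self):
        self.cloud_services = set()   # step 1: services registered by the CASB administrator
        self.managers = {}            # steps 3-4: organization -> its CASB security manager
        self.users = {}               # step 5: user -> organization
        self.policies = {}            # step 5: organization -> {service: allowed actions}
        self.audit_log = []           # every gateway decision is recorded for audit

    def register_cloud_service(self, service):         # step 1 (CASB administrator)
        self.cloud_services.add(service)
    def register_organization(self, org, manager):     # steps 3-4 (CASB administrator)
        self.managers[org], self.policies[org] = manager, {}
    def _require_manager(self, manager, org):          # only the organization's own manager may configure it
        if self.managers.get(org) != manager:
            raise PermissionError(f"{manager} is not the security manager of {org}")
    def register_user(self, manager, org, user):       # step 5 (security manager)
        self._require_manager(manager, org)
        self.users[user] = org
    def set_policy(self, manager, org, service, allowed_actions):  # step 5: a service and its policy
        self._require_manager(manager, org)
        if service not in self.cloud_services:
            raise ValueError(f"{service} is not registered in CASB")
        self.policies[org][service] = set(allowed_actions)
    def check_access(self, user, service, action, via_secure_agent):
        """Inline-gateway decision for one request, applying the user's organization's own policy."""
        org, reason = self.users.get(user), None
        if not via_secure_agent:
            reason = "connection bypassed the Secure Agent"
        elif org is None:
            reason = "unknown user (possible unauthorized use or identity theft)"
        elif action not in self.policies[org].get(service, set()):
            reason = "action not permitted by the organization's policy for this service"
        decision = "ALLOW" if reason is None else "DENY"
        self.audit_log.append((user, service, action, decision, reason))
        return decision

def demo():   # the five setup steps, then four access attempts (constructed sample data)
    casb = Casb()
    casb.register_cloud_service("saas-docs")                      # step 1
    casb.register_organization("acme", "mgr-acme")                # steps 2-4
    casb.register_user("mgr-acme", "acme", "alice")               # step 5
    casb.set_policy("mgr-acme", "acme", "saas-docs", {"read", "upload"})
    return [
        casb.check_access("alice", "saas-docs", "read", via_secure_agent=True),    # ALLOW
        casb.check_access("alice", "saas-docs", "share", via_secure_agent=True),   # DENY: policy
        casb.check_access("mallory", "saas-docs", "read", via_secure_agent=True),  # DENY: unknown user
        casb.check_access("alice", "saas-docs", "read", via_secure_agent=False),   # DENY: agent bypass
    ], casb.audit_log
```

Running `demo()` returns the four decisions together with the audit log, whose denied entries carry the reason the gateway recorded.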

6.  References

[1] http://www.gartner.com
