CASBs: A Better Approach to Cloud Encryption
Published 10/20/2015
By Anurag Kahol, Founder and CTO, Bitglass
Widespread enterprise adoption of public cloud applications like Office 365 has not come without security and compliance concerns. Most cloud apps function like a black box, providing little visibility or control over the handling of sensitive data. When cloud applications leave security gaps that the enterprise simply can’t live with, thoughts often turn to cloud encryption options.
This data may exist as structured data in an app like Salesforce, or as unstructured data in file sharing apps like Box or OneDrive. In either case, a cloud access security broker (CASB) provides a way to encrypt the data using keys that you control. A CASB also provides a central point for monitoring and managing access to those resources.
Encrypting cloud data at rest with CASBs
CASBs provide a central point of visibility and control across any cloud app used in an enterprise. Control comes in various forms, including contextual access control, data leakage prevention, and of course encryption for data at rest. A CASB works by mediating connections between cloud apps and the outside world, typically via a combination of proxies and API connectors to applications.
A CASB, or cloud access security broker, mediates the connections between end users and cloud applications, providing a central point of visibility, access control, and data security.
CASBs have become the de facto answer to encrypting cloud data at rest. Unfortunately, to keep encrypted data searchable once it sits in the cloud, early CASBs cut down the number of initialization vectors their products use, so that a given string has only one, or a handful of, possible ciphertexts. That is deterministic encryption in all but name: equal plaintexts yield equal ciphertexts, so the cloud provider, or anyone else with access to the tenant's data, can see which records share a value and how often each value occurs. Worse, an attacker who can push chosen values through the broker (by creating a record in the app, for instance) obtains a ciphertext for each one and can build a lookup table; that is a chosen-plaintext attack, and it reads back any stored field whose value appears in the table. For low-entropy fields such as names, dates, ZIP codes or diagnosis codes, this is little better than no encryption at all. Why bother encrypting if you use a weak scheme that can be cracked this easily?
Full-strength cloud encryption with Bitglass
Bitglass takes a patented “split index” approach to searching cloud-based content that allows you to have your cake and eat it too -- that is, full-strength crypto and search. In a nutshell, Bitglass brings the trusted security of a private cloud to powerful and flexible public cloud applications, allowing you to safely take advantage of apps like Office 365, Salesforce, Box, and ServiceNow.
Unless a user accesses the cloud application through the Bitglass service, he or she will see nothing but meaningless ciphertext.
With a few clicks, a CASB like Bitglass can replace sensitive fields and files inside the application with copies encrypted under keys that you control, using encryption algorithms of your choosing, so your existing key management system works out of the box. The ciphertext can be stored in the cloud app itself or kept on-premise; in the latter case, the only thing the cloud application holds is an encrypted pointer to where the data lives in the local data store.
When a user searches for data, the query is executed against a local search index, which returns all of the associated pointers to Bitglass. Bitglass then searches the application for those pointers, retrieves the encrypted files or records, and decrypts them for the user on the fly. Because search never runs against the ciphertext, the ciphertext needs no special structure: every record can be encrypted with a fresh, random initialization vector, which is exactly what the searchable-encryption shortcut above gives up.
Because data is encrypted in the app, it’s not readable by prying eyes. Even within your organization, access is provided by policy. In fact, unless the user is accessing the application securely through Bitglass, they will see nothing but meaningless encrypted pointers.
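The following is an added example, not Bitglass code, that illustrates both halves of the argument above. A toy stream cipher (HMAC-SHA256 in counter mode, standing in for AES-CTR so that the script runs with the standard library alone) is first driven with a single fixed IV to show the chosen-plaintext dictionary attack against "searchable" deterministic encryption, and then with a fresh IV per record inside a small split-index broker: a term-to-pointer index that stays on-premise, and a cloud store that holds only opaque pointers and randomized ciphertext. The pointer format, tokenizer, candidate list and sample records are constructed for the example and assume nothing about Bitglass's actual implementation.

```python
# Added example (not Bitglass's code). Toy cipher + split-index broker to show
# (1) why a fixed/reduced IV set makes encrypted fields recoverable without the
# key, and (2) how a local index keeps search working with a random IV per record.
import hashlib
import hmac
import os
import re
from collections import defaultdict

NONCE_LEN = 16


def _keystream(key, nonce, length):
    """Derive `length` keystream bytes as HMAC(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext, nonce=None):
    """Return nonce || (plaintext XOR keystream).

    nonce=None draws a fresh random 16-byte nonce per call (the sound mode).
    A caller-supplied nonce reproduces the "few IVs" shortcut of early CASBs.
    """
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key, blob):
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# --- (1) Deterministic encryption: chosen-plaintext dictionary attack ----------

FIXED_IV = b"\x00" * NONCE_LEN  # "one IV for the whole tenant"
CANDIDATES = [b"diagnosis=flu", b"diagnosis=hiv", b"diagnosis=none"]  # constructed


def dictionary_attack(oracle, stored_ciphertexts, candidates):
    """Attacker has no key but can submit plaintexts through the broker (e.g. by
    creating a record) and observe the ciphertext the app stores. Builds a
    ciphertext -> plaintext table and reads back every stored field in it."""
    table = {oracle(c): c for c in candidates}
    return [table.get(ct) for ct in stored_ciphertexts]


def attack_with_fixed_iv(key=b"k" * 32):
    oracle = lambda pt: encrypt(key, pt, FIXED_IV)                 # weak broker
    stored = [oracle(b"diagnosis=hiv"), oracle(b"diagnosis=flu")]  # victims' rows
    return dictionary_attack(oracle, stored, CANDIDATES)           # both recovered


def attack_with_random_iv(key=b"k" * 32):
    oracle = lambda pt: encrypt(key, pt)                           # fresh IV each time
    stored = [oracle(b"diagnosis=hiv"), oracle(b"diagnosis=flu")]
    return dictionary_attack(oracle, stored, CANDIDATES)           # nothing matches


# --- (2) Split index: search on-premise, store only randomized ciphertext -------

def tokenize(text):
    return set(re.findall(rb"[a-z0-9]+", text.lower()))


class SplitIndexBroker:
    """On-prem side keeps term -> pointers; the cloud app only ever sees
    pointer -> ciphertext, so the ciphertext needs no searchable structure."""

    def __init__(self, key):
        self.key = key
        self.local_index = defaultdict(set)  # never leaves the enterprise
        self.cloud_store = {}                # what the SaaS tenant actually holds

    def put(self, record):
        ptr = os.urandom(8).hex()            # opaque handle, unrelated to content
        for term in tokenize(record):
            self.local_index[term].add(ptr)
        self.cloud_store[ptr] = encrypt(self.key, record)  # random IV per record
        return ptr

    def search(self, query):
        terms = tokenize(query)
        if not terms:
            return []
        hits = set.intersection(*(self.local_index.get(t, set()) for t in terms))
        # Only now touch the cloud: fetch by pointer and decrypt on the fly.
        return sorted(decrypt(self.key, self.cloud_store[p]) for p in hits)

    def cloud_view(self):
        """Everything someone with the cloud tenant, but no key, can see."""
        return list(self.cloud_store.values())
```

Run `attack_with_fixed_iv()` and `attack_with_random_iv()` side by side: the same attacker code recovers both stored values in the first case and nothing in the second, with no change to the cipher or key, only to whether the IV is reused. The broker then shows the search path the article describes: the query hits the local index, pointers come back, and only those pointers are fetched from the cloud store, whose contents are indistinguishable even for two identical records.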
Many enterprises forgo the power and flexibility of public cloud applications for the sake of data security and compliance. With a split-index approach to cloud encryption, these businesses can have both without undermining the strength of the encryption or sacrificing the functionality of the applications. It’s an approach to cloud encryption that should make a cloud-first strategy more attainable for the most security-conscious of organizations.
Want to learn more? Watch our Glass Class on Cloud Encryption.