The Most Critical CASB Use Cases in the Market Today: Prevent Data Exfiltration

As enterprises adopt cloud services across virtually every line of business, the cloud security market is maturing. Log-based discovery, once the prevailing cloud access security broker (CASB) use case, is now table-stakes, and forward-looking information security professionals are serious about getting the most out of their implementations.

Rather than cheer for or rail against a deployment method, we at Netskope are bringing to bear our ALL-MODE architecture to highlight some of the most critical CASB use cases we have seen in the market. We will publish a use case per week in this blog series. For the first 15, see “The 15 Critical CASB Use Cases”, our latest eBook.

And now for the first use case: Prevent data exfiltration

Many CASBs refer only to the first half of data exfiltration: that seen from API introspection and from a combination of cloud DLP-based e-discovery or data classification and activity feed from their sanctioned app’s API. If the admin is alerted to sensitive data being downloaded, they follow up. But they rarely actually know (or can prove) what happened next.

What if you could see the combination of that download by a user, followed by an upload to a personal or unsanctioned cloud storage app, and then a share of that data with an unauthorized user, someone outside of the company, or a competitor? Furthermore, what if you could enforce a single, granular, “set-it-once” policy across the Cloud Storage category to prevent that action?

To achieve this use case, the enterprise must deploy in forward proxy mode (with or without agents) if they want to monitor and enforce policies, or TAP mode if they choose to monitor only. Here are seven critical architectural requirements needed to achieve this use case:

• Detect sensitive data, e.g., “confidential,” either through e-discovery using DLP or detecting pre-classified data
• Be aware of context, e.g., activities such as “upload” and “download”
• Determine identity (e.g., [email protected] = [email protected] = [email protected])
• Differentiate between internal and external domains
• Know corporate vs. personal accounts
• Recognize and enforce differing policies between app instances
• See and control usage in both sanctioned and unsanctioned apps

Learn more about this and 14 additional most impactful use cases by downloading our eBook.