Securing IaaS and PaaS — A Look Back at Three Years of Innovation

Over the past several months we’ve been talking about the Critical CASB Use Cases  — there are 15 of these that we highlight, ranging from the management of unsanctioned versions of sanctioned cloud services to the control of managed vs. unmanaged device access to Microsoft Office 365. Worthy of a deeper dive are the various use cases found in the usage of Infrastructure as a Service (IaaS) platforms that require a CASB. By now, many of us know that it’s quite important to include services like Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure when assessing the risk of cloud service usage within the enterprise. This is validated by the many organizations who have recognized that they need to protect the critical workloads running in these services as well as the sensitive data residing in them. This has made the visibility and control of IaaS platforms one of the hotter topics for us so far this year and it’s gratifying to see increasing customer interest in securing IaaS platforms. As many folks know, here at Netskope we have been working steadily to expand our coverage of these services since we delivered the CASB industry’s first real-time, inline connectors for Amazon Web Services and Microsoft Azure way back in 2014. Today, Netskope provides both real-time, inline visibility and control of IaaS usage as well as API-based introspection across a range of IaaS platforms.

Here are some of the ways that organizations use Netskope to secure their IaaS platforms:

Granular visibility and activity-level control of IaaS usage

Many of our customers choose Netskope to better understand their IaaS usage and define granular policies to address any risky activities in IaaS platforms. Frequently, our customers have multiple instances of an IaaS platform running in their organization (e.g. for dev, QA and production or for different lines of business) and take advantage of Netskope’s unique ability to tailor different policies for each IaaS instance. Within a specific IaaS instance, they are creating granular policies for specific activities. For example, alert on the creation of a new VM instance within AWS, or block the reboot activity for a production workload in Azure. In AWS Identity and Access Management, they are able to restrict an AWS admin from creating new policies or modifying admin permissions.

Detailed IaaS audit logs for reporting and forensics

Some organizations want to maintain detailed audit logs of their IaaS usage for reporting and forensics purposes. For example, a Fortune 100 retailer is using Netskope API introspection for Google Cloud Platform to monitor all users and activities in GCP and they use Netskope to make sure that external developers are not accessing unauthorized projects or performing unauthorized activities on VM instances or other objects within specific GCP projects. Similarly, an international energy company needed to maintain a detailed audit trail of all admin activity across multiple instances of AWS being used by its different lines of business. They accomplished this with Netskope’s integration with the AWS CloudTrail API.

Sensitive data protection in IaaS clouds

The critical workloads in IaaS clouds are very often connected to stores of sensitive customer or business information, so most of our customers want to understand what data is moving into their IaaS clouds and take steps to protect their sensitive data. Netskope was the first CASB to deliver real-time, inline DLP capabilities for IaaS, which gives our customers the ability to detect sensitive content en route to and from Amazon S3 buckets and EC2 instances, Google Cloud Storage and Azure Storage and to create granular policies to reduce the risk of sensitive data exposure and maintain compliance with regulatory requirements. And Netskope’s deep visibility into the files moving in and out of IaaS clouds also enables our customers to use Netskope Threat Protection to inspect IaaS for malicious or infected files, such as web exploits, backdoors, and other forms of malware.

Protecting custom apps in PaaS and IaaS clouds

The ability to protect custom apps built or housed in a public or private PaaS or IaaS is imperative. Netskope’s capabilities include visibility and policy enforcement for these custom apps. For Netskope customers, this extends beyond simple access control, since we’re also able to apply Netskope Cloud DLP and Netskope Threat Protection to custom apps. For private PaaS or IaaS usage, the Netskope Universal Connector is used in combination with our on-premises solution that utilizes a wide range of heuristics to be able to detect user activity and scan for any DLP violations.

How do these use cases match up with your security needs for your IaaS platform? We’d love to hear from you.