Most organizations that operate their own data center have built a full stack of security solutions into their environment. The stack includes everything from anti-virus to advanced persistent threat (APT) detection, data loss prevention (DLP), anomaly and insider threat detection, and more. Suffice it to say that information passing in and out of the private data center, as well as virtually every user action, is scrutinized in numerous ways to keep the bad stuff out and the good stuff in.
In the traditional data center, companies have the ability to implement layers of security, privacy and compliance tools around their data. Now when they want to move their applications and data to the cloud, there is this question of how to implement those layers. Many cloud-based applications don't natively have the types of controls that enterprises must have, so companies are left to provide those controls for themselves.
This challenge gave birth a few years ago to the market known as cloud access security brokers. CASB solutions typically serve two purposes. First, they help companies discover precisely what cloud applications their employees are using. Second, they add some of the security, privacy and compliance controls that organizations must have around their data.
The CASB market has been maturing and growing over the past few years. In late November, the market gained one more player when Avanan came out of stealth mode with general availability of its Complete Cloud Governance Platform. Avanan's main differentiator is that it offers the full security stack that includes best-of-breed solutions from more than 60 leading vendors, including McAfee, FireEye, Symantec, CheckPoint and dozens of other security companies. This gives enterprises the flexibility to apply the precise controls they need for their SaaS applications.
Another differentiator for Avanan is that it doesn't use the proxy model, where enterprises must push all their cloud-bound traffic through a specific gateway to get the benefits of the security solutions. When designing their platform, Avanan architects realized that the proxy model misses the traffic that goes directly from an off-network device to a cloud service; for example, an end user accessing Salesforce from home. Unless that traffic is pushed through the CASB gateway via a VPN, the controls might never get applied.
Rather than using a proxy, Avanan uses an API model that connects directly from the Avanan platform to each cloud vendor's infrastructure to get more visibility and to uniformly apply the controls, as shown in the graphic. Today Avanan supports Google Drive, Box, Office 365, ServiceNow, Salesforce, Dropbox and Workday, and more applications are on the way.
On its own, the Avanan platform provides rights management, unified automated policy, and compliance reporting for the various SaaS applications in use. Avanan enables an enterprise to build a single policy across the cloud. For example, an organization that has to comply with both SOX and HIPAA can apply the policy controls in one central place so they are instituted uniformly across the various cloud applications.
On top of that, customers can choose which third-party security tools to implement. Avanan has worked closely with more than 60 vendors – again, with more to come – to offer cloudified versions of the tools, even if a vendor itself doesn't have a cloud version of its own product. Avanan executives say they are essentially another distribution channel for these vendors. Because all of these security tools are combined through one platform, Avanan can make them interoperable through single policies.
Applying a security tool is as simple as going into the Avanan dashboard and toggling an on/off switch to apply the tool to a particular application. For example, an enterprise can apply Symantec's DLP tool to Box and Dropbox but choose not to apply it to Office 365 email. This approach allows an enterprise to granularly apply as much of a security stack as it needs per application, all within minutes. The security tools available include:
- Advanced persistent threat detection
- Data leak prevention
- Anomaly and insider threat detection
- Data sanitization
- Endpoint compliance
- Shared policy management
- Automated response
- Compliance auditing
- Shadow IT and shadow SaaS detection
Some of the tools are not otherwise available for use in the cloud; Avanan has worked with the vendors to adapt them specifically for this platform. Customers can do a trial run of the various tools before subscribing to them. Another advantage is that tools can be mixed and matched across the clouds. For example, Palo Alto Wildfire can find something to be malicious, and then CheckPoint threat extraction can clean the file and remove the malware.
Pricing for the Avanan platform is the typical per-user, per-month subscription model. The security tools are an add-on fee. If an enterprise already has a license agreement to use any of the security tools from the original vendors, the license can be adapted to the monthly subscription fee. Some enterprises may find they can reduce the cost of their security tools because of Avanan's volume licensing.
Avanan's platform is on the Amazon cloud, but it is portable and can be deployed on other cloud platforms, including private clouds, at a customer's request. Avanan provides each customer with a single-tenant environment. When the customer spins up a new security service, Avanan spins up a virtual cloud-based appliance from the security vendor. Avanan takes care of all of the deployment and scaling and does everything behind the scenes to maintain performance.
Long-term, Avanan intends to build out its SaaS application offerings so that companies can run their business in the cloud while applying the full security stack now available for private data centers.