ℹ️ CASB integrations update
Presented by: Alex Dunbrack, Tarika Srinivasan
Originally aired on February 25, 2023 @ 7:00 AM - 7:30 AM EST
Welcome to Cloudflare CIO Week 2023!
This CIO Week we’ll demonstrate how Cloudflare is helping CIOs keep data, devices and employees both safe and fast across hybrid and remote environments. We’ll show how Cloudflare accelerates digital transformation and modernizes networking and security towards a Zero Trust model.
In this episode, tune in for a conversation with Cloudflare's Tarika Srinivasan and Alex Dunbrack about our new CASB integrations with Salesforce and Box.
Tune in all week for more news, announcements, and thought-provoking discussions!
Read the blog posts:
For more, don't miss the Cloudflare CIO Week Hub
English
Transcript (Beta)
Hi there. My name is Tarika Srinivasan. I'm a product marketing manager here at Cloudflare and I'm joined with Corey Mahan, who is a director of product for our Zero Trust platform.
And today we actually announced during CIO Week that we have two new integrations for our Cloudflare CASB product, one for Salesforce and one for Box.
But before we dive right into that, Corey, since you've been a critical part of helping build out the Cloudflare CASB product over the past year, could you just give us a quick rundown on what it is?
Yeah, totally. Thanks for having me today as well, Tarika.
Yeah, so when we talk about Cloudflare CASB, what we're talking about is a cloud access security broker.
A lot of words there.
What does it really mean? Well, there's kind of two camps when we think about CASB.
The first is inline, meaning sitting inline or in between the connection between the source and the destination.
Cloudflare has lots of those capabilities for our inline services, usually supported by Cloudflare Gateway and that product suite, making sure that we can do things like tenant control so that your end users can only access your instance of, say, Box versus Box.com in their personal account.
Other things like inspecting traffic to make sure that they're not uploading or downloading anything potentially malicious.
So that's the inline version.
We're excited about that, but today we're really going to focus on the API version.
That second camp is really what we're talking about in how we connect to the various services that we're helping protect, and that is, as the name implies, via API.
So an API-driven CASB or an API CASB, the center of this conversation, helps companies make sure that the data that their employees in their organization is accessing is protected, is safe, and a simple misconfiguration or an overprivileged user or a user we forgot to deprovision are all taken care of.
So really, at the end of the day, what we're doing is helping you keep your data secure using a product like CASB for the various services that you use.
Yeah, and since this is CIO week, Corey, if you put yourself in the shoe of a CIO, why would a product like Cloudflare CASB actually be helpful and useful to them?
Yeah, great question. I think about it from any type of, in a day-to-day, just as a regular user, if you will, the amount of things that you share internally, you send that link in chat, you email this link to a partner, you download this file, you upload to that folder, all of those things are part of our daily lives, especially when we're adopting more and more SaaS.
So if I'm a CIO, I'm thinking about, okay, cool, we're moving all this data around.
Is it moving to the right place?
Is it being accessed by the right people? Have we removed access for those that shouldn't have it?
And all the things around that data control, that data protection, that data privacy to some extent.
And so I'm really, really worried about that because as we've seen in recent past, in some in more public cases than others, how easy it is to overshare in addition to how easy it is to upload, hey, I was dragging all of my downloads to the upload folder and oops, I forgot that there was a customer spreadsheet and there wasn't some data that shouldn't be moved anywhere.
So all of those little things. So if I'm a CIO, I'm worrying about, hey, I want to encourage my end users to continue to use SaaS and to continue to use the cloud for all of the things, but in that we have to make sure there's some guardrails in place.
So that's what I'm most thinking about as an end user, all the way to, I guess, as a CIO.
Yeah. And when I think about also the past few years, given the pandemic and a lot of organizations adopting remote or hybrid work comes with that kind of a shift to the cloud for all of your productivity suites and tools.
And so how do you kind of see remote work being and Cloudflare CASB kind of being essential to that picture?
Yeah, I think they go hand in hand.
I think there's a lot of great native built-in controls that should be leveraged totally within these SaaS services and specifically within the business suite set of services.
But where CASB really shines and adds the value is the behaviors and the settings and services and data across those SaaS services.
So it may be your business suite, it may be your telecommunications suite, maybe your chat suite, maybe your storage suite, maybe your CRM.
Knowing that, hey, we'll pick on ourselves here.
Tariq and Corey are sharing stuff publicly in all of these services and Tariq had downloaded all of our data from our CRM and moved it over to this personal Google Drive.
Like, that's a bit odd. And so while these services help accelerate business and make sure that we can collaborate much easier and faster, they also introduce more attack surface and more areas for CIOs to care about, right?
It used to be, you know, kind of guard the bank vault, the one door in and out.
And now there's hundreds, if not thousands of doors in and out and windows and all the other ways people can get in and out as part of our jobs.
So how do we make sure that we're protecting those? How do we add guardrails where we need to?
And then how do we see that complete visibility across all of those services?
And that's exactly what the API-driven CASB does, integrating with those services and then shining the light across what all that looks like to get kind of that single bit of glass.
When I think about our CASB product, I often think about the statement, you can't protect what you don't see or know.
And I feel like our API-driven CASB really does like lift that curtain to unveil all the security issues that you maybe didn't know.
And so over the past year or so we've launched a variety of integrations with very popular SaaS apps, some of them being a Microsoft 365, Google Workspace, Slack, and now we're GitHub as well.
And now we're introducing Salesforce and Box.
Why was this the next important two SaaS apps to introduce to our CASB integration set?
Great question. So there's, I think for every business, you know, different levels of risk exist based off of their business, right?
Maybe this company stores all their sensitive data in this SaaS service and another in this SaaS service.
So really how we prioritize this is listening to customers and where their customer demand is.
And if you think about these two services with immense amount of built-in security controls, which are fantastic and you should totally leverage those, but the addition of the API integrations from the cloud for CASB gives you that additional layer of insight and then ties everything together.
So why Salesforce? Well, it is where most companies store all of their customer data.
For those unfamiliar with Salesforce, it's a CRM or a customer relationship management cloud-based software that helps, you know, with flexible sales operations, quoting, contracting, customer engagements.
And so there's a lot of customer centric data that's stored there.
Kind of like the vault, if you want to think about it in regards to customer data, who's buying what, et cetera, et cetera.
And so for example, just to kind of make this very easy and clear is, you know, during some of the early onboardings with the Salesforce integration through the API CASB of Cloudflare, one of the Salesforce administrators literal quote was, oh, explicit.
As they soon realized that a lot of their contracts were publicly available on the web via a link, right?
And so it's just a simple oops and hmm, your pricing data is now on the Internet is not a great thing.
And so it's just a simple issue like that or a simple oops like that of why we really partnered and built this integration.
Second with Box, it is a very popular storage service for those unfamiliar with Box.
You can think about it as a content cloud, if you will, where you can store data, docs, files, folders, pictures, anything that you'd want to enable and accelerate your business from a collaboration perspective, and maybe a backup use case.
There's lots of different things that help within the business. And obviously, they have a personal offering as well.
So why Box? Well, a lot of our customers move a lot of their data through Box.
And so they were asking, hey, there's, again, we've turned on all the native stuff, but we want to see what this looks like across services.
And so you can think about things like, hey, my Box admin doesn't have the 2FA enabled all the way to we've shared this Box folder with a contractor that we'd stopped doing business with three years ago.
Maybe we should bring that in, a little bit of housekeeping, right?
And everything in between.
So these two services we see our Cloudflare customers using, and we listen very closely to them.
And thus, we prioritize both of these. If we deep dive kind of into specifically the Salesforce integration, is there anything interesting or something that as a security person, you wouldn't necessarily think about checking for as a finding that the CASB integration detects?
Yeah, great question. I think you can kind of center it all around back to kind of, well, what are we protecting?
And that's the data, right? And so data that's perhaps there's files or folders shared publicly that have no password.
That's one that you're like, oh, yeah, we should probably look at least what those are.
Maybe they're intentionally there, maybe they're not.
And then two is, OK, there's stuff shared publicly.
This is the one I was like, ah, share publicly with a password. But that password is super weak or a lowercase string tag, it's password or something like that.
But someone just said it in haste to try to do something quickly. Those are the things where you're like, oh, OK, what else is here, right?
And so just around the sharing behavior of that data and what's available, again, the tools are there.
You can set a password if you'd like, you can make it strong, but did you?
And so those are the things I found very, very intriguing, kind of surfacing immediately within the first couple seconds of connecting to Salesforce.
And then when we think about Box similarly, what is our integration kind of surface that is out of the ordinary?
Yeah, some really cool things I think about with Box in particular are, again, back to that, and I'll pick on this use case because it usually gives CIOs and CISOs the most heartburn of like, oh, that's public on the web.
One that's really, really cool with Box is a file or a folder with a high view count, right?
So, hey, you've got this file public and the file name is marketing template.
Totally OK, right? That's what it's supposed to be.
And that view count kind of helps you understand who's looking at what.
When you see one like Q4 earnings and it's not the end of Q4 yet, and that's public with a high view count, oh, what's going on here, right?
And so it's not just the, hey, here's a bad thing or potentially bad thing, it's here's a thing with some context around.
And so those are the things I think I'm most excited about for how I think customers will leverage the Box integration.
And so when I think about also these SaaS applications, specifically Salesforce or even Microsoft's of the world, they have already really strong built-in native security in their applications.
How does Cloudflare CASB either supplement or kind of layer on additional protections for an integration for the Salesforce or Box?
Great question.
Yeah. So I think it's twofold. One, and I've already touched on a little bit, is seeing the different services together.
For example, I'm unaware of any, but as one is, how many Box and Salesforce sharing permissions can you look at in a single screen?
Right? Can you look at Tarika and understand what she's, her activities across these services without this type of tool?
And the answer is usually no.
So that's one unique benefit is that, okay, I can leverage the existing technology and controls there and start seeing them together.
The second is the, what I would call like the ancillary behaviors, right? And so we can understand using kind of the wider Zero Trust Suite.
What makes it awesome is, hey, for users, we'll pick on Tarika and Corey again.
Hey, they're uploading everything.
They're copying all this stuff that we don't want to. We are uncovered this via the API integration to say Box.
Using the wider Zero Trust Suite, we can now isolate their session using something like our remote browser isolation technology and just stop uploads for those two users or that group of users or all of those users.
So we can turn their session into a read-only session. So we don't have to worry about them oversharing until we've had a conversation with them or we've educated them on what they should or shouldn't be sharing.
So it's not only just that this, kind of the, we talk about it internally, one plus one equals three, two individual things making the greater whole when they work together.
That's the exact same with our API CASB and these integrations.
And that's really great to mention because I think the power of our Cloudflare CASB tool is actually being built into our larger CF1 Zero Trust platform.
How does CASB today kind of work across the different existing tools?
And like, do you see the Cloudflare CASB getting closer towards other products in our platform today?
Yeah, great question. I think the one existing today is obviously for inline actions.
So blocking via the, what we would call gateway.
So for example, to the previous use case of, hey, Tariq is behaving in a way that we would prefer if she didn't, we need to have give her some training.
There's a one -click policy option that integrates with gateway to create a block policy for certain behaviors, such as uploading to say, Google Drive.
That is just in production today and anyone can use it if it's a Cloudflare CASB or a gateway customer.
Ones that we're forward looking to and are excited about, there's a blog out today actually related to this, or I believe it was yesterday around CASB plus DLP.
And so back to the, hey, we've surfaced all these behaviors and we've surfaced all these settings and permissions and these data sharing behaviors.
Now going then level deeper of, hmm, this file or folder had 30 credit card numbers in it, or this file had tons of PII and integrating with our DLP platform to say, hey, you really should address this one first, and then this one second, and then this one third, so that we're not only just highlighting the risk, but also giving you actual tangible steps to remediate it.
So CASB and DLP are kind of one in the same, and we joke internally that they're kind of yin and yang, they go one hand in hand.
So that integration and those two products will become very, very much intertwined married at the hip.
And kind of adding to that, I know we also have like a remote browser isolation tool.
And so when we find a kind of surface threats using API CASB, and then we're starting to block them, I think another cool thing is that you could also isolate those threats using a remote browser product.
And then looking forward, looking for CASB integrations overall, like what do you see down the line?
How do you feel that we're going to kind of grow the product overall in terms of number of integrations and what SaaS apps we're going to support?
Yeah, great question. We're definitely focused on customer demand.
And so if you're a current customer or soon to be, we listen very intently.
That's how we arrived at building these two.
One I can kind of tease out a little bit is thinking about kind of that business operations or your collaboration toolkits, right?
So those cloud-based services that you use for your engineering wiki-like services, those are ones we're working on now.
And then we'll continue to expand it to where our customers are most concerned and to where the most risk lies, right?
Is it the HR apps of the world, which is very much likely the case where all of our employee personal data lives, payroll data, all of those services and things like that.
In addition, kind of the further CRMs of the world, again, customer data is kind of consolidated there as well as storage services of the world, right?
That is their job is to store lots of data.
And so those are kind of the three over-generic or generalized buckets that we kind of think about, but it doesn't mean that we won't go into something more specific as well.
So there is lots to protect. There's an N number of SaaS apps that are out there.
We're really focused on what makes the most impact and reduces the most risk for our customers.
Thank you so much, Corey, for chatting with me about Cloudflare CASB and our new Salesforce in -box integrations.
One last thing before we hop off is if someone wanted to get started with Cloudflare CASB today around how long does it take to get started and how can one do that?
Yeah, great question. So if you're an enterprise customer today in our Zero Trust suite or Cloudflare one set of products, I think we kind of joke, it would usually take you longer to find an admin than it will to set it up.
And so it is seamless to do.
We say usually over a cup of coffee, which is actually probably too long, your coffee would be cold.
It'll take about five minutes to do. So integrating, it usually follows what we would call an OAuth prompt or think about it as like a couple of clicks and then you're in.
And so it's really, really seamless to set up.
And CASB is available to our Zero Trust customers on contract plans.
Well, great. Thank you so much, Corey. Have a great rest of your day. Awesome.
Thanks for having me, Tariqa.