Cloud access security brokers (CASBs) insert security between enterprises and their cloud services by providing visibility and access control, but IPv6 could be causing a dangerous blind spot.
That’s because CASBs might not support IPv6, which could be in wide corporate use even in enterprises that choose IPv4 as their preferred protocol.
For example, end users working remotely have a far greater chance of connecting via IPv6 than when they are in the office. Mobile providers collectively have a high percentage of IPv6-connected subscribers, and broadband residential Internet customers often have IPv6 connectivity without realizing it. Internet service providers and software-as-a-service (SaaS) vendors both widely support IPv6, so a mobile worker accessing, say, Dropbox over a Verizon 4G wireless service might very well connect via IPv6.
Additionally, enterprises may contract with SaaS providers and Internet-based application services that use both IPv4 and IPv6 internet connectivity. IPv6 is now supported by major cloud providers, making it easier than ever for companies to IPv6-enable internet-facing web applications.
Certain CASBs might not see IPv6 traffic
So, wittingly or not, enterprises may be employing IPv6 for many internet connections that are used for common business functions. If the corporate choice of CASB (pronounced caz-bee) inspects and controls only IPv4 traffic, then these direct IPv6 connections could bypass corporate policies the CASB is supposed to enforce. If the CASB your organization selects is only looking at IPv4 connections, there could be dangers lurking in the blind spots.
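One way to measure this blind spot, shown as an added example that is not part of the original article: compare flow records from a firewall or NetFlow exporter against the CASB's own session log and report, per address family, how many cloud connections the CASB actually logged. The record layouts, hostnames and addresses are constructed assumptions, and IPv4-mapped IPv6 addresses are folded back to IPv4 so dual-stack logging does not produce false gaps.

```python
import ipaddress
from collections import Counter

# Constructed sample data (not from a real network); all addresses are in
# documentation ranges. Flow records as a firewall or NetFlow exporter might
# report them: (client address, server address, server name from TLS SNI).
FLOWS = [
    ("192.0.2.10", "198.51.100.20", "files.example-saas.test"),
    ("2001:db8:a::10", "2001:db8:f::20", "files.example-saas.test"),
    ("2001:db8:a::11", "2001:db8:f::20", "files.example-saas.test"),
    ("192.0.2.12", "203.0.113.5", "crm.example-saas.test"),
    ("::ffff:192.0.2.13", "::ffff:203.0.113.5", "crm.example-saas.test"),
]
# Sessions the CASB logged for the same period: (client address, server name).
CASB_SESSIONS = [
    ("192.0.2.10", "files.example-saas.test"),
    ("192.0.2.12", "crm.example-saas.test"),
    ("192.0.2.13", "crm.example-saas.test"),
]

def normalize(addr):
    """Parse an address; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) back to IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def casb_coverage(flows, casb_sessions):
    """Return (per-family coverage ratio, flows the CASB never logged)."""
    seen = {(normalize(c), name.lower()) for c, name in casb_sessions}
    total, covered, missed = Counter(), Counter(), []
    for client, server, name in flows:
        ip = normalize(client)
        family = f"IPv{ip.version}"
        total[family] += 1
        if (ip, name.lower()) in seen:
            covered[family] += 1
        else:
            missed.append((str(ip), server, name))
    coverage = {fam: covered[fam] / total[fam] for fam in total}
    return coverage, missed

if __name__ == "__main__":
    coverage, missed = casb_coverage(FLOWS, CASB_SESSIONS)
    for fam, ratio in sorted(coverage.items()):
        print(f"{fam}: CASB logged {ratio:.0%} of cloud flows")
    for client, server, name in missed:
        print(f"not seen by CASB: {client} -> {server} ({name})")
```

A large gap between IPv4 and IPv6 coverage for the same cloud service indicates that IPv6 sessions are reaching the service without passing through the CASB.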
Enterprises aren’t the only ones that might overlook this danger. Gartner outlines four pillars of functionality that CASBs should possess to be suitable for enterprise deployment:
- CASBs must provide visibility to end-user behavior and the cloud services used.
- CASBs should be cognizant of data classification, data marking and confidentiality.
- CASBs should help the organization protect against Internet/cloud threats and malicious behavior.
- CASBs should provide governance of cloud service usage based on corporate policies.
These are good goals, but they should be expanded to explicitly include IPv6:
- CASBs must provide visibility to connections that could be occurring using IPv4, IPv6 or a combination of both.
- CASBs should be cognizant of data classification, marking and confidentiality regardless of client IP address family.
- CASBs should protect against Internet-based threats that could be transported over either IPv4 or IPv6 and alert to malicious behavior occurring over either protocol.
- CASBs should provide control and governance based on corporate policies dictated by physical location of either the end-user or the cloud service and should also be aware of geolocation information based on IPv4 or IPv6 address.
Enterprises may not immediately enable the IPv6 features in a product or service. But by purchasing products and services that already support IPv6, they have the option to enable IPv6 on their own schedule.