Opinion: Lise Feng, Director at CipherCloud, looks at Cloud Access Security Brokers (CASB) and what organisations should look for when selecting one.
If you aren’t considering deploying a cloud access security broker (CASB), you could be falling behind the technology curve. With most businesses now operating anytime and anywhere, employees need to collaborate in the cloud. This is shaping cloud security buying patterns as Gartner predicts that 85 percent of large enterprises will be using a CASB by 2020.
The cloud’s exponential growth also introduces an abundance of associated security risks. While cloud providers offer tools to manage access, and a growing number are beginning to offer shared key management for cloud data encryption, not every provider takes the same approach. This results in protection silos for each cloud with no consistent way to secure access and protect data across cloud applications.
CASB vendors, a new breed of technology providers who’ve sprung up over the past five years, address an enterprise’s need for multi-cloud protection. The breadth and depth of these vendors’ capabilities vary but the most complete providers address four pillars:
– Visibility – providing a consolidated view into sanctioned cloud usage patterns and Shadow IT reporting, detailing how and where users are accessing cloud data
– Compliance – monitoring data in the cloud for compliance with data privacy and data residency regulations as well as cloud risk scoring
– Data Security – providing a consistent level of file, field and object protection through encryption, tokenisation, collaboration controls and data loss prevention
– Threat Protection – analysing traffic and applying user behaviour analytics to find external threats such as compromised accounts and flag suspicious behaviour of privileged users
The four pillars can assist organisations when considering priorities for deploying a CASB. Not all vendors will be equally strong in each area. It’s up to the enterprise to identify the primary concerns driving the CASB implementation. This includes reviewing data governance scenarios and compliance requirements, ensuring they are up to date with new and emerging regulations, and developing specific use cases to ensure the CASB will provide the functionality required for real-world scenarios.
This checklist is a good start for enterprises thinking through their CASB framework:
Inventory and Evaluate Sanctioned Clouds
Identify your company’s sanctioned cloud usage and how compliance is impacted due to sensitive data flows, then report on Shadow IT cloud usage that can be consolidated or eliminated. You need to know which applications are in use currently, or planned for use in the next year, to make sure the CASB you choose will support them. Be aware that many CASBs integrate with specific applications, but what that means will vary from vendor to vendor. Consider not just the application itself but the cloud and on-premises ecosystem that must also be supported.
Impact on Your Existing Security Infrastructure
Investigate whether the CASB deployment will integrate with your identity and access management (IAM), security information and event management (SIEM), and enterprise data loss prevention (DLP) products. Ideally, policies already defined for your enterprise can be applied to cloud and internal data. Gartner recommends that IAM integration be a mandatory capability for CASB evaluation.
On-premises versus SaaS
Understand what components of a CASB can be deployed in the cloud versus on-premises. Capabilities such as encryption require regulated enterprises to maintain sole ownership of keys and encrypt data before it is sent to the cloud provider. A CASB solution should provide flexible cloud and hybrid deployment modes based on the business and operational needs of the enterprise.
Impact on Users
Be aware of the impact of the CASB on your end users’ experience. Protection of field and file data can be intrusive to how a user experiences a cloud service. Ensure users can continue to share, report, chart, search and sort on data using the tools within the cloud provider environment. Protecting sensitive data with technologies like encryption and tokenisation is easy, but preserving familiar operations is hard and requires a CASB with specific expertise and experience. In addition, a CASB should work seamlessly with file sharing and collaboration clouds, enforcing DLP and sharing rules while preserving the user experience of these clouds.
Impact on Administrators
One critical aspect of a CASB is the ability to consolidate multiple types of security policy enforcement across clouds. As organisations deploy a CASB, they should avoid creating cloud-specific silos for administrators. Selecting a CASB that provides centralised controls can help your enterprise maintain consistent policy control and monitoring. Making life easier for administrators offers benefits including better management of multiple cloud instances and preventing users from bypassing policies by "cloud hopping". In addition, centralised controls result in more complete audit trails for incident investigation and compliance reporting for auditors.
CASBs can help companies gain a full spectrum of data protection, including visibility, policy-driven data security and threat protection that are essential in the post-Snowden world. Speak to a variety of CASBs to help you make an informed decision. Find one with a good reputation and solid customer base, and check that it will meet your needs – and work with you as you grow. Every customer’s needs may be different, so it’s good to compare and contrast with tried and true products.