If you aren’t thinking about deploying a cloud access security broker (CASB), you may be falling behind the technology curve. Gartner predicts that 85% of large enterprises will be using CASB by 2020.
That’s because the growth of cloud usage is exponential, along with the associated security risks. While cloud providers offer tools to manage access and a smaller number offer shared key modes of cloud data encryption not all these provider approaches are the same and don’t offer a consistent way to secure access and protect data across clouds. By contrast, the CASB framework (as detailed by Gartner) is intended to provide cloud security across providers by defining four “pillars” for cloud security that enterprises should address:
- Visibility, provides a consolidated view into sanctioned cloud usage patterns and Shadow IT reporting, detailing how and where users are accessing cloud data
- Compliance, which monitors data in the cloud for compliance with data privacy and data residency regulations as well as cloud risk scoring
- Data Security, which provides a consistent level of file, field and object protection through encryption, tokenization, collaboration controls and data loss prevention
- Threat Protection, which analyzes traffic and applies user behavior analytics to find external threats such as compromised accounts and flag suspicious behavior of privileged users
The four pillars can assist you when considering your priorities for a CASB. Not all vendors will be equally strong in each area; identifying the primary concerns driving your CASB implementation will give a focus to your evaluation. Review your data governance scenarios and compliance requirements; make certain they are up-to-date with new and emerging regulations. Develop specific use cases to ensure the CASB will provide the functionality you require for the real-world scenarios of your business environment such as fully supporting your cloud-based CRM, ITSM and File Sharing providers.
Here’s a quick CASB self-evaluation/checklist to help get you started:
1. Inventory and Evaluate Sanctioned Clouds
Identify your company’s sanctioned cloud usage and how compliance is impacted due to sensitive data flows, then report on Shadow IT cloud usage that can be consolidated or eliminated. You need to know which applications are in use currently, or planned for use in the next year, to make sure the CASB you choose will support them. Be aware many CASBs integrate with specific applications, but what that means in reality differs from vendor to vendor. Consider not just the application itself but the cloud and on-premises ecosystem that must also be supported.
2. Evaluate Impact on Your Existing Security Infrastructure
Investigate whether the CASB deployment will integrate with your identity and asset management (IAM), security information and event management (SIEM), and enterprise data loss protection (DLP) products. Ideally, policies already defined for your enterprise can be applied to cloud and internal data. Gartner recommends that IAM integration be a mandatory capability for CASB evaluation.
Understand what components of CASB can be deployed in the cloud versus
on-premises. Some capabilities like encryption require regulated enterprises to maintain sole ownership of keys and encrypt data before it is sent to the cloud provider. A CASB solution should provide flexible cloud and hybrid deployment modes based on the business and operational needs of the enterprise.
3. Evaluate Impact on Your Users
Be aware of the impact of the CASB on your end users’ experience. Protection of field and file data can be intrusive to how a user experiences a cloud service. Ensure users can continue to share, report, chart, search and sort on data using the tools within the cloud provider environment. Protecting sensitive data with technologies like encryption and tokenization are easy but preserving familiar operations is hard and requires a CASB provider with specific expertise and experience. In addition, a CASB should work seamlessly with file sharing and collaboration clouds, enforcing DLP and sharing rules while preserving the user experience of these clouds.
4. Evaluate Impact on Your Administrators
One critical aspect of a CASB is the ability to consolidate multiple types of security policy enforcement across clouds. As organizations deploy a CASB they should avoid creating cloud specific silos for administrators. Selecting a CASB that provides centralized controls can help your enterprise maintain consistent policy control and monitoring. Making life easier for administrators has benefits including better management of multiple cloud instances and preventing users from bypassing polices by “cloud hopping”. In addition, centralized controls results in more complete audit trails for incident investigation and compliance reporting for auditors.
5. Evaluate CipherCloud
OK, so perhaps I’m biased, but you should also include CipherCloud in your CASB evaluations. Over 100 customers (financial services, health care, government and high tech) run their businesses on CipherCloud’s advanced zero-knowledge data protection. Every customer’s needs may be different, but it’s good to compare and contrast with tried and true products.
Take a look at our CASB Resource Center, and then take a look at CipherCloud.