Cloud Access Security Broker Checklist

October 1, 2015 By Andrew Roberts

Gartner coined the term Cloud Access Security Broker (CASB) a few years ago and placed it atop its security technology trends of 2014.

As defined by Gartner, CASB solutions are on-premises or cloud-based security policy enforcement points, placed between consumers and cloud service providers, that offer monitoring and control across multiple cloud services.

Most Cloud Access Security Brokers focus on specific cloud and SaaS applications for their data protection solutions and include standard security policies such as authentication, single sign-on and encryption.

Cloud Access Security Brokers should be application agnostic, being able to integrate with any cloud or SaaS application, and offer an array of additional and more advanced layers of security such as device profiling, user behavioral analysis, system logging and monitoring, alerting and the deployment of defensive countermeasures.

CASB Checklist

The following is a quick checklist for you to consider when evaluating CASB vendors. Work through this list and tick off the boxes to ensure your CASB is providing you with the best possible security for your sensitive data.


1. Authentication

Your CASB should interact directly with users, performing identity checks such as device fingerprinting, geo-locking and behavioral analysis to ensure that users who have the correct credentials are who they say they are.

A good CASB will follow an interoperable approach and integrate seamlessly with common enterprise systems, including SAML, Single Sign-On (SSO), Active Directory, policy enforcement (Groups/Users), Okta, Ping, etc.

2. Visibility

Using cloud applications can create SIEM blind spots. A Cloud Access Security Broker that provides cloud app monitoring functions can help remove them. Look for features such as real-time access logs, data consumption, usage patterns, device profiles, time, location, etc. Viewing all of this information through a unified monitoring interface will give you complete visibility across all of your cloud applications.

3. Security

Selectively encrypting your data before it is sent to the cloud ensures that the end cloud application never stores your sensitive information as plain text. This is important not only if the cloud app vendor ever incurs a data breach, but also for data residency and privacy regulations (see below): your data is encrypted before it gets to the cloud and is unreadable should it be accessed by an unauthorized party. Having a CASB that supports policy-based decryption will prevent inappropriate sharing or leaking of data.

4. Detection

Second-generation CASBs continually compile and build security profiles on each user passing through their cloud gateways. Each time a user enters the gateway, their behavior is benchmarked against their own historical patterns as well as those of their colleagues. This behavioral analysis is crucial in detecting security anomalies, significant changes in behavior, or outliers that could be the result of user credential theft or an insider threat.
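The two-baseline benchmarking described above, sketched as an added example (not code from this article or from any CASB vendor). It assumes a single feature, daily download volume in MB, a simple z-score test, and hypothetical thresholds; the user names and history are constructed sample data.

```python
from statistics import mean, pstdev

Z_THRESHOLD = 3.0  # assumed alerting cut-off, in standard deviations
MIN_SAMPLES = 5    # assumed minimum observations before a baseline is trusted

# Constructed sample data: MB downloaded per day by members of one team.
HISTORY = {
    "alice": [120, 135, 110, 128, 140, 125, 131],
    "carol": [115, 130, 122, 118, 127, 133, 121],
    "erin": [10, 12, 9, 11, 13, 10, 12],
    "dave": [900, 950, 920, 980, 940, 960, 930],
    "newhire": [],
}

def zscore(value, baseline):
    """Standard deviations by which value exceeds the baseline mean."""
    mu = mean(baseline)
    # Floor sigma so a very steady baseline does not alert on tiny changes.
    sigma = max(pstdev(baseline), 0.05 * abs(mu), 1.0)
    return (value - mu) / sigma

def assess(user, today_mb, history=HISTORY):
    """Return the set of baselines that today's volume exceeds."""
    own = history.get(user, [])
    # Peer baseline: every other team member's observations, pooled.
    peers = [v for name, vals in history.items() if name != user for v in vals]
    flags = set()
    if len(own) < MIN_SAMPLES:
        flags.add("no_baseline")  # new account: only the peer check applies
    elif zscore(today_mb, own) > Z_THRESHOLD:
        flags.add("self")         # sharp change from the user's own habits
    if len(peers) >= MIN_SAMPLES and zscore(today_mb, peers) > Z_THRESHOLD:
        flags.add("peers")        # out of line with colleagues
    return flags

if __name__ == "__main__":
    for user, mb in [("alice", 138), ("alice", 2400), ("erin", 125),
                     ("dave", 950), ("newhire", 130)]:
        print(f"{user:8} {mb:5} MB -> {sorted(assess(user, mb)) or 'ok'}")
```

The `erin` and `dave` cases show why both baselines are needed: one is normal for the team but a sharp break from the user's own history, the other is consistent with the user's history but far above the team's.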

5. Protection

A CASB's ability to detect a threat is not enough to prevent a data breach. CASBs should have the capability to deploy automated countermeasures to ensure that threats are not only detected, but thwarted. A flexible countermeasure engine can respond according to the severity of the threat and has a wide range of rules that can be configured to meet your defined data protection policies, including specific platform or geolocation locks, behavioral analysis, or automatically deleting inactive user accounts.

6. Compliance

Meeting strict privacy, residency and data security requirements whilst using cloud applications can be difficult. However, a good Cloud Access Security Broker can be used to meet access control, monitoring, encryption and other compliance requirements outlined in legislation such as HIPAA. Be sure to check vendor claims carefully to ensure full compliance with industry specific regulations.

7. Single Cloud Security Solution

Having multiple security solutions for multiple cloud applications is a nightmare - some only offer a limited number of features and others only work with specific apps. Try to find a Cloud Access Security Broker that offers a complete solution that not only ticks all of the boxes above, but also integrates with all your cloud and SaaS applications. One that is truly cloud and SaaS application agnostic is ideal as it allows you to add additional apps in the future, without compatibility issues.

By analyzing CASB vendors against the seven criteria detailed, organizations have a good chance of selecting an appropriate vendor that will scale with their cloud deployment strategy.
