
Cloud access security brokers: How should enterprises evaluate them?

A proper evaluation of a cloud access security broker is critical to finding the best match for your enterprise's needs. Expert Dan Sullivan outlines key criteria to keep in mind during CASB assessment.

Cloud access security brokers are predicted to be "an essential component" of SaaS deployments and cloud application security by 2017, according to Gartner. Which enterprises would benefit most from a CASB, and what should an organization look for when evaluating CASBs?

Cloud access security brokers (CASBs) may be especially useful for organizations encountering gaps in the security controls they have on-premises versus in the cloud. Since a CASB acts as a proxy between on-premises systems and the cloud, its applications can implement additional security services not available from cloud providers. For example, a CASB might provide an application firewall or perform data leak detection.

Enterprises evaluating CASBs should consider several factors, and encryption is one of the most important. Cloud providers often control encryption keys and implement best practices, such as key rotation. However, organizations that need greater control over their data and key management practices may turn to a CASB to help implement their own encryption procedures. This may be more than many organizations want to take on, but those managing sensitive information on behalf of others -- such as law firms entrusted with confidential documents -- may be willing to assume the additional burden of key management.

Some CASBs offer tokenization features. Unlike encryption -- which preserves the original data -- tokenization replaces sensitive data with a token, or string of characters, whose format is comparable to that of the original data but which has no relation to it. This masking of sensitive data can mitigate the risk of data leaks by preventing sensitive data from leaving on-premises systems except in authorized situations.
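The tokenization described above, as an added Python example (not code from the article or from any CASB product): sensitive fields are swapped for random, format-matching tokens before a record leaves for the cloud, and the mapping back exists only in an on-premises vault. The class and function names, the sample record, and the boolean `authorized` flag standing in for a policy check are assumptions.

```python
import secrets
import string

SAMPLE = {"matter": "M-1042", "ssn": "123-45-6789"}  # constructed record


class TokenVault:
    """On-premises vault; the token-to-value mapping never leaves it."""

    def __init__(self):
        self._by_token, self._by_value = {}, {}  # token->value, value->token

    @staticmethod
    def _random_like(value):
        # Same format (digits stay digits, letters stay letters, separators
        # kept), but drawn from a CSPRNG: no key maps the token back.
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isalpha():
                out.append(secrets.choice(string.ascii_uppercase if ch.isupper()
                                          else string.ascii_lowercase))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, value):
        if value in self._by_value:  # same value always gets the same token
            return self._by_value[value]
        for _ in range(100):  # bounded retry on collisions
            token = self._random_like(value)
            if token != value and token not in self._by_token:
                break
        else:
            raise ValueError("value too short to tokenize without collision")
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token, authorized):
        if not authorized:  # stand-in for a real policy decision
            raise PermissionError("detokenization not authorized")
        return self._by_token[token]


def tokenize_outbound(record, sensitive_fields, vault):
    return {k: vault.tokenize(v) if k in sensitive_fields else v
            for k, v in record.items()}
```

Because the token is random rather than derived from the value, protecting the vault takes the place of protecting an encryption key.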

Enterprises should also consider how they can leverage the insights CASB proxying can provide. Shadow IT operations may not meet security or compliance standards, and that can put an organization at risk. Monitoring traffic from on-premises to cloud services can help control the use of unauthorized cloud services and identify cloud operations that should be brought under the enterprise's cloud management umbrella.

CASBs should make use of centralized identity management in Active Directory or LDAP. During CASB evaluations, be sure to determine how well the information cataloged in a corporate directory can be used to implement controls with the CASB. Businesses should not have to duplicate data and functionality that exists in on-premises directory services.

Another use case of a CASB is enterprise mobility. Mobile devices can be especially challenging to secure in the workplace. Without a CASB, it is easy to imagine a user downloading sensitive data from cloud storage onto a personal device. Businesses should assess the capabilities of CASBs for implementing mobile device policies for cloud data and services, but note there may be some overlap of functionality between CASBs and mobile device management systems; enterprises will have to decide how to divide the work of protecting cloud data between CASBs and MDM systems in this scenario.
