How to evaluate a CASB

Evaluating cloud access security broker (CASB) products can be a challenge. Although they all share core functionality, each has its own unique overall feature mix. Understanding those features and how they work will make it easier to know which ones should be on your short list.

What follows is an explanation of the core functions CASBs share and the other features you might find. This will help you decide what your expectations should be and understand the issues involved in making your purchase decision.  

Core CASB services

If you have a mixture of cloud and on-premises equipment, a CASB is certainly in your future. The sooner you deploy one the better. The following three basic services that all CASBs offer are at the core of what CASBs do and why you would buy one: 

Monitor and control your most sensitive data flows. CASBs were originally designed to stem the tide of shadow IT products and to control and make software-as-a-service (SaaS) applications more secure. Now they have broadened their use and can fit into a variety of situations, including operating across multiple cloud providers and mixing SaaS, mobile and on-premises applications, too.

Apply uniform data loss prevention (DLP) policies across all servers and apps. As your data appetite increases, you need better ways to ensure that you aren’t leaking customer- and business-sensitive information, either through a malicious insider or inadvertently through a bad combination of security loopholes. While DLP products have been around for years, having DLP-like features in your CASB can be a nice way to track these potential weak spots, especially as more of your data moves into the cloud and is accessed by unmanaged mobile devices.

Manage cloud-native encryption keys. Ideally, your CASB should automatically keep track of your encryption needs and keys so you don’t have to do this manually, and so you can encrypt more of your data.

CASB tools are better at some things than others. For example:

• Bitglass has an Ajax virtual machine (VM)-like layer that handles near-real-time DLP on unmanaged devices. The only caveat is that these devices have to access data through their browsers.
• CipherCloud has field-level encryption on some SaaS structured data services, which can be a handy mechanism for protecting sensitive information.
• Netskope excels at showing a very solid behavior analytics dashboard and also has impressive application discovery tools.
• Forcepoint and McAfee both have two different DLP product lines, one for on-premises and one for the cloud. Both vendors’ lines aren’t at feature parity and do require some effort to integrate across cloud and local servers.
• Microsoft continues to expand and enhance its CASB line but will require integration of a series of its separate management tools.

Beyond these basics, all CASBs offer the potential to operate in one (or more) of three different modes:

• Forward proxy, usually deployed with endpoint agents or VPN clients
• Reverse proxy, which doesn’t require agents and can work better for unmanaged devices
• API control, which provides visibility into data already stored in cloud repositories or data that is used within a cloud process that never enters a corporate network.

Agent deployment a big CASB differentiator

Take note about the use or requirements for deploying various agents with each product. (McAfee has a nice blog post that goes into more details.) This is where the CASB vendors often place their secret sauce, which could be an issue depending on how agent-friendly or adverse your IT department is. McAfee uses a single agent that functions across all three operational modes. Some of the others have multiple agents – such as for specific functional areas like antivirus, VPN or DLP – that can get messy, not to mention tough to deal with unmanaged endpoints such as personal cellphones.

Feature sets across operational modes vary

Part of the CASB evaluation challenge is understanding how the feature set extends to each operational mode – if indeed the product operates in more than one mode. Symantec’s CASB, for example, has reverse proxies just for Office 365 and no other application. Saviynt, Cisco and Palo Alto Networks all offer API-only CASB products. This means you need to understand the types of protection and not just which apps are supported but how they are supported, and what is the exact API portfolio that is covered by each product.

You really need the API support if you want to get granular with your CASB protection, in particular to understand the state of your public cloud security exposure and to stop any cloud-based malware too. API deployments also can trap cloud-to-cloud activities and to retrospectively inspect archived traffic flows. You will also need some level of proxying to handle application gateways and for implementing specific security policies. It pays to read the fine print and develop an appropriate test plan that will reveal the relevant features for each vendors’ product.

Consider how the CASB will work with other security tools

I have been using the word “apps” rather inelegantly here. I mean this word to refer to the entirety of your existing security apparatus, too – how your CASB interacts with your existing firewalls, endpoint protection, and web application gateways should also be part of your evaluation and in understanding if all these tools will play nicely with each other, or get into each other’s way.

Here are some examples of how CASBs can play nice with other apps:

• Forcepoint claims it can protect any custom app within a few days’ effort by their engineering support staff.
• Bitglass claims it has a feature that can detect changes in underlying apps that might elude traditional reverse proxies.
• McAfee’s CASB can create custom prevention policies for apps without any coding. IT also has comprehensive policy management that is applied uniformly for all three modes of operation.

Nice-to-have CASB features

Finally, there are two nice-to-have sets of CASB features:

Conduct continuous risk assessments and compliance audits on demand. A CASB can show in a single place where a corporation has the most risk and summarizes issues that a security team can quickly focus on for suspicious behavior that other products couldn’t easily do.

Forcepoint, Proofpoint and Netskope all have nice risk summary dashboards that you can customize to display the things you need to understand how your environment is behaving and what needs immediate attention.

Apply uniform adaptive authentication policies across all logins, servers and apps. This should include read-only access (Gartner suggests this would be a good situation for unsanctioned SaaS services that are nonetheless needed), step-up auth and more granular access rights management.

Identity management and SSO tools are the usual go-to reasons for these sorts of tasks, and one important trend is that more CASBs are integrating with traditional single sign-on (SSO) products. The trick is to understand that the typical level of integration happens (usually) in reverse proxy mode only, and the SSO authentication is only passed to the CASB at the initial application login moment. This means that if you want a more complete adaptive authentication to trap when more risky behavior happens, you will probably have to stick with your dedicated SSO product.

As you can see, CASBs touch a lot of different existing security products across your enterprise. The challenge for successful integration is being able to understand these interactions and ensure that you overall security profile is enhanced rather than degraded with their use.