- Before purchasing a CASB product, do a complete inventory of your cloud applications.
- Set up a pilot CASB project to give you a clear idea of what works.
- Select the right vendor based on your cloud security needs and circumstances.
In our post on using a Cloud Access Security Broker (CASB), we discussed what these tools are used for and how they work. In this post, we’ll explore how to purchase the right product for your particular needs.
A good place to start is an inventory of all the cloud applications your company uses. Don’t be surprised if this inventory uncovers apps that have slipped by your IT department. This process will show you just how prevalent these apps are in the modern enterprise and why you need a CASB to begin with. A popular free tool to consider using is Cofense’s Cloudseeker.
Narrow Your Search
Once you have an idea of the scope and mix of cloud apps your organization uses, narrow your search down to a couple of CASB vendors. Then request proposals from them that cover your range of services, the number of endpoints on your network and other relevant specifics about your infrastructure. Most CASB vendors have free service plans that can also discover your cloud portfolio, which you can use to double-check the information gleaned from Cofense’s tool. Most vendors also offer the first month with a limited number of apps or services for free. This will give you an idea of the scale and scope of your exposure and how the tool works within your infrastructure.
As part of your free evaluation period, you might want to pick your most critical apps to pilot a CASB project and put the product through its paces with this smaller set before you widen its scope. This is useful to ensure that you understand what the CASB does and what it doesn’t do, as well as to explore its multi-mode operation if it supports more than one of the three operating modes: forward proxy, reverse proxy and API control. You should probably decide during your evaluation period whether support for all three is a must-have or just nice to have. The pilot and evaluation period will help you explore as many use cases as possible. Make sure you understand a product’s limitations in each of its three operating modes. Even within a single vendor’s product, the modes tend to operate slightly differently, and that difference can be a deal-breaker as you extend a CASB’s reach across more of your application infrastructure.
As you move through your evaluation, here’s a checklist of what to consider before you buy a CASB:
- Figure out if you want to integrate with existing identity-as-a-service or single-sign-on tools. Having the right identity configurations is half the battle with keeping your cloud apps secure. If you are considering upgrading your identity tools, you might want to figure this out before attempting to purchase any CASB product.
- Don’t view cloud access as a simple “yes” or “no” authentication event. Understand when and how you will need more granular and continuous risk-based authentication and whether you want a CASB to deliver this functionality or a separate security product that is designed just for this particular purpose.
- Understand if and how your product supports field-level data encryption. If you have numerous cloud-based databases, this will be an essential feature.
- Review the product’s reports, especially for compliance purposes. As we mentioned in the first blog post, CASBs are useful tools for revealing security risks and can help your security team plug these holes. As part of your review, take a careful look at the data dashboards and make sure you understand what the product is telling you, whether it fits with what you need to know about your current security posture, and what actions you need to take based on this information.
- Find out if the product integrates with your secure web gateways, application firewalls, data loss prevention tools and email providers. Compare the equivalent features offered by the CASB with what you already have in place. These are key integrations and places where security loopholes exist, so it makes sense to cover these situations with your CASB.
What Will It Cost?
Finally, you should calculate the overall costs. Gartner puts the range from $15 per user per year for simple installations of just a few cloud apps to $85 per user per year for more robust multimode coverage of unlimited cloud apps. Some vendors won’t quote prices until you get to the contract stage, while others are more transparent about their pricing and list it directly on their website.
CASB Product Links
The links below go to free trial pages or video screencast demos where available.
- Broadcom (formerly Symantec/Skycure) CloudSOC
- Cisco Cloudlock
- Forcepoint CASB
- IBM Managed Cloud Services
- McAfee/Skyhigh MVISION Cloud
- Microsoft Cloud App Security
- Netskope (Video Demo)
- Oracle CASB Cloud Service
- Palo Alto Networks Aperture/Prisma
- Proofpoint CASB