May 11, 2016

The (Indispensable) Cloud Access Security Brokers (CASB) Checklist

Checklist_320x267One of the fastest growing segments in security is the Cloud Access Security Broker (or CASB for those of you who like acronyms) space. It has evolved from a “nice to have” to “must have” in a very short period of time, most recently being labeled by Gartner as a “required” security platform for those organizations moving to the cloud.

Given the rapid adoption of cloud apps and the proliferation of BYOD in the workplace, the need for a CASB is more pronounced than ever before. Because of that, we’ve put together a checklist of requirements that all organizations should take into consideration as they embark on their CASB initiatives. Examples of the types of questions organizations should be asking are also provided.


What You Need to Know

Cloud app discovery

  • How does the CASB discover cloud apps?
  • Does the CASB require log files to be sent outside your organization, i.e., is there an on-premises discovery process?
  • Is the CASB discovery and risk analysis catalog updated on a regular schedule?  Can you search the app catalog to learn more about a given app?

Risk and data governance

  • Does the CASB provide insight into the users of an application to better identify high-risk areas?
  • Does the CASB benchmark application security configurations against regulatory requirements (e.g., PCI DSS, HIPAA, SOX) or best practice standards (e.g., Cloud Security Alliance) to identify security gaps?
  • Does the CASB identify former employees who still have access to company data?
  • Can the CASB identify sensitive or regulated data in cloud file sharing services?

Activity monitoring

  • Does the CASB monitor activities at the document level (e.g., can it report on Create/Delete/Upload/Download operations for all files and folders)?
  • Does the CASB monitor activities at the record level, say, for Salesforce, Workday, or Box?
  • Can new cloud apps be supported easily without changing the product or deployment model?

Threat prevention

  • What kind of threats can the CASB detect and how?
  • How are threats detected for custom-built cloud apps?
  • Does the CASB profile user behavior in order to detect anomalous usage and suspicious behavior automatically?

Data security

  • Can the CASB enforce in-transit DLP policies to prevent data loss?
  • Can the CASB enforce multi-factor authentication for high-risk activities?
  • Can custom policies and alerts be created based on any number and combination of criteria (who, what, where, when, how)?

Activity analytics

  • Are activity analytics available with multiple levels of aggregation options (e.g., by user location, endpoint type, department)?
  • Can the CASB correlate login usernames with the user's corporate directory (e.g., Active Directory) identity?
  • Can analytics be easily exported to SIEM solutions (e.g., Splunk)?

Endpoint access control

  • Can the CASB distinguish between managed and unmanaged mobile and endpoint devices?  And enforce unique policies for each?
  • Does the CASB support third-party MDM solutions?

Remediation options

  • What remediation options are supported (e.g., alert, block, multi-factor authentication)?
  • Does the CASB integrate with NGFWs or other security solutions for applying remediation policies?

Deployment considerations

  • Does the CASB support API-based integration with cloud apps?
  • Does the CASB support proxy-based (i.e., inline) deployments?
  • Can the CASB be deployed with a single sign-on solution (e.g., Okta, Ping Identity, Centrify, OneLogin, etc.)?

Delivery infrastructure

  • How is the CASB infrastructure protected from DDoS attacks?
  • Does the CASB provide optimization capabilities to minimize latency when deployed inline as a proxy?
  • Is the CASB delivered from a Tier 1 exchange?

CASBs can help an organization secure cloud apps and data in an environment where security is increasingly a shared model between the cloud app provider and the subscribing organization. By seeing where you stand against the above requirements, you’ll have a better understanding of your specific risk posture and where the gaps are in your security.

CASBs, by their nature, are complementary to many components in a security infrastructure. Be it MDM, SIEM, SSO, or DLP solutions, CASBs can integrate seamlessly in any IT environment to provide the necessary visibility and control for cloud apps.

These environments can include content delivery networks and threat detection solutions, underscoring the role of adjacent technology solutions to protect an organization’s data and apps. This is reinforced in the Gartner Market Guide for Data-Centric Audit and Protection that talks about the growing demand for centralized management of data security policies across different data silos.

Imperva Skyfence CASB is integrated with other Imperva solutions, including Imperva Incapsula content delivery network and DDoS protection and Imperva CounterBreach for protection against insider threats. Holistically, the suite of Imperva products has the singular objective of protecting your most valuable assets, whether they reside in databases, files, or cloud apps.  

So, even though CASBs have been generating a lot of buzz lately, it’s prudent to think about your CASB plan in the context of your overall data and app security strategy and specific IT environment.

Authors & Topics:

Share on LinkedIn


Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated, and will not appear until the author has approved them.