
Eight Questions to Ask When Evaluating a CASB

Published 09/12/2016

By Rich Campagna, Vice President/Products & Marketing, Bitglass

Cloud Access Security Brokers are the hottest technology in enterprise security right now, topping Gartner's Top 10 list two years running. Widespread adoption of major cloud apps like Office 365 (and corresponding cloud security concerns) are accelerating CASB adoption in every major industry, from financial services to healthcare.

If you're like most enterprises, you've already decided that a CASB can help you meet your security & compliance goals when moving to the cloud. The next step is to figure out how to evaluate a CASB. There are 8 key questions you should be asking when evaluating a CASB. Drumroll please...


1. How does the CASB differ from security built into my cloud apps?

Each cloud app vendor makes their own decisions on what types of security functions to build into their application. One app may include encryption for data-at-rest, but not transaction logging. Another app might offer the opposite. Ensure that the CASB vendor is offering value above and beyond what is built into your applications. And don't shortchange the value of a single policy enforced across cloud applications or inter-cloud user behavior analytics.

2. Does the CASB protect cloud data end-to-end?

Cloud data doesn't only exist in the cloud - as soon as you deploy, your end users will arrive with an arsenal of devices and start syncing or downloading data. Very quickly, your cloud security problem becomes a mobile data protection problem. Ensure that your CASB is able to protect not only data-at-rest in the cloud, but data downloaded to devices (both managed and unmanaged - see #3 below).

3. Can the CASB control access from managed and unmanaged devices?

A user logging in from an unmanaged device represents more risk than the same user logging in from a fully patched and protected laptop running an approved corporate image. Whether we like it or not, most organizations need to extend at least some access to unmanaged devices. Make sure your CASB can control access from managed devices as well as unmanaged ones - and note that, for unmanaged devices, you're not likely to be able to install agents or reconfigure the device.

4. Does the CASB provide real-time visibility and control?

If data leaks for 30 minutes, is it still data leakage? Absolutely. While there are some CASBs that operate entirely via API integration into major cloud apps, API-only approaches are subject to notification delays in the APIs, which may mean minutes, even hours, of data leakage before something like an external share can be revoked. Only a hybrid approach, which leverages both APIs and proxies, ensures total data protection.

5. Can the CASB encrypt uploaded data?

Many organizations will decide that encryption is the best way for them to safely adopt cloud apps. If this is even a consideration for your company, make sure that you're covered, as many CASBs do not offer encryption functions. Also beware that it is common for CASB vendors to weaken encryption in order to preserve application operations like search and sort.

6. Does the CASB protect against unauthorized access?

Visibility into suspicious activities is helpful, but is usually too little, too late. You want proactive protection against unauthorized access, something only a CASB with integrated identity management can offer. So for that often-cited example of "detecting" a user logging in from two locations simultaneously, wouldn't it be better if the CASB could force a step-up to multifactor authentication on both devices as soon as the rogue session is attempted?
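To make the "two locations at once" case concrete, here is an added example (not code from the post or from Bitglass) of the detection-plus-enforcement logic a CASB with identity integration would run: sign-in events are constructed sample data, country of the source IP stands in for location, and the 30-minute concurrency window is an assumed threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample sign-in events (not real data): user, session id, country of source IP, UTC time.
LOGIN_EVENTS = [
    ("alice", "s1", "US", "2016-09-12T09:00:00"),
    ("alice", "s2", "DE", "2016-09-12T09:04:00"),
    ("bob",   "s3", "US", "2016-09-12T09:05:00"),
    ("bob",   "s4", "US", "2016-09-12T09:07:00"),
    ("carol", "s5", "JP", "2016-09-12T08:00:00"),
    ("carol", "s6", "BR", "2016-09-12T09:30:00"),
]

# Two sessions from different countries that start within this window are treated as
# "simultaneous"; the threshold is an assumption for this example.
CONCURRENCY_WINDOW = timedelta(minutes=30)

def flag_concurrent_sessions(events, window=CONCURRENCY_WINDOW):
    """Return {user: sorted session ids} for every user with sessions from two
    different countries starting within `window` of each other. Both sessions are
    flagged, since neither can be trusted over the other."""
    by_user = defaultdict(list)
    for user, session, country, ts in events:
        by_user[user].append((datetime.fromisoformat(ts), session, country))
    flagged = {}
    for user, sessions in by_user.items():
        hits = set()
        for (t1, s1, c1), (t2, s2, c2) in combinations(sorted(sessions), 2):
            if c1 != c2 and abs(t2 - t1) <= window:
                hits.update((s1, s2))
        if hits:
            flagged[user] = sorted(hits)
    return flagged

def step_up_actions(events, window=CONCURRENCY_WINDOW):
    """Turn detections into enforcement: one 'require_mfa' action per flagged session,
    the inline control the post asks for rather than an after-the-fact alert."""
    return [(user, session, "require_mfa")
            for user, sessions in flag_concurrent_sessions(events, window).items()
            for session in sessions]

if __name__ == "__main__":
    for action in step_up_actions(LOGIN_EVENTS):
        print(action)
```

Bob's two same-country sessions and Carol's sessions 90 minutes apart are not flagged; only Alice's overlapping US and DE sessions get a step-up.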

7. Can the CASB help me detect risky network traffic, such as shadow IT or malware?

Understanding the unsanctioned apps in use by your employees is helpful, but what if that isn't the riskiest traffic leaving your corporate network? Leading CASBs have moved beyond simple shadow IT discovery to rank and prioritize the riskiest traffic on your corporate network - whether that is shadow IT, malware, anonymizers, etc.

8. Will the solution introduce scale or performance issues?

Look to CASBs that have deployed on a global, high performance infrastructure. Appropriately architected and deployed, a CASB can actually have a CDN-like effect on your cloud applications, increasing performance versus going direct to the app!


CASBs are the most effective way to ensure a secure, compliant cloud deployment. By asking these 8 questions, you can ensure that you select the right vendor for your organization. Learn more about CASBs here.
