The cloud access security broker (CASB) market is gaining a lot of momentum as more organizations look for a solution to help them with cloud service visibility, security, and compliance. Gartner estimates that by 2020, 85% of large enterprises will use a CASB solution for their cloud services, which is up from fewer than 5% in 2015. Customers today have a variety of options when it comes to choosing a CASB vendor and the selection process can be confusing given the variety of vendor capabilities. Just in time for the holidays, Gartner is helping customers maneuver the CASB landscape by authoring a research paper titled “How to Evaluate and Operate a Cloud Access Security Broker”.
I would like to use this opportunity to share some of the highlights of Gartner’s paper and provide a Netskope perspective on the “access centric” piece of the Gartner CASB framework. I will touch on the “threat centric” piece in a future blog post.
In this paper, Gartner uses their Adaptive Security Architecture to help IT security leaders develop a CASB strategy that is based on a continuous and adaptive approach to cloud security and governance. Here is a synopsis of each of Gartner’s best practices and Netskope’s commentary on each of these. You can get the full Gartner paper here.
Achieve Cloud Service Visibility and Perform a Risk and Compliance Assessment
To understand the risks associated with the use of cloud services, enterprises need visibility into what cloud services are already in use (and by which people); the sensitivity of the data being handled; which devices are used to access that data; and from where it’s accessed. In almost all cases, even when enterprises feel they have a good understanding of cloud services use, unsanctioned (also referred to as “shadow IT” or “citizen IT”) usage is taking place.
Netskope Take
Gartner presents what is often a critical starting point to assessing risk with cloud usage: The need to see what is going on in your environment. Although Gartner states that the capability of discovery itself is becoming a commodity, Netskope believes there is an opportunity to expand the scope of discovery to make sure that apps, data, users, devices, and location also cover unsanctioned cloud usage. Understanding what activities are occurring in your environment (e.g. sensitive data being uploaded to unsanctioned cloud apps) is a key component of assessing your risk. Many CASB vendors can help you assess risk at the activity level for sanctioned cloud apps, and can only see activities for the sanctioned apps they manage. Only Netskope allows you to see risky activities across both sanctioned and unsanctioned cloud apps.
Use the CASB to Select Appropriate Cloud Services
Enterprises need to continue to understand and verify the compliance and security posture of this cloud service. Leading CASBs have genuine intellectual property with their cloud service assurance databases. A well-designed reporting tool into this database will enable organizations to specify a template of the features and options that cloud services must have before they can even be considered for use by an organization.
Netskope Take
Assessing the risk of the cloud app itself is absolutely a critical best practice. Netskope has a dedicated team that researches tens of thousands of cloud apps and assigns an enterprise-readiness score (Cloud Confidence Index) to each. This is based on objective criteria taking in account the Cloud Security Alliance (CSA) Cloud Controls Matrix in addition to our own research. There are two key use cases that this addresses. The first is tying this to the discovery of cloud apps running in your environment and measuring the enterprise-readiness of each of the discovered app so you can assess risk. The other use case is for vendor assurance or vetting new cloud apps that you are looking to bring into your environment. Netskope can be your outsourced due-diligence team and you can use our service as a “consumer reports for your cloud apps”.
Plan for Adaptive Access
To manage risk, enterprises are looking to CASB providers for the ability to apply real-time context to the decision as to whether a cloud service should be accessed — for example, restricting access based on the location, time of day or whether the device is enterprise-managed.
Netskope Take
This best practice is critical. Context is key when it comes to determining whether a cloud service should be accessed. Without context, you are forced to take a sledgehammer approach to cloud usage policies and perform an allow vs. block at a coarse-grained lev