Security "Bits"

How to Choose the Right Cloud Access Security Broker

By Jacob Serpa | June 1, 2020 at 5:00 AM

Legacy security technology is not designed to secure data as it moves beyond the perimeter and into a variety of cloud apps and devices. While leading cloud access security brokers are up to the challenge, they come in many different shapes and sizes, and some are more limited than others. In this blog, we’ll highlight a few key areas for you to consider when evaluating which CASB to deploy; we’re pretty confident about how Bitglass stacks up against the competition. 

Underlying Architecture

Some CASB providers have elected to create and maintain their own private data centers to power their solutions and serve their customers. However, with a reactive, rack-and-stack approach, it is incredibly challenging to secure the modern mobile workforce. Company off-sites, SKOs, conferences, mass hirings, and remote and traveling workers all shift customers’ load profiles overnight, challenging the use of architectures that cannot scale and adapt automatically. Other CASBs, however, are deployed in the cloud and, consequently, can leverage the power of the public cloud to scale to customers’ needs on the fly. This is known as a Polyscale Architecture. With a solution deployed in the cloud, organizations won’t suffer from the performance issues that occur when private data centers are overwhelmed by unusual spikes in traffic. 

Inline vs. out-of-band protections

Integrations with application programming interfaces (APIs) grant CASBs visibility and control over data at rest within the cloud. While this deployment mode is helpful, it is not sufficient on its own. Crawling data at rest via API takes time; the approach is not inline and doesn’t enable the monitoring of traffic in real time. In other words, it is inherently out of band and cannot provide proactive protections (not to mention that many applications don’t provide relevant security hooks in their APIs for CASBs to leverage).

To address the shortcomings associated with APIs, leading CASBs employ proxies. There are multiple types of proxies (as described below), but, in general, proxies are inline solutions that mediate traffic in order to provide real-time visibility and control over data. While API integrations are important for securing data at rest and should be a part of your selected CASB, proxies are particularly critical for securing data in transit in today’s fast-paced business environment.

Agentless security for any device

More than ever before (and largely due to the events of the last few months), employees are using their personal devices to perform their work duties. BYOD (bring your own device) enhances productivity and flexibility as well as user experiences, but it can also lead to security concerns when the right solutions are not put in place. 

Some CASB vendors prescribe forward proxy as the solution for real-time security for BYOD. However, installing forward proxy agents on every unmanaged device that could access corporate resources is a massive logistical challenge. Additionally, employees typically resist agent installations on their personal devices for fear of having their privacy invaded. As such, organizations should turn to cloud-based deployments that leverage agentless reverse proxies. Reverse proxies are designed to protect data in real time on any device without the need for software installations. They deploy rapidly in the cloud for entire organizations and only control traffic to and from managed apps and resources. This means that personal traffic and data are not monitored and that user privacy is respected. You should choose a CASB that has both deployment options, but agentless reverse proxy is critical for securing BYOD.

Security for any application

Many CASBs, particularly those that rely solely upon API integrations, are limited to securing a small number of applications--typically major SaaS apps like Office 365 and Salesforce. While your cloud journey may begin with these kinds of apps, it will certainly not end there. Organizations quickly move on to deploy industry-specific, or niche, long-tail apps that are better fits for their specific use cases and further enhance productivity and flexibility. If you’re only able to secure a fixed catalog of applications, then your cloud journey will never be as beneficial as it could have been. Plan for the future of your enterprise and choose a CASB that can secure any application, whether it’s major SaaS, long-tail, or custom--and whether it provides an API or not. 

Best-of-breed technologies

Cloud security is a game of specialization, and your organization should use the leading solutions to address its different use cases--even if said solutions come from different vendors. Naturally, this means that the solutions you select should have integrations with other leading tools as well as a high degree of interoperability. So, when evaluating CASBs, a key item to consider is architecture. CASBs that rely solely upon agents, appliances, and backhauling traffic to private data centers are far more likely to clash with other solutions that you may have in place either now or in the future. Conversely, agentless solutions that are deployed in the cloud and forgo the use of appliances are far more flexible from a compatibility perspective. 

In each of the above areas, we’re convinced that Bitglass takes the cake. The company’s solutions are scalable, deployed in and for the cloud, provide inline and out-of-band protections, agentlessly secure any device, provide best-of-breed data and threat protection through integrations with vendors like CrowdStrike, and can secure any app or network. 

Want to see how Bitglass compares to specific competitors? We have competitive documentation around Microsoft Cloud Application Security (MCAS), Netskope, and McAfee’s MVISION.

To learn more about the differences between CASBs, click the button below and register for our upcoming webinar, “Comparing CASB Technologies: What's the Difference?”



