The more cloud applications and services an organization adopts, the more vulnerable it becomes—that is, unless it has implemented the appropriate security protections to defend these new apps and services. What security technology is best suited for this task? If you believe the hype, it’s the cloud access security broker (CASB).

NSS Labs defines CASBs as intermediary cloud governance mechanisms that help security administrators identify, assess, and control cloud services in use by an organization. Data from the 2018 NSS Labs Cloud Security Study indicates that 82% of surveyed US enterprises deploy a CASB product.

What’s Driving CASB Adoption?
As a part of an ongoing research initiative, NSS asked 243 IT security professionals with more than three years of experience at enterprise-sized organizations why their organizations adopted CASB products. Study respondents most frequently selected encryption, centralized cloud identity management, and visibility as their primary drivers. Let’s take a look at these drivers in greater detail.

Encryption remains one of the few mechanisms that can reduce the risk associated with data leakage or exfiltration from cloud-based services. However, field-level encryption (in other words, encrypting a specific field in, for example, Salesforce) for non-binary data (e.g., Social Security numbers and Social Insurance Numbers) remains a challenge for those vendors that don’t support industry encryption standards.

If encryption is a driver for your organization’s CASB purchase, ensure that your organization’s proof of concept (PoC) includes test cases for enacting field-level encryption. Organizations should seek out a vendor employing encryption methods that align with format-preserving, Feistel-based encryption standards (both FF1 and FF3). More information on these methods can be found in the National Institute of Standards and Technology (NIST) Special Publication 800-38G.

Centralized Cloud Identity Management
CASBs facilitate centralized management of the identities of all of an organization’s cloud-users by leveraging integrations with existing directory services, federated identity management systems, and cloud application APIs. In many cases, a CASB will log all user activity within sanctioned cloud services, which facilitates forensic investigation and compliance with (some) regulatory mandates.

Organizations should test these integrations extensively prior to committing to any one vendor’s CASB offering. Additionally, prioritize evaluation of the product’s single sign-on and two-factor/multi-factor authentication, as these are simple ways to add an additional layer of protection for cloud apps and services.

CASBs provide security administrators with visibility into the utilization of cloud services by organizational users. It’s important to remember that visibility is not a snapshot in time but rather an ongoing effort that must be continually monitored by security administrators. To accomplish this, CASBs integrate with existing on-premises perimeter network security appliances, as well as with popular SaaS, PaaS, and IaaS offerings.

When evaluating a CASB product, organizations should make sure that their PoCs include test cases for measuring the effectiveness of these integrations, as well as the effort required to establish them in a production environment.

Although the factors mentioned above were selected by IT security professionals as the predominant drivers for their organizations’ CASB adoption, other motivating factors include operational savings, compliance, automated policy validation, shadow IT discovery, and forensics. How do these drivers align with those at your own organization? Stay tuned as we look more closely at these drivers as well as at the concerns and challenges shared by enterprises in the second installment of the CASB Product Selection Guide: Part 2: Tactical Guidance, which will be released in the coming months.

John Whetstone leads research focused on cloud and data center security technologies at NSS Labs. He has worked with enterprise cybersecurity products for more than 15 years and has held roles in the IT security industry that include administration, analysis, architecture, and engineering.