In a recent research report, Gartner tagged enterprise spending on CASBs at $713 million, up from just $150.7 million in 2015. As companies sanction cloud services such as Office 365, Salesforce, Box, ServiceNow and Slack, the shared responsibility model requires them to enforce security, governance, and compliance policies on the use of these services. The need to remain compliant and secure while providing employees with the flexibility and agility derived from cloud services has driven increased CASB adoption. The Gartner report also mentions that the average CASB deal size will likely increase from one year to three years. This trend makes it even more important for companies to choose a CASB that addresses current as well as future cloud security requirements (aka future proofing).
When selecting a CASB, companies often run into the challenge of choosing from multiple vendors, many of which claim to provide roughly similar features. While preliminary research, analyst reports, and discussions with peers can help narrow this list down, there are usually 2-3 vendors left for buyers to evaluate. Most companies usually go through a thorough vetting process from a feature and use case perspective, but sometimes longer-term issues may get overlooked, impacting the overall value realized from the CASB investment. To make life a little easier, we’ve distilled a comprehensive set of 180+ RFP questions that are used by enterprises and analyst firms to help evaluators understand and compare the capabilities of various CASB. While the questions cover all major use cases, features, and support scenarios, they also cover more intangible aspects like scalability and application performance.
As companies go through an evaluation process, below are some of the pitfalls to be aware of, to make sure the right solution is selected for the company.
Many solutions claim to have security features, but what sets an enterprise-grade solution apart is the ability to deliver these features to a large number of users, often numbering in hundreds of thousands. It is difficult for companies to test this aspect of the solution either at the RFP or the POC stage, so the limitations of a product in this area become evident after it is deployed in production. An inability to scale to company’s needs will stall the deployment and can prevent a company from implementing security controls on cloud usage in production. Consider asking your CASB solution provider for customer references on companies from the same vertical who have already deployed the solution and are using it at scale.
2) Alert Fatigue
Threats arising from compromised accounts, insider threats, and privileged user misuse are steadily growing. Research from Skyhigh shows that the average organization experiences over 23 incidents each month, an increase of 18.4% from the last year. Larger companies generate over 2 billion unique transactions in cloud services each month, and while several solutions are able to detect “anomalous usage”, the ability to surface true threats is scarce. Within many solutions, the number of anomalies (and false positives) is very high, and IT teams will often be unable to process this information and take necessary action. This results in the credible threats getting lost in the sea of anomalies and the company is unable to utilize their CASB platform to detect and remediate a potential security incident. During evaluation, discuss with your CASB on how they differentiate between anomalies and threats, and whether there are processes built within their solution to streamline the number of alerts that they provide to IT.
3) Integration with Existing Infrastructure
Enterprise security is a team sport, and a CASB solution needs to integrate with other infrastructure components in order to complement the company’s overall security controls. This may require integration with a SIEM to feed threat and incident data, or integration with Active Directory to enable policy enforcement by user groups, teams, or business units. When solutions are restrictive in their integrations with existing components, it impacts the company’s ability to fully leverage the CASB as part of their broader security strategy. Sometimes, solutions require customers to buy additional security components, which increase costs, not only in dollars spent, but also in deployment efforts. When evaluating the CASB solution, discuss integration with your existing infrastructure and make it a part of your POC criteria. Also, make sure your RFP questions cover important platform and integration features as they could include components that could be adopted by your company in the future.
4) Data Privacy Requirements
Most CASB solutions move customer data to their cloud in order analyze data to provide visibility and enforce security controls. Questions about whether the CASB solution has the necessary controls to protect sensitive customer data in the cloud should be asked early in the process so they don’t become issues down the road with security and legal teams. Data protection measures could include tokenizing sensitive data on-premises. They may also include requirements for the CASB to tokenize user information on-premises for DLP violations. Ask your CASB solution provider about their data privacy capabilities and ask to see these capabilities in action during POC.
5) Support for New Cloud Services
While companies evaluate CASB solutions based on their current security requirements, use cases may come up in the future (especially on a 3-year license) as the company grows, new cloud services are adopted, and infrastructure changes are made. A company may be looking to secure their Office 365 deployment at present, but next year, they may require a solution (preferably the same CASB) to secure their Slack deployment. Or the company may decide to migrate all custom apps in their data center to AWS or Azure, giving rise to new audit and security requirements as corporate data moves outside the firewall. So, companies need to assess the complete breadth of the CASB offering from the perspective of future use cases and ensure they deploy a CASB that provides them the broadest coverage in addition to feature depth.
Enterprises use many best practices during CASB evaluation to ensure they choose the right solution for their company. In addition to customer references and analyst discussions, they make sure the RFP questions, such as ones in this industry-standard RFP template, go deeper than the key features and cover nuances that may be overlooked due to lack of time or depth of understanding of the technology. Finally, they look for enterprise customers who speak about the product publicly in the form of case studies, webinars, conference presentations, etc., as it is usually the result of the solution having proven itself in the customer’s environment.