The cloud access security broker (CASB) market is set to take center stage in 2018 and beyond as the next business-critical security solution. The high growth of this segment is powered by massive adoption of cloud services such as Amazon Web Services, Salesforce, Office 365, and Box by large enterprises. Gartner, which ranked CASB as one of the top technologies for information security, predicts that by 2020, 60% of large enterprises will use a CASB, up from fewer than 5% in 2015. This prediction is quickly becoming reality. Already, McAfee counts well over 40% of the Fortune 500 as customers, who are deploying CASB solutions as part of critical business processes.
As the CASB space grows, the number of solution providers is also steadily growing. Gartner’s latest Magic Quadrant for Cloud Access Security Brokers evaluated 11 CASB vendors based on their ability to execute and their completeness of vision. Prior to that, the Forrester Wave™: Cloud Security Gateways, Q4 2016 ranked 8 vendors based on the coverage of their capabilities, vision, and market presence. Companies are therefore faced with the herculean task of evaluating a large number of potential vendors, especially when all of them claim to offer the full breadth of CASB functionality. Advice from analysts can help to tighten up the shortlist, but that still usually leaves 3-4 vendors for companies to comprehensively evaluate.
When choosing a CASB solution, companies usually rank use case coverage as the most important parameter. Based on interviews with its clients, Forrester lists six security capabilities that enterprises look for, at a minimum, when they secure their cloud usage:
- Detect and intercept unusual or fraudulent activities associated with data in the cloud
- Detect and monitor unsanctioned cloud applications and platforms usage
- Protect against leaks of confidential information
- Encrypt structured and unstructured data in cloud platforms
- Aid investigation of suspicious users and incidents
- Detect, neutralize, and eliminate malware in cloud platforms
While use cases are and should be an integral part of the vetting process, companies often end up overlooking certain parameters which can make a significant difference in the pace of deployment, adoption, and the ROI of the solution. Some examples include:
- Will the solution scale to support my transaction volume?
- Does this solution integrate with my existing security infrastructure?
- Does this solution have the necessary controls to maintain the security and privacy of my corporate data?
- If the solution functionality breaks, will this impact critical business processes in my company?
- Will I have the right level of customer success and support to ensure the solution is quickly deployed and my issues addressed?
To aid companies in comprehensively evaluating their CASB providers, McAfee has released a cloud access security broker (CASB) RFP template. It is an exhaustive list of over 200 questions covering key CASB categories, and it synthesizes learnings and questions that have come up across hundreds of CASB RFPs sent to us during product evaluations and customer deployments with enterprises. We understand that companies often don’t have the time or the depth of understanding to draft RFP questions that ensure they choose the right solution not just for their current cloud security requirements, but also for those that may come up in the future as their needs, technology, and industry evolve.
The CASB RFP template not only covers the core CASB use cases, but also goes into detail on nuances such as cloud registry depth, SLAs for DLP, and tokenization of customer data, which tend to be overlooked but can have a significant impact on the adoption of the CASB investment and the value realized from it. Some of these questions can help avoid buyer’s remorse during the deployment process, when showstopper issues on compliance or user experience come up that did not arise during a POC. The document also covers support areas such as deployment, administration, and customer success.
Companies can use this document as a ready-to-go version to ship to prospective CASB vendors or consider it a baseline to work from. Either way, we hope this document saves IT teams several hours they would otherwise have to invest during the RFP stage of evaluation and ensures that the company chooses the right CASB for its current and future security requirements.