This month’s Market Guide looks at Cloud Access Security Brokers (CASB). These tools, usually maintained by network or security teams, are a key component in governing cloud deployments, particularly SaaS. Their purpose is to discover, monitor, control, and secure access between your users and the cloud services they increasingly rely on to do their jobs.
For an ITAM team the Discover and Monitor aspects align most closely with our priorities but a CASB in general will provide you with greater certainty about your technology assets when looking to standardise or negotiate a contract renewal.
This largely depends on the security posture and IT policy of your organisation. If you have very light touch policies around purchasing of IT hardware, software, and services, a CASB is an immensely powerful detector of potential Shadow IT on your corporate network. Essentially, because a CASB sits at the edge of your network all network traffic leaving the organisation can be configured to pass through it. SaaS discovery is thus fully-automated – it becomes incredibly difficult to avoid detection. The CASB solution will provide a definitive list of which applications are in use on your network, and by which users. Most will identify common cloud storage services – so you can monitor capacity and usage which may be a useful metric at renewal time. You greatly ease the challenge of discovering Shadow IT spend particularly inherent in SaaS.
This definitive discovery is an extremely valuable enabling technology for optimising your Shadow IT estate. By knowing which applications are in use, and who is using them, you can build an optimisation programme. For example, your CASB may show that employees are using Zoom, WebEx, and GoToMeeting for web conferencing. Armed with that information you team can look to recommend optimisation by standardising on a single service.
For organisations with stronger IT usage policies, the CASB provides certainty around application usage. This is particularly important for regulations such as PCI-DSS which require application whitelisting for environments processing payment card transactions. An application whitelist means that only certain applications are permitted for use – clearly from an ITAM perspective this enables further optimisation through standardisation. And with a standard application catalogue implemented and enforced at the edge of the network you can enable automation of software delivery to your users through self-service.
Alternatively, you may take the opposite approach and implement application blacklisting – essentially saying “you may use any application except these”. This can be useful in enforcing standardisation too. For example, if for contractual or licensing reasons you wish to prevent employees from using Dropbox for file-sharing – you can do so via a blacklist. The Dropbox use-case is a prime example of the value of a CASB to an ITAM function. The free personal edition of Dropbox may not be used for commercial purposes. Dropbox have been known to identify corporate use of the free tier via email address and contact the company to discuss commercial terms.
Moving beyond these technical solutions to common ITAM problems, a CASB can be valuable in fostering strong stakeholder relationships. CASBs are usually managed by your Network and Security teams, who are key allies in achieving your ITAM objectives. By working together, you can ensure keeping the organisation safe also delivers value in terms of reduced costs and application complexity. Used alongside your existing ITAM tooling a CASB provides additional capabilities and enables you to expand your remit. For example, you can easily get to grips with cloud spend and consumption management in general. You can also assess the suitability of services from a governance perspective during the acquire phase of the asset lifecycle – CASB providers constantly monitor SaaS services from a Governance, Risk, and Compliance perspective.
A CASB potentially enables you to get ahead of the curve in transitioning your ITAM team to a cloud-first posture. Recent Gartner research states that just 20% of large enterprises were using a CASB in 2018 – that’s predicted to grow to around 60% in 2022. For ITAM tool vendors cloud is seen as a priority, with many marketing strongly around their capabilities in managing SaaS & IaaS. ITAM cloud tools may be slightly further along the curve in terms of adoption but there is now the opportunity to work with your Network & Security teams to add the capabilities a CASB provides to a cloud governance platform.
Does your organisation already use a CASB? Do you work with your IT Security & Network teams to make use of the information it gathers? Please let us know in the comments below. Similarly, if you have experience with one of these tools, please consider submitting a review on our Market Place.