The Road to CASB: 2019 Business Requirements

It’s no surprise that today’s market landscape is driving large enterprises to adopt the cloud to gain flexibility and efficiency. With this adoption, a multitude of information security gaps and challenges arise.

Information Security executives must understand how to monitor all cloud activity because of the emergence of “Shadow IT” and have policies and procedures in place to react to events or incidents. In addition, challenges with managing external credentials to various SaaS providers and Bring Your Own Device (BYOD) policy adds another layer of complexity in Identity and Access Management (IAM).

Nevertheless, the shift to cloud is inevitable and will require diligence to implement changes by information security executives that are already busy working to remediate incidents, close audit findings, retain key personnel, and report to the board. How can information security keep up with the additional requirements that come with cloud adoption, such as:

  • Requirements to comply with relative regulatory mandates, such as GDPR, SOX, HIPAA, or NYDFS among others
  • IT groups or business units initiating cloud projects without information security participation where security policies are unclear, unknown, or ignored
  • Information security team being engaged at the end of a cloud project instead of project inception
  • Unknown Shadow IT usage of cloud services while business unit personnel continue subscribing to cloud-delivered services with little oversight or integration into the overall security strategy

The goal of this paper is to provide a kickstart through a working set of requirements for you to leverage, and modify as needed in your search for a CASB solution. This set of requirements provides some structure on how CASBs fit in the overall Information Security strategy.

This paper is designed to provide key requirements that you can use as input consideration for your organization’s CASB initiative. Each requirement provides specific features that are important in most organizations, but specific risk mitigation priorities must be analyzed and decided within each organization. For instance, Cedrus has provided examples of integrations such as Security Information and Event Management (SIEM), but each organization’s needs may be more specific about a particular SIEM.