To simplify, sometimes it’s good to start with a question, like: What should we consider when trying to find the best CASB?

In a world where cloud security is so closely tied to data security, the following capabilities must be included when trying to decide between various CASB solutions.

1. Identity-based controls

First and foremost, the best CASB should enable identity-based access controls. This includes support for SCIM provisioning and the ability to easily integrate with any SAML 2.0 compliant identity provider. In addition, standard support for syncing to Azure Directory is a must-have functionality.

2. Data security controls

Another key consideration: The best CASB should enable highly effective data security controls to protect sensitive information.  This means protecting structured as well as unstructured data, supporting regulatory compliance data such as PCI, PII and PHI, as well as things like source code, schematics and pharmaceutical formulas. 

3. Reverse proxy

The best CASB should also be able to protect any workload or application your organization is currently using or could potentially plan to use in the future.

In our view, this means that the best CASB should have a strong reverse proxy that can support inline data inspection and policy enforcement for any application. While API inspection of cloud applications provides data-at-rest scanning capabilities and is thus highly valuable for protecting business critical applications that house sensitive data, CASBs that only rely on API inspection will be limited in the number of applications they can cover. This will restrict an organization’s choice of cloud applications. 

In essence, a CASB that only supports API inspection is hindering the organization’s ability to freely choose to use various cloud applications that may be needed for a new business initiative.

4. Agentless protection

Lastly, the best CASB should be able to protect use of cloud applications from any type of device. Again, this is where a strong reverse proxy comes into play. 

By having the CASB’s reverse proxy sit in front of cloud applications and act as the security guard, you can secure any type of device accessing the app and also provide inline content inspection to protect sensitive data that users may try to move out of that application.

While API inspection of cloud applications can also provide cloud app protection regardless of the types of devices accessing the app, it can not provide inline controls that operate in real time to stop a data exfiltration attempt. And, as previously mentioned, API inspection will only be able to service a subset of cloud applications and will restrict organizations unless it is paired with a reverse proxy that can support any cloud application, including custom cloud apps.

If you’re interested to learn more about our approach to CASB, check out Forcepoint ONE CASB. It’s a solution that provides agentless protection for any cloud application, wherever people are working. And its Integration with Forcepoint DLP provides data security everywhere, keeping the data in your cloud applications safe.