This content is part of the Essential Guide: Combat the latest cloud security challenges and risks

Four ways to streamline cloud access security broker adoption

A cloud access security broker provides an extra layer of protection, but IT must choose the tool carefully to avoid weighing down cloud performance.

Security remains problematic for enterprise IT. The struggle to ensure application availability while protecting corporate data is even tougher when the business integrates public cloud services.

One emerging tool to end the struggle is a cloud access security broker. With a cloud access security broker, IT teams can enforce a multitude of cloud security policies. But these tools are not created equal, so it's important for organizations to consider potential issues and assess each offering carefully.

Here are four tips to more effectively choose and deploy a cloud access security broker.

Define your goals

One of the recurring problems with enterprise tools is that organizations lack a clear goal for deploying them. A cloud access security broker can't do everything, so start with a clear understanding of why you're deploying one.

The role of a cloud access security broker is still relatively new so careful testing and evaluation is vital.

A cloud access security broker -- such as those from Palerra, Elastica, Skyhigh Networks and Netskope -- usually imposes an independent set of security policies between the enterprise and the cloud service provider, such as Amazon Web Services (AWS) and Google Cloud Platform. But sometimes, the goal might be to discover and restrict shadow IT operations, or identify weak or liberal security policies. In other cases, the cloud access security broker might play more of monitoring and management role, allowing business units to see how cloud services are used -- an advantage for cloud budgeting.

Review the feature set

Cloud access security brokers offer a range of features. They might give administrators insight into utilization of cloud services; use packaged templates, custom policies and machine learning to monitor behaviors and spot risky activities; generate logs, send alerts and create detailed reports for administrators; and even take some remedial actions to enforce established security policies. A cloud access security broker can also integrate with existing IT platforms, such as Lightweight Directory Access Protocol, identity and access management tools, ticket and helpdesk systems, single sign-on and other security tools.

Review the cloud access security broker feature set thoroughly to ensure it fits your needs -- or identify feature gaps that may demand additional security investments. The role of a cloud access security broker is still relatively new so careful testing and evaluation is vital.

Evaluate the scope

Organizations can tailor a cloud access security broker to suit specific cloud services or platforms. These service-specific tools can perform reliably, but only for the intended service. For example, if the business develops cloud software that runs on AWS, it may need one tool for AWS and another for the cloud software repository, such as GitHub. Also, if a business changes cloud platforms, it may need to invest in another cloud access security broker. Be sure to budget for multiple tools, if necessary.

Locally hosted cloud access security brokers require updates, but, in some cases, the updates can be disruptive. Businesses that deploy a cloud access security broker in-house will need to integrate the platform with existing patch and change management tools.

When cloud access security brokers are delivered as a third-party service, users face the same possibility of service outages or disruptions that can occur with any other software as a service offering. The provider must stand behind a suitable service level agreement (SLA) that meets the business' security and compliance requirements.

Assess the operational models

Organizations can deploy a cloud access security broker in multiple locations. Each location can offer unique benefits and capabilities, so it's important to understand where the tool will operate most effectively.

Deploying cloud access security brokers locally is often the preferred model, allowing the tool to see all network traffic, manage identities and access control to the group, device or geographical level and employ local encryption to prevent unauthorized access. However, a local deployment requires IT to manage and support another system.

Cloud-based security brokers can be easy to adopt, but establishing encryption control may affect cloud applications' ability to process data. For example, if a cloud access security broker encrypts financial data, the financial cloud app intended to use that encrypted data may not be able to decrypt it. These products also experience the same availability issues that any other cloud application faces, so if the tool becomes unavailable, the cloud applications it protects may also become unavailable.

Some cloud access security brokers may also touch endpoint devices through endpoint encryption. This requires a policy link between the tool and the endpoints that enforces central security policies, drives encryption and allows a selective wipe of data if the employee leaves the company or the endpoint device is compromised.

Next Steps

Protect your cloud with cloud access security broker tools

Solve app issues with application performance management tools

Cloud access security broker tools are gaining traction

Dig Deeper on Cloud computing security