9 Key Questions to Ask Every CASB Vendor

When it comes to the CASB vendor selection and buying process, the team responsible for cloud security, usually as part of a cloud center of excellence, must ensure they’re getting a product fit for purpose. Here are some critical questions that every CIO should ask when evaluating a cloud access security broker.

1. What is your solution's security value proposition?

Get the marketing stuff out of the way first and find out what they really offer. Most cloud access security brokers offer a range of features, some of which are probably not on the front page of the product guide. Establish all the features available across all tiers and focus on the products (and tiers or packages) that deliver the most value for your business.

Focus on usability features for the business and IT team, and return on investment as part of the finance equation to round out the overall proposition.

2. Does the solution provide true real-time visibility?

In the modern cloud, most service dashboards provide live monitoring of all activity. The same needs to be true of a CASB. There can’t be a delay between a breach or issue and IT or leadership knowing it. API and proxy-based CASBs offer different performance advantages, and CIOs need to know how that could impact reaction times.

3. Does your CASB support the protection of cloud data from end-to-end?

Many workers download files to their devices, which creates duplication and other issues. Being able to protect both managed and unmanaged data as it resides on both personal and corporate devices is a key function for the CASB.

4. Does the CASB help prevent unauthorized access?

A cloud access security broker alone is unlikely to block any suspicious activity as it’s only designed to report it. To respond automatically, the CASB needs to be integrated with other applications like identity access management (IAM) tools. You need to understand if the CASB provides such a feature, or if there are APIs or other plug-ins to support other applications that can prevent problems before it’s too late.

5. How do you enforce various or separate policies against multiple cloud instances?

The cloud is rarely just one application accessed by all users. Workers could have a mix of personal and business accounts in operation, while different teams could use varying versions of a cloud service. The CASB should be able to differentiate between them, or provide capabilities to create different rules for each variety.

6. How do you prevent sensitive data from moving away from secure platforms?

A typical occurrence during the business day is someone downloading a file from a sanctioned cloud application – for example, Microsoft OneDrive –  to a personal device against corporate rules and best practices. The CASB provider needs to explain how it detects this and what it does to prevent the transfer from taking place.

7. How does the CASB work with common network blind spots?

Users often use corporate devices to access random cloud storage or other unsanctioned cloud services from home, airports or other remote locations. This creates the common situation where an approved device is accessing secure data or files over an insecure or unapproved application. The CASB provider needs to explain how they’d stop data being transferred over that network to an application, usually through network controls. Or they can explain how the cloud access security broker works with a security tool that can detect compromised network access points.

8. How does your CASB ensure safe collaboration in the cloud?

Many teams collaborate remotely and need access to cloud applications and data across a growing number of devices. Managing this level of sharing should be a key feature of a CASB, building in enforcement controls to protect sensitive information from being shared beyond teams, or stored insecurely.

The provider must demonstrate suitable rules, controls or plug-ins to ensure data safety across whatever collaboration services you use.

9. What’s on your CASB roadmap that’s of value to our business?

Every vendor or provider has plans to broaden the scope of their security tools, including CASBs. Discovering what features will be added over time, and whether they’ll be part of your planned tier, or cost more to benefit from, are key but thorny questions to ask.

CASBs in 2025 will likely be more integrated and support edge networking and cloud use cases, along with support for new means of collaboration and improved management insight. Keeping on top of these trends and identifying vendors with a clear goal should help you find a partner that’s better aligned to the needs of the business.

Every CIO will have their own specific questions to ask about compatibility with the cloud apps and services they use or plan to deploy. And many will have some quirky use of a cloud app that’s outside the norm. Asking these questions along with your examples should give you greater insight into the strengths and weaknesses of any CASB vendor or provider.

Further reading:

• Top CASB Use Cases
• 3 Cloud Data Compliance Problems You Didn't Know You Had
• Manage Risks and Ensure Security: 5 Cloud Governance Tips
• Data Sovereignty and Cloud: How Do You Ensure Compliance?