Decision Time: Deploying CASB On Premises or in the Cloud

By on Jan 07, 2016

When it comes to deploying a CASB, one of the most important considerations is whether to deploy the solution in the cloud or on premises. McAfee (formerly Skyhigh Networks) offers both form factors, and we’ve learned a lot about which deployment path companies choose for different use cases from our customers. In its latest Market Guide for Cloud Access Security Brokers (download a free copy here), Gartner reaffirmed what we’ve already seen across our customer base – that companies overwhelmingly choose to deploy CASB in the cloud. So, why do companies select one path over the other?

Why companies deploy CASB in the cloud

One of the most common reasons why companies choose the cloud form factor for their CASB project is they’re looking for the benefits the cloud has to offer. Cloud services are up and running quickly. They require no hardware or software to manage, which significantly reduces the amount of time spent maintaining the application and frees IT to focus on more strategic initiatives. Together, this leads to lower total cost of ownership. These advantages are driving companies to adopt cloud services in the first place, and it’s a natural starting place to consider the cloud form factor when deploying a security solution directed at cloud services.

Another common consideration is that some features of cloud access security brokers are not available in an on-premises form factor. For example, user and entity behavioral analytics (UEBA) generally rely on sophisticated machine learning algorithms to crunch massive data sets and pinpoint unusual activity that can indicate a threat. Due to the complexity of the infrastructure required to deliver this functionality, it’s generally not included in an on-premises deployment option. And if it were, many organizations lack the skilled resources to manage this technology.

Finally, a key tenet of the growing User-Centric IT movement is that security should be transparent to the end user. When security is heavy handed and negatively impacts the user experience, it encourages users to find ways around the security in ways that can introduce even more risk; thus, negating the benefit of the security in the first place. When a CASB is deployed on premises it introduces latency as all traffic, even mobile traffic, is backhauled on premises. Response time is so important to users that Google and e-commerce sites routinely spend millions of dollars shaving milliseconds from page load times. In the cloud, a CASB can be hosted in the same data centers as cloud providers, virtually eliminating latency.

Use cases that drive on-premises deployments

Despite the popularity of the cloud form factor, there are some cases in which companies prefer an on-premises deployment. Gartner notes, “The on-premises [CASB] versions are meeting specific use cases in which regulatory and/or data sovereignty require an on-premises answer.” Some companies have strict requirements that prohibit certain data from leaving the company for the cloud. This is becoming less of an issue now that customers have more privacy options. For example, for cloud-based deployments McAfee tokenizes or obfuscates sensitive log data (e.g. IP addresses, user names, and even the customer name) on-premises before it leaves the company for the cloud.

Tokenization is the same technology used everyday to protect payment card numbers when a retailer authorizes a transaction. A cloud-based CASB can perform analysis on the data in its obfuscated form using a big data infrastructure that enables it to deliver actionable intelligence against the backdrop of millions of daily events. It doesn’t matter that the data is obfuscated since these algorithms operate purely mathematically. They don’t require the system to know whether the individual user is the clear text “” or the tokenized value “84cd315f574d654e7c15a3a”. When a user logs in to view analytics, the data is retrieved and seamlessly de-obfuscated on the client side.

While tokenization of log data for shadow IT discovery has removed one of the primary use cases that previously motivated customers to choose a purely on-premises deployment, the on-premises path can still be an attractive option for customers looking to encrypt sensitive data within their trusted cloud services. A common use case today is companies want to encrypt sensitive data uploaded to cloud services such as Salesforce and ServiceNow using encryption keys controlled by the customer, not the cloud provider. In some cases, companies want to encrypt this data before it leaves their firewall, so they prefer the CASB to sit on premises and handle encryption and decryption of data on their network.

The best of both worlds

There’s no one-size-fits-all solution. Depending on your organization’s unique requirements, you may find yourself choosing either option or maybe both options. A hybrid deployment can enable an organization to achieve the benefits of both form factors. For example, an organization can use a cloud-based CASB deployment for analytics while using an on-premises deployment to encrypt data headed for its sanctioned cloud services behind the firewall. To learn more about deployment options and other evaluation criteria when embarking on a CASB project, I encourage you to read Gartner’s latest report above.


About the Author

McAfee Cloud BU

Learn about cloud threats, the latest cloud security technologies, and the leading approaches for protecting data in cloud services.

Read more posts from McAfee Cloud BU

Categories: Cloud Security

Subscribe to McAfee Securing Tomorrow Blogs