When applications and data were on premises, IT had controls that limited access to authenticated users signing in from enterprise-managed devices. Now that applications and data are moving to the cloud and enterprises are embracing BYOD programs, IT expects these same controls for cloud services.

The concern is that as users access corporate data in cloud services, they can easily download sensitive data to devices that do not have management software that enforces appropriate security controls (e.g. encryption and strong passwords). When one of these devices is stolen, enterprise data is put at risk. Identity management solutions partially address this issue by blocking access at login, but what happens when you want to enable access to services without enabling risky activity?

In an ideal world, you would enable cloud services that make employees productive from any device anywhere in the world while simultaneously limiting high-risk activity based on the context of the access (e.g. user, department, location, device management status) and action (e.g. preview, upload, download). Enter the cloud access security broker (CASB).

With a CASB, an enterprise can not only enforce coarse-grained allow/block access to a cloud service but also apply fine-grained controls. For example, a company can create and enforce a policy that says employees accessing from unmanaged devices on remote networks are allowed to view data in Salesforce, but they cannot download reports to that device. There are several ways to approach this problem. Andy Oehler, Sr. Manager, Product Management, explains:

This post was originally published on the Skyhigh Networks website and is used with their permission.
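The Salesforce policy described above can be written out as a small context-and-action evaluator. This is an added example, not code from the original post or from any CASB product; the attribute names, rule names, first-match ordering, default-deny fallback and the choice to treat an unknown device posture as unmanaged are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Request:
    """One access attempt: who, which service, which action, from what context."""
    user: str
    service: str
    action: str                      # "view", "upload" or "download"
    device_managed: Optional[bool]   # None = posture could not be determined
    network: str                     # "corporate" or "remote"

@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                      # "allow" or "block"
    service: str
    actions: frozenset
    device_managed: Optional[bool] = None   # None = matches any device
    network: Optional[str] = None           # None = matches any network

    def matches(self, req: Request) -> bool:
        # Assumption: unknown posture fails closed and is treated as unmanaged.
        managed = bool(req.device_managed)
        return (req.service == self.service
                and req.action in self.actions
                and self.device_managed in (None, managed)
                and self.network in (None, req.network))

# Ordered policy (hypothetical rule names); the most specific restriction comes first.
POLICY = [
    Rule("unmanaged-remote-no-download", "block", "salesforce",
         frozenset({"download"}), device_managed=False, network="remote"),
    Rule("salesforce-view", "allow", "salesforce", frozenset({"view"})),
    Rule("salesforce-download", "allow", "salesforce", frozenset({"download"})),
]

def evaluate(req: Request, policy=POLICY):
    """Return (effect, rule_name). First match wins; no match means block."""
    for rule in policy:
        if rule.matches(req):
            return rule.effect, rule.name
    return "block", "default-deny"

if __name__ == "__main__":
    # Constructed sample requests.
    for action, managed, net in [("view", False, "remote"), ("download", False, "remote"),
                                 ("download", None, "remote"), ("download", True, "remote")]:
        req = Request("alice", "salesforce", action, managed, net)
        print(action, managed, net, "->", evaluate(req))
```

Rule order carries the policy here: moving the block rule below `salesforce-download` would silently permit the download it is meant to stop.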