2016 is the year that most SMBs will start researching and shopping for a cloud security solution, if they don’t already have one. But picking apart marketing hype from the facts won’t be easy. Understanding the underlying technology, how to implement it, how to maintain it, and how to budget will probably take longer than most IT pros anticipate.

The difficulty in Cloud Access Security Broker (CASB) shopping isn’t necessarily intentional; decentralization through the use of cloud apps makes security more complex than tried-and-true perimeter security. Unfortunately, perimeter security doesn’t adequately cover cloud apps. Each CASB vendor approaches the problem of cloud security from a different angle, and each approach leads to strengths in one area and weaknesses in others. For more details on this see the features discussed in Deciding Which CASB is Right For You.

Over the long term, industry consolidation will lead to more comprehensive solutions, but merging CASB vendors isn’t necessarily good news for SMBs. The pressure to create more comprehensive solutions will push CASBs towards the enterprise and will likely increase costs and complexity of integration. So, what should SMBs that want better cloud security do?

While central control over all cloud app activity might be the goal, the small milestones that are necessary to achieve the goal are even more important. A Discovery Phase will help you determine the basics, like:

  1. What cloud apps need to be monitored and controlled?
  2. How to monitor and control account access?
  3. How to monitor and control business data?
  4. How to manage reporting and compliance?

For example, while searching on the phrase, “What cloud apps need to be monitored and controlled,” you’ll find:

  • API-based solutions will have a handful of cloud apps that they work with natively. Users will sign in like normal through the apps, but unsupported cloud apps are expected to be blocked. API-based approaches allow for deep security integration into supported cloud apps but don’t cover unsupported cloud apps.
  • Proxy/Gateway-based solutions will allow you to use most cloud apps, but logins and speed are affected. The integrations into each service aren’t as deep.

Attempting to answer the questions above is putting the cart before the horse. Most SMBs don’t have the technology in place to provide an adequate answer. And, they don’t necessarily need all the features many CASB vendors provide in order to start securing cloud apps. Most SMBs only need one thing to begin their foray into cloud security: monitoring.

Start with Monitoring

Cloud activity monitoring gives IT pros clarity about what actions should be taken to create a more cohesive and secure cloud app ecosystem. Knowing the activity will help you start answering those critical questions and plan your next steps.  SMBs will need a CASB eventually, but their IT pros are only beginning to scratch the surface. Monitoring is a non-invasive way to begin the research process. When you start with monitoring, you can build smart policies around your cloud apps, and if necessary, control their usage.