You may not be familiar with the term "cloud access security broker," but it's a term that's going to become commonplace very soon.

A cloud access security broker (CASB) is a cloud security product that sits between cloud service providers and the people who use them. Its role is to apply cloud security best practices and corporate security policies as cloud services are accessed by end users, both within the corporate network or externally from any mobile device.

CASBs are needed for a simple but powerful reason. Reputable software-as-a-service (SaaS) vendors generally do a good job of securing their applications and network infrastructure - but it's still up to their customers to secure the data these cloud applications use, and the people and devices that access these applications.

This is especially critical, as enterprise business units are increasingly acquiring cloud services independently of the IT department, with little regard for cloud security. As a result, Gartner believes that through 2020, 95 percent of cloud security failures will be the fault of customers rather than service providers.

A CASB provides a way to reduce the risk of cloud security failures that are the customer's fault. That's why Gartner predicts that 85 percent of large enterprises will use a cloud access security broker with their cloud services by 2020, up from fewer than 5 percent today.

While CASBs offer a wide range of functions, Gartner defines "four pillars" of functionality, all of which we discuss here:

  • Visibility
  • Compliance
  • Data security
  • Threat protection

In addition, we cover:

  • Whether to deploy a CASB on-premise or in the cloud
  • The two different CASB architectures
  • The question of whether one CASB is adequate
  • How consolidation is impacting the CASB market

Four Key CASB Features

Visibility: One of the key functions of a CASB is to give network administrators visibility into all cloud usage in an organization. This involves discovery tools to detect "shadow IT" usage of unauthorized cloud services, as well as the ability to monitor employees using cloud services outside the network perimeter on mobile devices.

Compliance: CASBs impose controls on cloud usage to ensure compliance with specific industry regulations such as HIPAA. They can also detect when cloud service usage is likely to result in falling out of compliance.

Data security: Another key feature of a cloud access security broker is the enforcement of corporate security policies to control access to sensitive data, and to ensure data is encrypted or tokenized appropriately, while still allowing application features (like search) to continue to operate. Most CASBs also offer data leakage prevention functionality, for example, by marking data as sensitive, preventing data downloads or redacting data.

Threat protection: This includes threat intelligence, anomaly detection and malware protection, but also more generally controlling unauthorized devices and users from accessing corporate cloud services.
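The visibility and data security pillars are the two most easily shown in code. The following is an added example, not code from the article or from any CASB vendor: it runs shadow-IT discovery over a few constructed proxy log lines (the log format, hostnames and sanctioned-application inventory are all hypothetical) and applies a simple data-leakage check that redacts SSN-like and Luhn-valid card-like numbers from an upload before it proceeds.

```python
import re
from collections import defaultdict

# Constructed proxy log lines for this example (not from the article). Hypothetical format:
# <timestamp> <user> <method> <host> <path> <bytes_out>
SAMPLE_LOGS = """\
2016-01-12T09:14:02Z alice POST docs.sanctioned-suite.example /upload 2048000
2016-01-12T09:15:30Z bob GET crm.sanctioned-suite.example /contacts 512
2016-01-12T09:17:45Z carol POST files.personal-share.example /api/upload 8400000
2016-01-12T09:20:11Z dave POST files.personal-share.example /api/upload 120000
2016-01-12T09:21:00Z alice GET mail.sanctioned-suite.example /inbox 4096
2016-01-12T09:25:37Z erin PUT notes.unlisted-saas.example /v1/items 30000
"""

# Hypothetical inventory of cloud applications IT has approved.
SANCTIONED_HOSTS = {
    "docs.sanctioned-suite.example",
    "crm.sanctioned-suite.example",
    "mail.sanctioned-suite.example",
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<bytes_out>\d+)$"
)
UPLOAD_METHODS = {"POST", "PUT"}


def parse_logs(text):
    """Parse log lines into dicts; malformed lines are skipped so one bad line cannot stop discovery."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["bytes_out"] = int(rec["bytes_out"])
        records.append(rec)
    return records


def discover_cloud_usage(records, sanctioned_hosts):
    """Visibility: aggregate usage per cloud host and flag hosts missing from the sanctioned inventory."""
    usage = defaultdict(lambda: {"users": set(), "upload_bytes": 0, "requests": 0})
    for rec in records:
        entry = usage[rec["host"]]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        if rec["method"] in UPLOAD_METHODS:
            entry["upload_bytes"] += rec["bytes_out"]
    return {
        host: {
            "status": "sanctioned" if host in sanctioned_hosts else "shadow_it",
            "users": sorted(entry["users"]),
            "requests": entry["requests"],
            "upload_bytes": entry["upload_bytes"],
        }
        for host, entry in usage.items()
    }


def shadow_it_hosts(report):
    """Unsanctioned hosts ordered by bytes uploaded, largest first: where an analyst should look first."""
    return sorted(
        (h for h, e in report.items() if e["status"] == "shadow_it"),
        key=lambda h: report[h]["upload_bytes"],
        reverse=True,
    )


# Data security: pattern-based DLP with a checksum to cut false positives on card-like numbers.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")  # 13-16 digits with optional space/dash separators


def luhn_ok(digits):
    """Luhn checksum: true for card numbers that pass the mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact_sensitive(text):
    """Return (redacted_text, count): SSN-like values and Luhn-valid card-like numbers are masked."""
    count = 0

    def ssn_sub(m):
        nonlocal count
        count += 1
        return "[REDACTED-SSN]"

    def card_sub(m):
        nonlocal count
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            count += 1
            return "[REDACTED-CARD]"
        return m.group(0)  # digit run that fails Luhn (order numbers etc.) is left alone

    text = SSN_RE.sub(ssn_sub, text)
    text = CARD_RE.sub(card_sub, text)
    return text, count


if __name__ == "__main__":
    report = discover_cloud_usage(parse_logs(SAMPLE_LOGS), SANCTIONED_HOSTS)
    for host in shadow_it_hosts(report):
        print(host, report[host])
    print(redact_sensitive("SSN 123-45-6789 paid with 4111 1111 1111 1111, ref 4111 1111 1111 1112"))
```

In a real deployment the log source would be the CASB's own proxy or the API feed from the cloud provider, and the sanctioned inventory would come from the organisation's application catalogue; the logic of the check is the same.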

CASB in the Cloud or On Premise

CASBs may run on premise or in the cloud. Logically, CASBs sit between the end user and the cloud, but physically a CASB has to be located in one of two places: in a corporate data center or in the cloud itself. That means you have a choice between using a cloud access security broker as a service or hosting one on a physical or virtual appliance.

The SaaS option is easier to manage and is the more popular option, according to Gartner, but in certain industries you may have to use an on-premise system for compliance reasons.

How Do CASBs Work?

There are two key ways that a CASB can work. It can be set up as a proxy - either a forward or a reverse proxy - or it can work in API mode, using cloud providers' APIs to control cloud access and apply corporate security policies. Increasingly CASBs are becoming "mixed mode" or "multi-mode," using both proxying and API technology. That's because each approach offers pros and cons.

For example, a forward proxy can be used for all types of cloud applications and all data passes through the proxy, but to use a forward proxy you need to install the proxy's self-signed certificate on every single device that accesses the proxy. This can be difficult to deploy in a distributed environment or one with a large number of employee-owned mobile devices.

A reverse proxy system is easier in that respect because it is accessible from any device, anywhere without the need for special configuration or certificate installation. The drawback is that a reverse proxy can't work with client-server type apps, which have hard-coded hostnames.

API-based systems are also easy to deploy. One drawback, however, is that the range of cloud applications they can work fully with is more limited because not all cloud applications provide API support.
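Two of the three modes above can be illustrated without any network plumbing. This is an added example, not code from the article or from any CASB product, and every hostname, e-mail address and the sharing-metadata shape it uses is constructed for the example (it is not a real vendor's API schema). The first part shows what a reverse proxy does to a SaaS response so that the browser's next request still lands on the proxy; a native client with the SaaS hostname hard-coded never sees those rewritten links, which is the limitation the text describes. The second part shows the API-mode pattern: an out-of-band scan of sharing metadata the provider's API returns, producing policy findings rather than intercepting traffic.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# --- Reverse-proxy mode (hypothetical hostnames) ---------------------------------
SAAS_HOST = "app.saas-vendor.example"
PROXY_HOST = "app.saas-vendor.example.casb.corp.example"


def to_proxy_url(url):
    """Rewrite a URL on the SaaS host so a browser following it stays behind the CASB."""
    parts = urlsplit(url)
    if parts.hostname != SAAS_HOST:
        return url  # links to other sites are left untouched
    netloc = PROXY_HOST if parts.port is None else f"{PROXY_HOST}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def rewrite_links(html):
    """Rewrite href/src attributes in a SaaS response body; return (new_html, links_changed)."""
    count = 0

    def repl(m):
        nonlocal count
        new = to_proxy_url(m.group(2))
        if new != m.group(2):
            count += 1
        return f'{m.group(1)}="{new}"'

    return re.sub(r'\b(href|src)="([^"]+)"', repl, html), count


def request_is_inspected(client_kind, target_host):
    """A reverse proxy only sees requests a client sends to the proxy hostname. Browsers get there by
    following rewritten links; a thick client that connects straight to the SaaS host bypasses it."""
    return client_kind == "browser" and target_host == PROXY_HOST or target_host == PROXY_HOST


# --- API mode (constructed sharing metadata in a hypothetical schema) ----------------
CORP_DOMAIN = "corp.example"
SHARE_LISTING = [
    {"id": "f1", "name": "board-deck.pptx", "owner": "alice@corp.example",
     "permissions": [{"type": "user", "email": "bob@corp.example", "role": "reader"}]},
    {"id": "f2", "name": "customer-list.xlsx", "owner": "carol@corp.example",
     "permissions": [{"type": "anyone", "role": "reader"}]},
    {"id": "f3", "name": "contract.docx", "owner": "dave@corp.example",
     "permissions": [{"type": "user", "email": "partner@outside.example", "role": "writer"}]},
]


def audit_sharing(listing, corp_domain):
    """Flag files exposed beyond the company: public links and external collaborators.
    Each finding carries the remediation the policy would apply through the provider's API."""
    findings = []
    for f in listing:
        for p in f["permissions"]:
            if p["type"] == "anyone":
                findings.append({"id": f["id"], "name": f["name"],
                                 "issue": "public_link", "action": "revoke_link"})
            elif p["type"] == "user" and not p["email"].lower().endswith("@" + corp_domain):
                findings.append({"id": f["id"], "name": f["name"],
                                 "issue": "external_collaborator:" + p["email"],
                                 "action": "require_owner_approval"})
    return findings


if __name__ == "__main__":
    body = '<a href="https://app.saas-vendor.example/files?id=1">open</a>'
    print(rewrite_links(body))
    for finding in audit_sharing(SHARE_LISTING, CORP_DOMAIN):
        print(finding)
```

The API-mode scan is only as timely as the provider's API allows (polling or change notifications), which is the real-time gap the Gartner quotation below refers to; the reverse-proxy rewrite is inline and immediate but covers only clients that follow the rewritten links.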

"Proxy or API architectures from CASB have different abilities to perform different actions, which have various implications for how that provider delivers the four pillars for a specific cloud service," Gartner warns.

But over the next few years Gartner expects many cloud service providers to develop their APIs significantly. "In the long term, APIs have the potential to obviate having to intercept traffic with proxies if they mature to the point where real-time visibility and control become possible," it believes.

One CASB May Not Be Enough

The capabilities of CASBs - forward-proxy-based, reverse-proxy-based, API-based or multimode - vary. It's important to understand that just because a particular application is supported by a CASB, it doesn't mean that it is supported to the same extent as it is by another CASB.

It's also the case that the range of applications supported by a CASB varies. That makes choosing a cloud access security broker that supports the applications you use now, and are likely to use in the future, a challenge. Back-office apps like CRM, HR and ERP are generally well supported, but industry-specific apps (for example for the health care industry) are less so.

Gartner's advice? "Be cautious when entering into long-term contracts. Build in flexibility, because you may need more than one CASB or you may need to transition from your current provider to one delivering a complete set of your use cases during the next two years."

CASB Consolidation

The cloud access security broker industry as a whole is less than five years old, so Gartner expects a considerable degree of consolidation, including acquisitions by larger cloud security players and new entrants. It expects no more than seven standalone CASB vendors to be in existence by 2018.

This has already started: Security company Palo Alto Networks bought California-based CASB CirroSecure last May and uses the technology in its Aperture product. Security company Blue Coat Systems bought Virginia-based CASB Perspecsys in July and California-based Elastica in November. And Microsoft got into the CASB market with its September acquisition of Israel-based CASB Adallom.

If you are interested in a cloud access security broker, here is a short list of nine CASB vendors you should know.

Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.