As growing numbers of applications and users move to cloud-based services, it has become painfully obvious that enterprise controls for managing policies and access to cloud services needs more rigor. In fact, it's a need that has spawned a new class of security products that analyst firm Gartner refers to as the cloud access security broker (CASB) market.
After sitting on the sidelines, IBM is now jumping into the CASB market with its new Cloud Security Enforcer service. In many cases, CASB solutions are used to help expose so-called "shadow IT" operations, which is usage of technology that goes beyond and outside of the control of enterprise IT. Among the multiple vendors in the CASB space are Adallom, which was recently acquired by Microsoft, and Imperva's SkyFence.
According to Andy Land, product marketing director at IBM Security, the IBM Cloud Security Enforcer goes beyond the capabilities of traditional cloud security brokers.
"We are entering this market with some unique differentiators, namely that we have identity-as-a-service (IDaaS) capabilities built into this product," Land told eSecurityPlanet. "This means that employees no longer have to manage credentials such as passwords."
Land added that IBM also has differentiation around how it protects customers’ usage of cloud apps and closes the mobile blind spot. As part of the Cloud Security Enforcer, IBM is also integrating its X-Force global threat intelligence feeds into the product, so organizations will have a real-time view of the risk and reputation of any cloud service their employees are using.
"This allows companies to continuously analyze what’s happening around the world in terms of threats and potential threats for the outside apps their employees are using at work," Land said. "If an app is found to have rising risks or is in danger of being compromised, security teams will know immediately and can take back control of their data on that app."
IBM already has multiple identity and access management technology as part of its security portfolio. IBM Cloud Security Enforcer has IBM's identity access management (IAM) capabilities built into it, Land said.
"We utilize our access management and federated identity capabilities within the product to build employee self-service dashboards for sanctioned cloud applications," Land said. "Users will have a catalog of approved, third-party cloud applications at their fingertips that they can automatically connect to with their corporate credentials."
Land explained that Cloud Enforcer is built utilizing several key technologies in the IBM portfolio, including security intelligence (QRadar), threat intelligence (XForce), threat prevention (XGS) and identity and access control (IAM).
"We built the product as a software-as-a-service offering to lower complexity and make it easy for our customers to start using the product," he said. "The product was built using the IBM Design process where we started from the outside-in by really understanding the different users and how they would need to interact with the product."
From a deployment perspective, Land said that Cloud Security Enforcer does not require any changes to the enterprise's network configuration. The solution integrates with existing firewalls or Web gateways to gather network traffic details for analysis. Network traffic is combined with identity information for comprehensive reporting on cloud application and specific user activity.
For mobile users, Cloud Security Enforcer utilizes the native iOS or Android VPN controls or an enterprise mobility management solution on the phone to route traffic through IBM's cloud proxy.
IBM Cloud Enforcer is set to become generally available on Sept. 30, with pricing starting at $6/user/month.
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.