Any cloud-based infrastructure needs a robust cloud access security broker (CASB) solution to ensure data and application security and integrity. With the adoption of cloud-based applications and services growing exponentially, especially as a result of the dramatic growth in remote work in response to the COVID-19 pandemic, more than ever organizations need to protect their data and IT systems from cloud-based threats.
Choosing the right CASB provider will save time, effort, and money – in addition to ensuring enterprises stay protected against emerging threats. We carefully surveyed the field and present below our recommendations for the top CASB vendors and industry-wide wisdom for buyers.
Top CASB solutions
We evaluated a wide range of CASB vendors across multiple data points and product features to make it easier for you to make a thorough assessment of their features, strengths and limitations. Independent tests, user reviews, vendor information and analyst reports were among the sources used in our analysis.
Netskope
Key takeaway: For ease of use and excellent support, few can match Netskope.
Pros:
- Improves compliance and risk management
- Good security and management
Cons:
- Pricier than others on the list but users see value
Netskope scored highest overall in our analysis, and came out on top in Detection and Response, Management, Support and Value. Its ability to identify and manage cloud applications, whether managed or unmanaged, stands out. Security gateways help prevent sensitive data from being exfiltrated by risky insiders or cybercriminals who have penetrated the security perimeter.
The data-centric approach adopted by Netskope Security Cloud allows it to deliver impressive visibility and real-time data and threat protection whenever any PC or mobile device connects to the cloud. Its vast experience enables Netskope to offer the appropriate solution to the satisfaction of its clientele.
| | Overall score | Detection & Response | Management | Ease of deployment | Support | Value |
|---|---|---|---|---|---|---|
| Netskope | 4.5 | 4.6 | 4.8 | 4.1 | 4.7 | 4.4 |
McAfee MVISION
Key takeaway: Meets compliance requirements, manages financial and reputational risks, and protects intellectual property.
Pros:
- Scores high on detection, automation and intelligence
- Excellent service and support
Cons:
- Some deployment challenges
- Management on par with competitors
Regarding value, McAfee MVISION is on par with Proofpoint and Cisco CloudLock, and right behind Netskope. Coming from an organization famed for its anti-virus and security offerings, MVISION places high priority on security, threat intelligence and artificial intelligence (AI). MVISION’s endpoint and cloud security protect data through central management and the orchestration of analytics, automation and threat intelligence.
The insight-driven CASB offering is powered by almost a billion sensors around the world, and state-of-the-art analytics delivers some of the best intelligence capabilities. The product has some deployment limitations but still ranks second overall.
| | Overall score | Detection & Response | Management | Ease of deployment | Support | Value |
|---|---|---|---|---|---|---|
| McAfee MVISION | 4.4 | 4.5 | 4.4 | 4.0 | 4.5 | 4.3 |
Palo Alto Networks Prisma
Key takeaway: Comprehensive security across the deployment lifecycle.
Pros:
- Improves compliance and risk management
- Good visibility and security
Cons:
- Multiple consoles may be needed for additional services
Palo Alto Networks has posted impressive third-party test results across its security portfolio, so it’s not surprising that Prisma ranks high in security, and visibility and compliance are other strengths. Prisma scored well across the board in our evaluation, with Detection and Response, Management, Deployment and ease of use noteworthy standouts. One downside could be the complexity of management as additional services are added, but users overall are positive.
| | Overall score | Detection & Response | Management | Ease of deployment | Support | Value |
|---|---|---|---|---|---|---|
| Palo Alto Prisma | 4.3 | 4.4 | 4.5 | 4.2 | 4.3 | 4.2 |
Cisco Cloudlock
Key takeaway: Strong security coupled with ease of deployment makes Cisco Cloudlock one to consider.
Pros:
- Strong security
- Ease of deployment
- Good automation
Cons:
- Compliance and visibility could be better
Cisco Cloudlock came out on top for raw security, not a bad selling point for a security product. The cloud-native CASB product makes use of APIs to manage risks. Cisco uses machine learning algorithms to identify any anomalies based on a set of factors and moves to prevent any threat to the cloud infrastructure. Its data loss prevention (DLP) technology continuously monitors the cloud environment. Numerous out-of-the-box policies and the highly tunable custom policies make Cisco a formidable competitor on this list. The Cloudlock Apps Firewall ensures that all cloud apps connected to the enterprise IT infrastructure are regularly detected and controlled. Some users have wished for improved functionality in compliance and visibility.
| | Overall score | Detection & Response | Management | Ease of deployment | Support | Value |
|---|---|---|---|---|---|---|
| Cisco Cloudlock | 4.3 | 4.5 | 4.2 | 4.2 | 4.4 | 4.3 |
Proofpoint
Key takeaway: Proofpoint offers strong security and functionality and is a good value too.
Pros:
- Ease of deployment
- Good security
- Excellent support
Cons:
- Users report management can be challenging
Proofpoint aims to satisfy the needs of a client on a budget. The CASB offering secures the major cloud offerings and ensures enterprises gain people-centric visibility and control over cloud apps. The tool allows enterprises to structure levels of access to users and third-party apps based on the identified risk parameters. One of the critical advantages of Proofpoint is the granular visibility about user information and any risks to data. The insights are defined under three classes: global, user and app level. The CASB protocol offers extensive control for managing oversight of suspicious logins, activity and DLP alerts. Users are happy but report some challenges with management. Deployment times are faster than average.
| | Overall score | Detection & Response | Management | Ease of deployment | Support | Value |
|---|---|---|---|---|---|---|
| Proofpoint | 4.3 | 4.5 | 4.1 | 4.3 | 4.5 | 4.3 |
Bitglass
Key takeaway: Good security, management and a unique approach that also manages to be a good value.
Pros:
- Unique agentless, browser-based approach
- Good security and management
- Good value and support
Cons:
- Deployment can be challenging
Bitglass is a cloud-native CASB that can also deploy in a docker container for on-premises client requirements. It combines forward and reverse proxy and API approaches, and its agentless, browser-based reverse proxy helps it catch threats that network-based reverse proxies might miss. Bitglass supports mobile and unmanaged devices, including mobile device management capabilities. Users give it good marks for security, compliance and visibility, but deployment can take longer than rivals. Value is better than average and support is near the top.
| | Overall score | Detection & Response | Management | Ease of deployment | Support | Value |
|---|---|---|---|---|---|---|
| Bitglass | 4.3 | 4.5 | 4.4 | 3.9 | 4.5 | 4.2 |
Symantec CloudSOC
Key takeaway: Symantec (now part of Broadcom) offers a full-featured CASB that includes encryption, behavior analytics and application discovery.
Pros:
- Full-featured
- Good security and management capabilities
Cons:
- Deployment can take longer than most
Symantec’s CloudSOC arises from the company’s acquisitions of Blue Coat Systems and Fireglass – CASB and remote browsing technology, respectively. The CASB product scores well in the all-important areas of Detection, Response and Management. CloudSOC combines behavior analytics with other measures to come up with a ThreatScore to alert security analysts to the highest-risk events. Deployment can take longer than average, while Support and Value are about average.
| | Overall score | Detection & Response | Management | Ease of deployment | Support | Value |
|---|---|---|---|---|---|---|
| Symantec | 4.3 | 4.5 | 4.4 | 4.1 | 4.4 | 4.1 |
Microsoft Cloud App Security
Key takeaway: A solid CASB product, but might take additional investment to get the most out of it.
Pros:
- Microsoft is an emerging security player, backed by independent tests
- Not just for Office 365 – supports 16,000+ apps
- Good security and management
Cons:
- Might need additional products for maximum effectiveness
- Compliance features could be better
Microsoft has been taking security seriously, posting strong results in independent EDR tests, for example, so don’t underestimate the software giant’s potential in the CASB market. Cloud App Security may be packaged under the Microsoft 365 brand, but it monitors over 16,000 apps for more than 90 risk factors. The CASB product posted solid scores across the board in our evaluation; it may not be market-leading, but the company has the deep pockets and commitment to security to keep improving. It might take some tweaking to get it right – and additional products for maximum benefit – but users are generally happy.
| | Overall score | Detection & Response | Management | Ease of deployment | Support | Value |
|---|---|---|---|---|---|---|
| Microsoft | 4.2 | 4.3 | 4.2 | 4.2 | 4.3 | 4.1 |
Fortinet FortiCASB
Key takeaway: Strong security and capabilities make FortiCASB worth its cost.
Pros:
- Strong security
- Good overall capabilities
Cons:
- Can get pricey
- Some report a learning curve
Fortinet has subjected itself to more independent testing than most security vendors, so not surprisingly, FortiCASB scored near the top in Detection and Response. Users are also positive about the company’s performance, compliance, visibility and overall capabilities. Support is above average while Deployment is about average. The only area the company lags in is Value – users say it can get pricey, and some also report a learning curve. But it’s a cloud security product that users have faith in.
| | Overall score | Detection & Response | Management | Ease of deployment | Support | Value |
|---|---|---|---|---|---|---|
| FortiCASB | 4.2 | 4.5 | 4.3 | 4.1 | 4.4 | 3.7 |
CipherCloud
Key takeaway: Good security and compliance features, but visibility and deployment can present challenges.
Pros:
- Good security and compliance features
- Office 365 and G Suite support
Cons:
- Deployment can be challenging
- Visibility could be better
CipherCloud’s weak spot is that deployment can be challenging, but otherwise it’s a solid CASB product and even offers niceties like Office 365 and G Suite support. Security, compliance and ease of use are pluses, but users would like to see improvements in visibility and functionality. They report that the vendor is responsive to development requests, however. Users are overall pretty satisfied with CipherCloud.
| | Overall score | Detection & Response | Management | Ease of deployment | Support | Value |
|---|---|---|---|---|---|---|
| CipherCloud | 4.1 | 4.2 | 4.3 | 3.7 | 4.2 | 4.1 |
StratoKey
Key takeaway: Good capabilities and value, but as always, due diligence required.
Pros:
- Solid security, management, deployment and value
- Partnerships with the likes of Oracle and SAP
Cons:
- Not a lot of user feedback
There’s not a lot of user feedback on StratoKey, but what’s available is positive. It offers solid security, management and value, and deployment times appear to be very good. Partnerships with vendors such as Oracle and SAP could make it a good choice for users of specific applications.
| | Overall score | Detection & Response | Management | Ease of deployment | Support | Value |
|---|---|---|---|---|---|---|
| StratoKey | 4.1 | 4.2 | 4.2 | 4.6 | 4.4 | 4.0 |
Forcepoint
Key takeaway: Good security and behavior analytics, but users would like to see more development.
Pros:
- Security and behavior analytics
- User-centric interface
Cons:
- Users say development has been slow
Forcepoint offers good security, management, behavior analytics and workflow, but a common complaint is that product development and problem resolution can be slow, which could put the company at a disadvantage in the evolving CASB market. A couple of users recommended that potential buyers conduct a proof of concept (POC) to make sure the solution meets the needs of their environment. That’s good advice in general for IT buyers.
| | Overall score | Detection & Response | Management | Ease of deployment | Support | Value |
|---|---|---|---|---|---|---|
| Forcepoint | 3.7 | 3.8 | 3.6 | 3.8 | 3.6 | 3.9 |
Your guide to CASB
Our recommendations for cloud access security brokers (CASB) come from years of covering the enterprise migration to the cloud and the security ramifications due to that shift. As organizations, personnel, and consumers adopt cloud-built or cloud-based applications, security infrastructures have to take their fight to the network edge.
Below is the eSecurityPlanet guide to cloud access security brokers, covering what CASBs are and how they work, why they’re a critical tool for enterprise security, and how to deploy a CASB for your organization.
What is CASB?
A CASB is cloud-based or on-premises security software positioned between users and cloud services, both sanctioned and unsanctioned, whether those users are on-site or remote. CASBs play the critical role of enforcing enterprise security policies for accessing those cloud services. Gartner, which first defined the term in 2012, adds that CASBs “interject enterprise security policies as the cloud-based resources are accessed.” Security features found in CASB solutions include:
- Authentication, authorization, and SSO
- Credential mapping
- Device profiling
- Encryption and tokenization
- Logging and alerting
- Malware detection and prevention
Why CASB?
The explosion in internet-enabled technology has created a reliance on digital advancements like cloud computing. However, the increase in internet-accessible resources comes with the inherent security risks posed by the World Wide Web. Enterprise firewalls, secure web gateways (SWGs), and web application firewalls (WAFs) all strengthened organizations’ security posture, but they failed to offer cloud-specific security.
Protecting Applications
Data and applications are moving away from private data centers and leaving behind a stack of on-premises security solutions that offer network visibility, access, data loss prevention (DLP), threat protection, and breach logging. The cloud’s introduction of SaaS products has moved data from private, on-premises DCs to cloud-based operations. Similarly, users have widely adopted cloud applications because accessing these tools outside of work and remotely is easier than ever. The added risk to applications and data on the network edge makes tools like CASB essential for cloud-based security.
Remote Work and BYOD
The consequence of cloud and mobile proliferation is that data and users live beyond the on-premises security infrastructure. Where legacy security systems could effectively monitor local network traffic, CASBs have taken the mantle of monitoring and authenticating access in the cloud for a world audience.
As organizations have adopted remote work and permitted personal devices (BYOD) for staff, the cloud offers open access to any unmanaged or unsanctioned device from which the user can authenticate. This reality presents a security vulnerability because the data that lives in the pertinent cloud applications could be downloaded with little effort. Without a CASB in place, getting visibility into the array of access points is a significant roadblock to improving security.
The Cloud: Business Enabler
The cloud is here to stay, and organizations are rushing to adopt cloud-based service models thanks to their affordability, scalability, and performance. Within organizations, the cloud applications in use aren’t always the ones authorized by the IT department. While this non-IT use of technology can take up established resources, many industry leaders have confirmed the benefits of such unsanctioned activity, dubbed shadow IT. The use of unmanaged cloud services can bring essential tools to the organization’s forefront and speed adoption. While by no means an ironclad process for selecting applications for company use, shadow IT can create a bridge between the IT team and the business that ultimately enhances the organization in the long term.
CASB Benefits and Concerns
Benefits of CASB
CASBs control cloud application and data access by combining a variety of security policy enforcement requirements. They can manage single sign-on, logging, authentication and authorization, device profiling, encryption, and tokenization, and they can detect, alert on, and prevent malware attacks. Benefits of deploying a CASB include:
- Restrict unauthorized access
- Identify account takeovers
- Uncover shadow cloud IT
- Cloud data loss prevention (DLP)
- Internal and external data access controls
- Record an audit trail of risky behavior
- Detect cloud phishing and malware threats
- Continuous monitoring for new cloud risks
Other benefits noted by industry adopters include reduced costs and increased agility, and outsourced hardware, engineers, and code development.
Auditing Network Applications
As we touched on above, outside of every IT department lives unsanctioned technology known as shadow IT. While harmless in most instances, wandering personnel using unsanctioned tools pose a security risk to the organization. Before implementing applications, IT departments evaluate the network security posture, pertinent configurations, and user training needed to deploy the product well. Without these steps and close attention to detail, employees could be agreeing to terms of use and downloading applications that are in direct conflict with the organization’s internal or compliance standards.
CASB Vulnerabilities
Just as it is easy for customers and personnel to access critical applications, the same ease of access is true for advanced, malicious actors. Passwords can easily be hacked, stolen, or otherwise compromised, but even more critical to the industry, several instances show login information with high-level privileges available for anyone on the internet.
A notable example of this quandary is the Solorigate attack first detected by FireEye in December 2020. Hackers were largely successful because they seamlessly entered SolarWinds’ Orion platform and proceeded to extract a copy of their Directory Service Internals, containing everything they needed to access the network from multiple user points.
How CASB works
A CASB can be API-based or proxy-based; in the proxy-based model, a forward proxy can control managed devices and a reverse proxy can control unmanaged devices. A CASB’s ability to detect unsanctioned cloud applications (shadow IT), encrypt traffic, and identify sensitive traffic is invaluable to network security.
CASB solutions aren’t a one-size-fits-all product. SaaS applications today have specialized APIs that require a compatible CASB to protect the application’s specific traffic. Enterprise organizations can have a suite of CASB solutions to cover the network’s cloud application traffic.
Best practices for implementing CASB
A CASB is an unusual security solution in that it spans the cloud and both on- and off-premises users, so deployment can be tricky. For a successful rollout, keep the following best practices in mind.
1. Build Visibility
The first step is to gain visibility into current cloud usage. Building visibility into your network’s relationship with the cloud means diving into cloud application account usage and identifying activity by user, application, department, location, and devices used. Analyzing web traffic logs will offer a good reference point and will allow you to evaluate what enterprise or SMB CASB is appropriate.
2. Forecast Risk
The second step is to develop a cloud risk model based on the visibility into the network’s standard usage patterns. Whether a hacker has gained access with leaked credentials or a former employee still has access to the organization’s cloud applications, these are both instances of risk that the network administrator must consider. Unsanctioned access can be dangerous when users have malicious intent and the ability to steal or delete critical data. Organizations can extend existing risk models or develop specialized risk models based on the needed security configurations.
3. Release the CASB
The third and final step involves applying the risk model to the current shadow cloud usage and deploying your CASB for action. With the risk model defined, the enterprise can enforce use policies across all cloud services. The IT team can assign risk scores and categorize cloud services for even more visibility into network services moving forward. When onboarding the CASB is complete, administrators can rest assured that their network and cloud infrastructure monitor traffic, protect against threats, fill the DLP gap, and ensure compliance concerning data privacy and security.
After deployment, network administrators and security analysts must give attention to CASB activity and ensure it’s functioning properly for its intended use. Many organizations start small on this process by integrating CASB for an initial application and analysis before integration across the network.
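The three steps above, sketched as an added example (not eSecurityPlanet's or any vendor's code): it parses constructed proxy log lines, builds per-service visibility, applies a simple risk model, and maps each score to a policy. The log format, the catalog entries, the weights, and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample log: timestamp user department device host bytes_uploaded
SAMPLE_LOG = """\
2021-03-01T09:12:03Z alice finance managed app.storage.example.net 120000
2021-03-01T09:14:40Z bob finance unmanaged fileshare.example.org 48000000
2021-03-01T09:20:11Z carol sales managed crm.example.com 3000
2021-03-01T10:02:57Z bob finance unmanaged fileshare.example.org 51000000
2021-03-01T10:30:00Z dave engineering managed notes.example.org 900
2021-03-01T11:45:19Z alice finance unmanaged app.storage.example.net 2500000
truncated line with missing fields
"""

# Hypothetical catalog of sanctioned services: domain -> (name, base risk 0-10)
CATALOG = {
    "crm.example.com": ("ExampleCRM", 1),
    "storage.example.net": ("ExampleStorage", 3),
}
UNKNOWN_BASE_RISK = 5            # assumed starting score for uncatalogued services
UPLOAD_THRESHOLD = 10_000_000    # assumed per-service upload ceiling, in bytes


def lookup(host):
    """Return (name, sanctioned, base_risk), matching the host or a parent domain."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        entry = CATALOG.get(".".join(labels[i:]))
        if entry:
            return entry[0], True, entry[1]
    return host.lower(), False, UNKNOWN_BASE_RISK  # shadow IT candidate


def build_visibility(log_text):
    """Step 1: aggregate usage per cloud service; count unparseable lines."""
    usage = defaultdict(lambda: {"users": set(), "departments": set(),
                                 "requests": 0, "unmanaged": 0, "bytes_up": 0})
    skipped = 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[5].isdigit():
            skipped += 1
            continue
        _ts, user, dept, device, host, bytes_up = parts
        name, sanctioned, base = lookup(host)
        stats = usage[name]
        stats["sanctioned"], stats["base"] = sanctioned, base
        stats["users"].add(user)
        stats["departments"].add(dept)
        stats["requests"] += 1
        stats["unmanaged"] += int(device == "unmanaged")
        stats["bytes_up"] += int(bytes_up)
    return dict(usage), skipped


def risk_score(stats):
    """Step 2: a simple additive risk model, capped at 10."""
    score = stats["base"]
    score += 2 if not stats["sanctioned"] else 0          # not vetted by IT
    score += 2 if stats["unmanaged"] else 0               # reached from BYOD
    score += 1 if stats["bytes_up"] > UPLOAD_THRESHOLD else 0  # heavy uploads
    return min(score, 10)


def policy_for(score):
    """Step 3: map a score to the policy the CASB would enforce."""
    if score >= 8:
        return "block"
    return "monitor" if score >= 5 else "allow"


def assess(log_text):
    usage, skipped = build_visibility(log_text)
    report = {}
    for name, stats in usage.items():
        score = risk_score(stats)
        report[name] = (score, policy_for(score))
    return report, skipped


if __name__ == "__main__":
    report, skipped = assess(SAMPLE_LOG)
    for name, (score, policy) in sorted(report.items(), key=lambda kv: -kv[1][0]):
        print(f"{name:28} risk={score:2d} policy={policy}")
    print(f"skipped {skipped} unparseable line(s)")
```

Starting with a single application, as the paragraph above suggests, means feeding this kind of report one service's traffic first and tuning the weights before widening the scope.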
Types of CASB deployment
Not all CASB services are created equal, and that includes how they can be deployed. Three methods have emerged as the most popular: forward and reverse proxies for inline deployment, and APIs for out-of-band deployment.
Inline Deployment: Forward and Reverse Proxies
A forward proxy is positioned closer to users and can proxy traffic to multiple cloud services. CASBs inspect cloud traffic for users and employ an SSL man-in-the-middle technique to steer traffic to the CASB forward proxy. The downside of using a forward proxy is that each device accessing the proxy requires the installation of self-signed certificates, and an excess of users can cause latency. For those devices, traffic is redirected using PAC files, unique DNS configurations, third-party agents, advanced forwarding, chaining, or TAP mechanisms.
A reverse proxy is positioned closer to the cloud application and can integrate with Identity-as-a-Service (IDaaS) and IAM solutions; it doesn’t require particular configuration or certificate installation. Reverse proxies receive requests from the cloud application, apply predefined security rules, and pass the user’s request along.
Out-of-Band Deployment: API-based
CASBs typically sit in the traffic path between users and cloud platforms; however, out-of-band deployment uses asynchronous APIs to do the job. APIs receive all cloud traffic from log events to the configuration state necessary to create and enforce the appropriate security policies. Out-of-band CASB deployment enables frictionless change for application behavior, north-south and east-west traffic coverage, and retrospective policy enforcement for data-at-rest and all new traffic.
Gartner points out that APIs’ development and their ability to offer real-time visibility and control could mean the end of proxy-based methods for deploying CASB.
CASB and identity management
Identity and authentication management are increasingly crucial in a world of remote users connecting to applications and data in the cloud. Identity and access management (IAM) products have grown to cover a suite of tools like directory services, web application SSO, privileged access management (PAM), and 2FA. Meanwhile, CASBs can be deployed to work with existing IAM or Identity-as-a-Service (IDaaS) solutions.
Gartner research director Erik Wahlstrom noted, “They don’t replace IAM, but do provide visibility and control back to IAM.” CASB supplements IAM ideally by providing behavior monitoring and cross-application security configuration, while IAM ensures authenticated users.
CASB market trends
CASB isn’t the only cloud security product on the market, but it appears to be the most popular and has been a high enterprise security priority for some time. Gartner data showed CASB adoption growing at a 40% compound annual growth rate (CAGR) over the next few years, well above second-place encryption software at 24%. Remote access and BYOD trends quickened by the COVID-19 pandemic have added to that growing demand.
Securing your cloud exposure
Once the cloud risk model is implemented, companies can use CASBs to streamline the onboarding process for new cloud services. The CASB registry contains the cloud service signatures, helping reduce the due diligence needed in future endeavors.
Just as the cloud isn’t going away, neither are the cloud-based security products known as CASB. Our top picks for CASB vendors offer granular access control, data security, and protection against the latest cloud threats.