Any cloud-based infrastructure needs a robust cloud access security broker (CASB) solution to ensure data and application security and integrity. After carefully surveying the field, we have recommendations for the top CASB vendors and an assessment of what differentiates their offerings.
With the adoption of cloud-based applications and services growing exponentially, especially as a result of the dramatic growth in remote work in response to the COVID-19 pandemic, more than ever organizations need to protect their data and IT systems from cloud-based threats. Choosing the right CASB provider will save time, effort and money – in addition to ensuring enterprises stay protected against emerging threats.
What is CASB?
CASB is cloud-based or onsite security software positioned between users and cloud services, both sanctioned and unsanctioned (“shadow IT”), whether those users are on site or remote. CASBs play the critical role of enforcing enterprise security policies for accessing those cloud services.
How CASB works
CASB uses a combination of APIs, forward proxy for managed devices and reverse proxy for unmanaged devices to control cloud access for users.
Cloud access security brokers provide protection and ensure that users adhere to company policies and compliance and governance requirements set by regulatory authorities.
CASB security benefits
CASBs control cloud application and data access by combining a variety of security policy enforcement requirements. They can manage single sign-on, logging, authentication and authorization, device profiling, encryption and tokenization, besides alerting and ensuring malware detection and prevention. They can monitor cloud access and block it if conditions or alerts are triggered.
CASB market trends
CASB isn’t the only cloud security product on the market, but it appears to be the most popular and has been a high enterprise security priority for some time. Gartner data show CASB adoption growing at a 40% compound annual growth rate the next few years, well above second-place encryption software at 24%. Remote access and BYOD trends have added to that growing demand.
See our picks for top cloud security products too
Top CASB solutions
We evaluated a wide range of CASB vendors across multiple data points and product features to make it easier for you to make a thorough assessment of their features, strengths and limitations. Independent tests, user reviews, vendor information and analyst reports were among the sources used in our analysis.
Jump ahead to:
- Netskope
- McAfee
- Palo Alto Networks
- Cisco
- Proofpoint
- Bitglass
- Symantec
- Microsoft
- Fortinet
- CipherCloud
- StratoKey
- Forcepoint
- CASB implementation
Netskope
Key takeaway: For ease of use and excellent support, few can match Netskope.
Pros:
- Improves compliance and risk management
- Good security and management
Cons:
- Pricier than others on the list but users see value
Netskope scored highest overall in our analysis, and came out on top in Detection and Response, Management, Support and Value. Its ability to identify and manage cloud applications, whether managed or unmanaged, stands out. Security gateways help prevent sensitive data being exfiltrated by risky insiders or cybercriminals who have penetrated the security perimeter.
The data-centric approach adopted by Netskope Security Cloud allows it to deliver impressive visibility and real-time data and threat protection whenever any PC or mobile device connects to the cloud. Its vast experience enables Netskope to offer the appropriate solution to the satisfaction of its clientele.
Overall score |
Detection & Response |
Management |
Ease of deployment |
Support |
Value |
|
Netskope | 4.5 | 4.6 | 4.8 | 4.1 | 4.7 | 4.4 |
McAfee MVISION
Key takeaway: Meets compliance requirements, manages financial and reputational risks, and protects intellectual property.
Pros:
- Scores high on detection, automation and intelligence
- Excellent service and support
Cons:
- Some deployment challenges
- Management on par with competitors
Regarding value, McAfee MVISION is on par with Proofpoint and Cisco CloudLock, and right behind Netskope. Coming from an organization famed for its anti-virus and security offerings, MVISION places high priority on security, threat intelligence and artificial intelligence (AI). MVISION’s endpoint and cloud security protect data through central management and the orchestration of analytics, automation and threat intelligence.
The insight-driven CASB offering is powered by almost a billion sensors around the world, and state-of-the-art analytics delivers some of the best intelligence capabilities. The product has some deployment limitations but still ranks second overall.
Overall score | Detection & Response | Management | Ease of deployment | Support | Value | |
McAfee MVISION |
4.4 |
4.5 | 4.4 | 4.0 | 4.5 |
4.3 |
Palo Alto Networks Prisma
Key takeaway: Comprehensive security across the deployment lifecycle.
Pros:
- Improves compliance and risk management
- Good visibility and security
Cons:
- Multiple consoles may be needed for additional services
Palo Alto Networks has posted impressive third-party test results across its security portfolio, so it’s not surprising that Prisma ranks high in security, and visibility and compliance are other strengths. Prisma scored well across the board in our evaluation, with Detection and Response, Management, Deployment and ease of use noteworthy standouts. One downside could be the complexity of management as additional services are added, but users overall are positive.
Overall score | Detection & Response | Management | Ease of deployment | Support | Value | |
Palo Alto Prisma |
4.3 |
4.4 | 4.5 | 4.2 | 4.3 |
4.2 |
Cisco Cloudlock
Key takeaway: Strong security coupled with ease of deployment make Cisco Cloudlock one to consider.
Pros:
- Strong security
- Ease of deployment
- Good automation
Cons:
- Compliance and visibility could be better
Cisco Cloudlock came out on top for raw security, not a bad selling point for a security product. The cloud-native CASB product makes use of APIs to manage risks. Cisco uses machine learning algorithms to identify any anomalies based on a set of factors and moves to prevent any threat to the cloud infrastructure. Its data loss prevention (DLP) technology continuously monitors the cloud environment. Numerous out-of-the-box policies and the highly tunable custom policies make Cisco a formidable competitor on this list. The Cloudlock Apps Firewall ensures that all cloud apps connected to the enterprise IT infrastructure are regularly detected and controlled. Some users have wished for improved functionality in compliance and visibility.
Overall score | Detection & Response | Management | Ease of deployment | Support | Value | |
Cisco CloudLock |
4.3 |
4.5 | 4.2 | 4.2 | 4.4 |
4.3 |
Proofpoint
Key takeaway: Proofpoint offers strong security and functionality and is a good value too.
Pros:
- Ease of deployment
- Good security
- Excellent support
Cons:
- Users report management can be challenging
Proofpoint aims to satisfy the needs of a client on a budget. The CASB offering secures the major cloud offerings and ensures enterprises gain people-centric visibility and control over cloud apps. The tool allows enterprises to structure levels of access to users and third-party apps based on the identified risk parameters. One of the critical advantages of Proofpoint is the granular visibility about user information and any risks to data. The insights are defined under three classes: global, user and app level. The CASB protocol offers extensive control for managing oversight of suspicious logins, activity and DLP alerts. Users are happy but report some challenges with management. Deployment times are faster than average.
Overall score | Detection & Response | Management | Ease of deployment | Support | Value | |
Proofpoint | 4.3 | 4.5 | 4.1 | 4.3 | 4.5 |
4.3 |
Bitglass
Key takeaway: Good security, management and a unique approach that also manages to be a good value.
Pros:
- Unique agentless, browser-based approach
- Good security and management
- Good value and support
Cons:
- Deployment can be challenging
Bitglass is a cloud-native CASB that can also deploy in a docker container for on-premises client requirements. It combines forward and reverse proxy and API approaches, and its agentless, browser-based reverse proxy helps it catch threats that network-based reverse proxies might miss. Bitglass supports mobile and unmanaged devices, including mobile device management capabilities. Users give it good marks for security, compliance and visibility, but deployment can take longer than rivals. Value is better than average and support is near the top.
Overall score | Detection & Response | Management | Ease of deployment | Support | Value | |
Bitglass |
4.3 |
4.5 | 4.4 | 3.9 | 4.5 |
4.2 |
Symantec CloudSOC
Key takeaway: Symantec (now part of Broadcom) offers a full-featured CASB that includes encryption, behavior analytics and application discovery.
Pros:
- Full-featured
- Good security and management capabilities
Cons:
- Deployment can take longer than most
Symantec’s CloudSOC arises from the company’s acquisitions of Blue Coat Systems and Fireglass – CASB and remote browsing technology, respectively. The CASB product scores well in the all-important areas of Detection, Response and Management. CloudSOC combines behavior analytics with other measures to come up with a ThreatScore to alert security analysts to the highest-risk events. Deployment can take longer than average, while Support and Value are about average.
Overall score | Detection & Response | Management | Ease of deployment | Support | Value | |
Symantec |
4.3 |
4.5 | 4.4 | 4.1 | 4.4 |
4.1 |
Microsoft Cloud App Security
Key takeaway: A solid CASB product, but might take additional investment to get the most out of it.
Pros:
- Microsoft is an emerging security player, backed by independent tests
- Not just for Office 365 – supports 16,000+ apps
- Good security and management
Cons:
- Might need additional products for maximum effectiveness
- Compliance features could be better
Microsoft has been taking security seriously, posting strong results in independent EDR tests, for example, so don’t underestimate the software giant’s potential in the CASB market. Cloud App Security may be packaged under the Microsoft 365 brand, but it monitors over 16,000 apps for more than 90 risk factors. The CASB product posted solid scores across the board in our evaluation; it may not be market-leading, but the company has the deep pockets and commitment to security to keep improving. It might take some tweaking to get it right – and additional products for maximum benefit – but users are generally happy.
Overall score | Detection & Response | Management | Ease of deployment | Support | Value | |
Microsoft |
4.2 |
4.3 | 4.2 | 4.2 | 4.3 |
4.1 |
Fortinet FortiCASB
Key takeaway: Strong security and capabilities make FortiCASB worth its cost.
Pros:
- Strong security
- Good overall capabilities
Cons:
- Can get pricey
- Some report a learning curve
Fortinet has subjected itself to more independent testing than most security vendors, so not surprisingly, FortiCASB scored near the top in Detection and Response. Users are also positive about the company’s performance, compliance, visibility and overall capabilities. Support is above average while Deployment is about average. The only area the company lags in is Value – users say it can get pricey, and some also report a learning curve. But it’s a cloud security product that users have faith in.
Overall score | Detection & Response | Management | Ease of deployment | Support | Value | |
FortiCASB |
4.2 |
4.5 | 4.3 | 4.1 | 4.4 |
3.7 |
CipherCloud
Key takeaway: Good security and compliance features, but visibility and deployment can present challenges.
Pros:
- Good security and compliance features
- Office 365 and G Suite support
Cons:
- Deployment can be challenging
- Visibility could be better
CipherCloud’s weak spot is that deployment can be challenging, but otherwise it’s a solid CASB product and even offers niceties like Office 365 and G Suite support. Security, compliance and ease of use are pluses, but users would like to see improvements in visibility and functionality. They report that the vendor is responsive to development requests, however. Users are overall pretty satisfied with CipherCloud.
Overall score | Detection & Response | Management | Ease of deployment | Support | Value | |
CipherCloud |
4.1 |
4.2 | 4.3 | 3.7 | 4.2 |
4.1 |
StratoKey
Key takeaway: Good capabilities and value, but as always, due diligence required.
Pros:
- Solid security, management, deployment and value
- Partnerships with the likes of Oracle and SAP
Cons:
- Not a lot of user feedback
There’s not a lot of user feedback on StratoKey, but what’s available is positive. It offers solid security, management and value, and deployment times appear to be very good. Partnerships with vendors such as Oracle and SAP could make it a good choice for users of specific applications.
Overall score | Detection & Response | Management | Ease of deployment | Support | Value | |
StratoKey |
4.1 |
4.2 | 4.2 | 4.6 | 4.4 |
4.0 |
Forcepoint
Key takeaway: Good security and behavior analytics, but users would like to see more development.
Pros:
- Security and behavior analytics
- User-centric interface
Cons:
- Users say development has been slow
Forcepoint offers good security, management, behavior analytics and workflow, but a common complaint is that product development and problem resolution can be slow, which could put the company at a disadvantage in the evolving CASB market. A couple of users recommended that potential buyers conduct a proof of concept (POC) to make sure the solution meets the needs of their environment. That’s good advice in general for IT buyers.
Overall score | Detection & Response | Management | Ease of deployment | Support | Value | |
Forcepoint | 3.7 | 3.8 | 3.6 | 3.8 | 3.6 | 3.9 |
How to deploy a CASB successfully
A CASB is an unusual security solution in that it spans the cloud and on and off premises users, so deployment can be tricky. There are four elements to a successful CASB solution rollout:
- In the simplest terms, the first step is to gain visibility into current cloud usage. Analyzing web traffic logs will offer a good reference point. Doing so will allow you to hit on the right CASB solution that your enterprise requires.
- The second step is to develop a cloud risk model. A detailed approach will see either existing risk models being extended or specialized risk models developed based on selected attributes. This helps potential buyers understand the kind of risks their business faces so they can build a robust cloud risk model.
- The third step involves applying the risk model to the current shadow cloud usage. Once the risk model is defined, the enterprise can enforce use policies across all cloud services. The risk scores are used by the IT team to classify cloud services by category.
- The fourth step is developing cloud service onboarding using the CASB solution.
Once the cloud risk model is implemented, companies can use CASBs to streamline the onboarding process for new cloud services. The CASB registry contains the cloud service signatures, helping reduce the due diligence needed in future endeavors.