Any cloud-based infrastructure needs a robust cloud access security broker (CASB) solution to ensure data and application security and integrity.
With the adoption of cloud-based applications and services growing exponentially, especially as a result of the dramatic growth in remote work in response to the COVID-19 pandemic, more than ever organizations need to protect their data and IT systems from cloud-based threats. Cloud access security brokers are increasingly a critical component of the Secure Access Service Edge (SASE) as edge and cloud security become the newest pain points.
Choosing the right CASB provider will save time, effort and money – in addition to ensuring that enterprises stay protected against emerging threats. We carefully surveyed the field and present below our recommendations for the top CASB vendors and industry-wide wisdom for buyers.
Top 10 CASB solutions
We evaluated a wide range of CASB vendors across multiple data points and product features to make it easier for you to make a thorough assessment of their features, strengths and limitations. Independent tests, user reviews, vendor information and analyst reports were among the sources used in our analysis.
1. Broadcom
Broadcom’s solution for addressing visibility into cloud application security is the Symantec CloudSOC CASB. Big cybersecurity acquisitions of Blue Coat Systems and Symantec this decade point to the roots of Broadcom’s CASB posture. Paired with the Symantec cloud data loss prevention (DLP) solution, the Symantec DLP Cloud includes CASB Audit, CASB for SaaS and IaaS, and CASB Gateway.
Broadcom Features
- Deep content inspection and context analysis for visibility into how sensitive data travels
- API-based inline deployment for fast risk scoring, behavioral analysis, and detection
- Continuous monitoring of unsanctioned applications, malware, security policies, and more
- Deployment routes like endpoints, agentless, web, proxy chaining, and unified authentication
- Central policy engine for controlling how users and apps access and use data
Recognition for Broadcom
In the Gartner Magic Quadrant for Cloud Access Security Brokers, Broadcom was a Challenger in 2020. On Gartner Peer Insights, Broadcom holds an average 4.4 / 5 stars with over 190 reviews. Features highlighted in reviews included product capabilities for visibility, compliance and data security, and ease of deployment. For the Forrester Wave for Cloud Security Gateways, Broadcom was dubbed a Leader in 2021.
2. Censornet
A part of the vendor’s Autonomous Security Engine (ASE) solution, Censornet Cloud Access Security Broker comes integrated with adaptive multi-factor authentication and email and web security.
Censornet Features
- Deployment options by proxy or agents for Windows and macOS and mobile devices
- Multiple security layers to protect against cloud threats and malware
- Risk assessment, rating, and categorization for cloud applications
- Granular policy-setting control by user, role, device, network, and function
- Discovery for all cloud applications in use to gain visibility of a cloud environment
Recognition for Censornet
In the Gartner Magic Quadrant for Cloud Access Security Brokers, Censornet was a Niche Player in 2017 and 2018. Features highlighted in reviews included customer support and focus on compliance. For the Forrester Wave for Cloud Security Gateways, Censornet was a Challenger in 2021.
3. Forcepoint
For critical cloud security tools, Forcepoint’s CASB products address Cloud Governance for application visibility and risk assessment, Cloud Audit & Protection for real-time activity monitoring and analytics, and other use cases like DLP, discovery and more. Forcepoint has added to its CASB offerings with technology acquisitions from Imperva and Bitglass.
Forcepoint Features
- Native user behavioral analysis for profiling app risks and business impact
- Customizable and advanced risk metrics for evaluating cloud app threat posture
- Interoperability with Identity-as-a-Service (IDaaS) partners like Okta, Ping, and Centrify
- Discovery, risk scoring, and usage data for cloud applications
- Integrate CASB data in Common Event Format for existing SIEM environments
Recognition for Forcepoint
In the Gartner Magic Quadrant for Cloud Access Security Brokers, Forcepoint was a Niche Player in 2018 and 2019 before becoming a Visionary in 2020. With over 260 reviews on Gartner Peer Insights, features highlighted include improved compliance and risk management and operational efficiencies. For the Forrester Wave for Cloud Security Gateways, Imperva was a Contender in 2016 and 2017, and Forcepoint was a Strong Performer in 2021.
Bitglass’s CASB solution has long been admired by industry analysts. In the Gartner Magic Quadrant for Cloud Access Security Brokers, Bitglass was a Visionary in 2017 before earning Leader status the last three reports. On Gartner Peer Insights, Bitglass holds an average 4.5 / 5 stars with over 150 reviews. Features highlighted in reviews included its data security capabilities and quality of technical support. For the Forrester Wave for Cloud Security Gateways, Bitglass has been a Contender in the three reports released between 2016 and 2021.
4. iboss
iboss’s CASB offerings are particularly useful for social media and Google and Microsoft cloud applications. The product is well rated by users and analysts alike.
iboss Features
- Ensure enterprise data transfers remain in native cloud accounts and are protected at rest
- Out-of-band deployment options via APIs from MS365, Google, and Box
- Policy management based on users, groups, and information accessed for data security
- Native integration with Microsoft Azure, Office 365, and Microsoft Defender for Cloud Apps
- Easy-to-use dashboard displaying usage and application data for ongoing visibility
Recognition for iboss
In the Gartner Magic Quadrant for Secure Web Gateways, iboss was a Visionary in 2020. On Gartner Peer Insights, iboss holds an average of 4.6 / 5 stars with over 70 reviews. Features highlighted in reviews included pricing and contract flexibility, support, and understanding client needs. In the vendor’s first appearance on the Forrester Wave for Cloud Security Gateways, iboss was a Strong Performer in 2021.
5. Lookout
Bolstered by the acquisition of CipherCloud, Lookout boasts a number of advanced CASB features like DLP, UEBA, zero trust, integrated endpoint security, and more.
Lookout Features
- Scan historical cloud data for open file shares, unprotected information, and more
- Security functionality for DLP, discovery, encryption, and digital rights management
- Built-in user and entity behavior analytics (UEBA) assessing traffic, devices, and users
- Integration with enterprise mobility management (EMM) solutions for endpoint policies
- Context-aware tags including user, group, location, device type, OS, and behavior
Recognition for Lookout
In the Gartner Magic Quadrant for Cloud Access Security Brokers, CipherCloud was a Challenger in 2017 before the jump to Visionary for the last three reports. Features highlighted in reviews for CipherCloud and Lookout include timeliness of vendor support and data security features. For the Forrester Wave for Cloud Security Gateways, CipherCloud was dubbed a Strong Performer in 2016 and 2017.
6. McAfee/Skyhigh
Note: McAfee’s cloud business is now Skyhigh Security, while McAfee Enterprise is under the Trellix name after merging with FireEye, so the McAfee CASB tool is now part of Skyhigh’s SASE platform.
McAfee’s MVISION Cloud claims the “largest and most accurate registry of cloud services,” AI and machine learning functionality, DLP, encryption and more. Office 365 is a particular strength.
McAfee Features
- Central policy engine with options for templates, importing, and custom policy creation
- Granular access policy options by user, attributes, IP address, location, device, or activity
- Machine learning for user behavior analytics and detecting malicious or negligent behavior
- Access to 261-point risk assessments and ratings of pertinent cloud applications
- Integrations with existing security software like SIEM, SWG, NGFW, and EMM
Recognition for McAfee
In the Gartner Magic Quadrant for Cloud Access Security Brokers, McAfee was a Leader as Skyhigh Networks in 2017 and as McAfee the last three reports. On Gartner Peer Insights, McAfee holds an average of 4.6 / 5 stars with over 340 reviews. Features highlighted in reviews included quality of technical support and product capabilities like visibility and data security. For the Forrester Wave for Cloud Security Gateways, Skyhigh was a Leader in 2016 and 2017 and McAfee most recently was a Strong Performer in the 2021 report.
7. Microsoft
Microsoft Defender for Cloud Apps addresses DLP, compliance, discovery, access and other security functions across social media, SaaS apps, email and more. Office 365 is, of course, a particularly strong use case.
Microsoft Features
- Scan cloud infrastructure for compromised users, rogue apps, and known malware
- Governance and compliance reporting for OAuth-enabled apps accessing MS365
- Real-time controls for remediating threat behavior identified at access points
- Over 90 risk factors and 26,000+ available app risk and business assessments
- Central view of cloud security configuration gaps with remediation recommendations
Recognition for Microsoft
In the Gartner Magic Quadrant for Cloud Access Security Brokers, Microsoft was a Niche Player in 2017, Challenger in 2018, and Leader the last two years. On Gartner Peer Insights, Microsoft holds an average of 4.5 / 5 stars with over 210 reviews. Features highlighted in reviews included integrations and ease of deployment and administrator visibility. For the Forrester Wave for Cloud Security Gateways, Microsoft was a Challenger in 2016 and 2017 before jumping to Leader in 2021.
8. Netskope
Netskope has long been a leader in CASB technology, with continuous security assessment and compliance. The CASB pioneer claims “unrivaled visibility and real-time data and threat protection when accessing cloud services, websites, and private apps from anywhere, on any device.” The company has also packaged together a number of offerings as a SASE solution.
Netskope Features
- Encryption at rest or managed in real-time with certified FIPS 140-2 Level 3 KMS
- Integrations with plenty of productivity, SSO, cloud storage, EMM, and security applications
- Access to 40 threat intelligence feeds informing the detection of anomalous behavior
- Dashboard aggregating all traffic, users, and devices for SaaS, IaaS, and web activities
- Role-based access control for administrator, analyst, and other privileged user roles
Recognition for Netskope
In the Gartner Magic Quadrant for Cloud Access Security Brokers, Netskope is the only vendor to be a Leader in each of the last four reports. On Gartner Peer Insights, Netskope holds an average of 4.6 / 5 stars with over 150 reviews. Features highlighted in reviews included product performance and access to quality end-user training and third-party resources. For the Forrester Wave for Cloud Security Gateways, Netskope was a Contender in 2016 and 2017 and a Strong Performer in 2021.
9. Palo Alto Networks
Palo Alto Networks has brought its considerable security expertise to bear on the CASB and SaaS protection market with an offering that includes SaaS monitoring, compliance, DLP and threat protection, plus strong integration with Palo Alto firewalls and access solutions.
Palo Alto Networks Features
- Native integration with PAN’s VM-Series, NGFW, and Prisma Access solutions
- Advanced DLP functionality via deep learning, NLP, and optical character recognition (OCR)
- Monitor activity with scans of traffic, ports, protocols, HTTP/S, FTP, and PrivateVPN
- Built-in data security reporting for compliance auditing such as GDPR
- 400+ application categories for setting risk attributes, controls, and policy
Recognition for Palo Alto Networks
In the Gartner Magic Quadrant for Cloud Access Security Brokers, Palo Alto Networks was a Niche Player three times between 2017 and 2019. On Gartner Peer Insights, Palo Alto Networks holds an average of 4.5 / 5 stars with over 80 reviews. Features highlighted in reviews included ease of deployment, quality of support, and enhanced visibility.
10. Proofpoint
Enterprise cybersecurity company Proofpoint’s Cloud App Security Broker (CASB) is a user and DLP-focused solution for revealing shadow IT activity and managing the use of third-party SaaS applications.
Proofpoint Features
- A growing catalog of 46,000+ apps containing attributes for type and risk categorization
- Identify VAPs (Very Attacked People) and set appropriate privileges for sensitive access
- Deployment options for integrating with SOAR, IAM, and cloud-service APIs
- Continuous DLP controls and policies across endpoints, web, email, and cloud applications
- Threat detection based on the latest threat intelligence and user-specific contextual data
Recognition for Proofpoint
In the Gartner Magic Quadrant for Cloud Access Security Brokers, Proofpoint was a Visionary in 2018 and Challenger in the last two reports. On Gartner Peer Insights, Proofpoint holds an average of 4.4 / 5 stars with over 70 reviews. Features highlighted in reviews included the evaluation and contracting process and ease of integration using standard APIs.
Your Guide to Cloud Access Security Brokers
Our recommendations for cloud access security brokers (CASB) come from years of covering the enterprise migration to the cloud and the security ramifications due to that shift. As organizations, personnel, and consumers adopt cloud-built or cloud-based applications, security infrastructures have to take their fight to the network edge.
Below is eSecurityPlanet’s guide to cloud access security brokers covering what CASBs are and how they work, why they’re a critical tool for enterprise security, and how to deploy CASB for your organization.
What is a CASB?
A CASB is cloud-based or on-premises security software positioned between users and cloud services, both sanctioned and unsanctioned, whether those users are on-site or remote. CASBs play the critical role of enforcing enterprise security policies for accessing cloud services. The term was first defined by Gartner in 2012, which adds that CASBs “interject enterprise security policies as the cloud-based resources are accessed.” Security features in CASB solutions include:
- Authentication, authorization, and SSO
- Credential mapping
- Device profiling
- Encryption and tokenization
- Logging and alerting
- Malware detection and prevention
Why Do You Need a CASB?
The explosion in internet-enabled technology has created a reliance on digital advancements like cloud computing. However, the increase in internet-accessible resources comes with the inherent security risks posed by the World Wide Web. Enterprise firewalls, secure web gateways (SWGs), and web application firewalls (WAFs) all strengthened organizations’ security posture, but they failed to offer cloud-specific security.
Protecting Applications
Data and applications are moving away from private data centers and leaving behind a stack of on-premises security solutions that offer network visibility, access, data loss prevention (DLP), threat protection, and breach logging. The cloud’s introduction of SaaS products has moved data from private, on-premises DCs to cloud-based operations. Similarly, users have widely adopted cloud applications because accessing these tools outside of work and remotely is easier than ever. The added risk to applications and data on the network edge makes tools like CASB essential for cloud-based security.
Remote Work and BYOD
Cloud and mobile proliferation means data and users live beyond the on-premises security infrastructure. Where legacy security systems could effectively monitor local network traffic, CASBs have taken the mantle of monitoring and authenticating access in the cloud for a world audience.
As organizations have adopted remote work and permitted personal devices (BYOD) for staff, the cloud offers open access to unmanaged or unsanctioned devices from which the user can authenticate. This reality presents a security vulnerability because the data that lives in the pertinent cloud applications could be downloaded with little effort. Without a CASB in place, getting visibility into the array of access points is a significant roadblock to improving security.
The Cloud: Business Enabler
The cloud is here to stay, and organizations are rushing to adopt cloud-based service models thanks to their affordability, scalability, and performance. Within organizations, the cloud applications in use aren’t always the ones authorized by the IT department. While this non-IT use of technology can take up established resources, many industry leaders have confirmed the benefits of such unsanctioned activity, dubbed shadow IT. The use of unmanaged cloud services can bring essential tools to the organization’s forefront and speed adoption. While by no means an ironclad process of selecting applications for company use, shadow IT can create a bridge between the IT team and the business that ultimately enhances the organization in the long term.
CASB Benefits and Concerns
Benefits of CASB
CASBs control cloud application and data access by combining a variety of security policy enforcement requirements. They can manage single sign-on, logging, authentication and authorization, device profiling, encryption, and tokenization, and they can detect, alert on, and prevent malware attacks. Benefits of deploying a CASB include:
- Restrict unauthorized access
- Identify account takeovers
- Uncover shadow cloud IT
- Cloud data loss prevention (DLP)
- Internal and external data access controls
- Record an audit trail of risky behavior
- Cloud phishing and malware threats
- Continuous monitoring for new cloud risks
Other benefits noted by industry adopters include reduced costs and increased agility, and outsourced hardware, engineers, and code development.
Auditing Network Applications
As we touched on above, outside of every IT department lives unsanctioned technology known as shadow IT. While harmless in most instances, wandering personnel using unsanctioned tools pose a security risk to the organization. Before implementing applications, IT departments evaluate the network security posture, pertinent configurations, and user training needed to deploy the product best. Without these steps and close attention to detail, employees could be agreeing to terms of use and downloading applications that are in direct conflict with the organization’s internal or compliance standards.
How Does CASB Work?
A CASB can be API-based or proxy-based; in the proxy-based case, a forward proxy can control managed devices and a reverse proxy can control unmanaged devices. A CASB’s ability to detect unsanctioned cloud applications (shadow IT), encrypt traffic, and identify sensitive traffic is invaluable to network security.
CASB solutions aren’t a one-size-fits-all product. SaaS applications today have specialized APIs that require a compatible CASB to protect the application’s specific traffic. Enterprise organizations can have a suite of CASB solutions to cover the network’s cloud application traffic.
Best Practices for Implementing CASB
A CASB is an unusual security solution in that it spans the cloud and both on- and off-premises users, so deployment can be tricky. For a successful rollout, keep the following best practices in mind.
1. Build Visibility
The first step is to gain visibility into current cloud usage. Building visibility into your network’s relationship with the cloud means diving into cloud application account usage and identifying activity by user, application, department, location, and devices used. Analyzing web traffic logs will offer a good reference point and will allow you to evaluate what enterprise or SMB CASB is appropriate.
2. Forecast Risk
The second step is to develop a cloud risk model based on the visibility into the network’s standard usage patterns. Whether a hacker has gained access with leaked credentials or a former employee still has access to the organization’s cloud applications, these are both instances of risk that the network administrator must consider. Unsanctioned access can be dangerous when users have malicious intent and the ability to steal or delete critical data. Organizations can extend existing risk models or develop specialized risk models based on the needed security configurations.
3. Release the CASB
The third and final step involves applying the risk model to the current shadow cloud usage and deploying your CASB for action. With the risk model defined, the enterprise can enforce use policies across all cloud services. The IT team can assign risk scores and categorize cloud services for even more visibility into network services moving forward. When onboarding the CASB is complete, administrators can rest assured that their network and cloud infrastructure monitor traffic, protect against threats, fill the DLP gap, and ensure compliance concerning data privacy and security.
After deployment, network administrators and security analysts must give attention to CASB activity and ensure it’s functioning properly for its intended use. Many organizations start small on this process by integrating CASB for an initial application and analysis before integration across the network.
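The three steps above, worked through on a small data set as an added example (not code from this guide or from any CASB vendor): it aggregates cloud app usage from web proxy logs, applies a simple risk model, and maps each score to a policy action. The log format, the `APP_CATALOG` registry, the `.example` hosts, the score weights and the thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed proxy log: timestamp user device_state host bytes_uploaded
SAMPLE_LOG = """\
2024-05-01T09:02:11Z alice managed docs.dochub.example 52000
2024-05-01T09:05:40Z bob unmanaged files.quickshare.example 88000000
2024-05-01T09:07:02Z bob unmanaged files.quickshare.example 41000000
2024-05-01T09:09:13Z carol managed notes.teampad.example 12000
2024-05-01T09:15:27Z alice managed files.quickshare.example 3000
2024-05-01T09:20:00Z dave managed intranet.corp.example 900
2024-05-01T09:21:00Z erin managed
"""

# Hypothetical app registry keyed by domain suffix (not any vendor's catalog).
APP_CATALOG = {
    "dochub.example": {"app": "DocHub", "sanctioned": True, "base_risk": 1},
    "quickshare.example": {"app": "QuickShare", "sanctioned": False, "base_risk": 6},
    "teampad.example": {"app": "TeamPad", "sanctioned": False, "base_risk": 3},
}
UPLOAD_THRESHOLD = 50_000_000  # bytes uploaded per log window; assumed value


def match_app(host):
    """Return the catalog entry whose domain suffix matches host, or None."""
    for suffix, entry in APP_CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return entry
    return None


def build_visibility(log_text):
    """Step 1: aggregate usage per cloud app by user, device state and volume."""
    usage = defaultdict(lambda: {"users": set(), "unmanaged_users": set(), "bytes_up": 0})
    unknown_hosts, malformed = set(), 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            malformed += 1              # count bad lines instead of crashing
            continue
        _ts, user, device, host, nbytes = parts
        entry = match_app(host.lower())
        if entry is None:
            unknown_hosts.add(host.lower())   # uncatalogued: queue for review
            continue
        stats = usage[entry["app"]]
        stats["entry"] = entry
        stats["users"].add(user)
        if device == "unmanaged":
            stats["unmanaged_users"].add(user)
        stats["bytes_up"] += int(nbytes)
    return usage, unknown_hosts, malformed


def score_app(entry, stats):
    """Step 2: risk model combining app attributes with observed usage (0-10)."""
    score = entry["base_risk"]
    score += 0 if entry["sanctioned"] else 2             # shadow IT
    score += 2 if stats["unmanaged_users"] else 0         # BYOD access
    score += 2 if stats["bytes_up"] > UPLOAD_THRESHOLD else 0  # bulk upload
    return min(score, 10)


def decide(score):
    """Step 3: map a risk score to the policy the CASB would enforce."""
    return "block" if score >= 8 else "monitor" if score >= 5 else "allow"


def assess(log_text):
    usage, unknown_hosts, malformed = build_visibility(log_text)
    report = {}
    for app, stats in usage.items():
        score = score_app(stats["entry"], stats)
        report[app] = {"score": score, "action": decide(score),
                       "users": sorted(stats["users"])}
    return report, unknown_hosts, malformed


if __name__ == "__main__":
    report, unknown_hosts, malformed = assess(SAMPLE_LOG)
    for app, row in sorted(report.items()):
        print(app, row)
    print("uncatalogued hosts:", sorted(unknown_hosts), "| malformed lines:", malformed)
```

Hosts that match no catalog entry are returned separately rather than dropped, since uncatalogued destinations are where new shadow IT first shows up.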
Types of CASB Deployment
Not all CASB services are created equal, including in how they can be deployed. Three methods have emerged as the most popular: forward and reverse proxies for inline deployment, and APIs for out-of-band deployment.
Inline Deployment: Forward and Reverse Proxies
A forward proxy is positioned closer to users and can proxy traffic to multiple cloud services. CASBs inspect cloud traffic for users and employ an SSL man-in-the-middle technique to steer traffic to the CASB forward proxy. The downside of using a forward proxy is that each device accessing the proxy requires the installation of self-signed certificates, and an excess of users can cause latency. For the relevant devices, traffic is redirected using PAC files, unique DNS configurations, third-party agents, advanced forwarding, chaining, or TAP mechanisms.
A reverse proxy is positioned closer to the cloud application and can integrate into Identity-as-a-Service (IDaaS) and IAM solutions and doesn’t require particular configuration or certificate installation. Reverse proxies receive requests from the cloud application, apply predefined security rules, and pass the user’s request.
Out-of-Band Deployment: API-based
CASBs typically sit in the traffic path between users and cloud platforms; however, out-of-band deployment uses asynchronous APIs to do the job. Through the APIs, the CASB receives all cloud traffic data, from log events to the configuration state, necessary to create and enforce the appropriate security policies. Out-of-band CASB deployment enables frictionless change for application behavior, north-south and east-west traffic coverage, and retrospective policy enforcement for data-at-rest and all new traffic.
Gartner points out that APIs’ development and their ability to offer real-time visibility and control could mean the end of proxy-based methods for deploying CASB.
CASB and Identity Management
Identity and authentication management are increasingly crucial for a world of remote users connecting to applications and data in the cloud. Identity and access management (IAM) products have grown to cover a suite of tools like directory services, web application SSO, privileged access management (PAM), and 2FA. Meanwhile, CASBs can be deployed to work with existing IAM or Identity-as-a-Service (IDaaS) solutions.
Gartner research director Erik Wahlstrom noted, “They don’t replace IAM, but do provide visibility and control back to IAM.” CASB supplements IAM ideally by providing behavior monitoring and cross-application security configuration, while IAM ensures authenticated users.
CASB Market Trends
CASB isn’t the only cloud security product on the market, but it appears to be the most popular and has been a high enterprise security priority for some time. Gartner data showed CASB adoption growing at a 40% compound annual growth rate (CAGR) over the next few years, well above second-place encryption software at 24%. Remote access and BYOD trends quickened by the COVID-19 pandemic have added to that growing demand.
Securing Your Cloud Exposure
Once the cloud risk model is implemented, companies can use CASBs to streamline the onboarding process for new cloud services. The CASB registry contains the cloud service signatures, helping reduce the due diligence needed in future endeavors.
Just as the cloud isn’t going away, neither are the cloud-based security products known as CASB. Our top picks for CASB vendors offer granular access control, data security, and protection against the latest cloud threats.