Cloud security keeps IT security pros up at night, and for good reason: Between users accessing unapproved cloud services and mishandling data even in approved ones, the cloud is one of the biggest challenges security teams face.
That's where cloud access security brokers (CASBs) can help. A CASB helps IT departments monitor cloud service usage and implement centralized controls to ensure that cloud services are used securely.
Gartner estimates that for the next few years, 95% of cloud security failures will be caused by customer failings, rather than cloud service provider security failings. That's true for companies accessing mainstream cloud services like Office 365 and Salesforce, and it's particularly true of cloud services acquired by business units without the IT department's involvement or knowledge. That's because this type of "shadow IT" is not subject to the security policies put in place by IT departments to try to mitigate some of the risks of cloud services.
For those reasons, the use of CASBs in enterprise security postures is set to skyrocket, according to Gartner: the research firm estimates that fewer than 5% of large enterprises use one or more CASBs currently, but that figure is likely to reach 85% by 2020.
- Product feature comparison chart
- Forcepoint CASB
- Skyhigh Networks
- Cisco Cloudlock
- Microsoft Cloud App Security
- Bitglass Cloud Security
- Netskope Active Platform
What does a CASB do?
CASBs address many of the security problems posed by the use of cloud services, both sanctioned and unsanctioned. They do this either by interposing themselves in the data path between end users (whether on desktops on the corporate network or on mobile devices connecting from unknown networks) and the cloud services they use, or out of band, by harnessing the cloud provider's own APIs.
The capabilities and functionality of different CASBs vary significantly, but at a minimum, Gartner suggests that CASBs should offer organizations:
- Visibility into cloud usage throughout the organization
- A way to ensure and prove compliance with all regulatory requirements
- A way to ensure that data is stored securely in the cloud
- A satisfactory level of threat protection to ensure that the security risk of using the cloud is acceptable
In practice this means that at a bare minimum, CASBs need to be able to:
- Provide the IT department with visibility into sanctioned and unsanctioned cloud service usage
- Provide a consolidated view of all cloud services being used by the organization – and the users who access them from any device or location
- Control access to cloud services
- Help administrators ensure that the organization complies with all relevant regulations and standards (such as data residency) when using cloud services
- Allow IT departments to set and enforce security policies on cloud usage and the use of corporate data in cloud services, and apply them through audit, alert, block, quarantine, delete and other controls
- Enable administrators to encrypt or tokenize data stored in the cloud
- Provide data loss prevention (DLP) capabilities, or interface with existing corporate DLP systems
- Provide access controls to prevent unauthorized employees, devices or applications from using cloud services
- Offer threat prevention methods such as behavioral analytics, anti-malware scanning and threat intelligence.
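The first two capabilities above, visibility into sanctioned and unsanctioned usage and a consolidated per-service view of who uses what, are essentially log analytics over egress traffic. The following is an added example (not any vendor's code) of that discovery step in Python: it parses a handful of constructed Squid-style proxy log lines, maps hostnames to a hypothetical cloud-service catalog that marks each service as sanctioned or not, and reports unsanctioned services ranked by bytes uploaded, which is the signal that matters most for data exfiltration.

```python
"""Shadow-IT discovery from web proxy logs (added example, not vendor code)."""
import re
from urllib.parse import urlsplit

# Hypothetical catalog: domain suffix -> (service name, sanctioned?). A real
# CASB ships a registry of thousands of services with risk scores.
CATALOG = {
    "sharepoint.com": ("Office 365", True),
    "office365.com": ("Office 365", True),
    "salesforce.com": ("Salesforce", True),
    "dropbox.com": ("Dropbox", False),
    "wetransfer.com": ("WeTransfer", False),
}

# Constructed sample lines: timestamp, user, method, URL, bytes transferred.
SAMPLE_LOG = """\
1700000000.101 alice GET https://contoso.sharepoint.com/sites/finance/q3.xlsx 48211
1700000000.205 bob POST https://www.dropbox.com/upload 2097152
1700000000.310 alice GET https://login.salesforce.com/ 1024
1700000000.412 carol POST https://wetransfer.com/api/v4/transfers 52428800
1700000000.515 bob POST https://www.dropbox.com/upload 1048576
1700000000.620 dave GET https://news.example.org/index.html 8192
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<bytes>\d+)$"
)


def classify_host(host):
    """Return (service, sanctioned) for the longest matching catalog suffix, else None."""
    host = host.lower()
    best = None
    for suffix, entry in CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, entry)
    return best[1] if best else None


def discover(log_text):
    """Aggregate users, request counts and upload volume per cloud service."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        host = urlsplit(m["url"]).hostname or ""
        hit = classify_host(host)
        if hit is None:
            continue  # not a known cloud service; ordinary web browsing
        service, sanctioned = hit
        entry = report.setdefault(
            service, {"sanctioned": sanctioned, "users": set(), "requests": 0, "upload_bytes": 0}
        )
        entry["users"].add(m["user"])
        entry["requests"] += 1
        if m["method"] in ("POST", "PUT"):  # only count data leaving the network
            entry["upload_bytes"] += int(m["bytes"])
    return report


def unsanctioned_findings(report, upload_threshold=1_000_000):
    """Unsanctioned services, largest upload volume first, flagged against a byte threshold."""
    items = [(svc, e) for svc, e in report.items() if not e["sanctioned"]]
    items.sort(key=lambda kv: kv[1]["upload_bytes"], reverse=True)
    return [
        {
            "service": svc,
            "users": sorted(e["users"]),
            "upload_bytes": e["upload_bytes"],
            "exceeds_threshold": e["upload_bytes"] >= upload_threshold,
        }
        for svc, e in items
    ]


if __name__ == "__main__":
    for finding in unsanctioned_findings(discover(SAMPLE_LOG)):
        print(finding)
```

The longest-suffix match matters: a catalog entry for `example.com` must not swallow a separately listed `docs.example.com`, and a match on the registrable domain rather than the full URL keeps the classifier working when the service changes its paths.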
How CASBs work
CASBs may run in a corporate data center or in a hybrid mode that involves the data center and the cloud, but the majority of companies choose a CASB that operates exclusively from the cloud – unless regulatory or data sovereignty considerations require an on-premises solution.
The three key ways that a CASB can be deployed are as a reverse proxy, a forward proxy, or in an "API mode." CASBs are increasingly offering the choice between all three methods, or what Gartner calls "multimode." Each mode has its advantages and disadvantages.
For example, a reverse proxy sits in front of a specific cloud service, typically by having the identity provider redirect logins for that service through the CASB. It can therefore handle user-owned devices without configuration changes or certificates being installed, but it only sees traffic to the sanctioned services it has been placed in front of, so it does not handle unsanctioned cloud usage well.
A forward proxy directs all traffic from managed endpoints through the CASB, including traffic to unsanctioned cloud services, but it typically relies on an agent, a proxy setting or a trusted certificate on the endpoint, which user-owned devices may not have. Both types of proxy sit inline in the data path and so become a single point of failure: an outage or a DDoS attack against the proxy can cut off access to every cloud service routed through it.
API mode works well with user-owned devices and lets companies collect log telemetry, apply policy visibility and control, and run data security inspection on all the data at rest in the cloud service. Because a CASB working in API mode is not in the data path to the cloud, it is not a single point of failure. The trade-offs are that it is out of band, so it discovers a policy violation (such as a file shared externally) after the fact and remediates it rather than blocking it inline, and that not all cloud services offer API support, with those that do offering it to varying degrees.
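To make the API-mode trade-off concrete, here is an added example (not any vendor's code) in Python of the data-at-rest inspection loop such a CASB runs: it walks a constructed file inventory shaped like what a cloud storage API would return, classifies each file's sharing as internal or external against an assumed tenant domain of `example.com`, scans content for card numbers (validated with a Luhn check to cut false positives) and SSN-shaped strings, and maps the result to the audit/alert/quarantine actions listed earlier. Each externally shared file also reports how long it had been exposed when the scan found it, which is the window an inline proxy would have closed.

```python
"""API-mode inspection of data at rest (added example, not a vendor's code)."""
import re

INTERNAL_DOMAIN = "example.com"   # assumption: the tenant's own mail domain
PUBLIC_LINK = "anyone-with-link"  # assumption: how the API reports public links

# Constructed inventory, shaped like a storage API's file listing plus content.
INVENTORY = [
    {"id": "f1", "name": "customers.csv", "owner": "alice@example.com",
     "shared_with": ["partner@vendor.example.net"], "shared_at": 1700000000,
     "content": "name,card\nJ Doe,4111 1111 1111 1111\n"},
    {"id": "f2", "name": "payroll.xlsx", "owner": "bob@example.com",
     "shared_with": ["carol@example.com"], "shared_at": 1700000100,
     "content": "ssn 123-45-6789"},
    {"id": "f3", "name": "brochure.pdf", "owner": "dave@example.com",
     "shared_with": [PUBLIC_LINK], "shared_at": 1700000200,
     "content": "Our product is great. Order ref 1234 5678 9012 3456"},
    {"id": "f4", "name": "notes.txt", "owner": "erin@example.com",
     "shared_with": [], "shared_at": None, "content": "lunch at noon"},
]

# 13 to 19 digits with optional space/dash separators; SSN in dashed form.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(number):
    """Luhn checksum: rejects most random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def sensitive_types(text):
    """Return the list of sensitive data types found in the text."""
    found = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.append("card")
            break
    if SSN_RE.search(text):
        found.append("ssn")
    return found


def is_external(recipients):
    """External if shared by public link or with any address outside the tenant."""
    return any(
        r == PUBLIC_LINK or not r.lower().endswith("@" + INTERNAL_DOMAIN)
        for r in recipients
    )


def decide(sensitive, external):
    """Policy matrix: sensitive data leaving the tenant is pulled back; the rest is logged."""
    if sensitive and external:
        return "quarantine"
    if sensitive:
        return "alert"
    if external:
        return "audit"
    return "none"


def scan(inventory, now):
    """One out-of-band pass over the inventory, as an API-mode CASB would run it."""
    findings = []
    for f in inventory:
        types = sensitive_types(f["content"])
        external = is_external(f["shared_with"])
        exposed = (now - f["shared_at"]) if external and f["shared_at"] is not None else None
        findings.append({
            "id": f["id"],
            "types": types,
            "external": external,
            "action": decide(bool(types), external),
            "exposed_seconds": exposed,  # how long the share existed before this scan saw it
        })
    return findings


if __name__ == "__main__":
    for finding in scan(INVENTORY, now=1700000600):
        print(finding)
```

The `exposed_seconds` field is the point of the exercise: in API mode the quarantine of `customers.csv` happens minutes after the external share was created, whereas a forward or reverse proxy would have evaluated the same policy before the share request reached the service.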
Six CASB vendors to consider
In addition to offering the required minimum functionality outlined above, all the CASB vendors in this list:
- Have been in business for at least four years
- Have CASB revenues likely to be at least $8 million
- Have at least 80 paying customers
- Responded to requests for information
Here, then, are six top CASB vendors – followed by a chart summarizing key features of each solution.
Forcepoint’s proxy and API-based capabilities allow the company to support any cloud application in the market and provide blocking capabilities. The CASB provides deep visibility into thousands of user activities, enabling security teams to understand user behavior and implement data loss prevention (DLP) capabilities. These can be designed to stop exfiltration of data from both managed devices and unmanaged (BYOD) devices.
See our in-depth analysis of Forcepoint CASB.
Skyhigh Networks' agentless CASB product offers threat protection and data loss prevention for large and very large enterprises, along with specialized offerings such as a dedicated GDPR tool for companies regulated by the EU data protection law. Major product offerings include Shadow IT and Custom Applications in addition to support for top cloud applications. Skyhigh was acquired by McAfee in late 2017.
Cisco Cloudlock is a CASB developed as a set of microservices that can be exposed via APIs and can support home-grown applications in addition to top-name cloud apps. The company also offers tight integration with its other security products.
Microsoft Cloud App Security is a CASB for everyone from small companies through enterprises. It offers deep integration with Microsoft security products and Office 365, and supports other top cloud apps.
See our in-depth analysis of Microsoft Cloud App Security.
Bitglass describes Cloud Security as the only agentless CASB solution with support for any app and device, and the only CASB with integrated identity and access management (IAM) and agentless mobile data protection. It supports major enterprise cloud applications, plus SaaS, IaaS and custom apps.
Netskope Active Platform covers thousands of cloud services either through published cloud service APIs or through inline decoding of unpublished APIs. It offers DLP and combines threat intelligence, static and dynamic analysis and machine learning-based anomaly detection to spot threats in real time.
Below is a chart breaking down product features of the top CASB vendors: