Cloud security keeps IT security pros up at night, and for good reason: Between users accessing unapproved cloud services and mishandling data even in approved ones, the cloud is one of the biggest challenges security teams face.
That explains the incredible rise of cloud access security broker (CASB) software over the past few years. A CASB helps IT departments monitor cloud service usage within their organization and implement centralized controls to ensure that cloud services are used securely.
Five years ago CASBs were relatively unknown, but today about one in five large enterprises uses a CASB to control or govern at least some cloud services, according to Gartner's "Magic Quadrant for Cloud Access Security Brokers" report published in October 2018. And as CASB acceptance grows, their use is likely to proliferate rapidly: Gartner predicts that 60 percent of large enterprises will be using a CASB within the next three years.
The received wisdom used to be that cloud services themselves were insecure, but most cloud service providers now run very secure operations. For that reason Gartner believes that, for the next few years at least, 99 percent of cloud security failures will be due to customer security failings rather than cloud service provider security failings.
That's true for companies accessing mainstream cloud services like Office 365 and Salesforce, and it's particularly true of cloud services acquired by business units without the IT department's involvement or knowledge. That's because this type of "shadow IT" is not subject to the security policies put in place by IT departments to try to mitigate some of the risks of cloud services.
What does a CASB do?
CASBs address many of the security problems posed by the use of cloud services, both sanctioned and unsanctioned. They do this either by interposing themselves between end users (whether on desktops, on the corporate network, or on mobile devices connecting over unknown networks) and the cloud services those users access, or by harnessing the power of the cloud provider's own API.
The capabilities and functionality of different CASBs vary significantly, but at a minimum, Gartner suggests that CASBs should offer organizations:
- Visibility into cloud usage throughout the organization
- A way to ensure and prove compliance with all regulatory requirements
- A way to ensure that data is stored securely in the cloud
- A satisfactory level of threat protection to ensure that the security risk of using the cloud is acceptable
In practice this means that at a bare minimum, CASBs need to be able to:
- Provide the IT department with visibility into sanctioned and unsanctioned cloud service usage, including "cloud to cloud" usage
- Provide a consolidated view of all cloud services being used by the organization – and the users who access them from any device or location
- Control access to cloud services
- Help administrators ensure that the organization complies with all relevant regulations and standards (such as data residency) when using cloud services
- Allow IT departments to set and enforce security policies on cloud usage and the use of corporate data in cloud services, and apply them through audit, alert, block, quarantine, delete and other controls
- Enable administrators to encrypt or tokenize data stored in the cloud
- Provide data loss prevention (DLP) capabilities, or interface with existing corporate DLP systems
- Provide access controls to prevent unauthorized employees, devices or applications from using cloud services
- Offer threat prevention methods such as behavioral analytics, anti-malware scanning and threat intelligence.
How CASBs work
CASBs may run in a corporate data center or in a hybrid mode that involves the data center and the cloud, but the majority of companies choose a CASB that operates exclusively from the cloud – unless regulatory or data sovereignty considerations require an on-premises solution.
The three key ways that a CASB can be deployed are as a reverse proxy, a forward proxy, or in an "API mode." CASBs are increasingly offering the choice between all three methods, or what Gartner calls "multimode." Each mode has its advantages and disadvantages.
Reverse proxy: Reverse proxy CASBs can handle user-owned devices without the need for configuration changes or certificates to be installed, but they do not handle unsanctioned cloud usage well.
Forward proxy: Forward proxies direct all traffic from managed endpoints through the CASB, including traffic to unsanctioned cloud services, but user-owned devices may not be subject to management.
Both types of proxies become a single point of failure that may leave the use of all cloud services vulnerable to a DDoS attack.
API Mode: API mode works well with user-owned devices and allows companies to perform functions such as log telemetry, policy visibility and control, and data security inspection functions on all the data at rest in a cloud service. Since a CASB working in API mode is not in the data path to the cloud, it is not a single point of failure.
The main problem with API mode CASBs is that not all cloud services offer API support, and those that do offer it to varying degrees.
An additional problem with API mode is that many CASB vendors have reported encountering performance slowdowns resulting from cloud service providers increasingly throttling responses to API requests, according to Gartner.
Several CASBs now also offer cloud security posture management (CSPM) capabilities to assess and reduce configuration risk in IaaS, PaaS, and SaaS cloud services, according to Gartner, sometimes by reconfiguring native security controls directly in cloud services. However, Gartner points out that IaaS and PaaS governance are new for almost every CASB, and therefore not yet as developed as SaaS governance.
Proxy vs API: Which should you choose?
Over the next few years, cloud services are likely to allow their APIs to expose more and more of their operations, more control, and near real-time performance, meaning that the need for in-line traffic interception (via proxies) may slowly diminish.
But for the foreseeable future, APIs alone will not provide a total solution, and for that reason many organizations look for a CASB that uses a multimode approach.
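The following is an added example, not code from the article or from any CASB vendor: a small Python model of which events each deployment mode described above can observe, using the trade-offs the text lists (reverse proxy: any device but only sanctioned apps; forward proxy: any app but only managed endpoints; API mode: data at rest, any device, but only apps that expose an API). The app names, users and events are constructed; running `blind_spots` per mode and for all modes together shows why a multimode deployment leaves the fewest gaps.

```python
from dataclasses import dataclass

# Constructed sample environment: apps IT has sanctioned, and which of them expose an API.
SANCTIONED = {"mail.example", "crm.example"}
API_SUPPORTED = {"mail.example"}  # crm.example offers no management API in this model


@dataclass(frozen=True)
class Event:
    user: str
    managed_device: bool  # corporate-managed endpoint (True) or BYOD (False)
    app: str              # destination cloud service
    in_flight: bool       # True: live request; False: data already stored in the app


def reverse_proxy_sees(e: Event) -> bool:
    # Logins to sanctioned apps are redirected through the proxy, so any device is
    # covered, but traffic to unsanctioned (shadow IT) apps never passes through it.
    return e.in_flight and e.app in SANCTIONED


def forward_proxy_sees(e: Event) -> bool:
    # Managed endpoints send all outbound traffic through the proxy, including to
    # unsanctioned apps; unmanaged devices are not configured for it and bypass it.
    return e.in_flight and e.managed_device


def api_mode_sees(e: Event) -> bool:
    # Out-of-band inspection of data at rest via the provider's API: device-agnostic
    # and not in the data path, but only for apps that actually expose an API.
    return (not e.in_flight) and e.app in API_SUPPORTED


MODES = {"reverse_proxy": reverse_proxy_sees, "forward_proxy": forward_proxy_sees, "api": api_mode_sees}


def visible_by(e: Event, modes=tuple(MODES)) -> set:
    """Names of the selected deployment modes that can observe this event."""
    return {m for m in modes if MODES[m](e)}


def blind_spots(events, modes=tuple(MODES)) -> list:
    """Events that none of the selected modes can observe."""
    return [e for e in events if not visible_by(e, modes)]


# Constructed events covering the cases the article contrasts.
EVENTS = [
    Event("alice", True, "mail.example", True),   # managed device, sanctioned app
    Event("bob", False, "mail.example", True),    # BYOD, sanctioned app
    Event("carol", True, "notes.example", True),  # managed device, shadow IT app
    Event("dave", False, "notes.example", True),  # BYOD, shadow IT app
    Event("erin", False, "mail.example", False),  # file at rest in an API-enabled app
    Event("frank", True, "crm.example", False),   # file at rest in an app with no API
]
```

Even with all three modes combined, the BYOD-to-shadow-IT case and data at rest in an app without an API remain unseen, which is the residual risk the multimode discussion above is pointing at.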
Top CASB vendors
The CASB market has experienced consolidation over the last few years, as some of the early startups have been acquired by larger security companies. Of the four market leaders identified by Gartner, two (McAfee and Symantec) are well known security brands, while the other two (Bitglass and Netskope) are specialist CASB plays.
Here, then, are eight top CASB vendors, with links to deeper information on each vendor – followed by a chart summarizing key features of each solution.
Forcepoint’s proxy and API-based capabilities allow the company to support any cloud application in the market and provide blocking capabilities. The CASB provides deep visibility into thousands of user activities, enabling security teams to understand user behavior and implement data loss prevention (DLP) capabilities. These can be designed to stop exfiltration of data for both managed and unmanaged BYOD devices.
McAfee entered the CASB space with the acquisition of CASB startup Skyhigh Networks in 2018. The product was renamed McAfee Skyhigh Security Cloud, and is now known as McAfee MVISION Cloud. The agentless CASB product offers threat protection and data loss prevention for large and very large enterprises, along with specialized offerings such as a dedicated GDPR tool for companies regulated by the EU data protection law.
Cisco Cloudlock is a CASB developed as a set of micro services that can be exposed via APIs and can support home-grown applications in addition to top-name cloud apps. The company also offers tight integration with its other security products.
Microsoft Cloud App Security is a CASB for everyone from small companies through enterprises. It offers deep integration with Microsoft security products and Office 365, and supports other top cloud apps.
Bitglass Cloud Security is the only agentless CASB solution with support for any app and device, and the only CASB with integrated identity and access management (IAM) and agentless mobile data protection. It supports major enterprise cloud applications, plus SaaS, IaaS and custom apps.
Netskope for SaaS covers thousands of cloud services either through published cloud service APIs or through inline decoding of unpublished APIs. It offers DLP and combines threat intelligence, static and dynamic analysis and machine learning-based anomaly detection to spot threats in real time.
Symantec added CASB capabilities to its portfolio in 2016 with the acquisition of Blue Coat Systems' Perspecsys and Elastica. These two CASB products were merged to create Symantec's current CASB offering, CloudSOC, which is aimed at enterprise customers with strong cloud discovery, usage monitoring and DLP needs.
Proofpoint acquired FireLayers in 2017, extending CASB to Proofpoint's existing threat response, mobile threat defense, remote browser isolation, and threat intelligence offerings. Proofpoint has a large installed base for its email security product; the target market for Proofpoint's CASB is as an add-on for this installed base plus new customers not currently using Proofpoint products.
Oracle (Oracle CASB): Oracle acquired Palerra's technology in 2013 and has been shipping a CASB product since 2015. Oracle CASB Cloud Service is a multimode CASB with several editions: Oracle CASB for Discovery, Oracle CASB for SaaS, Oracle CASB for IaaS, and Oracle CASB for Custom Apps. Inline DLP (for real-time detection) and API DLP (for retroactive scanning) require additional licensing.
CipherCloud (CASB+): Encryption and tokenization are strong use cases, Gartner notes, with integration with on-premises key management, DLP and data-centric audit and protection (DCAP) products. Its primary implementation is a reverse proxy for popular SaaS applications, and it also supports forward-proxy implementations and API inspection of some cloud applications. Recent improvements include selectors for exact data matching, document fingerprinting by uploading a corpus of content, and optical character recognition (OCR) in images.
Below is a chart breaking down product features of the top CASB vendors:
| Vendor | Target market | Key features | Deployment modes | Delivery | Pricing |
| --- | --- | --- | --- | --- | --- |
| Forcepoint | Large to very large enterprises | Deep support for top cloud applications, with ability to support many more | API, proxy and hybrid | Cloud | Subscription based on number of users, plus options like governance and audit |
| McAfee | Mid to large enterprises | Threat protection and DLP; dedicated GDPR offering | Combination of API and proxy depending on use case | Cloud, software or appliance | Priced on per-user, per-year basis |
| Cisco Systems | Organizations with 1,000+ employees | Micro services exposed via APIs can support home-grown apps | API | Cloud | Priced on number of apps and users |
| Microsoft | Small and mid-sized companies | Deep integration with Microsoft security and Office 365 | API, with in-session proxy control | Cloud | $5 a month per user; also part of Microsoft Mobility + Security |
| Bitglass | Small through large enterprises | Integrated IAM; agentless support for any app or device | Hybrid | Cloud | Priced per user per month |
| Netskope | Enterprises | Covers thousands of cloud services; DLP and threat analytics | API, proxy and hybrid | Cloud, appliance or both | Priced per user per year |