In another sign of the cloud security market’s growing maturity, Forrester recently published its first Wave report on cloud security gateways (CSG). Also referred to as cloud access security brokers (CASB), CSG/CASB solutions are on-premises or cloud-based software that secure enterprise usage of cloud services. In contrast to previous analyst research that focused on market trends, The Forrester Wave (download a complimentary copy here) is the first analyst report to evaluate and rank products in this category. The report is based on a detailed technical evaluation of each product as well as an analysis of each provider’s market share, go-to-market strategy, partner support, and customer satisfaction.
“The CSG market is growing because more [security and risk] professionals see CSG as an effective and simple way to address their top cloud security challenges, and they increasingly trust CSG providers to act as strategic partners, advising them on top cloud security decisions.”
The Forrester Wave: Cloud Security Gateways, Q4 2016, Andras Cser, Stephanie Balaouras, Salvatore Schiano, and Peggy Dostie
The Wave process from a vendor’s perspective
Skyhigh was one of eight vendors selected to participate in the Wave evaluation based on market presence. The amount of time and resources Forrester spends to evaluate vendors is significant. The process is designed to cut through marketing hype and validate every vendor claim. As a participating vendor, we found the evaluation to be extremely detailed and we estimate it took hundreds of hours for Forrester to evaluate each participant over several months. To give you a sense of the process, here are some of the things it involved:
- Questionnaire – Forrester sent each vendor a 160-question technical questionnaire, and each vendor’s responses resulted in approximately 250 pages of written material.
- Demo – After submitting the questionnaire, vendors walked through each use case in a live product demonstration to show how to perform each function in the product.
- Documentation – Vendors provided hundreds of additional pages of product documentation describing how users perform each function described in the questionnaire.
- Product access – Vendors supplied a login to allow Forrester analysts 24/7 access to use their products and validate the claims made in the questionnaire and demo.
- Customer references – Forrester analysts conducted in-depth reference calls with customers to understand their experience using each vendor’s product.
As you can see, the process Forrester used in evaluating CASB solutions is not very different from how a large enterprise evaluates software. In some ways, Forrester’s evaluation is even more rigorous than the typical IT procurement process. While enterprises may send vendors an RFP to narrow their selection, see live product demos, and conduct a proof of concept, the depth Forrester went into is unique. After this detailed and rigorous assessment of our product spanning several months, we are incredibly proud that Skyhigh has been named a “leader” in this first-ever industry report ranking CSG/CASB vendors.
Must-have CASB functionality
Based on interviews with Forrester clients, the report lists six security capabilities that enterprises look for, at a minimum, when they secure their cloud usage:
- Detect and intercept unusual or fraudulent activities associated with data in the cloud
- Detect, neutralize, and eliminate malware in cloud platforms
- Detect and monitor unsanctioned cloud applications and platforms usage
- Protect against leaks of confidential information
- Encrypt structured and unstructured data in cloud platforms
- Aid investigation of suspicious users and incidents
According to Forrester, data encryption using enterprise-controlled keys (rather than cloud provider-controlled keys) is a key differentiator separating CASB vendors. Moreover, the report finds that user and entity behavior analytics (UEBA) to surface internal and external threats, malware scanning, and data loss prevention to prevent data leaks will become more important as on-premises network security tools lose their applicability in a cloud-based world. To read more about these use cases, get rankings for the top eight CASB solutions, and view detailed scores for each vendor across 23 evaluation criteria, download a copy of the report here.