Unrestrained adoption of cloud services by business users and enterprises is having a disruptive effect on information security. IT and security teams are forced to consider the implications of employee cloud adoption on their existing security infrastructure and the new investments they may need to secure their corporate data in third-party systems. Part of the security challenge is choosing reliable cloud service providers that have robust underlying security, but even then, enterprises are responsible for the secure usage of these applications. All of these security concerns have led to the widespread adoption of cloud access security brokers (CASBs), which are the focus of Gartner’s new report titled “CASB Platforms Deliver the Best Features and Performance” (download a free complimentary copy here.

CASBs act as a control point between cloud services and users, allowing companies to enforce security, compliance, and governance controls. At the time of market inception in 2011, the expectation was that CASB capabilities would get absorbed into firewall or proxy solutions, but the solution has grown to offer a wide array of features across the four pillars of visibility, compliance, threat protection, and data security. It’s now clear CASB is a significant standalone category and the growing feature sets, customer adoption, and increased cloud usage has led to CASB becoming a critical element of the enterprise security stack. Gartner estimated the market size of the CASB market in 2016 to be $170 million.

Gartner is now receiving a large number of client inquiries on how to select a CASB. We strongly advise starting with a reasonably detailed listing of use cases that are specific to your exact needs.

-CASB Platforms Deliver the Best Features and Performance, Craig Lawson, Neil MacDonald, Sid Deshpande, Brian Reed, Steve Riley, February 24, 2017

Limited Time Offer: Complimentary Gartner Report

Download Gartner’s latest report on the CASB market, core use cases, and more.

Download Now

Choosing a CASB is not easy

The popularity of the CASB market has led to the creation of several startups in this space, some of which offer the full range of CASB features, while others are point solutions, specializing in a single capability such as encryption or user behavior analytics (UBA). Existing network and firewall vendors have also entered the market via acquisitions or have developed their own of partial CASB offerings. Furthermore, many cloud service providers have upped their security infrastructure and offer selected capabilities within their solutions. All of these choices can be overwhelming for the IT leaders looking for a solution to secure their cloud usage.

As companies navigate the crowded CASB market, Gartner advises them to document use cases and engage in POC exercises before making a decision, rather than relying on vendor assurances. Point solutions may address the most current use cases, but may require more solutions to be tacked on as cloud usage grows. Incumbent vendors, who provide “CASB as a feature” offerings may only partially cover the security use cases given insufficient depth of capabilities. Cloud service providers have improved their security offerings, but those capabilities are almost always restricted to that specific cloud service and do not address broader cloud usage within the enterprise.

Pure-play CASBs have seen significant customer adoption as they offer a full range of capabilities across all CASB pillars. These vendors not only provide deep capabilities, but also support multiple cloud services, allowing companies to address a broad range of cloud security requirements with a single solution. Given their exclusive focus on the cloud security space, they are able to innovate on new capabilities and execute with greater agility to bring features to the market. It should come as no surprise that Gartner analysis shows that pure-play CASB vendors are dominating the market.

Based on Gartner client inquiry and market modeling, we believe that 90% or more of revenue is coming from the leading CASB platform providers and we are not seeing any developments to indicate that we need to change this analysis.

-CASB Platforms Deliver the Best Features and Performance, Craig Lawson, Neil MacDonald, Sid Deshpande, Brian Reed, Steve Riley, February 24, 2017

CASB solutions are now being used at numerous leading enterprises across industries. The Skyhigh CASB solution is deployed in over 600 enterprises which include 40% of Fortune 500. In choosing a CASB solution, here are some points enterprises commonly consider:

1. Use case coverage – As Gartner recommends, companies need to document their use cases and in some cases need to run POCs to ensure the CASB vendor provides the depth of capabilities required. Gartner lists out CASB use cases across the 4 pillars. Several CASB solutions in the market either provide partial solutions or claim features that they are not available. It is therefore important to perform detailed POCs and also get guidance from leading analysts covering this space. Recognizing the growing maturity of the CASB market, some enterprises are foregoing POCs in favor of detailed reference calls with 6-8 enterprises of similar size and with similar use cases.

2. Agility and innovation – Good enough today may not mean good enough tomorrow. Market trends indicate that enterprise cloud usage will continue to grow and so will cloud security requirements. Changes in the regulatory environment, such as the implementation of GDPR, can also necessitate companies to enforce increased security controls. Leading CASBs not only innovate and keep pace with market requirements, but also execute to quickly bring new capabilities to market. This will enable the company to keep its cloud security and compliance controls up-to-date.

3. Multi-mode deployment – Many enterprises deploy their CASBs in multiple modes including API and proxy. While the API mode provides the advantages of quick deployment and comprehensive coverage, proxies are often used to enforce real-time inline controls and address data residency requirements. Companies often choose to start with API deployments, but as their CASB deployment matures, they deploy controls such as encryption and contextual access controls via an inline proxy. The flexibility offered by a multi-mode CASB provides enterprises with options to expand their cloud security deployment inline with their evolving requirements.

4. IaaS security capabilities – According to Gartner, the IaaS market is the fastest growing sector within the public cloud services market. Enterprises looking at CASB solutions are increasingly asking for security controls to be enforced on their IaaS deployments. This includes not only securing their IaaS activity and configurations, but also protecting their custom apps with DLP controls, activity monitoring, and threat protection. There is a strong trend of companies migrating tens or hundreds of custom apps on their data centers to IaaS platforms such as AWS, Azure, and Google Cloud, and the security of these apps represent the next frontier as companies secure their SaaS applications.

Security leaders need to expand the scope of CASB visibility and control to infrastructure as a service (IaaS) privileged account monitoring, as well as sensitive data discovery and protection.

-CASB Platforms Deliver the Best Features and Performance, Craig Lawson, Neil MacDonald, Sid Deshpande, Brian Reed, Steve Riley, February 24, 2017

The average organization now uses 1,427 cloud services, and this number represents a 23.7% increase from the same quarter last year. As cloud usage grows, enterprise cloud security needs will grow and drive the evolution of the CASB market. These changes may not make choosing a CASB any easier or less complex. Gartner’s advice on developing a clear understanding of use cases, testing the capabilities in POCs or with in-depth references, and choosing solutions while considering current and future cloud usage will go a long way in clarifying the available options for enterprises.