If you’re looking for a solution to secure your organization’s use of cloud services, it’s easy to be overwhelmed by the number of options in the market. Industry analysts track more than 20 vendors that claim some cloud access security broker (CASB) functionality. Recognizing the confusion and hype surrounding cloud security, Gartner has recently published a guide with helpful evaluation criteria for enterprises looking at CASBs. But how do you start shortlisting potential vendors? Industry analysts separate vendors into tiers. Tier 1 providers are distinguished by their product maturity, scalability, partnerships and channel, experience in the market, ability to address common CASB use cases, and market share and visibility among analyst clients.

Gartner now tracks more than 20 vendors that provide solutions under the CASB banner. However, these solutions are quite varied in their capabilities and focus, which is confusing potential customers.

– Gartner, How to Evaluate and Operate a Cloud Access Security Broker,
Neil MacDonald, Craig Lawson, December 8, 2015

Starting with public customer references is an excellent way to understand which vendors have traction. Strong public endorsements are a sign that current customers are happy with the solution and getting value from using it. Cloud security is also a product category that exhibits network effects. As more enterprises deploy a particular CASB and the cloud usage of more users becomes available to the solution, the CASB gains a broader view of usage and can detect new cloud services shortly after they launch. CASBs also use machine learning algorithms to detect cloud-based threats, and the more data available to tune these algorithms, the more accurate they become. In this way, cloud security vendors with the most customers are best positioned to have the largest and most accurate registries of cloud services and the most accurate threat detection.

Initiate CASB deployments with discovery/risk assessment ratings of the cloud services in use.

– Gartner, How to Evaluate and Operate a Cloud Access Security Broker,
Neil MacDonald, Craig Lawson, December 8, 2015

Another way to look at CASB solutions is the breadth of product capabilities they offer and their ability to address common use cases. Gartner uses a four-pillar framework to describe the functions of a CASB: visibility, threat protection, compliance, and data security. Leading vendors support all four pillars of this framework both for services sanctioned by the enterprise’s IT department and for those introduced by employees and the line of business. CASBs use a variety of deployment modes to gain visibility into and enforce policies across cloud services, including inline proxy modes that intermediate connections between users and cloud services and direct connections to cloud services using APIs.

Some CASB functions (e.g. encryption, real-time DLP, access control) are not available in API mode. Other functions (e.g. scanning of data at rest in the cloud) are not available in inline proxy mode. That’s why analysts increasingly recommend using a cloud security vendor that offers both API and inline proxy modes to cover all functionality and access scenarios. Industry analysts refer to solutions that leverage both proxy and API modes as “multimode CASBs.” Even if you don’t plan to use all of these capabilities today, it’s likely you will want to be able to deploy them later without switching vendors or using two separate solutions to cover different use cases.

Choose multimode CASB solutions that offer a variety of in-line and API-based visibility options.

– Gartner, How to Evaluate and Operate a Cloud Access Security Broker,
Neil MacDonald, Craig Lawson, December 8, 2015

Until industry analysts publish comprehensive guides ranking cloud security vendors, you can start by using the above criteria to build a shortlist of available options. It’s also a good idea to reach out directly to industry analysts to understand which vendors they see used for different cloud security use cases, along with the cloud security vendors they consider to be in the top tier.