What is a CASB?
Cloud access security brokers (CASBs) are on-premises or cloud-hosted software that sit between cloud service consumers and cloud service providers to enforce security, compliance, and governance policies for cloud applications. CASBs help organizations extend the security controls of their on-premises infrastructure to the cloud.
Four Pillars of CASBs
What does a CASB vendor do? CASBs deliver functionality through these four pillars:
Discover shadow IT cloud services and gain visibility into user activity with sanctioned cloud applications
Identify sensitive data in the cloud and enforce DLP policies to meet data residency and compliance requirements
Enforce data-centric security such as encryption, tokenization, access control, and information rights management
Detect and respond to negligent or malicious insider threats, privileged user threats, and compromised accounts
Why does my organization need a CASB solution?
While some CASB capabilities incorporate familiar technologies and approaches previously used to secure data in on-premises applications, CASB is a distinct and differentiated technology from existing security categories such as identity as a service (IDaaS), web application firewalls (WAFs), secure web gateways (SWGs), and enterprise firewalls.
When the CASB category emerged in 2011, they were seen as a cloud visibility solution that discovered shadow IT but since then they have grown to offer a wide array of features across four pillars of visibility, compliance, threat protection, and data security.
Increasing cloud usage along with growing maturity of CASB solutions has driven greater enterprise adoption of CASBs. Today, CASB is a critical element of the enterprise security stack. Gartner predicts that by 2022, 60% of enterprises will be using a CASB to secure their cloud applications.
By 2020, 60% of large enterprises will use a CASB to govern cloud services, up from less than 10% today.
– Gartner, Magic Quadrant for Cloud Access Security Brokers,
Steve Riley, Craig Lawson, November 30, 2017
By using cloud access security brokers, organizations can:
- Identify what Shadow IT cloud services are in use, by whom, and what risks they pose to the organization and its data
- Evaluate and select cloud services that meet security and compliance requirements using a database of cloud services and their security controls
- Protect enterprise data in the cloud by preventing certain types of sensitive data from being uploaded, and encrypting and tokenizing data
- Identify potential misuse of cloud services, including both activity from insiders as well as third parties that compromise user accounts
- Enforce differing levels of data access and cloud service functionality based on the user’s device, location, and operating system
How do I deploy a CASB?
The enforcement point between the network and internet is clear: it’s at the network edge. In the cloud era, there is not a single enforcement point that covers all CASB functionality and access scenarios. CASBs leverage forward proxy, reverse proxy, and API modes of deployment to gain visibility into and enforce policies across cloud services, and each has its own set of functionality and coverage. Gartner refers to CASB solutions that support both proxy and API modes as multimode CASBs and notes that “they give their customers a wider range of choices in how they can control a larger set of cloud applications.”
Certain security capabilities are dependent on the deployment model, and Gartner recommends organizations look to CASB solutions that offer a full range of architecture options to cover all cloud access scenarios. They also note that vendors offering API-based controls today are not well-positioned to extend their platforms to include proxy-based controls given the significant investment needed to develop a robust proxy architecture that scales to the large data volumes exchanged between end users and cloud services.
Another consideration when deploying a CASB is where to deploy: on-premises or in the cloud. Currently, the SaaS form factor is more popular than the on-premises variations of CASB technology, and it is increasingly the preferred option for most use cases, according to Gartner.
In its latest CASB report (download a free copy here) Gartner considers CASBs to be a required security technology today and provides recommendations for security and risk management leaders evaluating cloud security controls.
Forrester recently released their Wave report (download a free copy here) that ranks CASB leaders.
Which CASB security vendor should I work with?
While many providers focus on limited areas of the four CASB functionality pillars, most organizations prefer to select a single provider that covers all use cases. Gartner recommends that organizations carefully evaluate solutions based on multiple criteria. One consideration is how many cloud providers the solution can discover and the breadth of attributes tracked in the CASB’s registry of cloud providers. Another consideration is the depth of supported controls for business-critical cloud services, such as Office 365, that are currently in use or planned in the near future.
The popularity of the CASB market has led to the creation of several startups in this space, some of which offer the full range of CASB features, while others are point solutions, specializing in a single capability such as encryption or user behavior analytics (UBA). Existing network and firewall vendors have also entered the market via acquisitions or have developed their own partial CASB offerings.
Gartner notes that the CASB market is crowded and expects that consolidation will occur and some vendors will exit the market in the next five years. A good predictor of whether a vendor will continue operating is whether they are one of the leaders in the market in terms of customer traction. Companies with more customers will naturally have a more complete view of customer needs, which will enable them to develop better solutions to meet those needs that will, in turn, attract more customers and support a sustainable business.
Furthermore, many cloud service providers have upped their security infrastructure and offer selected capabilities within their solutions. All of these choices can be overwhelming for the IT leaders looking for a solution to secure their cloud usage.
As companies navigate the crowded CASB market, organizations should document use cases and engage in POC exercises before making a decision, rather than relying on vendor assurances. Point solutions may address the most current use cases, but may require more solutions to be tacked on as cloud usage grows. Incumbent vendors, who provide “CASB as a feature” offerings may only partially cover core cloud security use cases due to insufficient depth of capabilities. Cloud service providers have improved their security offerings, but those capabilities are almost always restricted to that specific cloud service and do not address broader cloud usage within the enterprise.
Pure-play CASBs have seen significant customer adoption as they offer a full range of capabilities across all CASB pillars. These vendors not only provide deep capabilities, but also support multiple cloud services, allowing companies to address a broad range of cloud security requirements with a single solution. Given their exclusive focus on the cloud security space, they are able to innovate on new capabilities and execute with greater agility to bring features to the market. It should come as no surprise that Gartner analysis shows that pure-play CASB vendors are dominating the market.
CASB solutions are now being used at numerous leading enterprises across industries. The McAfee CASB solution is deployed in over 600 enterprises which include 40% of Fortune 500.
CASB evaluation criteria:
1. Use case coverage – As Gartner recommends, companies need to document their use cases and in some cases need to run POCs to ensure the CASB vendor provides the depth of capabilities required. Gartner lists out CASB use cases across the 4 pillars. Several CASB solutions in the market either provide partial solutions or claim features that they are not available. It is therefore important to perform detailed POCs and also get guidance from leading analysts covering this space. Recognizing the growing maturity of the CASB market, some enterprises are foregoing POCs in favor of detailed reference calls with 6-8 enterprises of similar size and with similar use cases.
2. Agility and innovation – Good enough today may not mean good enough tomorrow. Market trends indicate that enterprise cloud usage will continue to grow and so will cloud security requirements. Changes in the regulatory environment, such as the implementation of GDPR, will also require companies to enforce increased security controls. Leading CASBs not only innovate and keep pace with market requirements, but also execute to quickly bring new capabilities to market. Relying on a marketing-leading vendor enables an enterprise to keep its cloud security and compliance controls up-to-date.
3. Multi-mode deployment – Many enterprises deploy their CASBs in multiple modes including API and proxy. While the API mode provides the advantages of quick deployment and comprehensive coverage, proxies are often used to enforce real-time inline controls and address data residency requirements. Companies often choose to start with API deployments, but as their CASB deployment matures, they deploy controls such as encryption and contextual access controls via an inline proxy. The flexibility offered by a multi-mode CASB provides enterprises with options to expand their cloud security deployment inline with their evolving requirements.
4. IaaS security capabilities – According to Gartner, the IaaS market is the fastest growing sector within the public cloud services market. Enterprises looking at CASB solutions are increasingly asking for security controls to be enforced on their IaaS deployments. This includes not only securing their IaaS activity and configurations, but also protecting their custom apps with DLP controls, activity monitoring, and threat protection. There is a strong trend of companies migrating tens or hundreds of custom apps from their data centers to IaaS platforms such as AWS, Azure, and Google Cloud, and the security of these apps represent the next frontier as companies secure their SaaS applications.